{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress (and 46 more): Same pattern found in 46 additional files. Review if needed.", "shortDescription": {"text": "[MINED048] Php Error Suppress (and 46 more): Same pattern found in 46 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/554"}, "properties": {"repository": "drupal/drupal", "repoUrl": "https://github.com/drupal/drupal", "branch": "main"}, "results": [{"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36098, "scanner": "repobility-ai-code-hygiene", "fingerprint": "846a5282190f1c19cc5127470c1c4648a8ee29fc18cf329979943f7a99b6f574", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|846a5282190f1c19cc5127470c1c4648a8ee29fc18cf329979943f7a99b6f574"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/workspaces/workspaces.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36097, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9bc50b188e9b1a260f131b97881d24daaae874346a605691048444524876227c", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|9bc50b188e9b1a260f131b97881d24daaae874346a605691048444524876227c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/views/views.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36096, "scanner": "repobility-ai-code-hygiene", "fingerprint": "14b193997a64f771631a70da0c3b0d2a3ec7e8336bb3ff247e4df1d4cd7fdea6", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|14b193997a64f771631a70da0c3b0d2a3ec7e8336bb3ff247e4df1d4cd7fdea6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/update/update.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36095, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a7070ad8509e7e45496951c93af6445e9523f39e0fc78d5e4be8ce6b73c644ec", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|a7070ad8509e7e45496951c93af6445e9523f39e0fc78d5e4be8ce6b73c644ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/taxonomy/taxonomy.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36094, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d3bc0fe66c38c0a9a25b18dbde6196e855619839d19413ac30b32407b458f32d", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|d3bc0fe66c38c0a9a25b18dbde6196e855619839d19413ac30b32407b458f32d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/system/system.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36093, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9947319299c59e654fca61a0f58cddafbb78eeca8b55d40936b808c6b908d111", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|9947319299c59e654fca61a0f58cddafbb78eeca8b55d40936b808c6b908d111"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/node/node.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36092, "scanner": "repobility-ai-code-hygiene", "fingerprint": "099d58d584c63037bc39d46533fefad7632b23eb660c6c86516987a58a60791b", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|099d58d584c63037bc39d46533fefad7632b23eb660c6c86516987a58a60791b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/media_library/media_library.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36091, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c4709065089abd9b6e70dfa55fc4cf38246f1e2e547a87abeb4d200ec5973b6", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|1c4709065089abd9b6e70dfa55fc4cf38246f1e2e547a87abeb4d200ec5973b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/media/media.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36090, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a2ddeda17029b67b67b0d8dd7d70ec2b46575ec54fb61da5430d1981142ccd6", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|1a2ddeda17029b67b67b0d8dd7d70ec2b46575ec54fb61da5430d1981142ccd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/locale/locale.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36089, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b174ee139727ceaedaf8767788c76781578bd2f3cdb2b1a3f3f44328c6f5ef47", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|b174ee139727ceaedaf8767788c76781578bd2f3cdb2b1a3f3f44328c6f5ef47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/layout_builder/layout_builder.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36088, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e998c62bced13eb3aee6610a2bcb16a3fcd614a89eba17cc8aa634c43a2b4571", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|e998c62bced13eb3aee6610a2bcb16a3fcd614a89eba17cc8aa634c43a2b4571"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/help/help.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36087, "scanner": "repobility-ai-code-hygiene", "fingerprint": "696689ea21f2bdf95e78913db485d595010d100db415b3f6e88ed7d4f9812257", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|696689ea21f2bdf95e78913db485d595010d100db415b3f6e88ed7d4f9812257"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/field/field.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36086, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cf07f1d354eca01fae146c703bedf3009f604f81a4d8985db19119423102b59d", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|cf07f1d354eca01fae146c703bedf3009f604f81a4d8985db19119423102b59d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/content_moderation/content_moderation.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36085, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1946313adc9b0c84ebe3ffba54aff62895850dbe046fa1cff807e143dd462d75", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "fix", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|1946313adc9b0c84ebe3ffba54aff62895850dbe046fa1cff807e143dd462d75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/ckeditor5/js/ckeditor5.dialog.fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36084, "scanner": "repobility-ai-code-hygiene", "fingerprint": "03397a2c30a43fb1a81429c42be683a9a5aa75a40408e670d805063bfac8169e", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|03397a2c30a43fb1a81429c42be683a9a5aa75a40408e670d805063bfac8169e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/ckeditor5/ckeditor5.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36083, "scanner": "repobility-ai-code-hygiene", "fingerprint": "64a2850cf2284f0b4b99dacef9f0885baab9e4c2bd09621687177b5f9ab9ec12", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|64a2850cf2284f0b4b99dacef9f0885baab9e4c2bd09621687177b5f9ab9ec12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/block_content/block_content.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 36082, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f148fb4547718c7218f373282f4db90599da065a23b2c91d8fa363632435dc64", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|f148fb4547718c7218f373282f4db90599da065a23b2c91d8fa363632435dc64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/block/block.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 36063, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 36062, "scanner": "repobility-threat-engine", "fingerprint": "7bb461c9076800a6d462c2646620937442808e0fdcda15cd8b9260879f24a543", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n    catch (BadRequestException) {\n      return NULL;\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7bb461c9076800a6d462c2646620937442808e0fdcda15cd8b9260879f24a543"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/system/src/PathBasedBreadcrumbBuilder.php"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 36061, "scanner": "repobility-threat-engine", "fingerprint": "56392144c6c6c94d8e690ddfce10ded22861ccfb172772c39bbca21a086d0333", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n    catch (RouteNotFoundException) {\n      return TRUE;\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|56392144c6c6c94d8e690ddfce10ded22861ccfb172772c39bbca21a086d0333"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/navigation/src/Menu/NavigationMenuLinkTreeManipulators.php"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 36060, "scanner": "repobility-threat-engine", "fingerprint": "83e82b9ac57f5c6083cf7b2169236250e17e4765be73697d5bb7c0492c6f2f47", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n    catch (ContextException) {\n      return NULL;\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|83e82b9ac57f5c6083cf7b2169236250e17e4765be73697d5bb7c0492c6f2f47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/layout_builder/src/SectionStorage/SectionStorageManager.php"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 36059, "scanner": "repobility-threat-engine", "fingerprint": "448c9815d356206c79fdbbcc34cb6ae6be7cd88110bfe8e162677b2139049092", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\":url\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|87|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/system/src/Controller/SystemInfoController.php"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 36058, "scanner": "repobility-threat-engine", "fingerprint": "c1488fa3f324feb284f9ac5e203505deb4edd2603385f3133b8f2ab1c74fb579", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(\n        this.href,\n        'filePreview',\n        'toolbar=0,scrollbars=1,location=1,st", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|292|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/file/js/file.js"}, "region": {"startLine": 292}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 36057, "scanner": "repobility-threat-engine", "fingerprint": "a3e2a19bf82e06a03f8c45a6c2967d72e294d174b9e4cbe45dcd3208353f92e1", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://www.php.net/manual/datetime.format.php#refsect1-datetime.format-parameters\" target=", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|72|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/datetime/src/Plugin/Field/FieldFormatter/DateTimeCustomFormatter.php"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 36030, "scanner": "repobility-threat-engine", "fingerprint": "96d6ba984f060175273fef185bcc9e9dfdb1fd7dc9871efb1c6684c576cca6b9", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ">exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|38|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/sqlite/src/Driver/Database/sqlite/SqliteConnection.php"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 36029, "scanner": "repobility-threat-engine", "fingerprint": "1dfc1ae210070b696c2c61b3e5b80c058919a28c47d6dde898f3852c85d91194", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|175|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/misc/tableresponsive.js"}, "region": {"startLine": 175}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 36028, "scanner": "repobility-threat-engine", "fingerprint": "2c53d38f05b06f9f9c2e4aef6d767e5620be33a96c10813a2f46942dec4026d6", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|composer/composer.php|86|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer/Composer.php"}, "region": {"startLine": 86}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 36104, "scanner": "repobility-web-presence", "fingerprint": "f9abd9374ffea043b05c86d1d45a61e91624f3869e5e300b81b379d7625c6615", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|f9abd9374ffea043b05c86d1d45a61e91624f3869e5e300b81b379d7625c6615"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36103, "scanner": "repobility-ai-code-hygiene", "fingerprint": "932f06bd25fdaadad6f871cd1fef7799546002444d201c1cd981bb83d73aeb76", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/lib/Drupal/Component/PhpStorage/FileReadOnlyStorage.php", "duplicate_line": 25, "correlation_key": "fp|932f06bd25fdaadad6f871cd1fef7799546002444d201c1cd981bb83d73aeb76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/lib/Drupal/Component/PhpStorage/FileStorage.php"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36102, "scanner": "repobility-ai-code-hygiene", "fingerprint": "20907d060aa9063d78ef6f99b11f5a0892a0642cc00dac7a14db3c5ef4ead30d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "composer/Plugin/VendorHardening/FileSecurity.php", "duplicate_line": 3, "correlation_key": "fp|20907d060aa9063d78ef6f99b11f5a0892a0642cc00dac7a14db3c5ef4ead30d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/lib/Drupal/Component/FileSecurity/FileSecurity.php"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36101, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a7759c496ced1f0a4165b928356c458bb16189af66188eb34fa8a5346541fdf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/lib/Drupal/Component/DependencyInjection/Container.php", "duplicate_line": 89, "correlation_key": "fp|0a7759c496ced1f0a4165b928356c458bb16189af66188eb34fa8a5346541fdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/lib/Drupal/Component/DependencyInjection/PhpArrayContainer.php"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36100, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea7cd391adddec266df8a5987ab246b33cf62954928aa961e4b1268bd1339dbe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".ht.router.php", "duplicate_line": 1, "correlation_key": "fp|ea7cd391adddec266df8a5987ab246b33cf62954928aa961e4b1268bd1339dbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/assets/scaffold/files/ht.router.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 36099, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4bd0ba4acddb3d5a88f9088057c372c73baaf9a089c50b171c8a4e075a6fb19c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "composer/Generator/Builder/DrupalCoreRecommendedBuilder.php", "duplicate_line": 36, "correlation_key": "fp|4bd0ba4acddb3d5a88f9088057c372c73baaf9a089c50b171c8a4e075a6fb19c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer/Generator/Builder/DrupalPinnedDevDependenciesBuilder.php"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36081, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25c1b95446791efa72560e9414894e683e2ff211ad93895b42f7f207e6e1ba27", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|25c1b95446791efa72560e9414894e683e2ff211ad93895b42f7f207e6e1ba27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/scripts/js/vendor-update.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36080, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3261c33a3a671b96e0f68c50eff4226181f5b3812ce82482f38b2ff7580dede3", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|3261c33a3a671b96e0f68c50eff4226181f5b3812ce82482f38b2ff7580dede3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/workspaces/workspaces.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36079, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a1f62919d287ae9a306469a188793959b4d79802a914be1bf11ea778582cf34", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|2a1f62919d287ae9a306469a188793959b4d79802a914be1bf11ea778582cf34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/views/views.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36078, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ed91fc0e4ce8db712632c09069d6b6413ffbdb9f1a0cd8e50d764190ce520b9e", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ed91fc0e4ce8db712632c09069d6b6413ffbdb9f1a0cd8e50d764190ce520b9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/update/update.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36077, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e04eb5e28bf27792e3306da6bc04bf3c36194803a37a258f5c72ea3a58d5b826", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|e04eb5e28bf27792e3306da6bc04bf3c36194803a37a258f5c72ea3a58d5b826"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/taxonomy/taxonomy.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36076, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1490c8357a62a2685e722b5db87423c1072e8a140ec256c6df63a79f04074fa8", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|1490c8357a62a2685e722b5db87423c1072e8a140ec256c6df63a79f04074fa8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/system/system.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36075, "scanner": "repobility-ai-code-hygiene", "fingerprint": "af89bfd80f6a58f7b00afb6020270090e572424d379a1ccd7d3e3770972cd970", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|af89bfd80f6a58f7b00afb6020270090e572424d379a1ccd7d3e3770972cd970"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/node/node.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36074, "scanner": "repobility-ai-code-hygiene", "fingerprint": "35affd17ebf8ee53a4a779fc378a1906751c83fbc7a615aafa306ffb8799600c", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|35affd17ebf8ee53a4a779fc378a1906751c83fbc7a615aafa306ffb8799600c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/media_library/media_library.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36073, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cc6e4d7d99f52222cbd3d5008ab2998184ef411a4b23258e1a0b70170ffa05f1", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|cc6e4d7d99f52222cbd3d5008ab2998184ef411a4b23258e1a0b70170ffa05f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/media/media.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36072, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1495b6e26bdf69d7ab69f7e0a872a3d6acedba8a266ca77adfc7943789661626", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|1495b6e26bdf69d7ab69f7e0a872a3d6acedba8a266ca77adfc7943789661626"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/locale/locale.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36071, "scanner": "repobility-ai-code-hygiene", "fingerprint": "98d1598e99d36329d021b2c84572cd11be1d1761e0cd82ac7295462b7d24fb54", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|98d1598e99d36329d021b2c84572cd11be1d1761e0cd82ac7295462b7d24fb54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/layout_builder/layout_builder.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36070, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74aa87d2b4878245cdf2922c2daa852f8467de82020e122787563e2276a2ec70", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|74aa87d2b4878245cdf2922c2daa852f8467de82020e122787563e2276a2ec70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/help/help.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36069, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb2030054072dec9f4e74ad61bbf494ad045947d3dc15ef11ba2b33b31207e9f", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|eb2030054072dec9f4e74ad61bbf494ad045947d3dc15ef11ba2b33b31207e9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/field/field.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36068, "scanner": "repobility-ai-code-hygiene", "fingerprint": "315d3277b15f6a1a8ffee17c7f35fe79e97ddbd60375947aebfb6eb4e75cfe9a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|315d3277b15f6a1a8ffee17c7f35fe79e97ddbd60375947aebfb6eb4e75cfe9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/content_moderation/content_moderation.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36067, "scanner": "repobility-ai-code-hygiene", "fingerprint": "63c63e24430b0ecf508adc4d73bb0d44a03093a9ac75e3b2caf00aeee8b47fb0", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|63c63e24430b0ecf508adc4d73bb0d44a03093a9ac75e3b2caf00aeee8b47fb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/ckeditor5/js/ckeditor5.dialog.fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36066, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0660287e2fe779b21c31a4c9daa9b4d931d485bcf18755c5d26c9e853367848a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|0660287e2fe779b21c31a4c9daa9b4d931d485bcf18755c5d26c9e853367848a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/ckeditor5/ckeditor5.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36065, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e87c1b01f9b30af98006244979d0e4e58769f04c3e27fb2f15ac740a290fb89", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|0e87c1b01f9b30af98006244979d0e4e58769f04c3e27fb2f15ac740a290fb89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/block_content/block_content.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 36064, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d85033a46b0dcd6ffb84e3c099350d69bc82ba2248abe496c550139a1b1f45b4", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|d85033a46b0dcd6ffb84e3c099350d69bc82ba2248abe496c550139a1b1f45b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/block/block.post_update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 36040, "scanner": "repobility-threat-engine", "fingerprint": "6d3aca0cd93c447947cf02a257b9b1f426a2f6a404975816947f013ba96e8be4", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = i", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|172|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/ckeditor5/js/ckeditor5_plugins/drupalEntityLinkSuggestions/src/index.js"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 36039, "scanner": "repobility-threat-engine", "fingerprint": "225788b4ce74ff56335936f5b0fa61ab3f9f15e577ef6f42979921aa0713343b", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML ==", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|core/misc/message.js|61|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/misc/message.js"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 36038, "scanner": "repobility-threat-engine", "fingerprint": "803cebcb73eee14efb40726e1d34744f70cacaf37dc41855c8f3e7ccdd177378", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = t", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|core/misc/announce.js|77|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/misc/announce.js"}, "region": {"startLine": 77}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 36023, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 36056, "scanner": "repobility-threat-engine", "fingerprint": "1042e3d1020038748f6151646ae8f609c0131bee71c87445699ea3642eb0dade", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1042e3d1020038748f6151646ae8f609c0131bee71c87445699ea3642eb0dade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/ckeditor5/js/ckeditor5_plugins/drupalMedia/src/mediaimagetextalternative/mediaimagetextalternativeui.js"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 36055, "scanner": "repobility-threat-engine", "fingerprint": "1d58c1757708a9153720d4c67167f703a535f9874424f6ee09ffa46ab98725aa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1d58c1757708a9153720d4c67167f703a535f9874424f6ee09ffa46ab98725aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/ckeditor5/js/ckeditor5_plugins/drupalMedia/src/drupalmediageneralhtmlsupport.js"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 36054, "scanner": "repobility-threat-engine", "fingerprint": "100a125fbc5f4d3609a14a0f37d106b62fe5cf33c65c360bafce8fa6ddba9cc7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|100a125fbc5f4d3609a14a0f37d106b62fe5cf33c65c360bafce8fa6ddba9cc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/ckeditor5/js/ckeditor5_plugins/drupalMedia/src/drupalelementstyle/drupalelementstyleediting.js"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 36051, "scanner": "repobility-threat-engine", "fingerprint": "d7c0c2af79d1d74daef8f27af98bbeadedb79f5d9f64f6d38da42c519f05dfda", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7c0c2af79d1d74daef8f27af98bbeadedb79f5d9f64f6d38da42c519f05dfda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/big_pipe/js/big_pipe.commands.js"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 36048, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 36044, "scanner": "repobility-threat-engine", "fingerprint": "54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 36034, "scanner": "repobility-threat-engine", "fingerprint": "6ca3af492f7e6c1db301ad52802c2d4a47c0eeb5e4b8c82b99531327b37204e9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6ca3af492f7e6c1db301ad52802c2d4a47c0eeb5e4b8c82b99531327b37204e9", "aggregated_count": 9}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 36033, "scanner": "repobility-threat-engine", "fingerprint": "5f98daed5844a4015109dae69407174874a0f4516eb54203daf424884d825878", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5f98daed5844a4015109dae69407174874a0f4516eb54203daf424884d825878"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/breakpoint/src/Hook/BreakpointHooks.php"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 36032, "scanner": "repobility-threat-engine", "fingerprint": "5b7b125a6a0664e0661c3f352dc825ebc74c3c008211227d07b4b4f28ca8d07a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b7b125a6a0664e0661c3f352dc825ebc74c3c008211227d07b4b4f28ca8d07a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/basic_auth/src/Hook/BasicAuthHooks.php"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 36031, "scanner": "repobility-threat-engine", "fingerprint": "ff60ce918ca38f52154372daa81617bc72128f939c36bae8de8cfc047741941a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff60ce918ca38f52154372daa81617bc72128f939c36bae8de8cfc047741941a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/install.php"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress (and 46 more): Same pattern found in 46 additional files. Review if needed."}, "properties": {"repobilityId": 36027, "scanner": "repobility-threat-engine", "fingerprint": "6cf7d775fa0d0cc3c1068d5e9ee15ead08d7f5e0755907d17c5f3895c5ce3e73", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 46 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6cf7d775fa0d0cc3c1068d5e9ee15ead08d7f5e0755907d17c5f3895c5ce3e73", "aggregated_count": 46}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 36026, "scanner": "repobility-threat-engine", "fingerprint": "06ac4d36a6115cb864a437c0c794c9e416df3bda9b0861a74c28fc01f35a690b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|06ac4d36a6115cb864a437c0c794c9e416df3bda9b0861a74c28fc01f35a690b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/big_pipe/src/Render/BigPipeResponseAttachmentsProcessor.php"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 36025, "scanner": "repobility-threat-engine", "fingerprint": "d7565dc86473be5d1019786074ff367d10a3e6d613f7ab4973feab198a7083bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7565dc86473be5d1019786074ff367d10a3e6d613f7ab4973feab198a7083bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer/Plugin/VendorHardening/FileSecurity.php"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 36024, "scanner": "repobility-threat-engine", "fingerprint": "38bc3bb361be613fa78b2bf5a321c18d7f569f079a2bf77123583383de14fcf8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|38bc3bb361be613fa78b2bf5a321c18d7f569f079a2bf77123583383de14fcf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gitlab-ci/scripts/component-coverage-metrics.php"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 36050, "scanner": "repobility-threat-engine", "fingerprint": "656f41bcfc84bf87df32ab0aed52d47809dbf47b17e7a9415fa9bfc0ff31a500", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(prop", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|656f41bcfc84bf87df32ab0aed52d47809dbf47b17e7a9415fa9bfc0ff31a500"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/misc/tableresponsive.js"}, "region": {"startLine": 175}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 36049, "scanner": "repobility-threat-engine", "fingerprint": "82617b04d994956c53a473a544d4369c80d1d08e11b8741a4c2454e3c255c704", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(settings", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|82617b04d994956c53a473a544d4369c80d1d08e11b8741a4c2454e3c255c704"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/misc/machine-name.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 36047, "scanner": "repobility-threat-engine", "fingerprint": "63ece81445e8e89ee6dce585aeac73d971b9d9e353a9bf2c72c4ef391a4c5f39", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "super.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|63ece81445e8e89ee6dce585aeac73d971b9d9e353a9bf2c72c4ef391a4c5f39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/ckeditor5/js/ckeditor5_plugins/drupalImage/src/imagealternativetext/drupalimagealternativetextui.js"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 36046, "scanner": "repobility-threat-engine", "fingerprint": "9d7aff53d912d741e5d73637eb864ee686333a7dbbaf97f267496bedf1ad1799", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "view.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d7aff53d912d741e5d73637eb864ee686333a7dbbaf97f267496bedf1ad1799"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/ckeditor5/js/ckeditor5_plugins/drupalImage/src/imagealternativetext/drupalimagealternativetextediting.js"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 36045, "scanner": "repobility-threat-engine", "fingerprint": "a4d80a16951874372c3ff8c935b58a7207c7463bfbee5bb196fabd90f79665bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url.searchParams.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a4d80a16951874372c3ff8c935b58a7207c7463bfbee5bb196fabd90f79665bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/misc/htmx/htmx-assets.js"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 36043, "scanner": "repobility-threat-engine", "fingerprint": "60af7134122ada1d0787a55671d1a72fbd0557651f1f3bdb7f7b8ea292ff6425", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|60af7134122ada1d0787a55671d1a72fbd0557651f1f3bdb7f7b8ea292ff6425"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/announcements_feed/src/AnnounceFetcher.php"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 36042, "scanner": "repobility-threat-engine", "fingerprint": "ce78f2e10e5beb4311374dd34e8f349857482e4d99c47ea9c97130fe6b66849f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ce78f2e10e5beb4311374dd34e8f349857482e4d99c47ea9c97130fe6b66849f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/misc/timezone.js"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 36041, "scanner": "repobility-threat-engine", "fingerprint": "f8eed76eca6047463fa38c8f05dbcf4f812e81cfbfe9c0718e81b62714be33d4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f8eed76eca6047463fa38c8f05dbcf4f812e81cfbfe9c0718e81b62714be33d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/misc/htmx/htmx-assets.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 36037, "scanner": "repobility-threat-engine", "fingerprint": "881b465c15d10fa317ca506b51187e44cbcda36ad5aeb054e9fc9be92af7e351", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".html(`${percentage}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|881b465c15d10fa317ca506b51187e44cbcda36ad5aeb054e9fc9be92af7e351"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/misc/progress.js"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 36036, "scanner": "repobility-threat-engine", "fingerprint": "691c9c25a64948be65c02c8bfbf59576742b1a2c2bb242f0c1e056b4eb06d744", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `${text}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|691c9c25a64948be65c02c8bfbf59576742b1a2c2bb242f0c1e056b4eb06d744"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/misc/message.js"}, "region": {"startLine": 263}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 36035, "scanner": "repobility-threat-engine", "fingerprint": "092457612ab4b1cfe704381851eb30e20fd772da8ace849fcd582b398128b08e", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n          (selector) =>\n            `${selector}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|092457612ab4b1cfe704381851eb30e20fd772da8ace849fcd582b398128b08e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/misc/active-link.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 36053, "scanner": "repobility-threat-engine", "fingerprint": "ba5c2073447c1462972945ed122974ea00e314f73898986ed448d9f3c3ec45c0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba5c2073447c1462972945ed122974ea00e314f73898986ed448d9f3c3ec45c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/ckeditor5/js/ckeditor5_plugins/drupalMedia/src/mediaimagetextalternative/ui/textalternativeformview.js"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 36052, "scanner": "repobility-threat-engine", "fingerprint": "39dab1f87f41aa2f1ee1b0f241f112b87609de2c92d5daf4281e1226c2ec8890", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|39dab1f87f41aa2f1ee1b0f241f112b87609de2c92d5daf4281e1226c2ec8890"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/modules/ckeditor5/js/ckeditor5_plugins/drupalImage/src/imagealternativetext/ui/imagealternativetextformview.js"}, "region": {"startLine": 134}}}]}]}]}