{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB012", "name": "Service worker is present without a web app manifest", "shortDescription": {"text": "Service worker is present without a web app manifest"}, "fullDescription": {"text": "A service worker without a manifest often means the PWA install surface is incomplete or inconsistent across devices."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Committed build outputs and caches make scans slower, confuse duplicate-code checks, and give AI agents stale generated code to imitate."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. This can exfiltrate sessions when callback validation is incomplete."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/300"}, "properties": {"repository": "RabbyHub/Rabby", "repoUrl": "https://github.com/RabbyHub/Rabby", "branch": "develop"}, "results": [{"ruleId": "WEB012", "level": "warning", "message": {"text": "Service worker is present without a web app manifest"}, "properties": {"repobilityId": 9532, "scanner": "repobility-web-presence", "fingerprint": "fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A service worker was discovered but no common web manifest file was found.", "evidence": {"rule_id": "WEB012", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/Manifest"], "correlation_key": "fp|fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifest.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 9531, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 9530, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 9522, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js", "Koa"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 9521, "scanner": "repobility-threat-engine", "fingerprint": "632b36de9416ebb623b3bc9215384f82e425a8a0cf4df56e54f09e906b8b6fb5", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|632b36de9416ebb623b3bc9215384f82e425a8a0cf4df56e54f09e906b8b6fb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui/component/MiniSignV2/services/SignatureSteps.ts"}, "region": {"startLine": 558}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9513, "scanner": "repobility-ai-code-hygiene", "fingerprint": "68ad54daf7fa32c987f0a68f452f383573599a703035c26b0eb5d1bcf0760e07", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/ui/component/AccountSelector/AccountItem.tsx", "duplicate_line": 171, "correlation_key": "fp|68ad54daf7fa32c987f0a68f452f383573599a703035c26b0eb5d1bcf0760e07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui/component/AddressRiskAlert/index.tsx"}, "region": {"startLine": 150}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9512, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f419eda323383e1775f460c11f6cfa2126aaf860a8e03f4959af6d0c8d1d7ac", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/background/service/transactionBroadcastWatcher.ts", "duplicate_line": 142, "correlation_key": "fp|7f419eda323383e1775f460c11f6cfa2126aaf860a8e03f4959af6d0c8d1d7ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/background/service/transactionWatcher.ts"}, "region": {"startLine": 208}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9511, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3c1c8971505daeb57075f3ff2066441269efa14528860fe126c4b7a24a3a63a2", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/background/service/bridge.ts", "duplicate_line": 61, "correlation_key": "fp|3c1c8971505daeb57075f3ff2066441269efa14528860fe126c4b7a24a3a63a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/background/service/swap.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9510, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dbb6ed3e6aaa26d8c6eb716bbb029cc265799b43aa188694e3308d04de7aaace", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/background/service/keyring/eth-bitbox02-keyring/bitbox02-offscreen-bridge.ts", "duplicate_line": 131, "correlation_key": "fp|dbb6ed3e6aaa26d8c6eb716bbb029cc265799b43aa188694e3308d04de7aaace"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/background/service/keyring/eth-onekey-keyring/onekey-offscreen-bridge.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9509, "scanner": "repobility-ai-code-hygiene", "fingerprint": "46fcc33c9552c0ffc40084ab30642747672eb49d58d275388fd6a7277cfad569", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/background/service/keyring/eth-bitbox02-keyring/eth-bitbox02-keyring.ts", "duplicate_line": 135, "correlation_key": "fp|46fcc33c9552c0ffc40084ab30642747672eb49d58d275388fd6a7277cfad569"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/background/service/keyring/eth-onekey-keyring/eth-onekey-keyring.ts"}, "region": {"startLine": 347}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9508, "scanner": "repobility-ai-code-hygiene", "fingerprint": "67097a56549487f815d9bd7d2cc0b78eb6afdd5908494b84d7e1c365cb94d7ce", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/background/service/keyring/eth-imkey-keyring/eth-imkey-keyring.ts", "duplicate_line": 127, "correlation_key": "fp|67097a56549487f815d9bd7d2cc0b78eb6afdd5908494b84d7e1c365cb94d7ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/background/service/keyring/eth-onekey-keyring/eth-onekey-keyring.ts"}, "region": {"startLine": 276}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9507, "scanner": "repobility-ai-code-hygiene", "fingerprint": "42b6b1a4e04f98626d1ef07c3f31c3d4863ec8dc9c0c45410f8b53c8ffcfe984", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/background/service/keyring/eth-lattice-keyring/eth-lattice-keyring.ts", "duplicate_line": 96, "correlation_key": "fp|42b6b1a4e04f98626d1ef07c3f31c3d4863ec8dc9c0c45410f8b53c8ffcfe984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/background/service/keyring/eth-ledger-keyring.ts"}, "region": {"startLine": 506}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9506, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e19704b6d6a39a3e9411e540518c87103cdeefec55a5876df982b34a19e32e9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/background/service/keyring/eth-imkey-keyring/eth-imkey-keyring.ts", "duplicate_line": 203, "correlation_key": "fp|4e19704b6d6a39a3e9411e540518c87103cdeefec55a5876df982b34a19e32e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/background/service/keyring/eth-ledger-keyring.ts"}, "region": {"startLine": 214}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9505, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5202096c96ebcfb70da072065883a7740b4345af13c6546922b92c21bbb0e18f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/background/service/keyring/eth-bitbox02-keyring/bitbox02-offscreen-bridge.ts", "duplicate_line": 131, "correlation_key": "fp|5202096c96ebcfb70da072065883a7740b4345af13c6546922b92c21bbb0e18f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/background/service/keyring/eth-imkey-keyring/imkey-offscreen-bridge.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9504, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e8d15f3e9aa53e5842c8d79ae2d872f166a5316b88d794b583ab7a659b3bd08f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/background/service/keyring/eth-bitbox02-keyring/eth-bitbox02-keyring.ts", "duplicate_line": 135, "correlation_key": "fp|e8d15f3e9aa53e5842c8d79ae2d872f166a5316b88d794b583ab7a659b3bd08f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/background/service/keyring/eth-imkey-keyring/eth-imkey-keyring.ts"}, "region": {"startLine": 198}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9503, "scanner": "repobility-ai-code-hygiene", "fingerprint": "022033f8ec26afdee6bf03dde03507280b8457b08a1a69ce7f2a17e02368ea88", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/background/service/keyring/eth-cobo-argus-keyring.ts", "duplicate_line": 59, "correlation_key": "fp|022033f8ec26afdee6bf03dde03507280b8457b08a1a69ce7f2a17e02368ea88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/background/service/keyring/eth-gnosis-keyring.ts"}, "region": {"startLine": 272}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9502, "scanner": "repobility-ai-code-hygiene", "fingerprint": "561076df5fcd58ed655710a8bf743c52ece3f9a325256ee5f2c2aadd89435c19", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/background/service/keyring/eth-bitbox02-keyring/bitbox02-bridge.ts", "duplicate_line": 10, "correlation_key": "fp|561076df5fcd58ed655710a8bf743c52ece3f9a325256ee5f2c2aadd89435c19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/background/service/keyring/eth-bitbox02-keyring/bitbox02-offscreen-bridge.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 9529, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 9528, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 9527, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 9526, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 9501, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "build", "references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 9520, "scanner": "repobility-threat-engine", "fingerprint": "7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9519, "scanner": "repobility-threat-engine", "fingerprint": "cfc9e674f2b25d4b9b56c35980f6ea054be182abc30d0d045decc10b77cde59a", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|42|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui/models/createMnemonics.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9518, "scanner": "repobility-threat-engine", "fingerprint": "1e113cee3a926e08366de71ff0f16c77aa356912202aa42e4fcc3124a99af984", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|365|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui/utils/sendTransaction.ts"}, "region": {"startLine": 365}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9517, "scanner": "repobility-threat-engine", "fingerprint": "c9f2e0411d491391813fe6a12be4a61b00b9fdfa12dbdde7c7a7980d1ff6e6b0", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|112|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui/utils/iframeBridge.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9516, "scanner": "repobility-threat-engine", "fingerprint": "99325eca291ec972a18b3b9406b90157def4e8d8ec24f062fac0e8b450aacbe4", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('[MiniSign] setLastTimeSendToken error', error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|85|console.error minisign setlasttimesendtoken error error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui/views/SendToken/index.tsx"}, "region": {"startLine": 859}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9515, "scanner": "repobility-threat-engine", "fingerprint": "b2870c02b2c9ca9023666d70e1e64f8710af70bb89bc5cf1677acb3c5cc275b1", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('Failed to fetch token categories:', error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/ui/models/perps.ts|127|console.error failed to fetch token categories: error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui/models/perps.ts"}, "region": {"startLine": 1271}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9514, "scanner": "repobility-threat-engine", "fingerprint": "8b18ed454c283c488aadac8f622f26de366d56b5b78510dd4a3da78ba1ce6e38", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('checkTokenDepositForbidden error', error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|27|console.error checktokendepositforbidden error error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui/hooks/useAddressRisk.ts"}, "region": {"startLine": 275}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 9525, "scanner": "repobility-journey-contract", "fingerprint": "7bd8d579d268907f41afd304ff76e9c28923f70aa0894496ac45916f5e524851", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|201|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui/views/BiometricUnlockSetup/index.tsx"}, "region": {"startLine": 201}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 9524, "scanner": "repobility-journey-contract", "fingerprint": "5fd3c002e684829e37314516f69bc67ba9d53e44675e92d1694713220980b2e0", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|164|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui/views/DesktopProfile/components/TokensTabPane/TokenItem.tsx"}, "region": {"startLine": 164}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 9523, "scanner": "repobility-journey-contract", "fingerprint": "8d7728479850ee9023d328c1422ab6fcd53e583990ce7475262766cd3c278ed8", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|74|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui/views/DesktopProfile/components/TokensTabPane/TokenItem.tsx"}, "region": {"startLine": 74}}}]}]}]}