{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9jgg-88mc-972h", "name": "webpack-dev-server: GHSA-9jgg-88mc-972h", "shortDescription": {"text": "webpack-dev-server: GHSA-9jgg-88mc-972h"}, 
"fullDescription": {"text": "webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-79cf-xcqc-c78w", "name": "webpack-dev-server: GHSA-79cf-xcqc-c78w", "shortDescription": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "fullDescription": {"text": "webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4v9v-hfq4-rm2v", "name": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v", "shortDescription": {"text": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v"}, "fullDescription": {"text": "webpack-dev-server users' source code may be stolen when they access a malicious web site"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9jcx-v3wj-wh4m", "name": "react-router: GHSA-9jcx-v3wj-wh4m", "shortDescription": {"text": "react-router: GHSA-9jcx-v3wj-wh4m"}, "fullDescription": {"text": "React Router has unexpected external redirect via untrusted paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": 
{"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7fh5-64p2-3v2j", "name": "postcss: GHSA-7fh5-64p2-3v2j", "shortDescription": {"text": "postcss: GHSA-7fh5-64p2-3v2j"}, "fullDescription": {"text": "PostCSS line return parsing error"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-968p-4wvh-cqc8", "name": "@babel/runtime-corejs2: GHSA-968p-4wvh-cqc8", "shortDescription": {"text": "@babel/runtime-corejs2: GHSA-968p-4wvh-cqc8"}, "fullDescription": {"text": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a 
healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC014", "name": "Database data bind mount is inside the Docker build context", "shortDescription": {"text": "Database data bind mount is inside the Docker build context"}, "fullDescription": {"text": "Keeping live database files under the repository/build context can leak data into Docker builds, slow context loading, and make accidental commits more likely."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `db` image uses the latest tag", "shortDescription": {"text": "Compose service `db` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `wordpress` image has no explicit tag", "shortDescription": {"text": "Compose service `wordpress` image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": 
"DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. 
The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. 
If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@wordpress/data-controls` is 2 major version(s) behind (2.2.8 -> 4.48.0)", "shortDescription": {"text": "npm package `@wordpress/data-controls` is 2 major version(s) behind (2.2.8 -> 4.48.0)"}, "fullDescription": {"text": "`@wordpress/data-controls` is pinned/resolved at 2.2.8 but the latest stable release on the npm registry is 4.48.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "A file created as a fixed/new/final/copy variant is not referenced by imports or path-like strings in the rest of the repository. 
This is a strong sign that an agent produced code beside the active application path."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "GHSA-8fgc-7cc6-rx7x", "name": "webpack: GHSA-8fgc-7cc6-rx7x", "shortDescription": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "fullDescription": {"text": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38r7-794h-5758", "name": "webpack: GHSA-38r7-794h-5758", "shortDescription": {"text": "webpack: GHSA-38r7-794h-5758"}, "fullDescription": {"text": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects \u2192 SSRF + cache persistence"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-73rr-hh4g-fpgx", "name": "diff: GHSA-73rr-hh4g-fpgx", "shortDescription": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "fullDescription": {"text": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": 
"brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image 
layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "Package indexes increase image size and can expose stale metadata in the final image layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials 
or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. 
"Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-3h5v-q93c-6h6q", "name": "ws: GHSA-3h5v-q93c-6h6q", "shortDescription": {"text": "ws: GHSA-3h5v-q93c-6h6q"}, "fullDescription": {"text": "ws affected by a DoS when handling a request with many HTTP headers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2qf-rxjj-qqgw", "name": "semver: GHSA-c2qf-rxjj-qqgw", "shortDescription": {"text": "semver: GHSA-c2qf-rxjj-qqgw"}, "fullDescription": {"text": "semver vulnerable to Regular Expression Denial of Service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-37ch-88jc-xwx2", "name": "path-to-regexp: GHSA-37ch-88jc-xwx2", "shortDescription": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "fullDescription": {"text": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4q6p-r6v2-jvc5", "name": "get-func-name: GHSA-4q6p-r6v2-jvc5", "shortDescription": {"text": "get-func-name: GHSA-4q6p-r6v2-jvc5"}, "fullDescription": {"text": "Chaijs/get-func-name vulnerable to ReDoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rpmf-866q-6p89", "name": "basic-ftp: GHSA-rpmf-866q-6p89", "shortDescription": {"text": "basic-ftp: 
GHSA-rpmf-866q-6p89"}, "fullDescription": {"text": "basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC043", "name": "[SEC043] Secret stored in Odoo ir.config_parameter \u2014 broadly readable: ir.config_parameter is readable by any user with ", "shortDescription": {"text": "[SEC043] Secret stored in Odoo ir.config_parameter \u2014 broadly readable: ir.config_parameter is readable by any user with read access on the model \u2014 typically all internal users. 
Storing API keys, OAuth client secrets, or passwords there mean"}, "fullDescription": {"text": "Move to environment variables (loaded at server start, not in DB):\n  api_key = os.environ.get('STRIPE_API_KEY')\nOr use Odoo's dedicated 'res.config.settings' with restricted ACL:\n  - Set groups='base.group_system' on the field\n  - Use sudo() reads only from server-trusted code paths\nOr a secrets-manager (HashiCorp Vault, AWS Secrets Manager) with a thin Odoo client that fetches at runtime."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. 
The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `wordpress:php7.4` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `wordpress:php7.4` not pinned by digest"}, "fullDescription": {"text": "`FROM wordpress:php7.4` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "stripe-access-token", "name": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.", "shortDescription": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "curl-auth-user", "name": "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed re", "shortDescription": {"text": "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.SLACK_WEBHOOK_URL` on a 
`pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.SLACK_WEBHOOK_URL }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1080"}, "properties": {"repository": "woocommerce/woocommerce-gateway-stripe", "repoUrl": "https://github.com/woocommerce/woocommerce-gateway-stripe", "branch": "develop"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 106187, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 106186, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": 
"likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 106181, "scanner": "osv-scanner", "fingerprint": "f23c81ca1bf7793083d58c8b09cd6bf208ab392998a2d9a3bb3322561a728d6b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 106180, "scanner": "osv-scanner", "fingerprint": "1b788fa8525382946c739270c1849aaa868327cf2c4216daf211eef3de5db45b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-9jgg-88mc-972h", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-9jgg-88mc-972h"}, "properties": {"repobilityId": 106178, "scanner": "osv-scanner", "fingerprint": "d1a28b9a042bfc28a4ab9f84493472aa0ceb149446ec763c2df92095c044b8b2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-30360"], "package": "webpack-dev-server", "rule_id": "GHSA-9jgg-88mc-972h", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2025-30360|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-79cf-xcqc-c78w", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "properties": {"repobilityId": 106177, "scanner": "osv-scanner", "fingerprint": "684ef2e955258e7ac9b018cb59a57c756fefce7f72ddc2b844d92be26a1b10c6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6402"], "package": "webpack-dev-server", "rule_id": "GHSA-79cf-xcqc-c78w", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2026-6402|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4v9v-hfq4-rm2v", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v"}, "properties": {"repobilityId": 106176, "scanner": "osv-scanner", "fingerprint": "ff91999a7dfcd5c4d0e3c337ae3504cc71277a5f5fccbb3765123bbe5580d7f8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-30359"], "package": "webpack-dev-server", 
"rule_id": "GHSA-4v9v-hfq4-rm2v", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2025-30359|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 106173, "scanner": "osv-scanner", "fingerprint": "2f6e44d3056f0549be14ae43b720d756ca97d735468761433ea29a9ddf340eaa", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9jcx-v3wj-wh4m", "level": "warning", "message": {"text": "react-router: GHSA-9jcx-v3wj-wh4m"}, "properties": {"repobilityId": 106171, "scanner": "osv-scanner", "fingerprint": "7d92006494cbe7746af396ad02b8869c0ad803779902be41019605fdc03c09cb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68470"], "package": "react-router", "rule_id": "GHSA-9jcx-v3wj-wh4m", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2025-68470|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 106170, "scanner": "osv-scanner", "fingerprint": "33aa829b4458c5ef73d832c9e568cf3032217bd31f4b18cc6a572d90111a50bb", "category": "dependency", 
"severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7fh5-64p2-3v2j", "level": "warning", "message": {"text": "postcss: GHSA-7fh5-64p2-3v2j"}, "properties": {"repobilityId": 106169, "scanner": "osv-scanner", "fingerprint": "10ed0be82059e97c27fa0390e21b9e11a083bbd4fe100bff5e00c3725d08fa51", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-44270"], "package": "postcss", "rule_id": "GHSA-7fh5-64p2-3v2j", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2023-44270|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 106164, "scanner": "osv-scanner", "fingerprint": "e8eb0ab1ffbb15b3b127c7436af364aa04d69dbc42fb22d21fcb4f304d428269", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: 
GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 106162, "scanner": "osv-scanner", "fingerprint": "b6e4ab66cc3522d009fa9b7b4cb49ad3d9a60843a6d25559c80bbc6b5b65b8d7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/runtime-corejs2: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 106161, "scanner": "osv-scanner", "fingerprint": "7fbf19bc5d8e11a0fd170b5ff1f3d5f3cf6bfbeb572bc853c4248843024194f4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/runtime-corejs2", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": "vuln|babel/runtime-corejs2|CVE-2025-27789|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-968p-4wvh-cqc8", "level": "warning", "message": {"text": "@babel/runtime: GHSA-968p-4wvh-cqc8"}, "properties": {"repobilityId": 106160, "scanner": "osv-scanner", "fingerprint": "1a021c51241fa6b167e8ea883b0ad2124ec3f45610123342d66941a8ba97193b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27789"], "package": "@babel/runtime", "rule_id": "GHSA-968p-4wvh-cqc8", "scanner": "osv-scanner", "correlation_key": 
"vuln|babel/runtime|CVE-2025-27789|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 106132, "scanner": "repobility-docker", "fingerprint": "ea487931b8d625e82496cc3a2ddda1849d9b22cc34018e0d942fb1735f81abf9", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ea487931b8d625e82496cc3a2ddda1849d9b22cc34018e0d942fb1735f81abf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/env/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 106131, "scanner": "repobility-docker", "fingerprint": "990aab0464d823c3e46cdc0b3c4b3bf02df2b0a179df6ae61e8cc9bd67f83ba1", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./docker/data", "target": "/var/lib/mysql", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|990aab0464d823c3e46cdc0b3c4b3bf02df2b0a179df6ae61e8cc9bd67f83ba1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/env/docker-compose.yml"}, 
"region": {"startLine": 33}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `db` image uses the latest tag"}, "properties": {"repobilityId": 106129, "scanner": "repobility-docker", "fingerprint": "7b63c23ecd273718512799c74cc7c489115bdf99a8a6f60468bc2a456506bc80", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "mariadb:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7b63c23ecd273718512799c74cc7c489115bdf99a8a6f60468bc2a456506bc80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/env/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `wordpress` image has no explicit tag"}, "properties": {"repobilityId": 106125, "scanner": "repobility-docker", "fingerprint": "e22a56e5bff10811207c64739ebd847e7099f6a6361493e83ef01277edb1abcb", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "wordpress", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e22a56e5bff10811207c64739ebd847e7099f6a6361493e83ef01277edb1abcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/env/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `stripe` image has 
no explicit tag"}, "properties": {"repobilityId": 106124, "scanner": "repobility-docker", "fingerprint": "7cece5d8749f9dbdbb8824ca7d08f35a690182a94f18d5e7bf36b00c05197f6f", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "stripe/stripe-cli", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7cece5d8749f9dbdbb8824ca7d08f35a690182a94f18d5e7bf36b00c05197f6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/env/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 106120, "scanner": "repobility-docker", "fingerprint": "d9829866185263ca9b8b9189a1bf37fc197d01c9fe19be6463312ea66289d997", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "wordpress:php7.4", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d9829866185263ca9b8b9189a1bf37fc197d01c9fe19be6463312ea66289d997"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/env/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 106117, "scanner": 
"repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 106116, "scanner": "repobility-docker", "fingerprint": "df5da3449167bf6896cfe3d985ae5bdacb3a342a0bf7f460e4ccd4b53fc846a3", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "wordpress:php7.4", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|df5da3449167bf6896cfe3d985ae5bdacb3a342a0bf7f460e4ccd4b53fc846a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/wordpress_xdebug/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 106113, "scanner": "repobility-threat-engine", "fingerprint": "15e8ca53741c1f90a40679f5560de0a267f55de2052f7c3cdd05394967eb3de1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|tasks/release.js|49|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tasks/release.js"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 106112, "scanner": "repobility-threat-engine", "fingerprint": "160bf361518e5e918ead8402cf893a5f91da9b0e7180a1732e82ac185e13cafe", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://docs.stripe.com/testing?payment-method=sepa-direct-debit#non-card-payments\" target=", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|124|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/payment-methods/class-wc-stripe-upe-payment-method-sepa.php"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 106111, "scanner": "repobility-threat-engine", "fingerprint": "872d7d108afb13cb1eeccff1643f959addcfc26f74a403b4c1f8e6aed29fe8c2", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://docs.stripe.com/testing\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|145|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/payment-methods/class-wc-stripe-upe-payment-method-cc.php"}, "region": {"startLine": 145}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 106105, "scanner": "repobility-threat-engine", "fingerprint": "fea1799dcc3fe223622dd34a2835db08695d20e1d8757e98dd9803c177a51604", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch( () => {} )", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fea1799dcc3fe223622dd34a2835db08695d20e1d8757e98dd9803c177a51604"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/stripe-utils/copy-test-number.js"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning 
window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 106089, "scanner": "repobility-threat-engine", "fingerprint": "46c3ff64f452422e5d58d06d2143c6a8566fbc15881e13117e56683466497163", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.location = redirectURL", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|46c3ff64f452422e5d58d06d2143c6a8566fbc15881e13117e56683466497163"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/classic/upe/legacy-support.js"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 106088, "scanner": "repobility-threat-engine", "fingerprint": "ae8dfcb25ba26faf2b18c1bb51e759746722714a9e5a1421bf82eeebd7c18169", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.location = redirectUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ae8dfcb25ba26faf2b18c1bb51e759746722714a9e5a1421bf82eeebd7c18169"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/classic/upe/index.js"}, "region": {"startLine": 264}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 106087, "scanner": "repobility-threat-engine", "fingerprint": "f3877e0bea870406d367fc69e7e1d8caed8c194a56775e622b6a83609e0a071f", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.location = redirectUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f3877e0bea870406d367fc69e7e1d8caed8c194a56775e622b6a83609e0a071f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/blocks/express-checkout/hooks.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@wordpress/data-controls` is 2 major version(s) behind (2.2.8 -> 4.48.0)"}, "properties": {"repobilityId": 106081, "scanner": "repobility-dependency-currency", "fingerprint": "9b532c6759b2fd34ef77deaf1ad6d527c1598ebefa9a2dcea9eb070805a3e74f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@wordpress/data-controls", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.48.0", "correlation_key": "fp|9b532c6759b2fd34ef77deaf1ad6d527c1598ebefa9a2dcea9eb070805a3e74f", "current_version": "2.2.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@wordpress/data` is 1 major version(s) behind (9.28.0 -> 10.48.0)"}, "properties": {"repobilityId": 106080, "scanner": 
"repobility-dependency-currency", "fingerprint": "e4957e994d1dfd7c9cb68e1d3f6c66f2098b89001f3393d61a5a9b9ed632f92c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@wordpress/data", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.48.0", "correlation_key": "fp|e4957e994d1dfd7c9cb68e1d3f6c66f2098b89001f3393d61a5a9b9ed632f92c", "current_version": "9.28.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@wordpress/components` is 10 major version(s) behind (25.16.0 -> 35.0.0)"}, "properties": {"repobilityId": 106079, "scanner": "repobility-dependency-currency", "fingerprint": "d1a171c6f6d636b89484b86ee73260fc52a329e5f8f56402ee126bea823ca2a8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "10 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@wordpress/components", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "35.0.0", "correlation_key": "fp|d1a171c6f6d636b89484b86ee73260fc52a329e5f8f56402ee126bea823ca2a8", "current_version": "25.16.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@wordpress/base-styles` is 3 major version(s) behind (6.7.0 -> 9.1.0)"}, "properties": {"repobilityId": 106078, "scanner": "repobility-dependency-currency", "fingerprint": "09a681a81cb2d34c0bf76ecf6c5e458f931345eb36b366706cff72918d0269d4", 
"category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@wordpress/base-styles", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.1.0", "correlation_key": "fp|09a681a81cb2d34c0bf76ecf6c5e458f931345eb36b366706cff72918d0269d4", "current_version": "6.7.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@wordpress/babel-preset-default` is 2 major version(s) behind (6.17.0 -> 8.48.0)"}, "properties": {"repobilityId": 106077, "scanner": "repobility-dependency-currency", "fingerprint": "4918d1a01faefd4632bf95617f64a75ccabba086f89227348c0b8e1a83df59d8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@wordpress/babel-preset-default", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.48.0", "correlation_key": "fp|4918d1a01faefd4632bf95617f64a75ccabba086f89227348c0b8e1a83df59d8", "current_version": "6.17.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@wordpress/babel-plugin-makepot` is 2 major version(s) behind (4.2.0 -> 6.48.0)"}, "properties": {"repobilityId": 106076, "scanner": "repobility-dependency-currency", "fingerprint": "aafef49d29c6fef4d0e86a155d11bb27174403aedb7cd8f2b2c82ba2e7ed5deb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@wordpress/babel-plugin-makepot", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.48.0", "correlation_key": "fp|aafef49d29c6fef4d0e86a155d11bb27174403aedb7cd8f2b2c82ba2e7ed5deb", "current_version": "4.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@wordpress/api-fetch` is 2 major version(s) behind (5.2.6 -> 7.48.0)"}, "properties": {"repobilityId": 106075, "scanner": "repobility-dependency-currency", "fingerprint": "36e20e03aa709dd70852fc1a7356175cd5787098a7e7a3cd064f2f41a787e0e3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@wordpress/api-fetch", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.48.0", "correlation_key": "fp|36e20e03aa709dd70852fc1a7356175cd5787098a7e7a3cd064f2f41a787e0e3", "current_version": "5.2.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@woocommerce/dependency-extraction-webpack-plugin` is 1 major version(s) behind (3.1.0 -> 4.0.0)"}, "properties": {"repobilityId": 106073, "scanner": "repobility-dependency-currency", "fingerprint": "9dcdf8f2f6058852bf2874e54f354680f7739b085cec21a3e8ff041ffd9a5e44", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) 
behind", "signal": "currency", "cwe_ids": [], "package": "@woocommerce/dependency-extraction-webpack-plugin", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.0", "correlation_key": "fp|9dcdf8f2f6058852bf2874e54f354680f7739b085cec21a3e8ff041ffd9a5e44", "current_version": "3.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/react-dom` is 1 major version(s) behind (18.3.7 -> 19.2.3)"}, "properties": {"repobilityId": 106072, "scanner": "repobility-dependency-currency", "fingerprint": "33dad5f4b4360d0cefb613eaa70f008882aa8ac481b08b89f11b5dd0b53f820e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/react-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "19.2.3", "correlation_key": "fp|33dad5f4b4360d0cefb613eaa70f008882aa8ac481b08b89f11b5dd0b53f820e", "current_version": "18.3.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@testing-library/user-event` is 1 major version(s) behind (13.5.0 -> 14.6.1)"}, "properties": {"repobilityId": 106071, "scanner": "repobility-dependency-currency", "fingerprint": "713c0a69ecd1dd23b9f4b82ed51c894668f3d12cb667383b474356948d4e1a2b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@testing-library/user-event", "scanner": 
"repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "14.6.1", "correlation_key": "fp|713c0a69ecd1dd23b9f4b82ed51c894668f3d12cb667383b474356948d4e1a2b", "current_version": "13.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@testing-library/react` is 2 major version(s) behind (14.3.1 -> 16.3.2)"}, "properties": {"repobilityId": 106070, "scanner": "repobility-dependency-currency", "fingerprint": "e62d5d9bace5aa68d877dfb155b4047f6b766487c2d7959385ffabdf87bb53bb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@testing-library/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "16.3.2", "correlation_key": "fp|e62d5d9bace5aa68d877dfb155b4047f6b766487c2d7959385ffabdf87bb53bb", "current_version": "14.3.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@testing-library/jest-dom` is 1 major version(s) behind (5.16.1 -> 6.9.1)"}, "properties": {"repobilityId": 106069, "scanner": "repobility-dependency-currency", "fingerprint": "4033e6459c84f493affa4014492a2d22bca02a4156ea5781d7db3fa9f84ee868", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@testing-library/jest-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.9.1", 
"correlation_key": "fp|4033e6459c84f493affa4014492a2d22bca02a4156ea5781d7db3fa9f84ee868", "current_version": "5.16.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@automattic/color-studio` is 2 major version(s) behind (2.5.0 -> 4.1.0)"}, "properties": {"repobilityId": 106062, "scanner": "repobility-dependency-currency", "fingerprint": "57dc96d7649c448fb24c474ac56e79f572282318c310a944165337b131ed37a4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@automattic/color-studio", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.0", "correlation_key": "fp|57dc96d7649c448fb24c474ac56e79f572282318c310a944165337b131ed37a4", "current_version": "2.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@wordpress/html-entities` is 1 major version(s) behind (3.58.0 -> 4.48.0)"}, "properties": {"repobilityId": 106060, "scanner": "repobility-dependency-currency", "fingerprint": "e1eb9e687d535563ca908519550d5ec992838e3512525a67169fff9d8b2b97dc", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@wordpress/html-entities", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.48.0", "correlation_key": "fp|e1eb9e687d535563ca908519550d5ec992838e3512525a67169fff9d8b2b97dc", "current_version": 
"3.58.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@stripe/stripe-js` is 1 major version(s) behind (8.6.0 -> 9.7.0)"}, "properties": {"repobilityId": 106059, "scanner": "repobility-dependency-currency", "fingerprint": "a832e3056968264dafcf027790626d097d1a48343e9c9046badc2da51ef644c2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@stripe/stripe-js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.7.0", "correlation_key": "fp|a832e3056968264dafcf027790626d097d1a48343e9c9046badc2da51ef644c2", "current_version": "8.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@stripe/react-stripe-js` is 1 major version(s) behind (5.4.1 -> 6.6.0)"}, "properties": {"repobilityId": 106058, "scanner": "repobility-dependency-currency", "fingerprint": "4912043637527c607613ed3801e922401c232385c0ca82489cdc8a9efb3baf88", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@stripe/react-stripe-js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.6.0", "correlation_key": "fp|4912043637527c607613ed3801e922401c232385c0ca82489cdc8a9efb3baf88", "current_version": "5.4.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 105994, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6e2a37ef376dd9b7b5b1b7d97dfa856ee516989eff40531149e0d458d8960e29", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|6e2a37ef376dd9b7b5b1b7d97dfa856ee516989eff40531149e0d458d8960e29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/compat/class-wc-stripe-subscriptions-legacy-sepa-token-update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 106185, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 106184, "scanner": "repobility-web-presence", "fingerprint": 
"cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 106183, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 106182, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": 
"repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8fgc-7cc6-rx7x", "level": "note", "message": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "properties": {"repobilityId": 106175, "scanner": "osv-scanner", "fingerprint": "885831ec9a185235867071859b61a882e0ef92e6f19d618957bda24e6b9a1eff", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68458"], "package": "webpack", "rule_id": "GHSA-8fgc-7cc6-rx7x", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68458|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38r7-794h-5758", "level": "note", "message": {"text": "webpack: GHSA-38r7-794h-5758"}, "properties": {"repobilityId": 106174, "scanner": "osv-scanner", "fingerprint": "cb693bda54a38b47305c57915d671e4fec7e8595eb17860c0919230b8f1f3165", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68157"], "package": "webpack", "rule_id": "GHSA-38r7-794h-5758", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68157|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 106166, "scanner": "osv-scanner", "fingerprint": 
"2405e68ce7f62e11671ae9eb41fe554f754a22acc3d904b80f3e56e6f25eadd6", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 106165, "scanner": "osv-scanner", "fingerprint": "3b771ed61f472eab02b4c9eb792b38e138cfec35c8ab51f877acaaca0e374b2d", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 106128, "scanner": "repobility-docker", "fingerprint": "d95ef500ee6bcdb6c00a75d8f031a366b351ff3a99e9872e765755216f436087", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "wordpress", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": 
"fp|d95ef500ee6bcdb6c00a75d8f031a366b351ff3a99e9872e765755216f436087", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/env/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 106127, "scanner": "repobility-docker", "fingerprint": "84e3f1a453a58ec072b091e50659ad8fa27b0a5b353af97a487dd11692cbb126", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "wordpress", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|84e3f1a453a58ec072b091e50659ad8fa27b0a5b353af97a487dd11692cbb126"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/env/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 106126, "scanner": "repobility-docker", "fingerprint": "80b78dd29bf188f96c0923ad1f9dd13b9b00be0e4b701e72053769fc12de1dfe", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "wordpress", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|80b78dd29bf188f96c0923ad1f9dd13b9b00be0e4b701e72053769fc12de1dfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"tests/e2e/env/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 106123, "scanner": "repobility-docker", "fingerprint": "7182cc491df4593669d0d78a00fb910b19a9ed29d037d9fdc24cc507ef2e291b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "wordpress", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7182cc491df4593669d0d78a00fb910b19a9ed29d037d9fdc24cc507ef2e291b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 106122, "scanner": "repobility-docker", "fingerprint": "7b13b229b4a10fb67971aac197601c8c2bc2f1ea03714476604e7dd76377fcbe", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "wordpress", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7b13b229b4a10fb67971aac197601c8c2bc2f1ea03714476604e7dd76377fcbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 106119, "scanner": 
"repobility-docker", "fingerprint": "dd08cb4a28864d1251cdb36fcad9a261683937ce21c481c57db29863ca441d8e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|dd08cb4a28864d1251cdb36fcad9a261683937ce21c481c57db29863ca441d8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/env/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 106118, "scanner": "repobility-docker", "fingerprint": "d044419ae183c90e0197a236f7a4a6dc960826d737f8c8583f160064cf94be0a", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d044419ae183c90e0197a236f7a4a6dc960826d737f8c8583f160064cf94be0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/env/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 106115, "scanner": "repobility-docker", "fingerprint": "32a7924291eb63e79b8ce07a9b028d0e008d7c16bb2d4e5cd0669c42c0a9fc0e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without 
--no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|32a7924291eb63e79b8ce07a9b028d0e008d7c16bb2d4e5cd0669c42c0a9fc0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/wordpress_xdebug/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 106114, "scanner": "repobility-docker", "fingerprint": "209c714d4e324c5850abd8ee6f1de6b9cf9cf3286ec5aa64d11bca194fa656b3", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|209c714d4e324c5850abd8ee6f1de6b9cf9cf3286ec5aa64d11bca194fa656b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/wordpress_xdebug/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 106104, "scanner": "repobility-threat-engine", "fingerprint": "6ca89c6b9f2441f7e0a9ff890a8fe75c63370dd17502eab5c006e0fb2aaed0cc", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'All done: Release is built in the ' + releaseFolder + ' folder.'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6ca89c6b9f2441f7e0a9ff890a8fe75c63370dd17502eab5c006e0fb2aaed0cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tasks/release.js"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 106103, "scanner": "repobility-threat-engine", "fingerprint": "f3f7d29a718883dba34133093942cfaa9fefd79c708a1abb9e3b5c163aee3cce", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'<emphasize>' +\n\t\t\t\tadaptivePricingUnavailableText +\n\t\t\t\t'</emphasize>'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f3f7d29a718883dba34133093942cfaa9fefd79c708a1abb9e3b5c163aee3cce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/settings/advanced-settings-section/optimized-checkout-feature.js"}, "region": {"startLine": 146}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 106098, "scanner": "repobility-threat-engine", "fingerprint": "91ad48c3692c25468f2eca9eaa673335bb8edd88555bbdccfb9b583890e169fb", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = l", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|44|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/blocks/upe/token-label-updater.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm 
package `@woocommerce/eslint-plugin` is minor version(s) behind (2.2.0 -> 2.3.0)"}, "properties": {"repobilityId": 106074, "scanner": "repobility-dependency-currency", "fingerprint": "0710fbab6e66e2fdf14f6ef2a2ff4c256be19cb8ae5c0f71d8eb1d38b5ce3fee", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@woocommerce/eslint-plugin", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.3.0", "correlation_key": "fp|0710fbab6e66e2fdf14f6ef2a2ff4c256be19cb8ae5c0f71d8eb1d38b5ce3fee", "current_version": "2.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@emotion/styled` is minor version(s) behind (11.3.0 -> 11.14.1)"}, "properties": {"repobilityId": 106068, "scanner": "repobility-dependency-currency", "fingerprint": "fb6ef4f212ce497739b9c6ee3bc542bac34f296c693990a3de01ee682a87bedd", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@emotion/styled", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.14.1", "correlation_key": "fp|fb6ef4f212ce497739b9c6ee3bc542bac34f296c693990a3de01ee682a87bedd", "current_version": "11.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@emotion/react` is minor version(s) behind (11.4.1 -> 11.14.0)"}, "properties": {"repobilityId": 106067, "scanner": 
"repobility-dependency-currency", "fingerprint": "866ac5655b9753f7b8f0131f96e4f60a6863a4b90b01bc3e28a7660991a4c709", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@emotion/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.14.0", "correlation_key": "fp|866ac5655b9753f7b8f0131f96e4f60a6863a4b90b01bc3e28a7660991a4c709", "current_version": "11.4.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@emotion/babel-plugin` is minor version(s) behind (11.3.0 -> 11.13.5)"}, "properties": {"repobilityId": 106066, "scanner": "repobility-dependency-currency", "fingerprint": "d95dc0944feb455553bd492603d4b8d14ec517f48b22260c0b8a745838594dc8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@emotion/babel-plugin", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.13.5", "correlation_key": "fp|d95dc0944feb455553bd492603d4b8d14ec517f48b22260c0b8a745838594dc8", "current_version": "11.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/plugin-transform-optional-chaining` is minor version(s) behind (7.27.1 -> 7.29.7)"}, "properties": {"repobilityId": 106065, "scanner": "repobility-dependency-currency", "fingerprint": "98a7070dd7b1fccaa6fe59d1ddf907810464957affe244ae044a983f30775e46", 
"category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/plugin-transform-optional-chaining", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|98a7070dd7b1fccaa6fe59d1ddf907810464957affe244ae044a983f30775e46", "current_version": "7.27.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/eslint-parser` is minor version(s) behind (7.25.7 -> 7.29.7)"}, "properties": {"repobilityId": 106064, "scanner": "repobility-dependency-currency", "fingerprint": "79582f5d6f60690951b854c7eb44299abc6a64186d3b17d84758788fac249fe8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/eslint-parser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|79582f5d6f60690951b854c7eb44299abc6a64186d3b17d84758788fac249fe8", "current_version": "7.25.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@babel/core` is minor version(s) behind (7.28.3 -> 7.29.7)"}, "properties": {"repobilityId": 106063, "scanner": "repobility-dependency-currency", "fingerprint": "e1fa6036999ab95a242dd1dfbc34a5d6ae374180bf180d8859957b440921b40d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/core", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|e1fa6036999ab95a242dd1dfbc34a5d6ae374180bf180d8859957b440921b40d", "current_version": "7.28.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106024, "scanner": "repobility-ai-code-hygiene", "fingerprint": "356193c2d0d00e372c28ad46c7c9363262bd531d05f3e1052bbdeee98f2af11d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/payment-methods/class-wc-stripe-upe-payment-method-ach.php", "duplicate_line": 9, "correlation_key": "fp|356193c2d0d00e372c28ad46c7c9363262bd531d05f3e1052bbdeee98f2af11d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/payment-methods/class-wc-stripe-upe-payment-method-multibanco.php"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106023, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f55544c6f8ee5fc0a18251272f71ea355a461b4fdc038133c9dd1a4edf2f982a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/payment-methods/class-wc-stripe-upe-payment-method-alipay.php", "duplicate_line": 112, "correlation_key": "fp|f55544c6f8ee5fc0a18251272f71ea355a461b4fdc038133c9dd1a4edf2f982a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/payment-methods/class-wc-stripe-upe-payment-method-klarna.php"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106022, "scanner": "repobility-ai-code-hygiene", "fingerprint": "225f5f6e266d05c09d70b2a0b45d270e70a9e81711629ff2f7425c2dbdcfa81d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/payment-methods/class-wc-stripe-upe-payment-method-ach.php", "duplicate_line": 13, "correlation_key": "fp|225f5f6e266d05c09d70b2a0b45d270e70a9e81711629ff2f7425c2dbdcfa81d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/payment-methods/class-wc-stripe-upe-payment-method-alipay.php"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106021, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a8d8d3549bd306b7add04c9e0b1c55ea49b2617360d9c39b81c09f6249b26517", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/admin/class-wc-rest-stripe-settings-controller.php", "duplicate_line": 456, "correlation_key": "fp|a8d8d3549bd306b7add04c9e0b1c55ea49b2617360d9c39b81c09f6249b26517"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/class-wc-stripe-payment-method-configurations.php"}, "region": {"startLine": 304}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106020, "scanner": "repobility-ai-code-hygiene", "fingerprint": "acb42855122c6d550c252c741375f965543b910b369834b45bad525f8e6a61ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/agentic-commerce/class-wc-stripe-agentic-commerce-manual-approval.php", "duplicate_line": 35, "correlation_key": "fp|acb42855122c6d550c252c741375f965543b910b369834b45bad525f8e6a61ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/agentic-commerce/class-wc-stripe-agentic-commerce-tax-calculator.php"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106019, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7b0d6f0a50cc53892ccef23045a4f325413b8fdac6418b129bfe228b58d680c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-account-summary.php", "duplicate_line": 31, "correlation_key": "fp|e7b0d6f0a50cc53892ccef23045a4f325413b8fdac6418b129bfe228b58d680c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-payouts.php"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106018, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a11c304691b8fd8b863783966ffd0c94aa331c4d45f6991bdcb708b1f1e2d4c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-balance-transactions.php", "duplicate_line": 13, "correlation_key": "fp|0a11c304691b8fd8b863783966ffd0c94aa331c4d45f6991bdcb708b1f1e2d4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-payouts.php"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106017, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b700480427268e8c7f257f5859d5a29aa3ed604c7766985016734fcbbb459a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-account-summary.php", "duplicate_line": 31, "correlation_key": "fp|6b700480427268e8c7f257f5859d5a29aa3ed604c7766985016734fcbbb459a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-payout.php"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106016, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e9c97da53d8a01778ee49e01bc93a4b8e2ec98d45edcc565e9a3d381db2d99b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-balance-transactions.php", "duplicate_line": 57, "correlation_key": "fp|5e9c97da53d8a01778ee49e01bc93a4b8e2ec98d45edcc565e9a3d381db2d99b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-payout.php"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106015, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a24f9b2702888f86d4c1f6c9c42375ca4bcd59074f257006526eaed81a009572", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-account-summary.php", "duplicate_line": 31, "correlation_key": "fp|a24f9b2702888f86d4c1f6c9c42375ca4bcd59074f257006526eaed81a009572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-payment-intent.php"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106014, "scanner": "repobility-ai-code-hygiene", "fingerprint": "adb3096627ab1aca7ae5d8b0b350f062ab981b294cb5b4952bbd1cbc6ca36455", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-balance-transactions.php", "duplicate_line": 57, "correlation_key": "fp|adb3096627ab1aca7ae5d8b0b350f062ab981b294cb5b4952bbd1cbc6ca36455"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-payment-intent.php"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106013, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f277ab3e2c270b16a0d404d991d4024e03c1c2e234a2e788aa6831a7124d15cc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-account-summary.php", "duplicate_line": 31, "correlation_key": "fp|f277ab3e2c270b16a0d404d991d4024e03c1c2e234a2e788aa6831a7124d15cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-disputes.php"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106012, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d080f429a25ba6f66e97f2f00ae3d18192ff471cdb8d64d570a664333420d90a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-balance-transactions.php", "duplicate_line": 13, "correlation_key": "fp|d080f429a25ba6f66e97f2f00ae3d18192ff471cdb8d64d570a664333420d90a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-disputes.php"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106011, "scanner": "repobility-ai-code-hygiene", "fingerprint": "895de29ac884fb5aecebcc9b6656facd54f6661f15c4aa1f2399ddd6e1b85f08", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-account-summary.php", "duplicate_line": 31, "correlation_key": "fp|895de29ac884fb5aecebcc9b6656facd54f6661f15c4aa1f2399ddd6e1b85f08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-dispute.php"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106010, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a00f38df55a69848a0ce81795150e3f0ae4dba38dfd1c876aa5781b373f92164", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-balance-transactions.php", "duplicate_line": 57, "correlation_key": "fp|a00f38df55a69848a0ce81795150e3f0ae4dba38dfd1c876aa5781b373f92164"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-dispute.php"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106009, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e06a164a82692a4867155b464ea6772eff78c741ecc607dcbc810937bbf121e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-account-summary.php", "duplicate_line": 31, "correlation_key": "fp|5e06a164a82692a4867155b464ea6772eff78c741ecc607dcbc810937bbf121e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-charges.php"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106008, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5cf488624078b845af17f28851ee38940851efcc9744234fa5d84101982f23f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-balance-transactions.php", "duplicate_line": 13, "correlation_key": "fp|b5cf488624078b845af17f28851ee38940851efcc9744234fa5d84101982f23f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-charges.php"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106007, "scanner": "repobility-ai-code-hygiene", "fingerprint": "87dc2f45adbd357bb50011ce446fc4a730ffc28847f4930e2fc6232658517de3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-account-summary.php", "duplicate_line": 31, "correlation_key": "fp|87dc2f45adbd357bb50011ce446fc4a730ffc28847f4930e2fc6232658517de3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-charge.php"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106006, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a40bd57da0511ad4a0900ce3c7bcdcf91f63c031241ba9a2830235f2d9d984b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-balance-transactions.php", "duplicate_line": 57, "correlation_key": "fp|8a40bd57da0511ad4a0900ce3c7bcdcf91f63c031241ba9a2830235f2d9d984b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-charge.php"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106005, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7261695354d21b07a7bfbf0af25337f87c706a5ef381934b41e3374b303b3c23", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-account-summary.php", "duplicate_line": 31, "correlation_key": "fp|7261695354d21b07a7bfbf0af25337f87c706a5ef381934b41e3374b303b3c23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-balance.php"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106004, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c729f7d3f5a0b0bc5c8e206af55f3af2bb10ac66f41b5bfddfe0b704c9c8f2b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-balance-transactions.php", "duplicate_line": 59, "correlation_key": "fp|c729f7d3f5a0b0bc5c8e206af55f3af2bb10ac66f41b5bfddfe0b704c9c8f2b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-balance.php"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106003, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d49bffee2ccb64d9cfdf435eace91da49557edc63de5f8dde2081ca4573c9533", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "includes/abilities/domain/class-wc-stripe-ability-get-account-summary.php", "duplicate_line": 31, "correlation_key": "fp|d49bffee2ccb64d9cfdf435eace91da49557edc63de5f8dde2081ca4573c9533"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/abilities/domain/class-wc-stripe-ability-get-balance-transactions.php"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106002, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1da06678f0383d75865cba05b6abd8870a3d0ab17f38444ce05becce0ca2a8c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/classic/upe/index.js", "duplicate_line": 49, "correlation_key": "fp|d1da06678f0383d75865cba05b6abd8870a3d0ab17f38444ce05becce0ca2a8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/stripe-utils/utils.js"}, "region": {"startLine": 495}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106001, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a9bec770aa5307df92015689cdae60bd873524ff44216acd69ea35951c628982", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "client/settings/payment-settings/promotional-banner/ap-only-banner.js", "duplicate_line": 2, "correlation_key": "fp|a9bec770aa5307df92015689cdae60bd873524ff44216acd69ea35951c628982"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/settings/payment-settings/promotional-banner/ocs-only-banner.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106000, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf5a679257cb8fde9e35a76a3104090eae09efd4112c43cf0b9e1026b5482534", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/settings/payment-settings/promotional-banner/ap-only-banner.js", "duplicate_line": 2, "correlation_key": "fp|bf5a679257cb8fde9e35a76a3104090eae09efd4112c43cf0b9e1026b5482534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/settings/payment-settings/promotional-banner/ocs-ap-banner.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105999, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cfd75a03d9341ae4011f5755508546d380bdef4ae2d103ae01df00aa41f3c10a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "client/settings/optimized-checkout-notice/index.js", "duplicate_line": 39, "correlation_key": "fp|cfd75a03d9341ae4011f5755508546d380bdef4ae2d103ae01df00aa41f3c10a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/settings/payment-settings/promotional-banner/oc-promotion-banner.js"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105998, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f03a1c217f4fe9675bfeabd2e9f9afed4893dfbb98007ea236adbed35bd28b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/settings/payment-settings/promotional-banner/ap-only-banner.js", "duplicate_line": 60, "correlation_key": "fp|5f03a1c217f4fe9675bfeabd2e9f9afed4893dfbb98007ea236adbed35bd28b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/settings/payment-settings/promotional-banner/bnpl-promotion-banner.js"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105997, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7ce4b722f6c9ec2eb9818f9bf311d2a26956363acebea7d079e03d31bc1869c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "client/settings/general-settings-section/payment-method.js", "duplicate_line": 12, "correlation_key": "fp|e7ce4b722f6c9ec2eb9818f9bf311d2a26956363acebea7d079e03d31bc1869c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/settings/general-settings-section/payment-methods-list.js"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105996, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fdb13f523f3d7574fde4075c3dca162f748613c9bf4b0d87eaea567b2bb26a85", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/entrypoints/amazon-pay-settings/amazon-pay-settings-section.js", "duplicate_line": 18, "correlation_key": "fp|fdb13f523f3d7574fde4075c3dca162f748613c9bf4b0d87eaea567b2bb26a85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/entrypoints/express-checkout-settings/express-checkout-settings-section.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105995, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff10c375356f3722f95fab63923f78d41779ee9361fdf985553dffc1052b1f22", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "client/entrypoints/amazon-pay-settings/express-checkout-preview-component.js", "duplicate_line": 18, "correlation_key": "fp|ff10c375356f3722f95fab63923f78d41779ee9361fdf985553dffc1052b1f22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/entrypoints/express-checkout-settings/express-checkout-preview-component.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 105993, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1485e0d8a8e0d3d68215786c883be04c944f03306f3b9ffdd808d3f13fe37e88", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|1485e0d8a8e0d3d68215786c883be04c944f03306f3b9ffdd808d3f13fe37e88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/compat/class-wc-stripe-subscriptions-legacy-sepa-token-update.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 105992, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `wordpress` image is selected through a build variable"}, "properties": {"repobilityId": 106121, 
"scanner": "repobility-docker", "fingerprint": "e6911e0a4ef905b1e8dbcb7a17851f5bc80b5269ac501145f54c213f67174f28", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "wcstripe_wp_${WORKTREE_ID:-default}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e6911e0a4ef905b1e8dbcb7a17851f5bc80b5269ac501145f54c213f67174f28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 106109, "scanner": "repobility-threat-engine", "fingerprint": "3f739aa11d73227ef633b94bb1ee4a0022eb4aac112a5b3bee4257f127e10817", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f739aa11d73227ef633b94bb1ee4a0022eb4aac112a5b3bee4257f127e10817"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/admin/class-wc-rest-stripe-orders-controller.php"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded 
http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 106108, "scanner": "repobility-threat-engine", "fingerprint": "6477cd911e4c2444ad05bd9b4fabc6ec9fa49fda8503c55cb6b4cbc5062e4da5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6477cd911e4c2444ad05bd9b4fabc6ec9fa49fda8503c55cb6b4cbc5062e4da5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "woocommerce-gateway-stripe.php"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 106107, "scanner": "repobility-threat-engine", "fingerprint": "739ce1f1e809c661148eacb656675aef220c29caabacbf9ea758a6f528bc6e89", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|739ce1f1e809c661148eacb656675aef220c29caabacbf9ea758a6f528bc6e89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/class-wc-stripe-apple-pay-registration.php"}, 
"region": {"startLine": 39}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 106106, "scanner": "repobility-threat-engine", "fingerprint": "7bae615f01ebc00e6874ebeaf872604c334ef16f453f50f254c5d36b2513bbd1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7bae615f01ebc00e6874ebeaf872604c334ef16f453f50f254c5d36b2513bbd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/admin/class-wc-rest-stripe-locations-controller.php"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 106101, "scanner": "repobility-threat-engine", "fingerprint": "49ac1a7fb980318957b26f6448616814cd8af968c27bc6a4579429439adae5bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", 
"correlation_key": "fp|49ac1a7fb980318957b26f6448616814cd8af968c27bc6a4579429439adae5bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/payment-method-missing-currency-pill/index.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 106097, "scanner": "repobility-threat-engine", "fingerprint": "ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee"}}}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 106093, "scanner": "repobility-threat-engine", "fingerprint": "fee882eb7a8a852e2cabfafb357b0d58919e74ee54153a76b6d33acc0b399e4e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, 
"promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fee882eb7a8a852e2cabfafb357b0d58919e74ee54153a76b6d33acc0b399e4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/classic/upe/legacy-support.js"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 106092, "scanner": "repobility-threat-engine", "fingerprint": "6ab64224f4a4476c37c1999ab5e616b8ba823cd74e3c58fa04b0c48d2ace4b07", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ab64224f4a4476c37c1999ab5e616b8ba823cd74e3c58fa04b0c48d2ace4b07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/classic/upe/index.js"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 106091, "scanner": "repobility-threat-engine", "fingerprint": 
"3ade30808e5238b73fcdc1a5d35e15dafee73736a65c7645349ce41586ea7a6f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3ade30808e5238b73fcdc1a5d35e15dafee73736a65c7645349ce41586ea7a6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/blocks/express-checkout/hooks.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC046", "level": "none", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 106090, "scanner": "repobility-threat-engine", "fingerprint": "0f4f77474ee83b9cc4751408b1d6de2cd4cb21da2e9f39476c835779061cbee6", "category": "open_redirect", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0f4f77474ee83b9cc4751408b1d6de2cd4cb21da2e9f39476c835779061cbee6"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 106086, "scanner": "repobility-threat-engine", "fingerprint": "f931c8d75c1a7ca8c75778a01a6166a73252cb74f0386404c1580b0141332b97", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f931c8d75c1a7ca8c75778a01a6166a73252cb74f0386404c1580b0141332b97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/blocks/checkout-sessions/checkout-form.js"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 106085, "scanner": "repobility-threat-engine", "fingerprint": "f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "aggregated_count": 2}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 106084, "scanner": "repobility-threat-engine", "fingerprint": "7ecd8d7e32be06be92ea067eacf55169d7ff53d4a09a8fd307311c071b46131e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ecd8d7e32be06be92ea067eacf55169d7ff53d4a09a8fd307311c071b46131e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/blocks/checkout-sessions/hooks.js"}, "region": {"startLine": 366}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 106083, "scanner": "repobility-threat-engine", "fingerprint": "8657259b5410efc32acc124bea3d6d780923041cae6ab929b7929e3f6ef8a25b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8657259b5410efc32acc124bea3d6d780923041cae6ab929b7929e3f6ef8a25b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/blocks/checkout-sessions/checkout-container.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 106082, "scanner": "repobility-threat-engine", "fingerprint": "9c5ecb580fe13d0701a51af62b81d46504b0a853b64913ef8bc5fa727ffcb890", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9c5ecb580fe13d0701a51af62b81d46504b0a853b64913ef8bc5fa727ffcb890"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/compare-bundle-sizes.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `gridicons` is patch version(s) behind (3.4.0 -> 3.4.2)"}, "properties": {"repobilityId": 106061, "scanner": "repobility-dependency-currency", "fingerprint": "8a4982b0aaf5a95bdc3abc037ff53b974aac0f69d45e72e277bbc359d0ebe6f0", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "gridicons", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.4.2", "correlation_key": "fp|8a4982b0aaf5a95bdc3abc037ff53b974aac0f69d45e72e277bbc359d0ebe6f0", "current_version": "3.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3h5v-q93c-6h6q", "level": "error", "message": {"text": "ws: GHSA-3h5v-q93c-6h6q"}, 
"properties": {"repobilityId": 106179, "scanner": "osv-scanner", "fingerprint": "8238b367394f3eb3a63c9fdcf3a3af1b249bb37192f2b8decf177b0ea2da6032", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-37890"], "package": "ws", "rule_id": "GHSA-3h5v-q93c-6h6q", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2024-37890|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2qf-rxjj-qqgw", "level": "error", "message": {"text": "semver: GHSA-c2qf-rxjj-qqgw"}, "properties": {"repobilityId": 106172, "scanner": "osv-scanner", "fingerprint": "99a27955ef80d362141ad0a78ae49f493e9942bb5b0563c320b2990d69becaa1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-25883"], "package": "semver", "rule_id": "GHSA-c2qf-rxjj-qqgw", "scanner": "osv-scanner", "correlation_key": "vuln|semver|CVE-2022-25883|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-37ch-88jc-xwx2", "level": "error", "message": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "properties": {"repobilityId": 106168, "scanner": "osv-scanner", "fingerprint": "0553c735e6885cddd69fe125815eaa685a866283e1d2919fec632afa55cb94a7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4867"], "package": "path-to-regexp", "rule_id": "GHSA-37ch-88jc-xwx2", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4867|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4q6p-r6v2-jvc5", "level": "error", "message": {"text": "get-func-name: GHSA-4q6p-r6v2-jvc5"}, "properties": {"repobilityId": 106167, "scanner": "osv-scanner", "fingerprint": "ef9e66b9a545034970827ad6694456b0bc4accf562dc16cca9d66cdc26a8ab24", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-43646"], "package": "get-func-name", "rule_id": "GHSA-4q6p-r6v2-jvc5", "scanner": "osv-scanner", "correlation_key": "vuln|get-func-name|CVE-2023-43646|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rpmf-866q-6p89", "level": "error", "message": {"text": "basic-ftp: GHSA-rpmf-866q-6p89"}, "properties": {"repobilityId": 106163, "scanner": "osv-scanner", "fingerprint": "0ac6731d638ce81d00e122a556a1b9bbc4348aabfb5343bffc8c32fd58d7e023", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44240"], "package": "basic-ftp", "rule_id": "GHSA-rpmf-866q-6p89", "scanner": "osv-scanner", "correlation_key": "vuln|basic-ftp|CVE-2026-44240|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 106130, "scanner": "repobility-docker", "fingerprint": "4c4aa67dcde904bde7cb368a22df9803edf0c353632223189252cfd0abe9e3f4", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", 
"evidence": {"ports": [{"raw": "6789:3306", "target": "3306", "host_ip": "", "published": "6789"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|4c4aa67dcde904bde7cb368a22df9803edf0c353632223189252cfd0abe9e3f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/env/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC043", "level": "error", "message": {"text": "[SEC043] Secret stored in Odoo ir.config_parameter \u2014 broadly readable: ir.config_parameter is readable by any user with read access on the model \u2014 typically all internal users. Storing API keys, OAuth client secrets, or passwords there means any admin-account compromise, or any third-party module with broad read scope, exposes the credential. 
Odoo-specific instance of CWE-922 (insecure storage of sensitive info)."}, "properties": {"repobilityId": 106110, "scanner": "repobility-threat-engine", "fingerprint": "a9b39ce3c2978a846303a314f919c91e01d776ec721cf02a50a916c247dbbf5e", "category": "secret", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "get_param( 'token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC043", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|4|get_param token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "includes/admin/class-wc-rest-stripe-tokens-controller.php"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 106102, "scanner": "repobility-threat-engine", "fingerprint": "b24be37e9ee718ec158bffa88ba46b4b145652f06e5706d8d2d85af528302e79", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n\t\t\t\t\t\t( variation ) =>\n\t\t\t\t\t\t\t`${ variation.attribute }: ${ variation.value }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b24be37e9ee718ec158bffa88ba46b4b145652f06e5706d8d2d85af528302e79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/express-checkout/transformers/wc-to-stripe.js"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 106100, "scanner": "repobility-threat-engine", "fingerprint": "0e813429ceae157dfda1c614950317c6a5506028df4b9590ffd946247a88f046", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "elements.update( {\n\t\t\t\tamount: response.total.amount,\n\t\t\t} );", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0e813429ceae157dfda1c614950317c6a5506028df4b9590ffd946247a88f046"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/express-checkout/event-handler.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 106099, "scanner": "repobility-threat-engine", "fingerprint": "da95f42ad98531d47c524f00e24a8ce187867a16e299a73b053b9d87cbb0ad89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "component.elements.update( {\n\t\t\t\t\t\tsetupFutureUsage:\n\t\t\t\t\t\t\tcartContainsSubscription || isCheck", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da95f42ad98531d47c524f00e24a8ce187867a16e299a73b053b9d87cbb0ad89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/classic/upe/deferred-intent.js"}, "region": {"startLine": 212}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 106096, "scanner": "repobility-threat-engine", "fingerprint": "ce9e3c1378da90627c3f176a2c48fc668d7f3927902c6aad067c203752e2c2cb", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL( w", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ce9e3c1378da90627c3f176a2c48fc668d7f3927902c6aad067c203752e2c2cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/settings/stripe-auth-account/webhook-help-text.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 106095, "scanner": "repobility-threat-engine", "fingerprint": "fd4db63269fcbd7e99732a1cb83bd91543c34609961b22369eefd8540c5ca534", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url( s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd4db63269fcbd7e99732a1cb83bd91543c34609961b22369eefd8540c5ca534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/components/exit-survey-modal/index.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 106094, "scanner": "repobility-threat-engine", "fingerprint": "6191b01ede9429c41c13c8644e3bc9b7589738cc78438ecaf7a718187bf1ab90", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url( i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6191b01ede9429c41c13c8644e3bc9b7589738cc78438ecaf7a718187bf1ab90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/blocks/upe/checkout-icons.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 106053, "scanner": "repobility-supply-chain", "fingerprint": "104ea24cf8a8dd34d9936b97e033b5872a6449538026f0b22935c744291e2853", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|104ea24cf8a8dd34d9936b97e033b5872a6449538026f0b22935c744291e2853"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js-tests.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106052, "scanner": "repobility-supply-chain", "fingerprint": "11339ea6fd01c5337ea26c69c4f8c3d224a0d02ecfb364a661591000820a00c8", "category": "dependency", "severity": "high", "confidence": 
0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11339ea6fd01c5337ea26c69c4f8c3d224a0d02ecfb364a661591000820a00c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js-tests.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106051, "scanner": "repobility-supply-chain", "fingerprint": "97486f02c8bdcaf9e81c846e4290dfa692e883ba8534f207d3340f03ee89ae59", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|97486f02c8bdcaf9e81c846e4290dfa692e883ba8534f207d3340f03ee89ae59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106050, "scanner": "repobility-supply-chain", "fingerprint": "fb58cdd987a02573d7e891f64e5427fa1f2a9f956c2f7e0f0a483d35566e9ef6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|fb58cdd987a02573d7e891f64e5427fa1f2a9f956c2f7e0f0a483d35566e9ef6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106049, "scanner": "repobility-supply-chain", "fingerprint": "0f26feeebb74dc362721fd12fcf6cc740c7737eeb523bedf808b54ab07315b3c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f26feeebb74dc362721fd12fcf6cc740c7737eeb523bedf808b54ab07315b3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106048, "scanner": "repobility-supply-chain", "fingerprint": "9de02a76094669b20ebad4890149e786e019e812d46ae336633bcdc2772eb540", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9de02a76094669b20ebad4890149e786e019e812d46ae336633bcdc2772eb540"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref 
`@v4`"}, "properties": {"repobilityId": 106047, "scanner": "repobility-supply-chain", "fingerprint": "5fe7ff674fd629029536050943cfa128b6a03636650fd71cc14d2713717abc4a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5fe7ff674fd629029536050943cfa128b6a03636650fd71cc14d2713717abc4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106046, "scanner": "repobility-supply-chain", "fingerprint": "9e3cf4152bde54d8172af5995972916ea27debfe59aaddda9dc722b8bff11b82", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9e3cf4152bde54d8172af5995972916ea27debfe59aaddda9dc722b8bff11b82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106045, "scanner": "repobility-supply-chain", "fingerprint": "180228a803a01491bf7640199d7547e76d8f2adc820ef229b95f581cdc38fc26", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|180228a803a01491bf7640199d7547e76d8f2adc820ef229b95f581cdc38fc26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-tests.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106044, "scanner": "repobility-supply-chain", "fingerprint": "284ca52fe26723c45a2e1f0a6e56c4af78a6ed9a119818fb47dbfd94d73050e4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|284ca52fe26723c45a2e1f0a6e56c4af78a6ed9a119818fb47dbfd94d73050e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-qit.yml"}, "region": {"startLine": 355}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106043, "scanner": "repobility-supply-chain", "fingerprint": "4f89b006b7a45e31a4cd54b4e365c8f5a4fea956e79178fbd0ec3e2e045d8dd0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f89b006b7a45e31a4cd54b4e365c8f5a4fea956e79178fbd0ec3e2e045d8dd0"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-qit.yml"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106042, "scanner": "repobility-supply-chain", "fingerprint": "f1dc448b8d69e30bb48f7856445260118675d9f3c35d900828678f948c928f8a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1dc448b8d69e30bb48f7856445260118675d9f3c35d900828678f948c928f8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-live-branch.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106041, "scanner": "repobility-supply-chain", "fingerprint": "85160d6cd8235484ed79269849a9f84d45d5aafe6f914bfa6457b4aba1d1e6ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85160d6cd8235484ed79269849a9f84d45d5aafe6f914bfa6457b4aba1d1e6ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-live-branch.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106040, "scanner": 
"repobility-supply-chain", "fingerprint": "eb27bc5ad2ea186957783f4bd2b10cbe567844119c45f146fb0c016cf0ca845e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb27bc5ad2ea186957783f4bd2b10cbe567844119c45f146fb0c016cf0ca845e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/php-code-coverage.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106039, "scanner": "repobility-supply-chain", "fingerprint": "ceb543a3e9639df7c4d3934d016fcf027fed07c902bb2326ee747c5b2961a35b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ceb543a3e9639df7c4d3934d016fcf027fed07c902bb2326ee747c5b2961a35b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/php-code-coverage.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106038, "scanner": "repobility-supply-chain", "fingerprint": "98b5fa7ab24ee6080d150fccce8ca04e59249ebc445b9488d750bd9f28f5facb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98b5fa7ab24ee6080d150fccce8ca04e59249ebc445b9488d750bd9f28f5facb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/generate-zip.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106037, "scanner": "repobility-supply-chain", "fingerprint": "e867d9815cb58d2db65218bb35fbab94096356c4abcccb19438e9e4df93012a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e867d9815cb58d2db65218bb35fbab94096356c4abcccb19438e9e4df93012a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/generate-zip.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106036, "scanner": "repobility-supply-chain", "fingerprint": "06c1dd4c3e165c4f0d76f5f56b5b93be87c01791870b637d2ea6811fc2c92eb2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06c1dd4c3e165c4f0d76f5f56b5b93be87c01791870b637d2ea6811fc2c92eb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/generate-zip.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106035, "scanner": "repobility-supply-chain", "fingerprint": "9a0381541bf7fd3c5ffe4619032c896fb099fb58dd5e544b943d0a0706dfda50", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a0381541bf7fd3c5ffe4619032c896fb099fb58dd5e544b943d0a0706dfda50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-e2e-tests.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106034, "scanner": "repobility-supply-chain", "fingerprint": "99632bc9e65cf35c10daacf49b22bb8baee1eefc4ef883c0c487b03821db882a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99632bc9e65cf35c10daacf49b22bb8baee1eefc4ef883c0c487b03821db882a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-e2e-tests.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106033, "scanner": "repobility-supply-chain", "fingerprint": 
"be30563fa6bea56e236a430cf89f49dd1d86f4b3324b4b043c8febe14bafea6f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be30563fa6bea56e236a430cf89f49dd1d86f4b3324b4b043c8febe14bafea6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-size.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `woocommerce/.github/.github/workflows/ai-code-review.yml` pinned to mutable ref `@trunk`"}, "properties": {"repobilityId": 106030, "scanner": "repobility-supply-chain", "fingerprint": "9c6d69f81f51e9cb09c7a2c8e772edf4c3e8cdef12b971a5dbbd4bb439cb7af2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c6d69f81f51e9cb09c7a2c8e772edf4c3e8cdef12b971a5dbbd4bb439cb7af2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ai-code-review.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 106029, "scanner": "repobility-supply-chain", "fingerprint": "8f3902305ad13502501c7793cf35b959f3b9f3f0891288c6bdec2f58be9b54a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f3902305ad13502501c7793cf35b959f3b9f3f0891288c6bdec2f58be9b54a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-changelog.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 106028, "scanner": "repobility-supply-chain", "fingerprint": "f7115ae153416f2821427a06665776f023bde4127223d7ab2ed17598ed7412b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f7115ae153416f2821427a06665776f023bde4127223d7ab2ed17598ed7412b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-changelog.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106027, "scanner": "repobility-supply-chain", "fingerprint": "8119283887045d59ec4f10b761fafa37db7d2f7b6baf18bb5e20ae4f152a90c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8119283887045d59ec4f10b761fafa37db7d2f7b6baf18bb5e20ae4f152a90c3"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/validate-changelog.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `wordpress:php7.4` not pinned by digest"}, "properties": {"repobilityId": 106026, "scanner": "repobility-supply-chain", "fingerprint": "9058efa85d79278697124d574e01ca91e7aef0f800663ebbaed77b07d9f43371", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9058efa85d79278697124d574e01ca91e7aef0f800663ebbaed77b07d9f43371"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/e2e/env/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `wordpress:php7.4` not pinned by digest"}, "properties": {"repobilityId": 106025, "scanner": "repobility-supply-chain", "fingerprint": "f8e3018fbaf9617898d5c6d661dce9fb394f7386d2b4f2368e95166801b7084f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f8e3018fbaf9617898d5c6d661dce9fb394f7386d2b4f2368e95166801b7084f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/wordpress_xdebug/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": 
{"repobilityId": 106159, "scanner": "gitleaks", "fingerprint": "26c6f1b4baa354f4bf6904a48606766aea3f52f66410df8d143790718b5a0a30", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "test_publishable_key' => 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|474|test_publishable_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/payment-methods/class-wc-stripe-upe-payment-gateway-test.php"}, "region": {"startLine": 4741}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106158, "scanner": "gitleaks", "fingerprint": "0db0b6e0212ac1cacb0b87acaf295264f4602f719c13298448ca52e9f33f1bc7", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|474|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/payment-methods/class-wc-stripe-upe-payment-gateway-test.php"}, "region": {"startLine": 4742}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106157, "scanner": "gitleaks", "fingerprint": "7b21df443b6d63e451e0f5e5fbb79ca82a1398b732cb109e36861c47cda8a0d4", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|93|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/payment-methods/class-wc-stripe-upe-payment-method-test.php"}, "region": {"startLine": 940}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106156, "scanner": "gitleaks", "fingerprint": "d24f86fc92d8e88e6bdeb5728983328940dd77afce1cbc0217edcf2e216003ce", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "publishable_key', 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|12|publishable_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/class-wc-rest-stripe-account-keys-controller-test.php"}, "region": {"startLine": 121}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106155, "scanner": "gitleaks", "fingerprint": "cfe00313342a07d606cc202dbbe14651b32a0d94f4840124811972b393ca819e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "test_secret_key', 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|9|test_secret_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/class-wc-rest-stripe-account-keys-controller-test.php"}, 
"region": {"startLine": 99}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106154, "scanner": "gitleaks", "fingerprint": "e0b1ffa6f96989305aea56640f470dd2ecbd6ce2ca59cdfe20fb40a716dd39dc", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "test_publishable_key', 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|9|test_publishable_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/class-wc-rest-stripe-account-keys-controller-test.php"}, "region": {"startLine": 98}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106153, "scanner": "gitleaks", "fingerprint": "12726111892b9d3ef1cc3f7e80fa36a4ed494d9c1f027189f22bdb45792efdeb", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "secret_key', 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|7|secret_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/class-wc-rest-stripe-account-keys-controller-test.php"}, "region": {"startLine": 76}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106152, "scanner": "gitleaks", "fingerprint": 
"b9372323a7718a89d82bb2c5dc33fee6579e65e612f508ebbb2fb3d7140cc93a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "publishable_key', 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|7|publishable_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/class-wc-rest-stripe-account-keys-controller-test.php"}, "region": {"startLine": 75}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106151, "scanner": "gitleaks", "fingerprint": "c0f5a7db9ba7555228bb5f4e9094d244feb4ca3fd46faf0c1fe3dbb8fae86581", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "mocked_secret     = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|49|mocked_secret redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/class-wc-stripe-checkout-sessions-ajax-handler-test.php"}, "region": {"startLine": 495}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106150, "scanner": "gitleaks", "fingerprint": "671a3bc3c04c4ef5c1952844a3b2c5c98ef68f3d29af911ab0c04e8354b4a9af", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": 
"gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|19|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/admin/class-wc-rest-stripe-settings-controller-test.php"}, "region": {"startLine": 199}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106149, "scanner": "gitleaks", "fingerprint": "e7bc66b4e8ace0b2a72df44fc3de47fdf5ecea57f5746528e8853182640a2a97", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|15|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/admin/class-wc-rest-stripe-settings-controller-test.php"}, "region": {"startLine": 155}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106148, "scanner": "gitleaks", "fingerprint": "b2201191297623521a1c628253dd9c9bf64060623048a896cdb0ab600f2e0038", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|8|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["stripe-access-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": 
["7c6231cbad05e87b10f6d363bd9a71e84775a1a09e66d3c730d5add1f5a7a5c5", "b2201191297623521a1c628253dd9c9bf64060623048a896cdb0ab600f2e0038"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/admin/class-wc-rest-stripe-settings-controller-test.php"}, "region": {"startLine": 82}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106147, "scanner": "gitleaks", "fingerprint": "19044c1a7e968f8bb6340c9ecbb6213f6932d797bda26fe1d72ca51915cad498", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|95|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/class-wc-stripe-payment-method-configurations-test.php"}, "region": {"startLine": 958}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106146, "scanner": "gitleaks", "fingerprint": "7826242b8e313d4b2cb94e57d7b861e435945a95aaa921ed2dc33f4f9e5c1833", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|80|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["stripe-access-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": 
["7826242b8e313d4b2cb94e57d7b861e435945a95aaa921ed2dc33f4f9e5c1833", "86b065fe416cb25765fb02007c15f198806f4a72f7eecc7b4eda6d0372fc40d3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/class-wc-stripe-payment-method-configurations-test.php"}, "region": {"startLine": 803}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106145, "scanner": "gitleaks", "fingerprint": "8f775786f34a4c5824451772be47678d727376da121936bfe4c3b404aae132fc", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "test_publishable_key' => 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|95|test_publishable_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/class-wc-stripe-payment-method-configurations-test.php"}, "region": {"startLine": 957}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106144, "scanner": "gitleaks", "fingerprint": "ec67e522d35ec83ca9acfeae84d5bfaf5ef77bf362741ba0423f7ac18bc6ec1b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "client_secret\":\"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|15|client_secret : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"tests/phpunit/compat/dummy-data/subscription_renewal_response_authentication_required.json"}, "region": {"startLine": 155}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106143, "scanner": "gitleaks", "fingerprint": "8dbdc760f7e6f5771b5083dd70b1f04492e1b358e04dda9239e639e571e9816a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "client_secret\":\"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|14|client_secret : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/compat/dummy-data/subscription_renewal_response_success.json"}, "region": {"startLine": 141}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106142, "scanner": "gitleaks", "fingerprint": "98e5f38bd86f150f3a223b5784f327d245ef46451b44a8feae0970ad3b0227a1", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|4|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/helpers/class-upe-test-helper.php"}, "region": {"startLine": 41}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 
106141, "scanner": "gitleaks", "fingerprint": "65a50d4ed91e8399cd98b44779a7142ef8ba3ec838c3a7fa9f908f430f3be54f", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|3|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/helpers/class-upe-test-helper.php"}, "region": {"startLine": 38}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106140, "scanner": "gitleaks", "fingerprint": "68cd78bdfce9acdc2c30d4fbb55a6e11c962af715cb4a0578f5d8abac44b7f79", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|2|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/admin/migrations/class-migrate-payment-methods-from-db-to-pmc-test.php"}, "region": {"startLine": 23}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106139, "scanner": "gitleaks", "fingerprint": "a5ce279dfc79de112a6bab0c06182ce76c1166d1e2c2e46b89e447c08ff6920e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "secret' =<redacted> 'REDACTED'", "rule_id": "generic-api-key", "scanner": 
"gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|3|secret redacted redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/phpunit/admin/class-wc-rest-stripe-connection-tokens-controller-test.php"}, "region": {"startLine": 40}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106138, "scanner": "gitleaks", "fingerprint": "896ab570ffb49853387a91bff76361abec6ae3aa7135a2e38e017f4f0b5d604a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|docs/api/readme.md|31|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api/README.md"}, "region": {"startLine": 312}}}]}, {"ruleId": "curl-auth-user", "level": "error", "message": {"text": "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106137, "scanner": "gitleaks", "fingerprint": "d62c31072744f0053b2a96330ba291df28fc97fe72d0a20590d6dd207cc77de4", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -u REDACTED", "rule_id": "curl-auth-user", "scanner": "gitleaks", "detector": "curl-auth-user", "correlation_key": "secret|docs/api/readme.md|25|curl -u redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api/README.md"}, "region": {"startLine": 253}}}]}, {"ruleId": "curl-auth-user", "level": "error", "message": {"text": "Discovered a potential basic authorization 
token provided in a curl command, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106136, "scanner": "gitleaks", "fingerprint": "d434894a368435e879eee9531f8cbadbf721151755b20e387125b9cb87b2bb4b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -X GET https://example.com/wp-json/wc/v2/payment_gateways/stripe -u REDACTED", "rule_id": "curl-auth-user", "scanner": "gitleaks", "detector": "curl-auth-user", "correlation_key": "secret|docs/api/readme.md|3|curl -x get token -u redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api/README.md"}, "region": {"startLine": 39}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106135, "scanner": "gitleaks", "fingerprint": "1f232ce086a906af9ff978bba667a5a19e227ea5eb254148d77932534784ee0a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key: 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|21|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/express-checkout/transformers/__tests__/wc-to-stripe.test.js"}, "region": {"startLine": 214}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106134, "scanner": "gitleaks", "fingerprint": "753ccb8dd7fae0c01a9ab1aec1bb9662c0f375e4f2d2ad433454d99831b4c10d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key: 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|7|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/express-checkout/transformers/__tests__/wc-to-stripe.test.js"}, "region": {"startLine": 75}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106133, "scanner": "gitleaks", "fingerprint": "a43cf1c3caa23875b76726f9cddf382a26cc6fca39ee12e93a1bcc3efc7d9f87", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key: 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/express-checkout/transformers/__tests__/wc-to-stripe.test.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger"}, "properties": {"repobilityId": 106057, "scanner": "repobility-supply-chain", "fingerprint": "d9e2beb77c88579ec3539504aefd5210c4b24ecb69e495078e7aca9552db1d08", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9e2beb77c88579ec3539504aefd5210c4b24ecb69e495078e7aca9552db1d08"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-extension-compat.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger"}, "properties": {"repobilityId": 106056, "scanner": "repobility-supply-chain", "fingerprint": "fea31d91075e676148ccee9bbe84f9a17ec504ff5b584b57be31ad6ec56552cb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fea31d91075e676148ccee9bbe84f9a17ec504ff5b584b57be31ad6ec56552cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-extension-compat.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger"}, "properties": {"repobilityId": 106055, "scanner": "repobility-supply-chain", "fingerprint": "3e1e01c89686d321ce838eb18d93e11131dfa61ff36ff9a14477de8fc3cc69cd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e1e01c89686d321ce838eb18d93e11131dfa61ff36ff9a14477de8fc3cc69cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-merge.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_WEBHOOK_URL` on a 
`pull_request` trigger"}, "properties": {"repobilityId": 106054, "scanner": "repobility-supply-chain", "fingerprint": "492231faeafda1d013c2183561a5f8a23b4a6fdc2b5e80d7cd47dca8d53280a3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|492231faeafda1d013c2183561a5f8a23b4a6fdc2b5e80d7cd47dca8d53280a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-merge.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AI_REVIEW_TELEMETRY_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 106032, "scanner": "repobility-supply-chain", "fingerprint": "e68e6f63e17463ff2378861503c1c83065f1f7937eeb9fd507c02624b0aa850c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e68e6f63e17463ff2378861503c1c83065f1f7937eeb9fd507c02624b0aa850c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ai-code-review.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AI_CODE_REVIEW_ANTHROPIC_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 106031, "scanner": "repobility-supply-chain", "fingerprint": "c1e4d13c73de8410fbced0db3d14fb9ab19bdf0cda9b57d102524f0103b8eea8", "category": "dependency", "severity": 
"critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c1e4d13c73de8410fbced0db3d14fb9ab19bdf0cda9b57d102524f0103b8eea8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ai-code-review.yml"}, "region": {"startLine": 16}}}]}]}]}