{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `convert_to_book` (list): `def convert_to_book(... = []/{}/set())` \u2014 Python's def", "shortDescription": {"text": "[MINED109] Mutable default argument in `convert_to_book` (list): `def convert_to_book(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates "}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def convert_to_book(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. 
If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC037", "name": "[SEC037] Uncontrolled Recursion \u2014 stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a", "shortDescription": {"text": "[SEC037] Uncontrolled Recursion \u2014 stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a depth limit, or recursive function over user-controlled structure. Attacker sends `{\"a\":{\"a\":{\"a\":...10000 levels...}}}"}, "fullDescription": {"text": "Use `defusedxml.ElementTree` instead of `xml.etree.ElementTree` \u2014 it rejects deeply-nested + billion-laughs payloads.\nFor JSON: set a depth limit explicitly:\n  import json\n  data = json.loads(s)  # then validate structure depth manually\nFor YAML: always use `yaml.safe_load`. 
For recursive code over user input, add an explicit depth counter and bail at depth > 100."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `classify` has cognitive complexity 8 (SonarSource scale). Cognitive compl", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `classify` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all w"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED063", "name": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use.", "shortDescription": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-367 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED009", "name": "[MINED009] Floats For Money (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED009] Floats For Money (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 5 more): Same pattern found in 5 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. 
In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 40 more): Same pattern found in 40 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar`", "shortDescription": {"text": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,504 bytes) committed to a repo that otherwise has 1753 source files. Trojan binaries inside otherw"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. 
If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `reactivecircus/android-emulator-runner` pinned to mutable ref `@v2`: `uses: reactivecircus/android-em", "shortDescription": {"text": "[MINED115] Action `reactivecircus/android-emulator-runner` pinned to mutable ref `@v2`: `uses: reactivecircus/android-emulator-runner@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the t"}, "fullDescription": {"text": "Replace with: `uses: reactivecircus/android-emulator-runner@<40-char-sha>  # v2` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.__get_format_args` used but never assigned in __init__: Method `check` of class `FormattingDoesNotMatch", "shortDescription": {"text": "[MINED108] `self.__get_format_args` used but never assigned in __init__: Method `check` of class `FormattingDoesNotMatch` reads `self.__get_format_args`, but no assignment to it exists in __init__ (and no class-level fallback). This raises "}, "fullDescription": {"text": "Initialize `self.__get_format_args = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. 
Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion (denial of service). Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED104", "name": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local pr", "shortDescription": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks."}, "fullDescription": {"text": "Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). For directories that genuinely need shared write access, use a group with chmod g+w and chown the right group."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `locale` used but not imported: The file uses `locale.something(...)` but never imports `loca", "shortDescription": {"text": "[MINED107] Missing import: `locale` used but not imported: The file uses `locale.something(...)` but never imports `locale`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import locale` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. 
`unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1112"}, "properties": {"repository": "kylecorry31/Trail-Sense", "repoUrl": "https://github.com/kylecorry31/Trail-Sense", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 109974, "scanner": "repobility-ast-engine", "fingerprint": "876327f84dc13652fbdc2df775b826c190760b84e55e5a19235f36e939b9236e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|876327f84dc13652fbdc2df775b826c190760b84e55e5a19235f36e939b9236e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/watch.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `convert_to_book` (list): `def convert_to_book(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 109973, "scanner": "repobility-ast-engine", "fingerprint": "0d7d0e1f8e6336e4e6f5f6c01d2d8024b8b7e1a8457e37693ce96523782f46df", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0d7d0e1f8e6336e4e6f5f6c01d2d8024b8b7e1a8457e37693ce96523782f46df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "survival-guide-book/generate-book.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 109964, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a89556d9668924e9d024e1aff0c53260b3ac35746a9de47e813bb23d9a59470", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "refactor", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|6a89556d9668924e9d024e1aff0c53260b3ac35746a9de47e813bb23d9a59470"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/files-to-refactor.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC037", "level": "warning", "message": {"text": "[SEC037] Uncontrolled Recursion \u2014 stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a depth limit, or recursive function over user-controlled structure. 
Attacker sends `{\"a\":{\"a\":{\"a\":...10000 levels...}}}` to blow the stack. CWE-674/1325."}, "properties": {"repobilityId": 109952, "scanner": "repobility-threat-engine", "fingerprint": "ba5928afcf73de6a810bd768528f61fef43395f2ab2b2b800f2eeb630d4841e5", "category": "resource_exhaustion", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC037", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ba5928afcf73de6a810bd768528f61fef43395f2ab2b2b800f2eeb630d4841e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/build.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 109944, "scanner": "repobility-threat-engine", "fingerprint": "fecd2364b9d44cf81459dd745e0d2f10dcf08c79fd83beb9c18b7752a7dd2675", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.9 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password=\"<redacted> -n '", "reason": "Low entropy value (2.9 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|scripts/release-builds.sh|1|password redacted -n"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release-builds.sh"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 109972, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4243c119d8ca66ae42eb247c0403c6dfbc48a531276fba77122ab23bd65f72fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/kylecorry/trail_sense/shared/text/TextUtils.kt", "duplicate_line": 193, "correlation_key": "fp|4243c119d8ca66ae42eb247c0403c6dfbc48a531276fba77122ab23bd65f72fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/text/search/MultilingualFuzzySearchStrategy.kt"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109971, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6657e3f9260bae13e44e433983b697920464cc8f367e440182e6193a0245a385", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/kylecorry/trail_sense/shared/sensors/gps/TimezoneGPS.kt", "duplicate_line": 24, "correlation_key": "fp|6657e3f9260bae13e44e433983b697920464cc8f367e440182e6193a0245a385"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/sensors/overrides/OverrideGPS.kt"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 109970, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f53108a1be9b56e6d57c8686d935c1cc0495d48b8ac70e5a0d88834151922674", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/kylecorry/trail_sense/shared/sensors/gps/TimezoneGPS.kt", "duplicate_line": 26, "correlation_key": "fp|f53108a1be9b56e6d57c8686d935c1cc0495d48b8ac70e5a0d88834151922674"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/sensors/overrides/CachedGPS.kt"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109969, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6434dfe5a86f5bac1fec99d1df9734d0f99c4fdfca2a8194b4b0f86efa1455d5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/kylecorry/trail_sense/shared/map_layers/ui/layers/geojson/features/GeoJsonLineStringRenderer.kt", "duplicate_line": 207, "correlation_key": "fp|6434dfe5a86f5bac1fec99d1df9734d0f99c4fdfca2a8194b4b0f86efa1455d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"app/src/main/java/com/kylecorry/trail_sense/shared/map_layers/ui/layers/geojson/features/GeoJsonPolygonRenderer.kt"}, "region": {"startLine": 114}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109968, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06c032fa66c68fbc14ef9fe0dcbdbb53ff30dd642b405eabd64360aff7c46059", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/kylecorry/trail_sense/shared/extensions/TrailSenseReactiveBottomSheetFragment.kt", "duplicate_line": 12, "correlation_key": "fp|06c032fa66c68fbc14ef9fe0dcbdbb53ff30dd642b405eabd64360aff7c46059"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/extensions/TrailSenseReactiveFragment.kt"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109967, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5dcdb1e77d233e9f37fecd4439bc5007a416f50d6afa96635e4170d1c25fe088", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/kylecorry/trail_sense/shared/dem/map_layers/AspectMapTileSource.kt", "duplicate_line": 39, "correlation_key": 
"fp|5dcdb1e77d233e9f37fecd4439bc5007a416f50d6afa96635e4170d1c25fe088"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/dem/map_layers/ElevationMapTileSource.kt"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109966, "scanner": "repobility-ai-code-hygiene", "fingerprint": "53243bddec61662fd91495bf698260dfe3b158892104b4bd9b60acd974d2ecf3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/com/kylecorry/trail_sense/plugins/map_layers/PluginGeoJsonSource.kt", "duplicate_line": 55, "correlation_key": "fp|53243bddec61662fd91495bf698260dfe3b158892104b4bd9b60acd974d2ecf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/plugins/map_layers/PluginTileSource.kt"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109965, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06f62e546edc712caa59d7af1f650861dd25a419aeb8ef1856d854786ac84fc1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/androidTest/java/com/kylecorry/trail_sense/SmokeTest.kt", 
"duplicate_line": 34, "correlation_key": "fp|06f62e546edc712caa59d7af1f650861dd25a419aeb8ef1856d854786ac84fc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/androidTest/java/com/kylecorry/trail_sense/test_utils/ToolTestBase.kt"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 109963, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c112d16158e08485e50c1d624a6c73f83ea4e63d1b60348217a8e740406136d", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "refactor", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|4c112d16158e08485e50c1d624a6c73f83ea4e63d1b60348217a8e740406136d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/files-to-refactor.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 109941, "scanner": "repobility-threat-engine", "fingerprint": "f3749b394ad2af1983511e17cb797afec1b6d23e80befeb104e007734f2a3d40", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "raise Exception(\"Changelog does not exist (\" + changelog + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f3749b394ad2af1983511e17cb797afec1b6d23e80befeb104e007734f2a3d40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "release.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `classify` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=1, else=1, if=4, nested_bonus=2."}, "properties": {"repobilityId": 109914, "scanner": "repobility-threat-engine", "fingerprint": "bf5e399cd1442db1f01d70e64ab8f462e0c30953fc9d6313af5ecad68664312b", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "classify", "breakdown": {"if": 4, "elif": 1, "else": 1, "nested_bonus": 2}, "complexity": 8, "correlation_key": "fp|bf5e399cd1442db1f01d70e64ab8f462e0c30953fc9d6313af5ecad68664312b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/experiments/clouds.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `calculate_precision_recall_f1` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: for=1, nested_bonus=3, ternary=6."}, "properties": {"repobilityId": 109913, "scanner": "repobility-threat-engine", "fingerprint": "acb302663a39e3710c1b9352dc83077b0136bb9e0e91e5a2cdf3a3f518660e3d", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "calculate_precision_recall_f1", "breakdown": {"for": 1, "ternary": 6, "nested_bonus": 3}, "complexity": 10, "correlation_key": "fp|acb302663a39e3710c1b9352dc83077b0136bb9e0e91e5a2cdf3a3f518660e3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/experiments/clouds.py"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 109959, "scanner": "repobility-threat-engine", "fingerprint": "c0296b8d79d84c5c9a643999c6fc8b81db6a56e8f4e5e86bc2754091dd545e8c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c0296b8d79d84c5c9a643999c6fc8b81db6a56e8f4e5e86bc2754091dd545e8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/build.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization: 
Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 109949, "scanner": "repobility-threat-engine", "fingerprint": "41edb369d8a5b020a846e6635ed651cb22c218fcdcd994e74f44b97b4f3c0103", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'FullLoader' detected on same line", "evidence": {"match": "yaml.load(", "reason": "Safe pattern 'FullLoader' detected on same line", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|deserialization|token|33|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/generation/markdown_converter.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 109948, "scanner": "repobility-threat-engine", "fingerprint": "465664eb39d91143cdb17c3a28ad474402714231eb30414957e0d2430e60f8e3", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'FullLoader' detected on same line", "evidence": {"match": "yaml.load(", "reason": "Safe pattern 'FullLoader' detected on same line", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|deserialization|site/build.py|16|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/build.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 109947, "scanner": "repobility-threat-engine", "fingerprint": "fd875f3d9c4d5650117e714c2c91f4dd9faf49713144ad16301273bb5bf79fd2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd875f3d9c4d5650117e714c2c91f4dd9faf49713144ad16301273bb5bf79fd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update_contributors.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 109943, "scanner": "repobility-threat-engine", "fingerprint": "697a163c7b8668c6ec661fa65b23c89922f1d7db9e4b3da69b83ee8ff76925dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|697a163c7b8668c6ec661fa65b23c89922f1d7db9e4b3da69b83ee8ff76925dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/experiments/clouds.py"}, "region": 
{"startLine": 202}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 109942, "scanner": "repobility-threat-engine", "fingerprint": "845dcaa3e63d52682aac036d1cf6961c911e58fd0560f70ff3896e354c6b75d2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|845dcaa3e63d52682aac036d1cf6961c911e58fd0560f70ff3896e354c6b75d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "release.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED009", "level": "none", "message": {"text": "[MINED009] Floats For Money (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 109939, "scanner": "repobility-threat-engine", "fingerprint": "12045eff8aadab62ebed6cee261b286aa2c73b4ebd8450dbbd3f3c951109ebf4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|12045eff8aadab62ebed6cee261b286aa2c73b4ebd8450dbbd3f3c951109ebf4", "aggregated_count": 3}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 109935, "scanner": "repobility-threat-engine", "fingerprint": "7b598fdaf383cfc36bb47487a6288f6c05331e134be3d9cad8f33bfe7c779478", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b598fdaf383cfc36bb47487a6288f6c05331e134be3d9cad8f33bfe7c779478"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 109934, "scanner": "repobility-threat-engine", "fingerprint": "51af08cec98fea196bcd49eda2d04dda19aa841f33ed10b21a1d139a5e9c5ea3", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|109|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/map_layers/tiles/infrastructure/persistance/PersistentTileCache.kt"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 109933, "scanner": "repobility-threat-engine", "fingerprint": "2a0f7f03d4df730d9853a381172a2e38075bf4aa384c57c0147c69d5eb738bdc", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|169|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/io/FileSubsystem.kt"}, "region": {"startLine": 169}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 109932, "scanner": "repobility-threat-engine", "fingerprint": "a7f24fa13dfd64ac17ada68d6358a11a475736c1bc88a6becdf01acc052dc405", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|327|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/extensions/GeoJsonExtensions.kt"}, "region": {"startLine": 327}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 109930, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 109926, "scanner": "repobility-threat-engine", "fingerprint": "273f4901d453365aaaf98b3a4ae478e2a501c22c491b480a6fc69dacbee71abf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|273f4901d453365aaaf98b3a4ae478e2a501c22c491b480a6fc69dacbee71abf"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 109922, "scanner": "repobility-threat-engine", "fingerprint": "c327acbe9976ceba1de19ca766780f323c8da649ff7573e261fede24c0ea35a7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, 
"scanner": "repobility-threat-engine", "correlation_key": "fp|c327acbe9976ceba1de19ca766780f323c8da649ff7573e261fede24c0ea35a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/sonarscan.sh"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 109921, "scanner": "repobility-threat-engine", "fingerprint": "5772cc02acf8ceac1b9a9abd0d16105db0841ba65d7ac40c71112db6d7ea4713", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5772cc02acf8ceac1b9a9abd0d16105db0841ba65d7ac40c71112db6d7ea4713"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/sharing/MapSiteService.kt"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 109920, "scanner": "repobility-threat-engine", "fingerprint": "7be05479ec2bc40f08c141ec4fd9b11acf6a619e545546b755c069f19327d8a1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 
0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7be05479ec2bc40f08c141ec4fd9b11acf6a619e545546b755c069f19327d8a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/androidTest/java/com/kylecorry/trail_sense/tools/tides/infrastructure/io/NoaaHcAndMetadataTideTableConverterTest.kt"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED029", "level": "none", "message": {"text": "[MINED029] Kotlin Null Bang (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 109919, "scanner": "repobility-threat-engine", "fingerprint": "a250099bba0ca5968a6897c8cecead39f3e81fbf71cd324ddd238094d109a77b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a250099bba0ca5968a6897c8cecead39f3e81fbf71cd324ddd238094d109a77b", "aggregated_count": 8}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "properties": {"repobilityId": 109915, "scanner": "repobility-threat-engine", "fingerprint": "88bc83404cd2ee7008de79d63577b83ca6520a75ef847238a1ec8a3084ede646", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "parse_diff", "breakdown": {"if": 12, "or": 1, "for": 1, "elif": 1, "else": 1, "continue": 3, "nested_bonus": 19}, "aggregated": true, "complexity": 38, "correlation_key": "fp|88bc83404cd2ee7008de79d63577b83ca6520a75ef847238a1ec8a3084ede646", "aggregated_count": 5}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,504 bytes) committed to a repo that otherwise has 1753 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 110006, "scanner": "repobility-supply-chain", "fingerprint": "97956bb952ffb5296d47f0089f62bb85d2b097a6227d7bac0aa91455b42de43b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|97956bb952ffb5296d47f0089f62bb85d2b097a6227d7bac0aa91455b42de43b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `reactivecircus/android-emulator-runner` pinned to mutable ref `@v2`: `uses: reactivecircus/android-emulator-runner@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110005, "scanner": "repobility-supply-chain", "fingerprint": "7e6348de0927d30d2292b4bbb5df69fa9e9049695cc68a367cb5b9d22fb9ce87", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e6348de0927d30d2292b4bbb5df69fa9e9049695cc68a367cb5b9d22fb9ce87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/android-test.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v3`: `uses: gradle/actions/setup-gradle@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110004, "scanner": "repobility-supply-chain", "fingerprint": "4c5cb9f33618309a214c26add2c375295aa3ff6349d234698281fbf1f45d4857", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c5cb9f33618309a214c26add2c375295aa3ff6349d234698281fbf1f45d4857"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/android-test.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110003, "scanner": "repobility-supply-chain", "fingerprint": "42164fd9e226b92a0cb214c4d91ebcd8ea81a8134d902ca46fdb5ec4ec6ebfa3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42164fd9e226b92a0cb214c4d91ebcd8ea81a8134d902ca46fdb5ec4ec6ebfa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/android-test.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110002, "scanner": "repobility-supply-chain", "fingerprint": "0c4ff66239416f09c102247edadd74279c34e17715f86fe6315d617e3c630ee0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c4ff66239416f09c102247edadd74279c34e17715f86fe6315d617e3c630ee0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/android-test.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Shopify/upload-to-release` pinned to mutable ref `@v2.0.0`: `uses: Shopify/upload-to-release@v2.0.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110001, "scanner": "repobility-supply-chain", "fingerprint": "9aa6d35d32e7159a3ecf844abfb3d5070068625600def484449573a3911d2d24", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9aa6d35d32e7159a3ecf844abfb3d5070068625600def484449573a3911d2d24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110000, "scanner": "repobility-supply-chain", "fingerprint": "b06ffe89e293da575f5b7918ec978ab7696afd5ee41c4b185d240b61e0811809", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b06ffe89e293da575f5b7918ec978ab7696afd5ee41c4b185d240b61e0811809"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109999, "scanner": "repobility-supply-chain", "fingerprint": "0f2ff7d96043d786446d2fdfa1671a103d207ed8a53a8ce6b0e61531e81d1e0a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f2ff7d96043d786446d2fdfa1671a103d207ed8a53a8ce6b0e61531e81d1e0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109998, "scanner": "repobility-supply-chain", "fingerprint": "adaf78fdb5c6f145358caf65da0a0919f55131f1289872fa6044a3613da6aa17", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|adaf78fdb5c6f145358caf65da0a0919f55131f1289872fa6044a3613da6aa17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug-apk.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109997, "scanner": "repobility-supply-chain", "fingerprint": "88944e45317d4e779ee6fc3ccf1e99f3200a1fc6362b6f8214d243cfde1fee21", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88944e45317d4e779ee6fc3ccf1e99f3200a1fc6362b6f8214d243cfde1fee21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug-apk.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109996, "scanner": "repobility-supply-chain", "fingerprint": "24f4f7a5c9c313c8d357118a5cd3c6ce9cc9595fcca0fb14f05c66c995f8481b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24f4f7a5c9c313c8d357118a5cd3c6ce9cc9595fcca0fb14f05c66c995f8481b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/debug-apk.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109995, "scanner": "repobility-supply-chain", "fingerprint": "6b2149e591a765e9f8d504a195fe8d7bf82302e39e7ec14e1874453edebdc84e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b2149e591a765e9f8d504a195fe8d7bf82302e39e7ec14e1874453edebdc84e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109994, "scanner": "repobility-supply-chain", "fingerprint": "991ac370ceb4713a5bca822c82cedbe60999c47d0ca23d098644390d2f475a98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|991ac370ceb4713a5bca822c82cedbe60999c47d0ca23d098644390d2f475a98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109993, "scanner": "repobility-supply-chain", "fingerprint": "61264665a4b05a1b7e3959591eb6dce5dc5343a8f0dece3e95bf90a253ba0a8a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61264665a4b05a1b7e3959591eb6dce5dc5343a8f0dece3e95bf90a253ba0a8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v2`: `uses: actions/setup-python@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109992, "scanner": "repobility-supply-chain", "fingerprint": "97be3433c7bba7529d32ba055317302e95f00f4f9bde2f7677f2a166af1dcb28", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|97be3433c7bba7529d32ba055317302e95f00f4f9bde2f7677f2a166af1dcb28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109991, "scanner": "repobility-supply-chain", "fingerprint": "663a5fae98c9a3342bd16052da8139a2acfeb39b838772c3a4b1e4856d9c20de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|663a5fae98c9a3342bd16052da8139a2acfeb39b838772c3a4b1e4856d9c20de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109990, "scanner": "repobility-supply-chain", "fingerprint": "3ecb7e413e9008636a7b986e393c4916200bcb41fbaffbcd43aecb8169037100", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ecb7e413e9008636a7b986e393c4916200bcb41fbaffbcd43aecb8169037100"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/staging-smoke-test.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `reactivecircus/android-emulator-runner` pinned to mutable ref `@v2`: `uses: reactivecircus/android-emulator-runner@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109989, "scanner": "repobility-supply-chain", "fingerprint": "a276641d8f4e026920e25d4c515a739cca50fb7747c4f1afed24c636c3fdf3aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a276641d8f4e026920e25d4c515a739cca50fb7747c4f1afed24c636c3fdf3aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/staging-smoke-test.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v3`: `uses: gradle/actions/setup-gradle@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109988, "scanner": "repobility-supply-chain", "fingerprint": "3acbfac3e18b29c60237a199de4f35ccf7708d0b1b91b0feecc6ec5baaff1c6b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3acbfac3e18b29c60237a199de4f35ccf7708d0b1b91b0feecc6ec5baaff1c6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/staging-smoke-test.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109987, "scanner": "repobility-supply-chain", "fingerprint": "da0f8980872f291c6d274e339a8740b3a65b7b55d2a54eaa93be30fb36b2bb97", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da0f8980872f291c6d274e339a8740b3a65b7b55d2a54eaa93be30fb36b2bb97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/staging-smoke-test.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109986, "scanner": "repobility-supply-chain", "fingerprint": "e5d4ee9de6e6b95a752bfceaff4d63381aaada5cb86ad63ce84656c79ee88daa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5d4ee9de6e6b95a752bfceaff4d63381aaada5cb86ad63ce84656c79ee88daa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/staging-smoke-test.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109985, "scanner": "repobility-supply-chain", "fingerprint": "9e270999b5a2b24b06777d919dc6efd139d27c03ca54abcba0647abdc5b416cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9e270999b5a2b24b06777d919dc6efd139d27c03ca54abcba0647abdc5b416cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/android.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109984, "scanner": "repobility-supply-chain", "fingerprint": "0cd93bcfebe78748cad350c0b5a81128441e735a95e2505f73fc66becf3d3fbc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0cd93bcfebe78748cad350c0b5a81128441e735a95e2505f73fc66becf3d3fbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/android.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109983, "scanner": "repobility-supply-chain", "fingerprint": "c6a40159ee964a20e7d15b0cbdf0fc91836a32ce3c0f40bc0e370f662f72007d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c6a40159ee964a20e7d15b0cbdf0fc91836a32ce3c0f40bc0e370f662f72007d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109982, "scanner": "repobility-supply-chain", "fingerprint": "64610d7ba059511a739247df68fdad1aceedeac27f6b486bd078ad184dbb5b07", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|64610d7ba059511a739247df68fdad1aceedeac27f6b486bd078ad184dbb5b07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 109981, "scanner": "repobility-supply-chain", "fingerprint": "09cb7cc8507af447a7499888249e27a46f51caf302d4b7393aeed42aecba624c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09cb7cc8507af447a7499888249e27a46f51caf302d4b7393aeed42aecba624c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__get_format_args` used but never assigned in __init__: Method `check` of class `FormattingDoesNotMatch` reads `self.__get_format_args`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 109979, "scanner": "repobility-ast-engine", "fingerprint": "2e38d8a058d27c09ddb58ea129a261f70b58c92b6867969519c6fee58dba9a1d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2e38d8a058d27c09ddb58ea129a261f70b58c92b6867969519c6fee58dba9a1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/string-fixer.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__get_format_args` used but never assigned in __init__: Method `check` of class `FormattingDoesNotMatch` reads `self.__get_format_args`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 109978, "scanner": "repobility-ast-engine", "fingerprint": "8ae91804eeb0d1b8833f775d2ba9479ef4b37e111b3e9d4efa7024f2a743109c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8ae91804eeb0d1b8833f775d2ba9479ef4b37e111b3e9d4efa7024f2a743109c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/string-fixer.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__get_urls` used but never assigned in __init__: Method `check` of class `URLMismatch` reads `self.__get_urls`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 109977, "scanner": "repobility-ast-engine", "fingerprint": "a4509f870db5dfa7b8ea5a140fd0509e83709b2b5975e6fc3d6f798eeaea0543", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a4509f870db5dfa7b8ea5a140fd0509e83709b2b5975e6fc3d6f798eeaea0543"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/string-fixer.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__get_urls` used but never assigned in __init__: Method `check` of class `URLMismatch` reads `self.__get_urls`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 109976, "scanner": "repobility-ast-engine", "fingerprint": "bff62a784050490d9619d0d74bfdca4922a2e0a67bf2ffd615f6c3f3c996da9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bff62a784050490d9619d0d74bfdca4922a2e0a67bf2ffd615f6c3f3c996da9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/string-fixer.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 109962, "scanner": "repobility-threat-engine", "fingerprint": "295d9814aa3088e60f2b74cde8683369c933af06a214ebd486d12906d36daac8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|295d9814aa3088e60f2b74cde8683369c933af06a214ebd486d12906d36daac8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "survival-guide-book/generate-book.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML 
with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 109961, "scanner": "repobility-threat-engine", "fingerprint": "9463773c4dbfe81f78d3440deb5ebcd7a39d88733add3cd4cd8fb2c99a405ce3", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n          (device) => `\n                <details class=\"device\">\n                    <summary>$", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9463773c4dbfe81f78d3440deb5ebcd7a39d88733add3cd4cd8fb2c99a405ce3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/src/devices.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 109960, "scanner": "repobility-threat-engine", "fingerprint": "82102297f490b800fb5602d72c7e2e1aadfcd0a2a2f06ec5a93be1ec75a9685e", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|site/src/devices.js|40|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/src/devices.js"}, "region": 
{"startLine": 40}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 109951, "scanner": "repobility-threat-engine", "fingerprint": "0b8b9101e92f41416dfbf9265ac9e4e07936170ff66596b40a96b3c1770709e3", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(md_file_path, mode=\"r\", encoding=\"utf-8\") as input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|6|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/generation/markdown_converter.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 109950, "scanner": "repobility-threat-engine", "fingerprint": "1b596c4674ceeb76447b0901cad6ac3e619d40a5ec64bbb65c6ddfe07ef2d0e7", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "os.path.join(root, name), mode=\"r\", encoding=\"utf-8\") as input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|site/build.py|41|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/build.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (pass `timeout=` on every call). Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 109946, "scanner": "repobility-threat-engine", "fingerprint": "4d8d8a2ebaa4fabcf32ffe2ee0d8c4f95654bbb95a1d9087e91730de623f81ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4d8d8a2ebaa4fabcf32ffe2ee0d8c4f95654bbb95a1d9087e91730de623f81ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update_contributors.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED104", "level": "error", "message": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. 
Local privilege escalation surface; audit-failing for most compliance frameworks."}, "properties": {"repobilityId": 109945, "scanner": "repobility-threat-engine", "fingerprint": "29c258b2df112d7735587e2a1a9ed5497c5f8611cba03c3b013e1a516c0b9f9e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "chmod-777", "owasp": "A05:2021", "cwe_ids": ["CWE-732", "CWE-276"], "languages": ["shell", "bash", "dockerfile"], "precision": 1.0, "promoted_at": "2026-05-19T13:00:00.000000+00:00", "triaged_in_corpus": 0, "observations_count": 0, "ai_coder_pattern_id": 47}, "scanner": "repobility-threat-engine", "correlation_key": "fp|29c258b2df112d7735587e2a1a9ed5497c5f8611cba03c3b013e1a516c0b9f9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/run-staging-smoke-test.sh"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 109940, "scanner": "repobility-threat-engine", "fingerprint": "803f72a84b2c909706997e753312cf63384e2e49e854dbf254e839ea391fe49f", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'versionCode = (\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|release.py|16|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "release.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 109938, "scanner": "repobility-threat-engine", "fingerprint": "4d0fe6e6bef5fe7eeacd1710f35a28f8be42f8378dcc9210e66d955295ccee17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4d0fe6e6bef5fe7eeacd1710f35a28f8be42f8378dcc9210e66d955295ccee17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/tools/convert/ui/FragmentTimeConverter.kt"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable 
named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 109937, "scanner": "repobility-threat-engine", "fingerprint": "9f41e1b1c3666826ed43f8ce149813c44c34e20ee385bc623186e10754e51a06", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f41e1b1c3666826ed43f8ce149813c44c34e20ee385bc623186e10754e51a06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/tools/convert/ui/FragmentTemperatureConverter.kt"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 109936, "scanner": "repobility-threat-engine", "fingerprint": "acfbdc5cf76a6c9d84b455e1f0a92e3e17e29227bd488c1abbbf19ae3ae85c50", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|acfbdc5cf76a6c9d84b455e1f0a92e3e17e29227bd488c1abbbf19ae3ae85c50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"app/src/main/java/com/kylecorry/trail_sense/tools/convert/ui/FragmentDistanceConverter.kt"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 109929, "scanner": "repobility-threat-engine", "fingerprint": "fef12dd755fc2ec6f6c43263bd67221bfaad9df43c43bdd778fb1a7d8ae4f04f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fef12dd755fc2ec6f6c43263bd67221bfaad9df43c43bdd778fb1a7d8ae4f04f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/tools/beacons/infrastructure/share/BeaconGeoSender.kt"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 109928, "scanner": "repobility-threat-engine", "fingerprint": "2f7f07c55dff1402e20172ddb77c07600bfea0035af45b54da04455cb1039fff", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f7f07c55dff1402e20172ddb77c07600bfea0035af45b54da04455cb1039fff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/sharing/MapSiteService.kt"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 109927, "scanner": "repobility-threat-engine", "fingerprint": "4d2d052b8e60ee51d6f73ae7d790afbd189e59e22ba27e6577782a90606b4221", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4d2d052b8e60ee51d6f73ae7d790afbd189e59e22ba27e6577782a90606b4221"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/settings/ui/SettingsFragment.kt"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 109925, "scanner": "repobility-threat-engine", "fingerprint": "b4b750609a9ac9fdd4ccdc1b2150cbfb7ec7f66285cde9a3c42a6020180fcbfe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "appVersionFile.delete()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b4b750609a9ac9fdd4ccdc1b2150cbfb7ec7f66285cde9a3c42a6020180fcbfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/settings/backup/BackupService.kt"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 109924, "scanner": "repobility-threat-engine", "fingerprint": "855f735456cf3924b4ea1134ab841e67a235a6b31e1cfd12cac55c1c12eff721", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fileSystem.delete(filename)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|855f735456cf3924b4ea1134ab841e67a235a6b31e1cfd12cac55c1c12eff721"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/main/errors/BaseExceptionHandler.kt"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 109923, "scanner": "repobility-threat-engine", "fingerprint": "773faf76bf9aa50c61d75fae6ea73ab061efcafb1ea3a39fc5d20cdc257cb127", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cacheFiles.delete(\"clouds\", true)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|773faf76bf9aa50c61d75fae6ea73ab061efcafb1ea3a39fc5d20cdc257cb127"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/androidTest/java/com/kylecorry/trail_sense/weather/domain/clouds/CloudTrainingDataGenerator.kt"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlins null safety."}, "properties": {"repobilityId": 109918, "scanner": "repobility-threat-engine", "fingerprint": "6d006245558df69eb2f06e06b59d8bf3869124f69fa1860a0a1692058ed5f8c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d006245558df69eb2f06e06b59d8bf3869124f69fa1860a0a1692058ed5f8c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/extensions/GeoJsonExtensions.kt"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlins null safety."}, "properties": {"repobilityId": 109917, "scanner": "repobility-threat-engine", "fingerprint": "be76fd57d362fed44090fc12f73cc34effc83a4febfa8a959d6d6afa15ca127a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be76fd57d362fed44090fc12f73cc34effc83a4febfa8a959d6d6afa15ca127a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/data/GeographicImageSource.kt"}, "region": {"startLine": 281}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlins null safety."}, "properties": {"repobilityId": 109916, "scanner": "repobility-threat-engine", "fingerprint": "29ffe5c47db953574799f66ab84ef1b1953ad1ccb0b0aa45b476f2aadf9e3eb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|29ffe5c47db953574799f66ab84ef1b1953ad1ccb0b0aa45b476f2aadf9e3eb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/androidTest/java/com/kylecorry/trail_sense/tools/ToolsTest.kt"}, "region": {"startLine": 48}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `parse_diff` has cognitive complexity 38 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=3, elif=1, else=1, for=1, if=12, nested_bonus=19, or=1."}, "properties": {"repobilityId": 109912, "scanner": "repobility-threat-engine", "fingerprint": "677a1bf2f68a45cbb6d743507b5f9591b236fca964ae2800ea446c4194191d81", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 38 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "parse_diff", "breakdown": {"if": 12, "or": 1, "for": 1, "elif": 1, "else": 1, "continue": 3, "nested_bonus": 19}, "complexity": 38, "correlation_key": "fp|677a1bf2f68a45cbb6d743507b5f9591b236fca964ae2800ea446c4194191d81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/android-check-pr-translations/scripts/extract_pr_strings.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `locale` used but not imported: The file uses `locale.something(...)` but never imports `locale`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 109980, "scanner": "repobility-ast-engine", "fingerprint": "bdc5a4669cfce4d11e388bc8a774c1d1ca9d390d0cc0240dd7c550470cb4ff58", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bdc5a4669cfce4d11e388bc8a774c1d1ca9d390d0cc0240dd7c550470cb4ff58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update-guide.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 109975, "scanner": "repobility-ast-engine", "fingerprint": "34df98aa4bbf9571813cbdee79b00787e13a54ebeb7e427c7d5567f9ca463a50", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|34df98aa4bbf9571813cbdee79b00787e13a54ebeb7e427c7d5567f9ca463a50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/build.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 109958, 
"scanner": "repobility-threat-engine", "fingerprint": "ea83504ec9ed2966c58a5844df67cb6308223e4561a36954fe7a7e00ac79829e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea83504ec9ed2966c58a5844df67cb6308223e4561a36954fe7a7e00ac79829e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/generation/markdown_converter.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 109957, "scanner": "repobility-threat-engine", "fingerprint": "90fb60c6835b9594edd9e7e7af0a4518ac94c3a257e8d80c3726f8a97244cca8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|90fb60c6835b9594edd9e7e7af0a4518ac94c3a257e8d80c3726f8a97244cca8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/build.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC116", "level": "error", "message": 
{"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 109956, "scanner": "repobility-threat-engine", "fingerprint": "620e157911e519cd42483a64c8e3f94c5cf64ea5ca24b710cd5841b4728b5630", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|33|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/generation/markdown_converter.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. 
`unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 109955, "scanner": "repobility-threat-engine", "fingerprint": "5292267725450749c35eb0addb8b3e7531902292183ad20b3b2de2a585648eb6", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|site/build.py|16|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/build.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 109954, "scanner": "repobility-threat-engine", "fingerprint": "0f2073f9b1a02418db7dd60f0df2c91cd5288023993094533f486aa9fd55c417", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(metadata_text, Loader=yaml.FullLoader)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0f2073f9b1a02418db7dd60f0df2c91cd5288023993094533f486aa9fd55c417"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/generation/markdown_converter.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute 
arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 109953, "scanner": "repobility-threat-engine", "fingerprint": "f3aa126cc58667956b012ce909e1ac91e54e9ffe1914c8d47e1d067e5e4ff39b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(input_file, Loader=yaml.FullLoader)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f3aa126cc58667956b012ce909e1ac91e54e9ffe1914c8d47e1d067e5e4ff39b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "site/build.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 109931, "scanner": "repobility-threat-engine", "fingerprint": "eb21949c1fe165838d3a6d8f76873cc9ec503dacff2bb3bfb43dd3056cffa643", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(stripes", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eb21949c1fe165838d3a6d8f76873cc9ec503dacff2bb3bfb43dd3056cffa643"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/com/kylecorry/trail_sense/shared/concurrency/StripedLock.kt"}, "region": {"startLine": 8}}}]}]}]}