{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-q34m-jh98-gwm2", "name": "werkzeug: GHSA-q34m-jh98-gwm2", "shortDescription": {"text": "werkzeug: GHSA-q34m-jh98-gwm2"}, "fullDescription": {"text": "Werkzeug possible resource exhaustion when parsing file data in forms"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hgf8-39gv-g3f2", "name": "werkzeug: GHSA-hgf8-39gv-g3f2", "shortDescription": {"text": "werkzeug: GHSA-hgf8-39gv-g3f2"}, "fullDescription": {"text": "Werkzeug safe_join() allows Windows special device names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f9vj-2wh5-fj8j", "name": "werkzeug: GHSA-f9vj-2wh5-fj8j", "shortDescription": {"text": "werkzeug: GHSA-f9vj-2wh5-fj8j"}, "fullDescription": {"text": "Werkzeug safe_join not safe on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-87hc-h4r5-73f7", "name": "werkzeug: GHSA-87hc-h4r5-73f7", "shortDescription": {"text": "werkzeug: GHSA-87hc-h4r5-73f7"}, "fullDescription": {"text": " Werkzeug safe_join() allows Windows special device names with compound extensions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-29vq-49wr-vm6x", "name": "werkzeug: GHSA-29vq-49wr-vm6x", "shortDescription": {"text": "werkzeug: GHSA-29vq-49wr-vm6x"}, "fullDescription": {"text": " Werkzeug safe_join() allows Windows special device names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, 
{"id": "GHSA-887c-mr87-cxwp", "name": "torch: GHSA-887c-mr87-cxwp", "shortDescription": {"text": "torch: GHSA-887c-mr87-cxwp"}, "fullDescription": {"text": "PyTorch Improper Resource Shutdown or Release vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gc5v-m9x4-r6x2", "name": "requests: GHSA-gc5v-m9x4-r6x2", "shortDescription": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "fullDescription": {"text": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9hjg-9r4m-mvj7", "name": "requests: GHSA-9hjg-9r4m-mvj7", "shortDescription": {"text": "requests: GHSA-9hjg-9r4m-mvj7"}, "fullDescription": {"text": "Requests vulnerable to .netrc credentials leak via malicious URLs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r73j-pqj5-w3x7", "name": "pillow: GHSA-r73j-pqj5-w3x7", "shortDescription": {"text": "pillow: GHSA-r73j-pqj5-w3x7"}, "fullDescription": {"text": "Pillow has a PDF Parsing Trailer Infinite Loop (DoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x3rm-644h-67m8", "name": "opencv-python: GHSA-x3rm-644h-67m8", "shortDescription": {"text": "opencv-python: GHSA-x3rm-644h-67m8"}, "fullDescription": {"text": "Out-of-bounds Read in OpenCV"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hxfw-jm98-v4mq", "name": "opencv-python: GHSA-hxfw-jm98-v4mq", "shortDescription": {"text": "opencv-python: GHSA-hxfw-jm98-v4mq"}, "fullDescription": {"text": "Divide By Zero in OpenCV."}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "When dependency installation comes after COPY ., any source change invalidates the dependency layer and makes Docker rebuild much more slowly."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . 
is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR013", "name": "Dockerfile ADD downloads remote content", "shortDescription": {"text": "Dockerfile ADD downloads remote content"}, "fullDescription": {"text": "ADD can fetch remote URLs without checksum verification. This makes builds dependent on mutable network content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. 
Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `attempt_load` has cognitive complexity 21 (SonarSource scale). Cognitive ", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `attempt_load` has cognitive complexity 21 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 21."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. 
`curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "MINED124", "name": "requirements.txt: `packaging  # Migration of deprecated pkg_resources packages` has no version pin", "shortDescription": {"text": "requirements.txt: `packaging  # Migration of deprecated pkg_resources packages` has no version pin"}, "fullDescription": {"text": "Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Pip's package cache increases image size and can preserve unnecessary artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "Package indexes increase image size and can expose stale metadata in the final image layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": 
".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-400 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g68-c3qc-8985", "name": "werkzeug: GHSA-2g68-c3qc-8985", "shortDescription": {"text": "werkzeug: GHSA-2g68-c3qc-8985"}, "fullDescription": {"text": "Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38jv-5279-wg99", "name": "urllib3: GHSA-38jv-5279-wg99", "shortDescription": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "fullDescription": {"text": "Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-142", "name": "urllib3: 
PYSEC-2026-142", "shortDescription": {"text": "urllib3: PYSEC-2026-142"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-141", "name": "urllib3: PYSEC-2026-141", "shortDescription": {"text": "urllib3: PYSEC-2026-141"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-139", "name": "torch: PYSEC-2026-139", "shortDescription": {"text": "torch: PYSEC-2026-139"}, "fullDescription": {"text": "A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. 
The project was informed of the problem early through a pull request but has not reacted yet."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-209", "name": "torch: PYSEC-2025-209", "shortDescription": {"text": "torch: PYSEC-2025-209"}, "fullDescription": {"text": "An issue in pytorch v2.7.0 can lead to a Denial of Service (DoS) when a PyTorch model consists of torch.Tensor.to_sparse() and torch.Tensor.to_dense() and is compiled by Inductor."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-208", "name": "torch: PYSEC-2025-208", "shortDescription": {"text": "torch: PYSEC-2025-208"}, "fullDescription": {"text": "A buffer overflow occurs in pytorch v2.7.0 when a PyTorch model consists of torch.nn.Conv2d, torch.nn.functional.hardshrink, and torch.Tensor.view-torch.mv() and is compiled by Inductor, leading to a Denial of Service (DoS)."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-207", "name": "torch: PYSEC-2025-207", "shortDescription": {"text": "torch: PYSEC-2025-207"}, "fullDescription": {"text": "A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS)."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-206", "name": "torch: PYSEC-2025-206", "shortDescription": {"text": "torch: PYSEC-2025-206"}, "fullDescription": {"text": "pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long()."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": 
""}}, {"id": "PYSEC-2025-205", "name": "torch: PYSEC-2025-205", "shortDescription": {"text": "torch: PYSEC-2025-205"}, "fullDescription": {"text": "A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS)."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-204", "name": "torch: PYSEC-2025-204", "shortDescription": {"text": "torch: PYSEC-2025-204"}, "fullDescription": {"text": "pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randn_like are used together."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-203", "name": "torch: PYSEC-2025-203", "shortDescription": {"text": "torch: PYSEC-2025-203"}, "fullDescription": {"text": "An issue in the component torch.linalg.lu of pytorch v2.8.0 allows attackers to cause a Denial of Service (DoS) when performing a slice operation."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-198", "name": "torch: PYSEC-2025-198", "shortDescription": {"text": "torch: PYSEC-2025-198"}, "fullDescription": {"text": "In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-191", "name": "torch: PYSEC-2025-191", "shortDescription": {"text": "torch: PYSEC-2025-191"}, "fullDescription": {"text": "A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_max_pool2d. The manipulation leads to denial of service. An attack has to be approached locally. 
The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The security policy of the project warns against using unknown models, which might have malicious effects."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2024-259", "name": "torch: PYSEC-2024-259", "shortDescription": {"text": "torch: PYSEC-2024-259"}, "fullDescription": {"text": "In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2024-252", "name": "torch: PYSEC-2024-252", "shortDescription": {"text": "torch: PYSEC-2024-252"}, "fullDescription": {"text": "PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. 
This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2024-251", "name": "torch: PYSEC-2024-251", "shortDescription": {"text": "torch: PYSEC-2024-251"}, "fullDescription": {"text": "Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2024-250", "name": "torch: PYSEC-2024-250", "shortDescription": {"text": "torch: PYSEC-2024-250"}, "fullDescription": {"text": "Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the component torch/csrc/jit/mobile/flatbuffer_loader.cpp."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-49", "name": "setuptools: PYSEC-2025-49", "shortDescription": {"text": "setuptools: PYSEC-2025-49"}, "fullDescription": {"text": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. 
Version 78.1.1 fixes the issue."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-114", "name": "scipy: PYSEC-2023-114", "shortDescription": {"text": "scipy: PYSEC-2023-114"}, "fullDescription": {"text": "** DISPUTED ** A use-after-free issue was discovered in Py_FindObjects() function in SciPy versions prior to 1.8.0. NOTE: the vendor and discoverer indicate that this is not a security issue."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-102", "name": "scipy: PYSEC-2023-102", "shortDescription": {"text": "scipy: PYSEC-2023-102"}, "fullDescription": {"text": "A refcounting issue which leads to potential memory leak was discovered in scipy commit 8627df31ab in Py_FindObjects() function."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-whj4-6x5x-4v2j", "name": "pillow: GHSA-whj4-6x5x-4v2j", "shortDescription": {"text": "pillow: GHSA-whj4-6x5x-4v2j"}, "fullDescription": {"text": "FITS GZIP decompression bomb in Pillow"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pwv6-vv43-88gr", "name": "pillow: GHSA-pwv6-vv43-88gr", "shortDescription": {"text": "pillow: GHSA-pwv6-vv43-88gr"}, "fullDescription": {"text": "Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cfh3-3jmp-rvhc", "name": "pillow: GHSA-cfh3-3jmp-rvhc", "shortDescription": {"text": "pillow: GHSA-cfh3-3jmp-rvhc"}, "fullDescription": {"text": "Pillow affected by out-of-bounds write when loading PSD images"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-165", "name": "pillow: PYSEC-2026-165", "shortDescription": {"text": "pillow: PYSEC-2026-165"}, "fullDescription": {"text": "Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q799-q27x-vp7w", "name": "opencv-python: GHSA-q799-q27x-vp7w", "shortDescription": {"text": "opencv-python: GHSA-q799-q27x-vp7w"}, "fullDescription": {"text": "Out-of-bounds Write in OpenCV"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fw99-f933-rgh8", "name": "opencv-python: GHSA-fw99-f933-rgh8", "shortDescription": {"text": "opencv-python: GHSA-fw99-f933-rgh8"}, "fullDescription": {"text": "Out-of-bounds Read and Out-of-bounds Write in OpenCV"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fm39-cw8h-3p63", "name": "opencv-python: GHSA-fm39-cw8h-3p63", "shortDescription": {"text": "opencv-python: GHSA-fm39-cw8h-3p63"}, "fullDescription": {"text": "Out-of-bounds Read in OpenCV"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8849-5h85-98qw", "name": "opencv-python: GHSA-8849-5h85-98qw", "shortDescription": {"text": "opencv-python: GHSA-8849-5h85-98qw"}, "fullDescription": {"text": "Out-of-bounds Write in OpenCV"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, 
"cwe": "", "owasp": ""}}, {"id": "GHSA-3448-vrgh-85xr", "name": "opencv-python: GHSA-3448-vrgh-85xr", "shortDescription": {"text": "opencv-python: GHSA-3448-vrgh-85xr"}, "fullDescription": {"text": "NULL Pointer Dereference in OpenCV."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-183", "name": "opencv-python: PYSEC-2023-183", "shortDescription": {"text": "opencv-python: PYSEC-2023-183"}, "fullDescription": {"text": "opencv-python versions before v4.8.1.78 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-python v4.8.1.78 upgrades the bundled libwebp binary to v1.3.2."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x2qx-6953-8485", "name": "gitpython: GHSA-x2qx-6953-8485", "shortDescription": {"text": "gitpython: GHSA-x2qx-6953-8485"}, "fullDescription": {"text": "GitPython: Unsafe option check validates multi_options before shlex.split transformation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v87r-6q3f-2j67", "name": "gitpython: GHSA-v87r-6q3f-2j67", "shortDescription": {"text": "gitpython: GHSA-v87r-6q3f-2j67"}, "fullDescription": {"text": "GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mv93-w799-cj2w", "name": "gitpython: GHSA-mv93-w799-cj2w", "shortDescription": {"text": "gitpython: GHSA-mv93-w799-cj2w"}, "fullDescription": {"text": "GitPython: Newline injection in config_writer() section parameter bypasses CVE-2026-42215 patch, enabling RCE via core.hooksPath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", 
"severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7545-fcxq-7j24", "name": "gitpython: GHSA-7545-fcxq-7j24", "shortDescription": {"text": "gitpython: GHSA-7545-fcxq-7j24"}, "fullDescription": {"text": "GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2mqj-m65w-jghx", "name": "gitpython: GHSA-2mqj-m65w-jghx", "shortDescription": {"text": "gitpython: GHSA-2mqj-m65w-jghx"}, "fullDescription": {"text": "Untrusted search path under some conditions on Windows allows arbitrary code execution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-165", "name": "gitpython: PYSEC-2023-165", "shortDescription": {"text": "gitpython: PYSEC-2023-165"}, "fullDescription": {"text": " GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. 
This issue has not yet been addressed."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-161", "name": "gitpython: PYSEC-2023-161", "shortDescription": {"text": "gitpython: PYSEC-2023-161"}, "fullDescription": {"text": " GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the `git` command, if a user runs GitPython from a repo has a `git.exe` or `git` executable, that program will be run instead of the one in the user's `PATH`. This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo. An attacker can trick a user to download a repository with a malicious `git` executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands. There is no fix currently available for windows users, however there are a few mitigations. 1: Default to an absolute path for the git program on Windows, like `C:\\\\Program Files\\\\Git\\\\cmd\\\\git.EXE` (default git path installation). "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-137", "name": "gitpython: PYSEC-2023-137", "shortDescription": {"text": "gitpython: PYSEC-2023-137"}, "fullDescription": {"text": "GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. 
"NOTE: this issue exists because of an incomplete fix for CVE-2022-24439."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Catch `Exception` (or the specific exceptions the block expects) instead of `BaseException`; if cleanup genuinely must run on every exit, use `try/finally` or re-raise `KeyboardInterrupt` and `SystemExit` after it. See CWE-705 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape filter values with an LDAP filter encoder (RFC 4515 rules, which escape `*`, `(`, `)`, backslash and NUL); `javax.naming.ldap.Rdn.escapeValue` applies DN-component escaping and leaves `*`, `(` and `)` intact, so it does not prevent filter injection. For python-ldap, use ldap.filter.escape_filter_chars (or ldap.filter.filter_format). Better: use parameterized search APIs (Spring LdapTemplate filter encoders / LdapEncoder.filterEncode)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. 
"The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Pass the command as an argument list with `shell=False` (the default) so no shell parses the arguments, and never interpolate untrusted input into a command string; if a shell feature is genuinely required, quote each untrusted piece with `shlex.quote`. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
"NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call, including calls made through a `requests.Session`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nAlso restrict the scheme to http/https and disable or re-validate redirects, since a 3xx from an allowlisted host can point anywhere.\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private and loopback ranges explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16, 127/8 and their IPv6 counterparts (::1, fc00::/7, fe80::/10), checking the address the hostname actually resolves to rather than the name alone (an allowlisted name can resolve to an internal IP)."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED104", "name": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local pr", "shortDescription": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks."}, "fullDescription": {"text": "Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). 
"For directories that genuinely need shared write access, use a group with chmod g+w and chown the right group."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Replace `os.system()` with `subprocess.run([...], check=True)` and an argument list (no shell), and never interpolate untrusted input into a command string. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `slackapi/slack-github-action` pinned to mutable ref `@v3.0.3`", "shortDescription": {"text": "Action `slackapi/slack-github-action` pinned to mutable ref `@v3.0.3`"}, "fullDescription": {"text": "`uses: slackapi/slack-github-action@v3.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to the full 40-character commit SHA (keep the version as a trailing comment, e.g. `@<sha> # v3.0.3`) and let Dependabot or Renovate bump the pinned SHA."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED119", "name": "Dockerfile `ADD https://ultralytics.com/assets/Arial.ttf`", "shortDescription": {"text": "Dockerfile `ADD https://ultralytics.com/assets/Arial.ttf`"}, "fullDescription": {"text": "Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
"If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image. Fetch it with `ADD --checksum=sha256:<digest> <url> <dest>` (BuildKit), or download and verify a pinned checksum in the same RUN step, or vendor the file into the build context."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `pytorch/pytorch:2.8.0-cuda12.8-cudnn9-runtime` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `pytorch/pytorch:2.8.0-cuda12.8-cudnn9-runtime` not pinned by digest"}, "fullDescription": {"text": "`FROM pytorch/pytorch:2.8.0-cuda12.8-cudnn9-runtime` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image:tag@sha256:...` (the tag stays for readability, the digest is what is enforced) for reproducibility + supply-chain integrity, with an automated bump so the pin does not freeze an outdated base."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.count` used but never assigned in __init__", "shortDescription": {"text": "`self.count` used but never assigned in __init__"}, "fullDescription": {"text": "Method `__next__` of class `LoadImages` reads `self.count`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-53q9-r3pm-6pq6", "name": "torch: GHSA-53q9-r3pm-6pq6", "shortDescription": {"text": "torch: GHSA-53q9-r3pm-6pq6"}, "fullDescription": {"text": "PyTorch: `torch.load` with `weights_only=True` leads to remote code execution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-47fc-vmwq-366v", "name": "torch: GHSA-47fc-vmwq-366v", "shortDescription": {"text": "torch: GHSA-47fc-vmwq-366v"}, "fullDescription": {"text": "PyTorch vulnerable to arbitrary code execution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pr76-5cm5-w9cj", "name": "gitpython: GHSA-pr76-5cm5-w9cj", "shortDescription": {"text": "gitpython: GHSA-pr76-5cm5-w9cj"}, "fullDescription": {"text": "GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8q59-q68h-6hv4", "name": "pyyaml: GHSA-8q59-q68h-6hv4", "shortDescription": {"text": "pyyaml: GHSA-8q59-q68h-6hv4"}, "fullDescription": {"text": "Improper Input Validation in PyYAML"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.SLACK_WEBHOOK_URL_YOLO` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.SLACK_WEBHOOK_URL_YOLO` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. 
"Referencing `${{ secrets.SLACK_WEBHOOK_URL_YOLO }}` in a job that also checks out and runs PR code lets that code exfiltrate the secret (modify a script, log the value, etc.). Note that GitHub withholds repository secrets from `pull_request` runs opened from forks, so on this trigger the exposure is to PRs from branches in the same repository; it becomes reachable from any fork if the trigger is ever switched to `pull_request_target`. Keep the Slack step in a job that does not check out PR code, and use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/904"}, "properties": {"repository": "ultralytics/yolov5", "repoUrl": "https://github.com/ultralytics/yolov5", "branch": "master"}, "results": [{"ruleId": "GHSA-q34m-jh98-gwm2", "level": "warning", "message": {"text": "werkzeug: GHSA-q34m-jh98-gwm2"}, "properties": {"repobilityId": 84462, "scanner": "osv-scanner", "fingerprint": "d9333f910303446b0a128f6e8e91f657a0badc299a0cab1238c2895b15e900bc", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-49767"], "package": "werkzeug", "rule_id": "GHSA-q34m-jh98-gwm2", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2024-49767|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/google_app_engine/additional_requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hgf8-39gv-g3f2", "level": "warning", "message": {"text": "werkzeug: GHSA-hgf8-39gv-g3f2"}, "properties": {"repobilityId": 84461, "scanner": "osv-scanner", "fingerprint": "51df4b30855ce203ba5879301ba26ad1976f167d40f1a57c77b47e990f9cbdbb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66221"], "package": "werkzeug", "rule_id": "GHSA-hgf8-39gv-g3f2", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2025-66221|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"utils/google_app_engine/additional_requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f9vj-2wh5-fj8j", "level": "warning", "message": {"text": "werkzeug: GHSA-f9vj-2wh5-fj8j"}, "properties": {"repobilityId": 84460, "scanner": "osv-scanner", "fingerprint": "d08a28d2a40c886cc92de667ab28bb32d870deba03a8b4cbefe813f2a9a11421", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-49766"], "package": "werkzeug", "rule_id": "GHSA-f9vj-2wh5-fj8j", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2024-49766|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/google_app_engine/additional_requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-87hc-h4r5-73f7", "level": "warning", "message": {"text": "werkzeug: GHSA-87hc-h4r5-73f7"}, "properties": {"repobilityId": 84459, "scanner": "osv-scanner", "fingerprint": "9df06602be59f45e1318aca2873a0dca48cc2e5c81c7d6bf222f92c03dcb7723", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-21860"], "package": "werkzeug", "rule_id": "GHSA-87hc-h4r5-73f7", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2026-21860|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/google_app_engine/additional_requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-29vq-49wr-vm6x", "level": "warning", "message": {"text": "werkzeug: GHSA-29vq-49wr-vm6x"}, "properties": {"repobilityId": 84457, "scanner": "osv-scanner", "fingerprint": "d1d1d7e9efc4cfb883cc900ce614a0fd9894256b05503a48ddea053fe74aa754", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": 
"", "aliases": ["CVE-2026-27199"], "package": "werkzeug", "rule_id": "GHSA-29vq-49wr-vm6x", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2026-27199|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/google_app_engine/additional_requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-887c-mr87-cxwp", "level": "warning", "message": {"text": "torch: GHSA-887c-mr87-cxwp"}, "properties": {"repobilityId": 84453, "scanner": "osv-scanner", "fingerprint": "cd9d29a18f3a471b652a188ecab309d7b384d6896b51dcb4aac681c221f407db", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-3730", "CVE-2025-3730"], "package": "torch", "rule_id": "GHSA-887c-mr87-cxwp", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-3730|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gc5v-m9x4-r6x2", "level": "warning", "message": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "properties": {"repobilityId": 84433, "scanner": "osv-scanner", "fingerprint": "df69fc105f839b8858988bd945af94347c2e8a5ab6be2c5dec785fcd4d2fc827", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25645"], "package": "requests", "rule_id": "GHSA-gc5v-m9x4-r6x2", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2026-25645|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9hjg-9r4m-mvj7", "level": "warning", "message": {"text": "requests: GHSA-9hjg-9r4m-mvj7"}, "properties": {"repobilityId": 84432, "scanner": "osv-scanner", "fingerprint": 
"034eedde606d9526f151c4b574252cb5c7f7efabba940fadb09dc2a0d1598395", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47081"], "package": "requests", "rule_id": "GHSA-9hjg-9r4m-mvj7", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2024-47081|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r73j-pqj5-w3x7", "level": "warning", "message": {"text": "pillow: GHSA-r73j-pqj5-w3x7"}, "properties": {"repobilityId": 84430, "scanner": "osv-scanner", "fingerprint": "2d968015b9f586005b40b03e00f6a5450f00049b67bb47791a9e397bd9744553", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-42310", "CVE-2026-42310"], "package": "pillow", "rule_id": "GHSA-r73j-pqj5-w3x7", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42310|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x3rm-644h-67m8", "level": "warning", "message": {"text": "opencv-python: GHSA-x3rm-644h-67m8"}, "properties": {"repobilityId": 84426, "scanner": "osv-scanner", "fingerprint": "8bb677807e1c3c4d3872070e7b9fc1640ad39790df7e6f9b625742274a46c431", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2019-16249"], "package": "opencv-python", "rule_id": "GHSA-x3rm-644h-67m8", "scanner": "osv-scanner", "correlation_key": "vuln|opencv-python|CVE-2019-16249|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-hxfw-jm98-v4mq", "level": "warning", "message": {"text": "opencv-python: GHSA-hxfw-jm98-v4mq"}, "properties": {"repobilityId": 84424, "scanner": "osv-scanner", "fingerprint": "aaf0eaffc23419538c9f4f0b0ce8bf7f9f5d10c7638981cdbd1316f5a1a81120", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2019-15939"], "package": "opencv-python", "rule_id": "GHSA-hxfw-jm98-v4mq", "scanner": "osv-scanner", "correlation_key": "vuln|opencv-python|CVE-2019-15939|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 84408, "scanner": "repobility-docker", "fingerprint": "171d2f68cbc70d5c877ea20836681e32da573a2136be254e17cf07b7bc46007f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "gcr.io/google-appengine/python", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|171d2f68cbc70d5c877ea20836681e32da573a2136be254e17cf07b7bc46007f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/google_app_engine/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 84404, "scanner": "repobility-docker", "fingerprint": 
"49b34e5b68ff4561cfb9d5eeb551c5df83fccf24738c264ff70b37011b4dcc31", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "gcr.io/google-appengine/python", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|49b34e5b68ff4561cfb9d5eeb551c5df83fccf24738c264ff70b37011b4dcc31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/google_app_engine/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 84402, "scanner": "repobility-docker", "fingerprint": "106b846f17a25a5c90302467aa8ee9c097e06320855b3a65b353e8f7fce4ddf8", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "pytorch/pytorch:2.8.0-cuda12.8-cudnn9-runtime", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|106b846f17a25a5c90302467aa8ee9c097e06320855b3a65b353e8f7fce4ddf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 84401, "scanner": "repobility-docker", "fingerprint": 
"ea72bbf6d924f2e9e5c8a6194d394d4cd330ae7928ca0c521b699eb3ea667baa", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 28 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 28, "correlation_key": "fp|ea72bbf6d924f2e9e5c8a6194d394d4cd330ae7928ca0c521b699eb3ea667baa", "dependency_install_line": 33}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 84398, "scanner": "repobility-docker", "fingerprint": "cbba0a8be890f936a8389824862c33147f4aeeb64681cdc20b619877ac057666", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|cbba0a8be890f936a8389824862c33147f4aeeb64681cdc20b619877ac057666", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 84396, "scanner": "repobility-docker", "fingerprint": "6c03705a0c3caadb55f361a4eb54dd487ba963716fdd5cded97ac964955d1649", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6c03705a0c3caadb55f361a4eb54dd487ba963716fdd5cded97ac964955d1649"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 84395, "scanner": "repobility-docker", "fingerprint": "361427412ca5226468db348b79ef8205ab941c43f9418b254578990f00f6ea4c", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|361427412ca5226468db348b79ef8205ab941c43f9418b254578990f00f6ea4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 84390, "scanner": "repobility-threat-engine", "fingerprint": "b558958e8a7222c580e9f06a84d6fa11d14e097c65f5087e482944f347c8ef9c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": 
"Pattern matched with no mitigating context found", "evidence": {"match": "debug=True", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b558958e8a7222c580e9f06a84d6fa11d14e097c65f5087e482944f347c8ef9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/flask_rest_api/restapi.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 84382, "scanner": "repobility-threat-engine", "fingerprint": "d7c3bdbaaf01019ea41bd5512d48978393cebd732e3a42aa9d769e3459f58f39", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.check_output([\"gsutil\", \"du\", url], shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|utils/downloads.py|29|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/downloads.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `attempt_load` has cognitive complexity 21 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: and=1, elif=1, for=3, if=5, nested_bonus=8, or=1, ternary=2."}, "properties": {"repobilityId": 84374, "scanner": "repobility-threat-engine", "fingerprint": "d025ba634aa10e9285f662790ba581b61b56ba12cc4cf847cb8d60682887bff0", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 21 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "attempt_load", "breakdown": {"if": 5, "or": 1, "and": 1, "for": 3, "elif": 1, "ternary": 2, "nested_bonus": 8}, "complexity": 21, "correlation_key": "fp|d025ba634aa10e9285f662790ba581b61b56ba12cc4cf847cb8d60682887bff0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/experimental.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 21 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=2, for=2, if=6, nested_bonus=7, ternary=4."}, "properties": {"repobilityId": 84373, "scanner": "repobility-threat-engine", "fingerprint": "92d94ebabdfc60bb2dc2aee4c1e32eaab60a0a37452e1a07eb6814655cf4750a", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 21 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 6, "for": 2, "else": 2, "ternary": 4, "nested_bonus": 7}, "complexity": 21, "correlation_key": "fp|92d94ebabdfc60bb2dc2aee4c1e32eaab60a0a37452e1a07eb6814655cf4750a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "classify/val.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 84369, "scanner": "repobility-agent-runtime", "fingerprint": "cfe625f82a76089292340cd973bb3146c1e92927e7d18e116d598ffa2a579f4d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cfe625f82a76089292340cd973bb3146c1e92927e7d18e116d598ffa2a579f4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data/scripts/get_imagenet.sh"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `packaging  # Migration of deprecated pkg_resources packages` has no version pin"}, "properties": {"repobilityId": 84345, "scanner": "repobility-supply-chain", "fingerprint": 
"1874ddfee0b9df398ce6c6bcf66722ce036e1c74ddd7f1e53c2efa8abe854452", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1874ddfee0b9df398ce6c6bcf66722ce036e1c74ddd7f1e53c2efa8abe854452"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `psutil  # system resources` has no version pin"}, "properties": {"repobilityId": 84344, "scanner": "repobility-supply-chain", "fingerprint": "fe647071dcf7284540e848d433f650b07ec1aa06e0a1f120069e03a00fb51cdb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe647071dcf7284540e848d433f650b07ec1aa06e0a1f120069e03a00fb51cdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84343, "scanner": "repobility-ast-engine", "fingerprint": "32b07080a7df61b075e1c53eb8411b4452f34adf1c0a0832d4cc6ff4659a8acf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], 
"observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32b07080a7df61b075e1c53eb8411b4452f34adf1c0a0832d4cc6ff4659a8acf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/segment/plots.py"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84342, "scanner": "repobility-ast-engine", "fingerprint": "936cff33306e5972d354610b18f0550eb72f4daf32fa3e050f2de43f23d3ab54", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|936cff33306e5972d354610b18f0550eb72f4daf32fa3e050f2de43f23d3ab54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/flask_rest_api/restapi.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84341, "scanner": "repobility-ast-engine", "fingerprint": "0efea61c50e11d00fc1a4639ebc273c5f83d1a9e3b1e5bb14689f2cf7e05e281", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0efea61c50e11d00fc1a4639ebc273c5f83d1a9e3b1e5bb14689f2cf7e05e281"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/yolo.py"}, "region": {"startLine": 492}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, 
"properties": {"repobilityId": 84340, "scanner": "repobility-ast-engine", "fingerprint": "23c4901582549eea252743cf41dade8c820e5cd554b9f7db024b3bc53a2bd962", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23c4901582549eea252743cf41dade8c820e5cd554b9f7db024b3bc53a2bd962"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/plots.py"}, "region": {"startLine": 488}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84339, "scanner": "repobility-ast-engine", "fingerprint": "c5c0d6d841c0a092e21bda2dcaa6de65f9f9a9868c9c1c39ebc2fcd46820f23e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c5c0d6d841c0a092e21bda2dcaa6de65f9f9a9868c9c1c39ebc2fcd46820f23e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/downloads.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84338, "scanner": "repobility-ast-engine", "fingerprint": "c1618a37af5a3bdb132c67310a6ea471602324d0fa475c5b62d2e92b1c4e167c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], 
"languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c1618a37af5a3bdb132c67310a6ea471602324d0fa475c5b62d2e92b1c4e167c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/downloads.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84337, "scanner": "repobility-ast-engine", "fingerprint": "e17f935ca70a01c9a690ca00e84d895f35b300c5fae45337f1ec1567b179a79f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e17f935ca70a01c9a690ca00e84d895f35b300c5fae45337f1ec1567b179a79f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/downloads.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84336, "scanner": "repobility-ast-engine", "fingerprint": "773b295272e13a0256c5094a7741dc7aff1952387ac4167c6be48b6a1afdbcf1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|773b295272e13a0256c5094a7741dc7aff1952387ac4167c6be48b6a1afdbcf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/torch_utils.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues 
silently"}, "properties": {"repobilityId": 84335, "scanner": "repobility-ast-engine", "fingerprint": "a828a56405cc5198722dfbc6ee438e3c67c842dbac098d94d5f1a8b08d9a203b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a828a56405cc5198722dfbc6ee438e3c67c842dbac098d94d5f1a8b08d9a203b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/torch_utils.py"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84334, "scanner": "repobility-ast-engine", "fingerprint": "44d02402c218ae830dbf32f14c80b3096ccb29fb62381af77335a2171e9efda6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|44d02402c218ae830dbf32f14c80b3096ccb29fb62381af77335a2171e9efda6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/torch_utils.py"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84333, "scanner": "repobility-ast-engine", "fingerprint": "327758cd43a27a4f5f66d419ac2ef8e72a36f8aeff24a203ac717d2503bc7d40", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": 
null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|327758cd43a27a4f5f66d419ac2ef8e72a36f8aeff24a203ac717d2503bc7d40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/torch_utils.py"}, "region": {"startLine": 390}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84332, "scanner": "repobility-ast-engine", "fingerprint": "9d47eec812c89cefc872e44152d01ce2cc3216ac30b13610cc7d6da0f6c730b6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d47eec812c89cefc872e44152d01ce2cc3216ac30b13610cc7d6da0f6c730b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/torch_utils.py"}, "region": {"startLine": 316}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84331, "scanner": "repobility-ast-engine", "fingerprint": "798bf5baf97d560111847600e57ff1a6053b65caa6e27504f572e6e99512ec14", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|798bf5baf97d560111847600e57ff1a6053b65caa6e27504f572e6e99512ec14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/torch_utils.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": 
"Bare except continues silently"}, "properties": {"repobilityId": 84330, "scanner": "repobility-ast-engine", "fingerprint": "7f363f006d98b85591f0a5dba0e3f5c8d41be534525aa8032a64da1fd64be94c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7f363f006d98b85591f0a5dba0e3f5c8d41be534525aa8032a64da1fd64be94c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 595}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84329, "scanner": "repobility-ast-engine", "fingerprint": "ee1f9dff5768d71b57ca23ecdfc7fbf3aad9527f7b63b37aeb41a5b10643a084", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee1f9dff5768d71b57ca23ecdfc7fbf3aad9527f7b63b37aeb41a5b10643a084"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 1171}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84310, "scanner": "repobility-ast-engine", "fingerprint": "72ba3e03cc169fe4ecc90c2fc186eccd9e53250dbac190c073561ba25c040922", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|72ba3e03cc169fe4ecc90c2fc186eccd9e53250dbac190c073561ba25c040922"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/general.py"}, "region": {"startLine": 1274}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84309, "scanner": "repobility-ast-engine", "fingerprint": "2832885ae96cfb7b6a5cd2661f95725507c67dc2f46da3da60c52333c56a6ba1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2832885ae96cfb7b6a5cd2661f95725507c67dc2f46da3da60c52333c56a6ba1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/general.py"}, "region": {"startLine": 367}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84301, "scanner": "repobility-ast-engine", "fingerprint": "aef8415a39135b42862ede15595020afd5989339f336835468ac2370bd4f1bb5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aef8415a39135b42862ede15595020afd5989339f336835468ac2370bd4f1bb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "export.py"}, "region": {"startLine": 743}}}]}, {"ruleId": "MINED111", "level": "warning", 
"message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84300, "scanner": "repobility-ast-engine", "fingerprint": "c11dcf8a86df819437d6d164718bd1b52fd07809c5017b0d481a6fa2ac6861bd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c11dcf8a86df819437d6d164718bd1b52fd07809c5017b0d481a6fa2ac6861bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "export.py"}, "region": {"startLine": 624}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84299, "scanner": "repobility-ast-engine", "fingerprint": "b7910b11b6e7c7100f881e5b681d883ea64ae9a9307a10fc61905ce102dcbb41", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b7910b11b6e7c7100f881e5b681d883ea64ae9a9307a10fc61905ce102dcbb41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hubconf.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 84298, "scanner": "repobility-ast-engine", "fingerprint": "5f63cad0592c25c8d8bda79e9f64e51d11c282d29e47285db6d4a8571d200561", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5f63cad0592c25c8d8bda79e9f64e51d11c282d29e47285db6d4a8571d200561"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks.py"}, "region": {"startLine": 204}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 84463, "scanner": "repobility-web-presence", "fingerprint": "db4d66358cbf7df441fea68e5b6c8eebf40045453004395f131f6153122e80d2", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|db4d66358cbf7df441fea68e5b6c8eebf40045453004395f131f6153122e80d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/links.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 84407, "scanner": "repobility-docker", "fingerprint": "32d7404675385872daa0b14827789a04e0aa46305b7cb4df9e379b4034ca5053", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|32d7404675385872daa0b14827789a04e0aa46305b7cb4df9e379b4034ca5053"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/google_app_engine/Dockerfile"}, 
"region": {"startLine": 18}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 84406, "scanner": "repobility-docker", "fingerprint": "d14c123ac1517a32673b2019b8dba93209766f097abf19758b06edd10f12ab37", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d14c123ac1517a32673b2019b8dba93209766f097abf19758b06edd10f12ab37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/google_app_engine/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 84405, "scanner": "repobility-docker", "fingerprint": "39b4b2c5c99ce3dcc38c7ac252b63b326fc2917fed831d20ba2db2189c6284d5", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|39b4b2c5c99ce3dcc38c7ac252b63b326fc2917fed831d20ba2db2189c6284d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/google_app_engine/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 84403, "scanner": "repobility-docker", "fingerprint": 
"aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 84400, "scanner": "repobility-docker", "fingerprint": "a6c47f69da15579890aaf1198c4a2b5c9f14c6b53e91243f9ea3cf49f1d934fe", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|a6c47f69da15579890aaf1198c4a2b5c9f14c6b53e91243f9ea3cf49f1d934fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 84399, "scanner": "repobility-docker", "fingerprint": "b3b24748df70c70094ab29dc21c7789fe4bb94d9fe887c36bd38a0c96a4f5619", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b3b24748df70c70094ab29dc21c7789fe4bb94d9fe887c36bd38a0c96a4f5619"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 84397, "scanner": "repobility-docker", "fingerprint": "445a58c3ada0b00df1248ed48457c7241c3fddf328657f8b60c8fb1da7b1f0c3", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|445a58c3ada0b00df1248ed48457c7241c3fddf328657f8b60c8fb1da7b1f0c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84297, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5fb789ddda86d1482e177bdf394301520925039e9d03e755833220967590ed2b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "segment/val.py", "duplicate_line": 41, "correlation_key": "fp|5fb789ddda86d1482e177bdf394301520925039e9d03e755833220967590ed2b"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "val.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84296, "scanner": "repobility-ai-code-hygiene", "fingerprint": "335254dd3519c6227dec26b8ca991ee84177a42add60913231b868050d110160", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "detect.py", "duplicate_line": 16, "correlation_key": "fp|335254dd3519c6227dec26b8ca991ee84177a42add60913231b868050d110160"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "val.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84295, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd33c957df6026d210075691f7512ed893302a0f352a3b4f43c6366882c32519", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "utils/plots.py", "duplicate_line": 128, "correlation_key": "fp|cd33c957df6026d210075691f7512ed893302a0f352a3b4f43c6366882c32519"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/segment/plots.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 84294, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a7eec6be8b070f23ec2208124fb89b3492d4807c433e279f37335a6fb7ace39", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "utils/loss.py", "duplicate_line": 86, "correlation_key": "fp|3a7eec6be8b070f23ec2208124fb89b3492d4807c433e279f37335a6fb7ace39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/segment/loss.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84293, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90592ab12ea6214453df3df06ea9c09f14490bf25018d528ce706f5d02b0d035", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "utils/augmentations.py", "duplicate_line": 120, "correlation_key": "fp|90592ab12ea6214453df3df06ea9c09f14490bf25018d528ce706f5d02b0d035"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/segment/augmentations.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84292, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65d5de883a1e2d54a8efba958008a169d4f1e98f5b4c9ccdeef26046b8b6a091", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "train.py", "duplicate_line": 473, "correlation_key": "fp|65d5de883a1e2d54a8efba958008a169d4f1e98f5b4c9ccdeef26046b8b6a091"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/loggers/comet/hpo.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84291, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2e37ed23b9f572b7abb5cdae04453b00df821b4d244419ff92bd867c32b8a087", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "segment/train.py", "duplicate_line": 42, "correlation_key": "fp|2e37ed23b9f572b7abb5cdae04453b00df821b4d244419ff92bd867c32b8a087"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "train.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84290, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7aec2ac08a4fd94142b8cc7c156b6f21e207a098e724ade3c67893a1e52ab765", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "classify/predict.py", "duplicate_line": 78, "correlation_key": "fp|7aec2ac08a4fd94142b8cc7c156b6f21e207a098e724ade3c67893a1e52ab765"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "segment/predict.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84289, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0bd41ecb0bf2a3d4aa761326123f4adb38e06f79a4d5995973f9f9f4deb7720", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "detect.py", "duplicate_line": 37, "correlation_key": "fp|b0bd41ecb0bf2a3d4aa761326123f4adb38e06f79a4d5995973f9f9f4deb7720"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "segment/predict.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84288, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c6ec7c761386fee6cbef194b41e4e711b6c46af60ad84d1a1cab546ff7e0d574", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "classify/predict.py", "duplicate_line": 134, "correlation_key": 
"fp|c6ec7c761386fee6cbef194b41e4e711b6c46af60ad84d1a1cab546ff7e0d574"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "detect.py"}, "region": {"startLine": 239}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84287, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2fb6cdaca5a30b610ddf92b38db5f2b43fc830f1625f75cf554c2d66484112df", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "classify/predict.py", "duplicate_line": 16, "correlation_key": "fp|2fb6cdaca5a30b610ddf92b38db5f2b43fc830f1625f75cf554c2d66484112df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "classify/val.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 84392, "scanner": "repobility-threat-engine", "fingerprint": "33b382616fe92bcf3308d20a2069cfa44e17a7d8f43705a8f48c22f88ab337ff", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|33b382616fe92bcf3308d20a2069cfa44e17a7d8f43705a8f48c22f88ab337ff"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "utils/flask_rest_api/restapi.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 84389, "scanner": "repobility-threat-engine", "fingerprint": "55781006345df0c9f0c39899686d80044959e99c64576989eecb594cae5368b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|55781006345df0c9f0c39899686d80044959e99c64576989eecb594cae5368b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/flask_rest_api/example_request.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 84388, "scanner": "repobility-threat-engine", "fingerprint": "86fe1e86dc408b9cbc31cd488c834f3f98c3745360e7b65928e90766909a152c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|86fe1e86dc408b9cbc31cd488c834f3f98c3745360e7b65928e90766909a152c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/downloads.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 84380, "scanner": "repobility-threat-engine", "fingerprint": "1cacb273ad574e8f2dfb43dcb167ca8833d38c6818f3d06670c88e1b97e4d91c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1cacb273ad574e8f2dfb43dcb167ca8833d38c6818f3d06670c88e1b97e4d91c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/loggers/wandb/wandb_utils.py"}, 
"region": {"startLine": 149}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 84379, "scanner": "repobility-threat-engine", "fingerprint": "d5c1d28dce4485bf301e17dc2c3802d9e70317a0b59870e9ae4c35fcc3161fe9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d5c1d28dce4485bf301e17dc2c3802d9e70317a0b59870e9ae4c35fcc3161fe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/__init__.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 84377, "scanner": "repobility-threat-engine", "fingerprint": "e6c6594bad73c84e44e36dbad5db6e089ab80eb55578a95efe20788a9b9b897d", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|models/experimental.py|107|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "models/experimental.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 84376, "scanner": "repobility-threat-engine", "fingerprint": "c9d09a1e3b01bc0be9d7a940594da633944a1c599f045147d70af90d1119a936", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|classify/val.py|105|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "classify/val.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 84375, "scanner": "repobility-threat-engine", "fingerprint": "49c7adc690aaef0cba0539e188460f8671984ef7c4ebdb1c821d1535a2aa7f56", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 15, "or": 2, "and": 2, "for": 2, "elif": 1, "else": 4, "ternary": 5, "nested_bonus": 36}, "aggregated": true, "complexity": 67, "correlation_key": "fp|49c7adc690aaef0cba0539e188460f8671984ef7c4ebdb1c821d1535a2aa7f56", "aggregated_count": 15}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 84371, "scanner": "repobility-threat-engine", "fingerprint": "9b7eea120d44c9cf2af5adb94bf2682fcfef3081af9803a6d6181f27bcc37914", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9b7eea120d44c9cf2af5adb94bf2682fcfef3081af9803a6d6181f27bcc37914"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data/scripts/get_coco.sh"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 84370, "scanner": "repobility-threat-engine", "fingerprint": "6f2e4aaf5058b92e1e57704f925d273798440e26da195e859a354c0adee65f1a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, 
"mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f2e4aaf5058b92e1e57704f925d273798440e26da195e859a354c0adee65f1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "classify/predict.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "GHSA-2g68-c3qc-8985", "level": "error", "message": {"text": "werkzeug: GHSA-2g68-c3qc-8985"}, "properties": {"repobilityId": 84458, "scanner": "osv-scanner", "fingerprint": "b29b159710dd0d52df6aa98eb9dcb5155736eb4483bb72c95eac9e03cc9c22b3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-34069"], "package": "werkzeug", "rule_id": "GHSA-2g68-c3qc-8985", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2024-34069|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/google_app_engine/additional_requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38jv-5279-wg99", "level": "error", "message": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "properties": {"repobilityId": 84456, "scanner": "osv-scanner", "fingerprint": "7efc812025ab761a376ad0e88be78a767b579da26a39959de36b3ff8586ddf87", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-21441"], "package": "urllib3", "rule_id": "GHSA-38jv-5279-wg99", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-21441|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-142", "level": "error", 
"message": {"text": "urllib3: PYSEC-2026-142"}, "properties": {"repobilityId": 84455, "scanner": "osv-scanner", "fingerprint": "5f2e02d2c659d3ab15658789dfa42b355fce18e5357980b9a56ee43e7eb42b6a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44432", "GHSA-mf9v-mfxr-j63j"], "package": "urllib3", "rule_id": "PYSEC-2026-142", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44432|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-mf9v-mfxr-j63j", "PYSEC-2026-142"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5f2e02d2c659d3ab15658789dfa42b355fce18e5357980b9a56ee43e7eb42b6a", "6bba33e0c2d8ac349b1ac06c49b7247b9b2fcff3ba63a1aa2c9b824716e5827b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-141", "level": "error", "message": {"text": "urllib3: PYSEC-2026-141"}, "properties": {"repobilityId": 84454, "scanner": "osv-scanner", "fingerprint": "c9782ea239ddf9652bd8aa66c5c6c4ebee4d2b704faaab015341940a64bb5ee3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44431", "GHSA-qccp-gfcp-xxvc"], "package": "urllib3", "rule_id": "PYSEC-2026-141", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44431|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8fea5709b1e04c1904accc4ad0dc76733fefc920773cbaba3c59a24994880532", 
"c9782ea239ddf9652bd8aa66c5c6c4ebee4d2b704faaab015341940a64bb5ee3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-139", "level": "error", "message": {"text": "torch: PYSEC-2026-139"}, "properties": {"repobilityId": 84452, "scanner": "osv-scanner", "fingerprint": "dd04c0ad63c2478c2f5bf965b08351817fd11582f15e756d7eaa4049b12b9b37", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2026-4538", "CVE-2026-4538"], "package": "torch", "rule_id": "PYSEC-2026-139", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2026-4538|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-209", "level": "error", "message": {"text": "torch: PYSEC-2025-209"}, "properties": {"repobilityId": 84450, "scanner": "osv-scanner", "fingerprint": "42dc64d7e946fcd4f6c5e1db1f508e2ad0c7ec675053124bc6fff8c89bf4c50d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55560", "CVE-2025-55560"], "package": "torch", "rule_id": "PYSEC-2025-209", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55560|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-208", "level": "error", "message": {"text": "torch: PYSEC-2025-208"}, "properties": {"repobilityId": 84449, "scanner": "osv-scanner", "fingerprint": "42d2fe6c091afc2d566f725ca0e7d1d47ae80d9d80fbbbf2e9fbf80c659d1e25", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55558", "CVE-2025-55558"], "package": "torch", "rule_id": "PYSEC-2025-208", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55558|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-207", "level": "error", "message": {"text": "torch: PYSEC-2025-207"}, "properties": {"repobilityId": 84448, "scanner": "osv-scanner", "fingerprint": "a13711f1a25054bab2d82002695e5bd578039bd1e7fbdc18325fd78cf2d65bd4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55557", "CVE-2025-55557"], "package": "torch", "rule_id": "PYSEC-2025-207", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55557|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-206", "level": "error", "message": {"text": "torch: PYSEC-2025-206"}, "properties": {"repobilityId": 84447, "scanner": "osv-scanner", "fingerprint": "8288c00698e4f0892ed7b4833bd3b85b41bf549f0a8ff7dc7effef4c13cac8bb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55554", "CVE-2025-55554"], "package": "torch", "rule_id": "PYSEC-2025-206", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55554|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-205", "level": "error", "message": {"text": "torch: PYSEC-2025-205"}, "properties": {"repobilityId": 84446, "scanner": "osv-scanner", "fingerprint": 
"e2f0e9323a6d6947382c5e7f6647d17e5b23df5113c8a42dd992fcf8b739a6f8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55553", "CVE-2025-55553"], "package": "torch", "rule_id": "PYSEC-2025-205", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55553|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-204", "level": "error", "message": {"text": "torch: PYSEC-2025-204"}, "properties": {"repobilityId": 84445, "scanner": "osv-scanner", "fingerprint": "f5f02114125d5df4d2b8f08f2a38f89f6013b40fb45d2ae71e53288ecc9629d4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55552", "CVE-2025-55552"], "package": "torch", "rule_id": "PYSEC-2025-204", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55552|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-203", "level": "error", "message": {"text": "torch: PYSEC-2025-203"}, "properties": {"repobilityId": 84444, "scanner": "osv-scanner", "fingerprint": "6d76e1f0602b84e5d6dcbd8bf77c316b96e80c8ca066aa399591e113b69e9434", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55551", "CVE-2025-55551"], "package": "torch", "rule_id": "PYSEC-2025-203", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55551|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "PYSEC-2025-198", "level": "error", "message": {"text": "torch: PYSEC-2025-198"}, "properties": {"repobilityId": 84443, "scanner": "osv-scanner", "fingerprint": "a59b95d58cf638832ab597ccc6f9837276ead07c755d84fe289e8a1a4beac792", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-46148", "CVE-2025-46148"], "package": "torch", "rule_id": "PYSEC-2025-198", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-46148|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-191", "level": "error", "message": {"text": "torch: PYSEC-2025-191"}, "properties": {"repobilityId": 84442, "scanner": "osv-scanner", "fingerprint": "63e8713b990c785ec72715ef0f1e0b754d8f3c626fc497e0a3d76d1326d24588", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-2953", "CVE-2025-2953", "GHSA-3749-ghw9-m3mg"], "package": "torch", "rule_id": "PYSEC-2025-191", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-2953|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-3749-ghw9-m3mg", "PYSEC-2025-191"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["492066a5fc96408ca6ee982145de4989417144422d28bbd29091d96e590a5635", "63e8713b990c785ec72715ef0f1e0b754d8f3c626fc497e0a3d76d1326d24588"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2024-259", "level": "error", "message": {"text": "torch: PYSEC-2024-259"}, "properties": {"repobilityId": 84441, "scanner": "osv-scanner", "fingerprint": 
"17708c09eb52601bc52934f5ca22a58eeaaa42cb21622f2fc8f38ee826387573", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2024-48063", "CVE-2024-48063"], "package": "torch", "rule_id": "PYSEC-2024-259", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2024-48063|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2024-252", "level": "error", "message": {"text": "torch: PYSEC-2024-252"}, "properties": {"repobilityId": 84440, "scanner": "osv-scanner", "fingerprint": "0595a68604f49e6c27f734ce672833a26197c1f917a56484d5944eda71b4b5ba", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-pytorch-2024-31580", "CVE-2024-31580", "GHSA-5pcm-hx3q-hm94"], "package": "torch", "rule_id": "PYSEC-2024-252", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2024-31580|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-5pcm-hx3q-hm94", "PYSEC-2024-252"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0595a68604f49e6c27f734ce672833a26197c1f917a56484d5944eda71b4b5ba", "da10fe40295e0a01a7d60750f2598dd25cf4f1f79506be76943510b6099762f8"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2024-251", "level": "error", "message": {"text": "torch: PYSEC-2024-251"}, "properties": {"repobilityId": 84439, "scanner": "osv-scanner", "fingerprint": "ae53d1023c902920eecb0d88b6f1b2ee29750f9c6398bebd39ea0bdade6aace9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-pytorch-2024-31583", "CVE-2024-31583", "GHSA-pg7h-5qx3-wjr3"], "package": "torch", "rule_id": "PYSEC-2024-251", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2024-31583|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-pg7h-5qx3-wjr3", "PYSEC-2024-251"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["ae53d1023c902920eecb0d88b6f1b2ee29750f9c6398bebd39ea0bdade6aace9", "ea9ce8319fa69446ec49c54cfaf5a935f210b57b63032e37f7ac1979492fb67c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2024-250", "level": "error", "message": {"text": "torch: PYSEC-2024-250"}, "properties": {"repobilityId": 84438, "scanner": "osv-scanner", "fingerprint": "07b565418052ecd70aa399d07e69672e6b6d8ec7eebbb66904ef731364089c9e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2024-31584", "CVE-2024-31584"], "package": "torch", "rule_id": "PYSEC-2024-250", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2024-31584|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-49", "level": "error", "message": {"text": "setuptools: PYSEC-2025-49"}, "properties": {"repobilityId": 84436, "scanner": "osv-scanner", "fingerprint": "bac75dba776fc93334fffde1801fcc028be9f0619f67579af924089048400dfc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-setuptools-2025-47273", 
"CVE-2025-47273", "GHSA-5rjg-fvgr-3xxf"], "package": "setuptools", "rule_id": "PYSEC-2025-49", "scanner": "osv-scanner", "correlation_key": "vuln|setuptools|CVE-2025-47273|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-5rjg-fvgr-3xxf", "PYSEC-2025-49"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4949b0df805d5751d83d96f8a72f63270132fc525ec4f9d828889d1df05a5b63", "bac75dba776fc93334fffde1801fcc028be9f0619f67579af924089048400dfc"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-114", "level": "error", "message": {"text": "scipy: PYSEC-2023-114"}, "properties": {"repobilityId": 84435, "scanner": "osv-scanner", "fingerprint": "0096bf7b0e89e4ae2694d76e2e9b8fee7dd7ed481c96ac565c0dc494ebbbf47c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-29824"], "package": "scipy", "rule_id": "PYSEC-2023-114", "scanner": "osv-scanner", "correlation_key": "vuln|scipy|CVE-2023-29824|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-102", "level": "error", "message": {"text": "scipy: PYSEC-2023-102"}, "properties": {"repobilityId": 84434, "scanner": "osv-scanner", "fingerprint": "31c7bc541891ae610625147e7c46a6b3b29cf748164cb82af8b11ec00d530d9f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-25399"], "package": "scipy", "rule_id": "PYSEC-2023-102", "scanner": "osv-scanner", "correlation_key": "vuln|scipy|CVE-2023-25399|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-whj4-6x5x-4v2j", "level": "error", "message": {"text": "pillow: GHSA-whj4-6x5x-4v2j"}, "properties": {"repobilityId": 84431, "scanner": "osv-scanner", "fingerprint": "ab9c5303f10ecea59f859c1e7a68f477494fb8f4a1f9a96d15f0c051b8af8d37", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-40192", "CVE-2026-40192"], "package": "pillow", "rule_id": "GHSA-whj4-6x5x-4v2j", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-40192|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pwv6-vv43-88gr", "level": "error", "message": {"text": "pillow: GHSA-pwv6-vv43-88gr"}, "properties": {"repobilityId": 84429, "scanner": "osv-scanner", "fingerprint": "448d12408dbd68671cd59b7187f414ae3afc2b14932fdc749eb5f8d71612cae9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-42311", "CVE-2026-42311"], "package": "pillow", "rule_id": "GHSA-pwv6-vv43-88gr", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42311|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cfh3-3jmp-rvhc", "level": "error", "message": {"text": "pillow: GHSA-cfh3-3jmp-rvhc"}, "properties": {"repobilityId": 84428, "scanner": "osv-scanner", "fingerprint": "46ee21a969d6d144ec6c2a2e15778cda1d478d96e4a9303fec93631f10ca64fe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-25990", "CVE-2026-25990"], "package": "pillow", "rule_id": "GHSA-cfh3-3jmp-rvhc", 
"scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-25990|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-165", "level": "error", "message": {"text": "pillow: PYSEC-2026-165"}, "properties": {"repobilityId": 84427, "scanner": "osv-scanner", "fingerprint": "b2d0c00c5823d4b04eec1c4e32d586e888ddbc60fa050a2a51719fa9a4ece963", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-pillow-2026-42308", "CVE-2026-42308", "GHSA-wjx4-4jcj-g98j"], "package": "pillow", "rule_id": "PYSEC-2026-165", "scanner": "osv-scanner", "correlation_key": "vuln|pillow|CVE-2026-42308|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-wjx4-4jcj-g98j", "PYSEC-2026-165"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["61ea0d010246eb729c784dba0206c629efa749d819d6f24cbe2dd9cbd4966e99", "b2d0c00c5823d4b04eec1c4e32d586e888ddbc60fa050a2a51719fa9a4ece963"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q799-q27x-vp7w", "level": "error", "message": {"text": "opencv-python: GHSA-q799-q27x-vp7w"}, "properties": {"repobilityId": 84425, "scanner": "osv-scanner", "fingerprint": "50e96b42f5922fac7a3af0531fb4ee2d7b0414dce4f3362c516291090e181b11", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2019-5064"], "package": "opencv-python", "rule_id": "GHSA-q799-q27x-vp7w", "scanner": "osv-scanner", "correlation_key": "vuln|opencv-python|CVE-2019-5064|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fw99-f933-rgh8", "level": "error", "message": {"text": "opencv-python: GHSA-fw99-f933-rgh8"}, "properties": {"repobilityId": 84423, "scanner": "osv-scanner", "fingerprint": "25358cf9537580f68d6096333936aacba8ce15fe93ac30bd33377d80a07dcfc0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2019-14492"], "package": "opencv-python", "rule_id": "GHSA-fw99-f933-rgh8", "scanner": "osv-scanner", "correlation_key": "vuln|opencv-python|CVE-2019-14492|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fm39-cw8h-3p63", "level": "error", "message": {"text": "opencv-python: GHSA-fm39-cw8h-3p63"}, "properties": {"repobilityId": 84422, "scanner": "osv-scanner", "fingerprint": "80d49d3b76809b4597ca64a349e815490279ac99f358474231526a2796e300d7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2019-14491"], "package": "opencv-python", "rule_id": "GHSA-fm39-cw8h-3p63", "scanner": "osv-scanner", "correlation_key": "vuln|opencv-python|CVE-2019-14491|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8849-5h85-98qw", "level": "error", "message": {"text": "opencv-python: GHSA-8849-5h85-98qw"}, "properties": {"repobilityId": 84421, "scanner": "osv-scanner", "fingerprint": "acc777f0041223020697daf0b0bf658a85ed180ce21343a600d2adcc916d478e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2019-9423"], "package": 
"opencv-python", "rule_id": "GHSA-8849-5h85-98qw", "scanner": "osv-scanner", "correlation_key": "vuln|opencv-python|CVE-2019-9423|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3448-vrgh-85xr", "level": "error", "message": {"text": "opencv-python: GHSA-3448-vrgh-85xr"}, "properties": {"repobilityId": 84420, "scanner": "osv-scanner", "fingerprint": "d5d99527fcfd7055fc580c6075cc79a78acb0f1d0ba5c8e52a7bc81fa3b1649d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2019-14493"], "package": "opencv-python", "rule_id": "GHSA-3448-vrgh-85xr", "scanner": "osv-scanner", "correlation_key": "vuln|opencv-python|CVE-2019-14493|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-183", "level": "error", "message": {"text": "opencv-python: PYSEC-2023-183"}, "properties": {"repobilityId": 84419, "scanner": "osv-scanner", "fingerprint": "59638500488661b930579f0382b5a4ff0db1411b6e238da67e747d17c1738905", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "package": "opencv-python", "rule_id": "PYSEC-2023-183", "scanner": "osv-scanner", "correlation_key": "vuln|opencv-python|CVE-2023-4863|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qr4w-53vh-m672", "PYSEC-2023-183"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["59638500488661b930579f0382b5a4ff0db1411b6e238da67e747d17c1738905", "86aa346644319d81ff25974bbc3e730f62eb40aed38b729efa62692d87e810a3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x2qx-6953-8485", "level": "error", "message": {"text": "gitpython: GHSA-x2qx-6953-8485"}, "properties": {"repobilityId": 84418, "scanner": "osv-scanner", "fingerprint": "5947f48cac841910360efd21a25d35f29238df9f2d4ac8948faf34705e8377dc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42284"], "package": "gitpython", "rule_id": "GHSA-x2qx-6953-8485", "scanner": "osv-scanner", "correlation_key": "vuln|gitpython|CVE-2026-42284|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v87r-6q3f-2j67", "level": "error", "message": {"text": "gitpython: GHSA-v87r-6q3f-2j67"}, "properties": {"repobilityId": 84417, "scanner": "osv-scanner", "fingerprint": "07515e043d9eed87d2894e981cf7a51104ef00f3815fedcfa8ca19829ced325a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44244"], "package": "gitpython", "rule_id": "GHSA-v87r-6q3f-2j67", "scanner": "osv-scanner", "correlation_key": "vuln|gitpython|CVE-2026-44244|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mv93-w799-cj2w", "level": "error", "message": {"text": "gitpython: GHSA-mv93-w799-cj2w"}, "properties": {"repobilityId": 84415, "scanner": "osv-scanner", "fingerprint": "eec73881e8713db439eab77c2b78de878499fff18e38c2aecbd414ece6307bf6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "package": 
"gitpython", "rule_id": "GHSA-mv93-w799-cj2w", "scanner": "osv-scanner", "correlation_key": "vuln|gitpython|CVE-2026-42215|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-mv93-w799-cj2w", "GHSA-rpm5-65cw-6hj4"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5aa2854e21c30a799f278e97a686749f2a13c11fbbd76022966b4235ec48c747", "eec73881e8713db439eab77c2b78de878499fff18e38c2aecbd414ece6307bf6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7545-fcxq-7j24", "level": "error", "message": {"text": "gitpython: GHSA-7545-fcxq-7j24"}, "properties": {"repobilityId": 84414, "scanner": "osv-scanner", "fingerprint": "0ed2df09cc3eb28f5712dc1379b76c656f9fc680e83085837b24ab641791e4ac", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44243"], "package": "gitpython", "rule_id": "GHSA-7545-fcxq-7j24", "scanner": "osv-scanner", "correlation_key": "vuln|gitpython|CVE-2026-44243|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2mqj-m65w-jghx", "level": "error", "message": {"text": "gitpython: GHSA-2mqj-m65w-jghx"}, "properties": {"repobilityId": 84413, "scanner": "osv-scanner", "fingerprint": "d405b8a3b3b310682248345afce6503368c94ccd26e8f3a2109879d761ec55f9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-22190", "PYSEC-2024-4"], "package": "gitpython", "rule_id": "GHSA-2mqj-m65w-jghx", "scanner": "osv-scanner", "correlation_key": "vuln|gitpython|CVE-2024-22190|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-165", "level": "error", "message": {"text": "gitpython: PYSEC-2023-165"}, "properties": {"repobilityId": 84412, "scanner": "osv-scanner", "fingerprint": "cc0bcefbdd4e6442ec89faafb7f6774ff2eb39b0faa860d20e4adf6a78405a8c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-41040", "GHSA-cwvm-v4w8-q58c"], "package": "gitpython", "rule_id": "PYSEC-2023-165", "scanner": "osv-scanner", "correlation_key": "vuln|gitpython|CVE-2023-41040|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-cwvm-v4w8-q58c", "PYSEC-2023-165"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["cc0bcefbdd4e6442ec89faafb7f6774ff2eb39b0faa860d20e4adf6a78405a8c", "d66aa99aa680fc62fa135440ce8b28c394af08b77b7b74f319fd8c4e805ee3c7"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-161", "level": "error", "message": {"text": "gitpython: PYSEC-2023-161"}, "properties": {"repobilityId": 84411, "scanner": "osv-scanner", "fingerprint": "cd61b99fea8aa30f247b8977c841b7ca30967843d26ccf7c3c61cd1053d9f80f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-40590", "GHSA-wfm5-v35h-vwf4"], "package": "gitpython", "rule_id": "PYSEC-2023-161", "scanner": "osv-scanner", "correlation_key": "vuln|gitpython|CVE-2023-40590|requirements.txt", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-wfm5-v35h-vwf4", "PYSEC-2023-161", "PYSEC-2024-4"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": 
["54e03a47bdf1dd4080a77620ccb3fcccb9847ea08864903c1b6e09250d462f47", "8ab402541085185a459c3671b3bcc10558e139b33ac4ec85ff4f000e49eb55bc", "cd61b99fea8aa30f247b8977c841b7ca30967843d26ccf7c3c61cd1053d9f80f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-137", "level": "error", "message": {"text": "gitpython: PYSEC-2023-137"}, "properties": {"repobilityId": 84410, "scanner": "osv-scanner", "fingerprint": "c280fb71fc999acc2829d6e95cb047fe7d146792f01fa5b1ae18958a5ae58860", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-40267", "GHSA-pr76-5cm5-w9cj"], "package": "gitpython", "rule_id": "PYSEC-2023-137", "scanner": "osv-scanner", "correlation_key": "vuln|gitpython|CVE-2022-24439|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 84394, "scanner": "repobility-threat-engine", "fingerprint": "77fee430bb36ac6d0e9549b155b3c7a9a8832d8cfed1c3e15055777a39d130e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|77fee430bb36ac6d0e9549b155b3c7a9a8832d8cfed1c3e15055777a39d130e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/loggers/wandb/wandb_utils.py"}, "region": {"startLine": 171}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 84393, "scanner": "repobility-threat-engine", "fingerprint": "a87d63c45bdfb216aa3b21b1f272a25eab22ebfefd3175ee20c9564dc159b034", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"_batch(\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|182|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/loggers/clearml/clearml_utils.py"}, "region": {"startLine": 182}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 84391, "scanner": "repobility-threat-engine", "fingerprint": "2df378a293eea6b18b8ead78cd41a16cca56c192ff74eeb83329ccb5201b4575", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.route(DETECTION_URL, methods=[\"POST\"])", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2df378a293eea6b18b8ead78cd41a16cca56c192ff74eeb83329ccb5201b4575"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/flask_rest_api/restapi.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 84387, "scanner": "repobility-threat-engine", "fingerprint": "dcc47959069a0f124c169c105f9ecec2de861388b010b6d545c51b66deb863e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dcc47959069a0f124c169c105f9ecec2de861388b010b6d545c51b66deb863e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/downloads.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC078", "level": "error", 
"message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 84386, "scanner": "repobility-threat-engine", "fingerprint": "4e18e0c09d24c362a2d4c89f19ef582b5927a3379128577cbfb03d8a8a1e889c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4e18e0c09d24c362a2d4c89f19ef582b5927a3379128577cbfb03d8a8a1e889c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/flask_rest_api/example_request.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 84385, "scanner": "repobility-threat-engine", "fingerprint": "818a68284702d5fccf2103924566a7637326ec41affe5e1e32c9a4c7b564b75b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.head(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|818a68284702d5fccf2103924566a7637326ec41affe5e1e32c9a4c7b564b75b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/downloads.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84384, "scanner": "repobility-threat-engine", "fingerprint": "963910bda3236af0dd4f3ae3694ddf9adf988a44fd295587f94bc92418264c5b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(DETECTION_URL", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|963910bda3236af0dd4f3ae3694ddf9adf988a44fd295587f94bc92418264c5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/flask_rest_api/example_request.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84383, "scanner": "repobility-threat-engine", "fingerprint": "fae50d3d751f71f30aa0ac64dcfe9e3da393d4d6bb5c32988584a3a586e02019", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fae50d3d751f71f30aa0ac64dcfe9e3da393d4d6bb5c32988584a3a586e02019"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/downloads.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED104", "level": "error", "message": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks."}, "properties": {"repobilityId": 84381, "scanner": "repobility-threat-engine", "fingerprint": "3140a4cd29b7946af0692613ad061a9367afe8d43fa022aadad22e3f73e84424", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "chmod-777", "owasp": "A05:2021", "cwe_ids": ["CWE-732", "CWE-276"], "languages": ["shell", "bash", "dockerfile"], "precision": 1.0, "promoted_at": "2026-05-19T13:00:00.000000+00:00", "triaged_in_corpus": 0, "observations_count": 0, "ai_coder_pattern_id": 47}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3140a4cd29b7946af0692613ad061a9367afe8d43fa022aadad22e3f73e84424"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/aws/userdata.sh"}, "region": {"startLine": 12}}}]}, 
{"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 84378, "scanner": "repobility-threat-engine", "fingerprint": "0fda74136420422c230e907d3c1de2114d357ac0a8418afad5d9f0d12e4fda2c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0fda74136420422c230e907d3c1de2114d357ac0a8418afad5d9f0d12e4fda2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/__init__.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 67 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: and=2, elif=1, else=4, for=2, if=15, nested_bonus=36, or=2, ternary=5."}, "properties": {"repobilityId": 84372, "scanner": "repobility-threat-engine", "fingerprint": "673d9fdcbf8762256bc26bfa8b7f2a0f074161e47afafffb4b3614052946482c", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 67 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 15, "or": 2, "and": 2, "for": 2, "elif": 1, "else": 4, "ternary": 5, "nested_bonus": 36}, "complexity": 67, "correlation_key": "fp|673d9fdcbf8762256bc26bfa8b7f2a0f074161e47afafffb4b3614052946482c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "classify/predict.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `slackapi/slack-github-action` pinned to mutable ref `@v3.0.3`"}, "properties": {"repobilityId": 84367, "scanner": "repobility-supply-chain", "fingerprint": "6292ac3dc7949b4b6f92701b79a77e979821f03f2df97233cd91b6db2629beb9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6292ac3dc7949b4b6f92701b79a77e979821f03f2df97233cd91b6db2629beb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-testing.yml"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 84366, "scanner": "repobility-supply-chain", "fingerprint": 
"d5c146995f0e7a9b095fda02007984f100b4647ce8f449a28e6d0d6c21ba0ab3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d5c146995f0e7a9b095fda02007984f100b4647ce8f449a28e6d0d6c21ba0ab3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-testing.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 84365, "scanner": "repobility-supply-chain", "fingerprint": "956af8863f906b0d8065d6f0730854fbe8568f40cef7eaff517765d5b48f2a49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|956af8863f906b0d8065d6f0730854fbe8568f40cef7eaff517765d5b48f2a49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-testing.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 84364, "scanner": "repobility-supply-chain", "fingerprint": "b39e95af6e3800a9c258ca9d6e3b127c2f0b857ca2205df7243ca2c8ff79dd10", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b39e95af6e3800a9c258ca9d6e3b127c2f0b857ca2205df7243ca2c8ff79dd10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-testing.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 84363, "scanner": "repobility-supply-chain", "fingerprint": "8029e00c0f6bc59b9163d825306a4f2e3e6318e258e139ba47531373c60441f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8029e00c0f6bc59b9163d825306a4f2e3e6318e258e139ba47531373c60441f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-testing.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 84362, "scanner": "repobility-supply-chain", "fingerprint": "8666e133d8a67b2f0eeddd27c5787439bb59ec9124631d64544b2503171e8b91", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8666e133d8a67b2f0eeddd27c5787439bb59ec9124631d64544b2503171e8b91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-testing.yml"}, "region": 
{"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 84361, "scanner": "repobility-supply-chain", "fingerprint": "6db7b99ae2b150d7a6417a9fb917729b7fac7ee90ae07db053d7ee74fe1e3f03", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6db7b99ae2b150d7a6417a9fb917729b7fac7ee90ae07db053d7ee74fe1e3f03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-testing.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 84360, "scanner": "repobility-supply-chain", "fingerprint": "6dda77fdfd42ce0a0948691bc66a77944c684a2f1e5613dc63232f1b04b922cc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6dda77fdfd42ce0a0948691bc66a77944c684a2f1e5613dc63232f1b04b922cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/merge-main-into-prs.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 84359, "scanner": "repobility-supply-chain", "fingerprint": "8fba357788b1c2ea0bc89b8e1b49958de465fec8d948f5d7bac939302e30cef5", 
"category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fba357788b1c2ea0bc89b8e1b49958de465fec8d948f5d7bac939302e30cef5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/merge-main-into-prs.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/stale` pinned to mutable ref `@v10`"}, "properties": {"repobilityId": 84358, "scanner": "repobility-supply-chain", "fingerprint": "1e41bae5fb4f0736da4c319ffd7449968cfe5b6454b3cc9b006cc85d4eec5925", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e41bae5fb4f0736da4c319ffd7449968cfe5b6454b3cc9b006cc85d4eec5925"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ultralytics/actions` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 84354, "scanner": "repobility-supply-chain", "fingerprint": "ab79960cf0e0305ef6d1b09834e6def790a5d01bcf141f74404bede6f709aa80", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|ab79960cf0e0305ef6d1b09834e6def790a5d01bcf141f74404bede6f709aa80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `contributor-assistant/github-action` pinned to mutable ref `@v2.6.1`"}, "properties": {"repobilityId": 84353, "scanner": "repobility-supply-chain", "fingerprint": "22f690750dd2365c2c71595ccf201d64f07e109c9ed9c86cb23582a655a00286", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22f690750dd2365c2c71595ccf201d64f07e109c9ed9c86cb23582a655a00286"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cla.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 84352, "scanner": "repobility-supply-chain", "fingerprint": "9fcef3fa64894af0d2d87a280bb967aa0d00e2fb441ac0d358b3704d3a08d8e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fcef3fa64894af0d2d87a280bb967aa0d00e2fb441ac0d358b3704d3a08d8e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": 
{"text": "Action `ultralytics/actions/retry` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 84351, "scanner": "repobility-supply-chain", "fingerprint": "4302bc0dc213024b05a03d7f29b26ba0b99b9b35fb2b92d9d583eb125e6696a8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4302bc0dc213024b05a03d7f29b26ba0b99b9b35fb2b92d9d583eb125e6696a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/links.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ultralytics/actions/retry` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 84350, "scanner": "repobility-supply-chain", "fingerprint": "81397c16659f8a775a4b1a35634fc0a58099155a321be4ec3c1b8ac423556ae5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81397c16659f8a775a4b1a35634fc0a58099155a321be4ec3c1b8ac423556ae5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/links.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 84349, "scanner": "repobility-supply-chain", "fingerprint": "a2ca29505e434c5c5253ce631b2ca0aba66792a0a9093440c1736abaf09de1d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2ca29505e434c5c5253ce631b2ca0aba66792a0a9093440c1736abaf09de1d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/links.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "Dockerfile `ADD https://ultralytics.com/assets/Arial.ttf`"}, "properties": {"repobilityId": 84348, "scanner": "repobility-supply-chain", "fingerprint": "773f16bfe3011a442c03f3350221f53f66c62ca08e170174af45057091ba53d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|773f16bfe3011a442c03f3350221f53f66c62ca08e170174af45057091ba53d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `pytorch/pytorch:2.8.0-cuda12.8-cudnn9-runtime` not pinned by digest"}, "properties": {"repobilityId": 84347, "scanner": "repobility-supply-chain", "fingerprint": "778385883f0cac867d3c943133db2bd5c0532d7d5be018a9a1efea21ccd27650", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|778385883f0cac867d3c943133db2bd5c0532d7d5be018a9a1efea21ccd27650"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `gcr.io/google-appengine/python (no tag)` not pinned by digest"}, "properties": {"repobilityId": 84346, "scanner": "repobility-supply-chain", "fingerprint": "21ae04f8bbc4a149abbb28e0bf68ba3d5739c6bc9d16905572fd7fba11435f83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21ae04f8bbc4a149abbb28e0bf68ba3d5739c6bc9d16905572fd7fba11435f83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/google_app_engine/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.count` used but never assigned in __init__"}, "properties": {"repobilityId": 84328, "scanner": "repobility-ast-engine", "fingerprint": "3ff980b297ffcfe01bb98a6f878187e72f951b6c73298d899955ae094f37b97d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3ff980b297ffcfe01bb98a6f878187e72f951b6c73298d899955ae094f37b97d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 378}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.count` used but 
never assigned in __init__"}, "properties": {"repobilityId": 84327, "scanner": "repobility-ast-engine", "fingerprint": "250381e3bca8bbe16cf076744b920924aeec1da088ab85eba2aff0686c55d78d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|250381e3bca8bbe16cf076744b920924aeec1da088ab85eba2aff0686c55d78d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 376}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.count` used but never assigned in __init__"}, "properties": {"repobilityId": 84326, "scanner": "repobility-ast-engine", "fingerprint": "823551528aa564c733b0a32d3772444124bf042eecc50e2b7472f968745f3543", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|823551528aa564c733b0a32d3772444124bf042eecc50e2b7472f968745f3543"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 390}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.frame` used but never assigned in __init__"}, "properties": {"repobilityId": 84325, "scanner": "repobility-ast-engine", "fingerprint": "cb490a2d13119f9ed05db39681150cba6aa81aa3a6e0813d6159483a249870bc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, 
"mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cb490a2d13119f9ed05db39681150cba6aa81aa3a6e0813d6159483a249870bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 384}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.count` used but never assigned in __init__"}, "properties": {"repobilityId": 84324, "scanner": "repobility-ast-engine", "fingerprint": "50e304ce18dd2351a087b0a40260d53c7262b4755468dda21079336a4749328d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|50e304ce18dd2351a087b0a40260d53c7262b4755468dda21079336a4749328d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 369}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.count` used but never assigned in __init__"}, "properties": {"repobilityId": 84323, "scanner": "repobility-ast-engine", "fingerprint": "58e3aa9fe92294ad5f3b70b6293f36a3a723e48925dbdc142100e9429a4a392a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58e3aa9fe92294ad5f3b70b6293f36a3a723e48925dbdc142100e9429a4a392a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, 
"region": {"startLine": 367}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.count` used but never assigned in __init__"}, "properties": {"repobilityId": 84322, "scanner": "repobility-ast-engine", "fingerprint": "6dac740911314af9ce84393f0856c2f6d556d53f777bfbb546129ca5f4dff152", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6dac740911314af9ce84393f0856c2f6d556d53f777bfbb546129ca5f4dff152"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 365}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.count` used but never assigned in __init__"}, "properties": {"repobilityId": 84321, "scanner": "repobility-ast-engine", "fingerprint": "df4d2bc479ad3cd689e6ed6304dc144438785fcbbd0a1c74b65063545e77dfaa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|df4d2bc479ad3cd689e6ed6304dc144438785fcbbd0a1c74b65063545e77dfaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 360}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.batch_sampler` used but never assigned in __init__"}, "properties": {"repobilityId": 84320, "scanner": "repobility-ast-engine", "fingerprint": "374ad6f6bcb0a87130f4e76e955d9638643ecc299354c598bd3129fa7cb62a7a", "category": "quality", "severity": "high", 
"confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|374ad6f6bcb0a87130f4e76e955d9638643ecc299354c598bd3129fa7cb62a7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 236}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.dataset` used but never assigned in __init__"}, "properties": {"repobilityId": 84319, "scanner": "repobility-ast-engine", "fingerprint": "3a6419d31ed8f30424a9abb2e45e31b47fee817197c7c2c6da3c8275a063519c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a6419d31ed8f30424a9abb2e45e31b47fee817197c7c2c6da3c8275a063519c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.rank` used but never assigned in __init__"}, "properties": {"repobilityId": 84318, "scanner": "repobility-ast-engine", "fingerprint": "76dcf082c0240837b7533839ce7aede5a791381e8230e13ed84db781a18de0f7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|76dcf082c0240837b7533839ce7aede5a791381e8230e13ed84db781a18de0f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.num_samples` used but never assigned in __init__"}, "properties": {"repobilityId": 84317, "scanner": "repobility-ast-engine", "fingerprint": "604e3a3c83094760ed6ab5b36b073e9aec852d5a1c78b760ee252cd148ced653", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|604e3a3c83094760ed6ab5b36b073e9aec852d5a1c78b760ee252cd148ced653"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.num_replicas` used but never assigned in __init__"}, "properties": {"repobilityId": 84316, "scanner": "repobility-ast-engine", "fingerprint": "71e7f8a09275ab6d78f79379ab87ef1b4485c29238ced12bd341c94863d11642", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|71e7f8a09275ab6d78f79379ab87ef1b4485c29238ced12bd341c94863d11642"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.num_samples` used but never assigned in __init__"}, "properties": 
{"repobilityId": 84315, "scanner": "repobility-ast-engine", "fingerprint": "41c6bae180a23ae35f25a8a328a70cebffc86647dd3fdac15cbdae2488c7c59b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|41c6bae180a23ae35f25a8a328a70cebffc86647dd3fdac15cbdae2488c7c59b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.epoch` used but never assigned in __init__"}, "properties": {"repobilityId": 84314, "scanner": "repobility-ast-engine", "fingerprint": "5e07f9285a4cfa2e451217a388c87b2387a25fcbe4b7f934d92d00dd82c610cc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5e07f9285a4cfa2e451217a388c87b2387a25fcbe4b7f934d92d00dd82c610cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.seed` used but never assigned in __init__"}, "properties": {"repobilityId": 84313, "scanner": "repobility-ast-engine", "fingerprint": "ceadc83718d96c2c71c6bb1d2970b8baa75ceee77cceb8512dc395d0a557f423", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": 
null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ceadc83718d96c2c71c6bb1d2970b8baa75ceee77cceb8512dc395d0a557f423"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.shuffle` used but never assigned in __init__"}, "properties": {"repobilityId": 84312, "scanner": "repobility-ast-engine", "fingerprint": "73c7669344b86cc5c6d9f3c6f55f63e6e463360e7a9ba1b130b9e75c093d8bcd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|73c7669344b86cc5c6d9f3c6f55f63e6e463360e7a9ba1b130b9e75c093d8bcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.drop_last` used but never assigned in __init__"}, "properties": {"repobilityId": 84311, "scanner": "repobility-ast-engine", "fingerprint": "271e9fc854e6ff8a741741f59666013e382095fd5b728e810340e9566fe5fe2d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|271e9fc854e6ff8a741741f59666013e382095fd5b728e810340e9566fe5fe2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/dataloaders.py"}, "region": {"startLine": 147}}}]}, {"ruleId": 
"MINED108", "level": "error", "message": {"text": "`self._timeout_handler` used but never assigned in __init__"}, "properties": {"repobilityId": 84308, "scanner": "repobility-ast-engine", "fingerprint": "5370238cba855158de4c96f9b1bfc4e136220aea476361ef365695942a551158", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5370238cba855158de4c96f9b1bfc4e136220aea476361ef365695942a551158"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/general.py"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.time` used but never assigned in __init__"}, "properties": {"repobilityId": 84307, "scanner": "repobility-ast-engine", "fingerprint": "c85a01e7a249af073af6aa165af2f0941ffccc0a9a4549d755896ca6d786b38c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c85a01e7a249af073af6aa165af2f0941ffccc0a9a4549d755896ca6d786b38c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/general.py"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.start` used but never assigned in __init__"}, "properties": {"repobilityId": 84306, "scanner": "repobility-ast-engine", "fingerprint": "ee2d9f0dfa260013c62362219c711d34576b8e8a72fcfac676febfbb9eeff399", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee2d9f0dfa260013c62362219c711d34576b8e8a72fcfac676febfbb9eeff399"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/general.py"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.dt` used but never assigned in __init__"}, "properties": {"repobilityId": 84305, "scanner": "repobility-ast-engine", "fingerprint": "c726c570eb950af3e8ddaebab03267db4358684c9f650e178bf6635251f44bbd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c726c570eb950af3e8ddaebab03267db4358684c9f650e178bf6635251f44bbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/general.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.dt` used but never assigned in __init__"}, "properties": {"repobilityId": 84304, "scanner": "repobility-ast-engine", "fingerprint": "30319b510c3f662e58758dea584d8be8bbd4c556faf6c06b9a70151864836c5f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|30319b510c3f662e58758dea584d8be8bbd4c556faf6c06b9a70151864836c5f"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "utils/general.py"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.time` used but never assigned in __init__"}, "properties": {"repobilityId": 84303, "scanner": "repobility-ast-engine", "fingerprint": "278305dfdd8cbb566b852c7fad786b4a69c89991e09c50ab233f8c861b985f8a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|278305dfdd8cbb566b852c7fad786b4a69c89991e09c50ab233f8c861b985f8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/general.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.start` used but never assigned in __init__"}, "properties": {"repobilityId": 84302, "scanner": "repobility-ast-engine", "fingerprint": "f30f59ca1620540d0a88797a88fd8e412ecc567c60b238d2854283ddc05cf5db", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f30f59ca1620540d0a88797a88fd8e412ecc567c60b238d2854283ddc05cf5db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/general.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "GHSA-53q9-r3pm-6pq6", "level": "error", "message": {"text": "torch: GHSA-53q9-r3pm-6pq6"}, "properties": {"repobilityId": 84451, "scanner": "osv-scanner", "fingerprint": "cb163eabe6e98659ffce79dfb3881c9ec1fe645b8efd9f6920204fd4cc2a6d9c", "category": "dependency", 
"severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-32434", "CVE-2025-32434", "PYSEC-2025-41"], "package": "torch", "rule_id": "GHSA-53q9-r3pm-6pq6", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-32434|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-53q9-r3pm-6pq6", "PYSEC-2025-41"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["b4d68872de2f1e9e465cf9cff0cd126ed1b47e6daeff655e5c62251a55d18f75", "cb163eabe6e98659ffce79dfb3881c9ec1fe645b8efd9f6920204fd4cc2a6d9c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-47fc-vmwq-366v", "level": "error", "message": {"text": "torch: GHSA-47fc-vmwq-366v"}, "properties": {"repobilityId": 84437, "scanner": "osv-scanner", "fingerprint": "514eefb2841e5d5402e689b628f74cb09b2490218adf8769e22b8d5b19ab7031", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-pytorch-2022-45907", "CVE-2022-45907", "PYSEC-2022-43015"], "package": "torch", "rule_id": "GHSA-47fc-vmwq-366v", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2022-45907|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-47fc-vmwq-366v", "PYSEC-2022-43015"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["22921a4cf6f9857e97cdc8409d34d5eaf2a0b12bd8e6a96848ef7f0d2e85332c", "514eefb2841e5d5402e689b628f74cb09b2490218adf8769e22b8d5b19ab7031"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pr76-5cm5-w9cj", 
"level": "error", "message": {"text": "gitpython: GHSA-pr76-5cm5-w9cj"}, "properties": {"repobilityId": 84416, "scanner": "osv-scanner", "fingerprint": "8f48b38653ffdce0b631e4ebd7f6a556b5586c24868b84ff5a1da933b7c599c4", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-40267", "PYSEC-2023-137"], "package": "gitpython", "rule_id": "GHSA-pr76-5cm5-w9cj", "scanner": "osv-scanner", "correlation_key": "vuln|gitpython|CVE-2023-40267|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8q59-q68h-6hv4", "level": "error", "message": {"text": "pyyaml: GHSA-8q59-q68h-6hv4"}, "properties": {"repobilityId": 84409, "scanner": "osv-scanner", "fingerprint": "6f7314a3d9dfb1d7cba2c2b47926452927fdfe87f25dbac1f2b676d578f0fdfa", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2020-14343", "PYSEC-2021-142"], "package": "pyyaml", "rule_id": "GHSA-8q59-q68h-6hv4", "scanner": "osv-scanner", "correlation_key": "vuln|pyyaml|CVE-2020-14343|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-8q59-q68h-6hv4", "PYSEC-2021-142"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["200a764d76e2fd46436b93af9662bb3f230fb2978a7edb2ed565bf459d57d10a", "6f7314a3d9dfb1d7cba2c2b47926452927fdfe87f25dbac1f2b676d578f0fdfa"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_WEBHOOK_URL_YOLO` on a `pull_request` trigger"}, "properties": {"repobilityId": 84368, "scanner": 
"repobility-supply-chain", "fingerprint": "151059d0636f4dc6fa0920e37cb7030393f278eaf35e80b6e4a6041c8f6a9a83", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|151059d0636f4dc6fa0920e37cb7030393f278eaf35e80b6e4a6041c8f6a9a83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-testing.yml"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.BRAVE_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 84357, "scanner": "repobility-supply-chain", "fingerprint": "2d41729ff0c54330b4ab606227c3acdd4544fb31ecb2fddc7fc16fb1fa53d07e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d41729ff0c54330b4ab606227c3acdd4544fb31ecb2fddc7fc16fb1fa53d07e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 84356, "scanner": "repobility-supply-chain", "fingerprint": "48caf28e05549c7423baf64b422a2312dc40e5c12c6f7eb527005ce18d45e9b3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48caf28e05549c7423baf64b422a2312dc40e5c12c6f7eb527005ce18d45e9b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets._GITHUB_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 84355, "scanner": "repobility-supply-chain", "fingerprint": "c67f211d4512a1e6b4c06e68a4b7dc0eebc1cd2cfd01c8fa3fbff1179513b4fc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c67f211d4512a1e6b4c06e68a4b7dc0eebc1cd2cfd01c8fa3fbff1179513b4fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format.yml"}, "region": {"startLine": 27}}}]}]}]}