{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `find_spec` has cognitive complexity 19 (SonarSource scale). 
Cognitive com", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `find_spec` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 19."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 739 lines (recommend <300)", "shortDescription": {"text": "Average file size is 739 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. 
Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive 
extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED073", "name": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of ", "shortDescription": {"text": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of service."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1333,CWE-400 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 28 more): Same pattern found in 28 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 28 more): Same pattern found in 28 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 31 more): Same pattern found in 31 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 47 more): Same pattern found in 47 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-gui.exe` committed in source repo: `", "shortDescription": {"text": "[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-gui.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-gui.exe` is a .exe binary (38,912 bytes) committed to a repo"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. 
If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `amazonlinux:2023` unpinned: `container/services image: amazonlinux:2023` w", "shortDescription": {"text": "[MINED126] Workflow container/services image `amazonlinux:2023` unpinned: `container/services image: amazonlinux:2023` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-"}, "fullDescription": {"text": "Replace with `amazonlinux:2023@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM ubuntu:22.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "[MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.14.14`: `.pre-commit", "shortDescription": {"text": "[MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.14.14`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.14.14`. If `{rev}` is a branch or ve"}, "fullDescription": {"text": "Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_warm` of class `UvProject` reads `self.setu", "shortDescription": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_warm` of class `UvProject` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time "}, "fullDescription": {"text": "Initialize `self.setup = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_publish_project: Test function `test_publish_project` runs code but contains no a", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_publish_project: Test function `test_publish_project` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC080", "name": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-", "shortDescription": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). 
Ported from bandit B202 (Apache-2.0)."}, "fullDescription": {"text": "Add `filter='data'` (Python \u2265 3.12) or manually validate member paths against `os.path.abspath`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_PYX_TOKEN` on a `pull_request` trigger: This workflow triggers on `pul", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_PYX_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.UV_TEST_PUBLISH_PYX_TOKEN }` lets a PR from any fo"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/202"}, "properties": {"repository": "astral-sh/uv", "repoUrl": "https://github.com/astral-sh/uv", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 49623, "scanner": "repobility-ast-engine", "fingerprint": "97086f40bb0951683b29e3efc21f5c0af2422e74817fe1de9a44d1f2ac5eed29", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|97086f40bb0951683b29e3efc21f5c0af2422e74817fe1de9a44d1f2ac5eed29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/registries-test.py"}, "region": {"startLine": 339}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 49622, "scanner": "repobility-ast-engine", "fingerprint": "7dd02c832d81a9b969e1758ac8a7ea43a635e0e0a37faaf18c401dd8922bb1dc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7dd02c832d81a9b969e1758ac8a7ea43a635e0e0a37faaf18c401dd8922bb1dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/registries-test.py"}, "region": {"startLine": 257}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. 
Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 49599, "scanner": "repobility-threat-engine", "fingerprint": "950e4ecf5c33bdeb8e3ae3b7fa68ceb489c4b4fbb8a6e90889e33ca9ddcbba73", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logging.info(f\"Installing the package `{req", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|950e4ecf5c33bdeb8e3ae3b7fa68ceb489c4b4fbb8a6e90889e33ca9ddcbba73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_system_python.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `find_spec` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: except=1, if=4, nested_bonus=11, recursion=1, ternary=2."}, "properties": {"repobilityId": 49594, "scanner": "repobility-threat-engine", "fingerprint": "c47028a95123e41bd8ce400246ab3064d59b2261f8c78944975029127377196e", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 19 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "find_spec", "breakdown": {"if": 4, "except": 1, "ternary": 2, "recursion": 1, "nested_bonus": 11}, "complexity": 19, "correlation_key": "fp|c47028a95123e41bd8ce400246ab3064d59b2261f8c78944975029127377196e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-virtualenv/src/_virtualenv.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `platform_tags` has cognitive complexity 22 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, for=4, if=5, nested_bonus=12."}, "properties": {"repobilityId": 49592, "scanner": "repobility-threat-engine", "fingerprint": "85553de199822bc22538d8ce1564f6ffd924f9df9007ed57ee456f86dc26421d", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 22 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "platform_tags", "breakdown": {"if": 5, "for": 4, "else": 1, "nested_bonus": 12}, "complexity": 22, "correlation_key": "fp|85553de199822bc22538d8ce1564f6ffd924f9df9007ed57ee456f86dc26421d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-python/python/packaging/_manylinux.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 739 lines (recommend <300)"}, "properties": {"repobilityId": 49554, "scanner": "repobility-core", "fingerprint": "bc66e7f3579d4158b55f287fdb3f4e93dea7f10751aac14f23482e587c7cf772", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|bc66e7f3579d4158b55f287fdb3f4e93dea7f10751aac14f23482e587c7cf772"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 6177, "scanner": "repobility-docker", "fingerprint": "81ce124cace7d3b8cf9a85e1ec0ffd4fd0ba81ca4617fc5d9f4d0a3b6836a491", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|81ce124cace7d3b8cf9a85e1ec0ffd4fd0ba81ca4617fc5d9f4d0a3b6836a491"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline/Dockerfile"}, "region": {"startLine": 63}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 6176, "scanner": "repobility-docker", "fingerprint": "67ae95a5ec19a92eb4028c2c39a4a777b47092824eb083ce45dc982b4aaa781a", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|67ae95a5ec19a92eb4028c2c39a4a777b47092824eb083ce45dc982b4aaa781a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline/Dockerfile"}, "region": {"startLine": 63}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 6175, "scanner": "repobility-docker", "fingerprint": "83a77bd4a8ffd88b18af5e252dbb6fec92c530427656f1561ce81343345f027a", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|83a77bd4a8ffd88b18af5e252dbb6fec92c530427656f1561ce81343345f027a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline/Dockerfile"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 6172, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 6171, "scanner": "repobility-threat-engine", "fingerprint": "e4d1a308174eca35b175b0887e126393a6ba34a946d037bc34b9a874381c987e", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.2 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password = \"<redacted>\"", "reason": "Low entropy value (2.2 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|crates/uv-auth/src/store.rs|49|password redacted"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "crates/uv-auth/src/store.rs"}, "region": {"startLine": 493}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 6164, "scanner": "repobility-threat-engine", "fingerprint": "69f6bbab550a3f6f6a42508155cbae4e1a874ec9dffd92a5aad457ed3e03509b", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|32|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/repair-sdist-cargo-lock.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 6163, "scanner": "repobility-agent-runtime", "fingerprint": "f9b314dc85cc490d937dc8bb2d5d213989309306ef6b605b22f7c2bde802c308", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f9b314dc85cc490d937dc8bb2d5d213989309306ef6b605b22f7c2bde802c308"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/installer.md"}, "region": {"startLine": 57}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code 
directly to a shell"}, "properties": {"repobilityId": 6162, "scanner": "repobility-agent-runtime", "fingerprint": "5d5d0efff30fd75170341f113df025a94935a91aa8844d9b9461a00d807490e2", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5d5d0efff30fd75170341f113df025a94935a91aa8844d9b9461a00d807490e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/getting-started/installation.md"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6158, "scanner": "repobility-ai-code-hygiene", "fingerprint": "596a43309a1077c683a2a614c18f56e56cec7f9a4282957fe8d5710e393d25ff", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-distribution/src/index/registry_wheel_index.rs", "duplicate_line": 239, "correlation_key": "fp|596a43309a1077c683a2a614c18f56e56cec7f9a4282957fe8d5710e393d25ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-installer/src/satisfies.rs"}, "region": {"startLine": 322}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 732 lines (recommend <300)"}, "properties": {"repobilityId": 6147, "scanner": "repobility-core", "fingerprint": "8cfc6bc628b3d8d2aba13de92c205aabe0b1a175e4c1b4bd2eade76d9d0bed46", "category": 
"quality", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|8cfc6bc628b3d8d2aba13de92c205aabe0b1a175e4c1b4bd2eade76d9d0bed46"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49621, "scanner": "repobility-ai-code-hygiene", "fingerprint": "54aa2525ad2a99b44dd072b8bfae25d1fd48c6ba10fd05b441446d18531d19b6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv/src/commands/pip/freeze.rs", "duplicate_line": 40, "correlation_key": "fp|54aa2525ad2a99b44dd072b8bfae25d1fd48c6ba10fd05b441446d18531d19b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv/src/commands/pip/install.rs"}, "region": {"startLine": 226}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49620, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9f494cfdf7d605f72e2dbe8fe696e41ef3edbae351e08a89847a7307c6d7b672", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv/src/commands/pip/compile.rs", "duplicate_line": 204, "correlation_key": 
"fp|9f494cfdf7d605f72e2dbe8fe696e41ef3edbae351e08a89847a7307c6d7b672"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv/src/commands/pip/install.rs"}, "region": {"startLine": 158}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49619, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f529f5fed0ec7f62fd1d975df6e1ea1a108ff0670fff89bcb17fc06284ca9ee2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv/src/commands/cache_clean.rs", "duplicate_line": 13, "correlation_key": "fp|f529f5fed0ec7f62fd1d975df6e1ea1a108ff0670fff89bcb17fc06284ca9ee2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv/src/commands/cache_prune.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49618, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8be0e99bff23b9463dd1cd3f1a0338912f0b57cef49e3660f168953ed5b16d77", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv/src/commands/auth/logout.rs", "duplicate_line": 31, "correlation_key": "fp|8be0e99bff23b9463dd1cd3f1a0338912f0b57cef49e3660f168953ed5b16d77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"crates/uv/src/commands/auth/token.rs"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49617, "scanner": "repobility-ai-code-hygiene", "fingerprint": "541e4617de071fbfb75838eec36ef024725fff2b56ed82efc184d6a712bef0b2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-installer/src/preparer.rs", "duplicate_line": 205, "correlation_key": "fp|541e4617de071fbfb75838eec36ef024725fff2b56ed82efc184d6a712bef0b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-resolver/src/resolver/reporter.rs"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49616, "scanner": "repobility-ai-code-hygiene", "fingerprint": "02786f022699d6cfff57800aa2c3bbab327c70132e2edfde26835484bbb921aa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-bench/benches/uv.rs", "duplicate_line": 113, "correlation_key": "fp|02786f022699d6cfff57800aa2c3bbab327c70132e2edfde26835484bbb921aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-resolver/src/resolver/environment.rs"}, "region": {"startLine": 412}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 49615, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b934391069635c24ce976b42ac03b145948a0e5731ce70203dc6d586d0512aaa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-resolver/src/lock/export/mod.rs", "duplicate_line": 83, "correlation_key": "fp|b934391069635c24ce976b42ac03b145948a0e5731ce70203dc6d586d0512aaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-resolver/src/lock/tree.rs"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49614, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0fccdbaa11b3bb6054349e2c12c4535d2d6437f75cc0c44a4edf406295380071", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-resolver/src/lock/export/mod.rs", "duplicate_line": 83, "correlation_key": "fp|0fccdbaa11b3bb6054349e2c12c4535d2d6437f75cc0c44a4edf406295380071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-resolver/src/lock/installable.rs"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49613, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "af8af16cf3c3b77a712160c3943744595f18ee4423fa32c3c1ca1818ffb30ac0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-requirements/src/extras.rs", "duplicate_line": 14, "correlation_key": "fp|af8af16cf3c3b77a712160c3943744595f18ee4423fa32c3c1ca1818ffb30ac0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-requirements/src/unnamed.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49612, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0933a3636a758b49922191351b4a8e2d6035ccad85d5f8706d1e484ceb798fe6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-requirements/src/extras.rs", "duplicate_line": 20, "correlation_key": "fp|0933a3636a758b49922191351b4a8e2d6035ccad85d5f8706d1e484ceb798fe6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-requirements/src/source_tree.rs"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49611, "scanner": "repobility-ai-code-hygiene", "fingerprint": "55fa5e39ce0c262ee0d7c6be1070e6834c2676a5f4454fa29d9d4216a4b9fc98", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-requirements/src/extras.rs", "duplicate_line": 20, "correlation_key": "fp|55fa5e39ce0c262ee0d7c6be1070e6834c2676a5f4454fa29d9d4216a4b9fc98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-requirements/src/lookahead.rs"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49610, "scanner": "repobility-ai-code-hygiene", "fingerprint": "48910bd4fcb703294155fdafe57a778b9ee44b72f26d154489d5b883fcf67f52", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-pypi-types/src/metadata/metadata_resolver.rs", "duplicate_line": 171, "correlation_key": "fp|48910bd4fcb703294155fdafe57a778b9ee44b72f26d154489d5b883fcf67f52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-pypi-types/src/metadata/requires_dist.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49609, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4082bbabe21d432980f04bdd0c849c3395f23becade02ec4c00dc7e3ef4995ca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-publish/src/trusted_publishing/pypi.rs", "duplicate_line": 34, "correlation_key": "fp|4082bbabe21d432980f04bdd0c849c3395f23becade02ec4c00dc7e3ef4995ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-publish/src/trusted_publishing/pyx.rs"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49608, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd1bc95aea36b637ba10b05a0fad94b759576c168e84694911f7dab965cbd743", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-platform-tags/src/abi_tag.rs", "duplicate_line": 62, "correlation_key": "fp|cd1bc95aea36b637ba10b05a0fad94b759576c168e84694911f7dab965cbd743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-platform-tags/src/platform.rs"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49607, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d025bc146992a59097d815223b0453d8bc37c0c2e8d3a0a9199d9aff5bb95384", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-platform-tags/src/abi_tag.rs", "duplicate_line": 5, "correlation_key": "fp|d025bc146992a59097d815223b0453d8bc37c0c2e8d3a0a9199d9aff5bb95384"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-platform-tags/src/language_tag.rs"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49606, "scanner": "repobility-ai-code-hygiene", "fingerprint": "388534045f5ac6b5b8ad1e9efde1267453bcc168fc85d484220e39221e968842", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-normalize/src/extra_name.rs", "duplicate_line": 70, "correlation_key": "fp|388534045f5ac6b5b8ad1e9efde1267453bcc168fc85d484220e39221e968842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-normalize/src/package_name.rs"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49605, "scanner": "repobility-ai-code-hygiene", "fingerprint": "86404209be7e8e0b00cb74f821f30566a044fb0bbca540e1553ac3661eecc625", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"crates/uv-normalize/src/dist_info_name.rs", "duplicate_line": 65, "correlation_key": "fp|86404209be7e8e0b00cb74f821f30566a044fb0bbca540e1553ac3661eecc625"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-normalize/src/lib.rs"}, "region": {"startLine": 128}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49604, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74b7a880b44b49f0843c06c4f068b387c7919876dd657c4e632f181b152dd741", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-keyring/src/mock.rs", "duplicate_line": 162, "correlation_key": "fp|74b7a880b44b49f0843c06c4f068b387c7919876dd657c4e632f181b152dd741"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-keyring/src/windows.rs"}, "region": {"startLine": 498}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49603, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b03fb73344965aa941426b13f52e8a9dc4e03fe1ba96ae3d9ca7222bb32f4ca2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-distribution/src/index/registry_wheel_index.rs", "duplicate_line": 250, "correlation_key": 
"fp|b03fb73344965aa941426b13f52e8a9dc4e03fe1ba96ae3d9ca7222bb32f4ca2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-installer/src/satisfies.rs"}, "region": {"startLine": 386}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_is_compatible` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, if=9, nested_bonus=4."}, "properties": {"repobilityId": 49593, "scanner": "repobility-threat-engine", "fingerprint": "9c049db155a6b24b3f35907f2007566c645e8267b229dbfe66cf95f2a4cf95f6", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_is_compatible", "breakdown": {"if": 9, "except": 1, "nested_bonus": 4}, "complexity": 14, "correlation_key": "fp|9c049db155a6b24b3f35907f2007566c645e8267b229dbfe66cf95f2a4cf95f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-python/python/packaging/_manylinux.py"}, "region": {"startLine": 178}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 6173, "scanner": "repobility-docker", "fingerprint": "cc8749fdcb3bced674d117681d384a85e3a5087e4d0a78af05466f4807e69bc6", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|cc8749fdcb3bced674d117681d384a85e3a5087e4d0a78af05466f4807e69bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline/Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6161, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb08b74c2df0f7dfae9a2201296c9a429b8c039bc6251f5e71d8322e0b4b3e89", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-keyring/src/macos.rs", "duplicate_line": 258, "correlation_key": "fp|eb08b74c2df0f7dfae9a2201296c9a429b8c039bc6251f5e71d8322e0b4b3e89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-keyring/src/windows.rs"}, "region": {"startLine": 490}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6160, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7de3d9fddf6c13c6991924a6df6165880e3642b41a488e4962bd952b5b5fca68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-keyring/src/macos.rs", "duplicate_line": 258, "correlation_key": "fp|7de3d9fddf6c13c6991924a6df6165880e3642b41a488e4962bd952b5b5fca68"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-keyring/src/secret_service.rs"}, "region": {"startLine": 438}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6159, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c255554d05273c832cd800ba0ccdfaa0a8c3362632952931a47c32892313d35", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-keyring/src/macos.rs", "duplicate_line": 258, "correlation_key": "fp|7c255554d05273c832cd800ba0ccdfaa0a8c3362632952931a47c32892313d35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-keyring/src/mock.rs"}, "region": {"startLine": 154}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6157, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db9317fa8920e2428d27f139d2273fcf35f0ef233359d66dc5c2fa1cceeebb2d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-fs/src/path.rs", "duplicate_line": 89, "correlation_key": "fp|db9317fa8920e2428d27f139d2273fcf35f0ef233359d66dc5c2fa1cceeebb2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-install-wheel/src/uninstall.rs"}, "region": {"startLine": 312}}}]}, {"ruleId": "AIC003", "level": 
"note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6156, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38bbf53db82137d06d75bf27a782dff0654e69373241d010c67619ef9d5f9a8e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-distribution/src/metadata/build_requires.rs", "duplicate_line": 118, "correlation_key": "fp|38bbf53db82137d06d75bf27a782dff0654e69373241d010c67619ef9d5f9a8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-distribution/src/metadata/requires_dist.rs"}, "region": {"startLine": 190}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6155, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6dc9b8bb289218ba3b48e9460694e38b4ff86821ad0ce9b0387de17abaa1d54c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-distribution/src/metadata/dependency_groups.rs", "duplicate_line": 112, "correlation_key": "fp|6dc9b8bb289218ba3b48e9460694e38b4ff86821ad0ce9b0387de17abaa1d54c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-distribution/src/metadata/requires_dist.rs"}, "region": {"startLine": 152}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across 
source files"}, "properties": {"repobilityId": 6154, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d75925440cef6304d4dee19d07b800c18519ad8e4d46bf3d4c68896b2139b5b5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-dev/src/generate_options_reference.rs", "duplicate_line": 50, "correlation_key": "fp|d75925440cef6304d4dee19d07b800c18519ad8e4d46bf3d4c68896b2139b5b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-dev/src/generate_sysconfig_mappings.rs"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6153, "scanner": "repobility-ai-code-hygiene", "fingerprint": "02a0221c0d0e3da3108eeb758ee4c3697f8908df643bb0b5de5bd49f83af43b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-dev/src/generate_cli_reference.rs", "duplicate_line": 28, "correlation_key": "fp|02a0221c0d0e3da3108eeb758ee4c3697f8908df643bb0b5de5bd49f83af43b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-dev/src/generate_sysconfig_mappings.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6152, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "48fc9137f35470e70c639eb18707f792233acb589cc3e32c53e22a5d0755d1a1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-dev/src/generate_cli_reference.rs", "duplicate_line": 25, "correlation_key": "fp|48fc9137f35470e70c639eb18707f792233acb589cc3e32c53e22a5d0755d1a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-dev/src/generate_options_reference.rs"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6151, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89bd87f0d93dd91e904e6d8ad69f81b7753203fb78f75889405b31a858a72550", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-dev/src/generate_json_schema.rs", "duplicate_line": 8, "correlation_key": "fp|89bd87f0d93dd91e904e6d8ad69f81b7753203fb78f75889405b31a858a72550"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-dev/src/generate_options_reference.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6150, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d677914ec4cecb5262eed462bd05e765462541fda2fb2d4cef72b4b0723e01e3", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-configuration/src/build_options.rs", "duplicate_line": 105, "correlation_key": "fp|d677914ec4cecb5262eed462bd05e765462541fda2fb2d4cef72b4b0723e01e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-configuration/src/sources.rs"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 6149, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db8f06477eb289e2a65d008146a816922bbb8b26a3f2c3cb254eff1e81dfceaf", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|db8f06477eb289e2a65d008146a816922bbb8b26a3f2c3cb254eff1e81dfceaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv/src/commands/self_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 6148, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6bd3bd4e193b6eaf39cbf8703b0152b6dc24652d669e4acca7c04cbaf86b209", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": 
"clean", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|f6bd3bd4e193b6eaf39cbf8703b0152b6dc24652d669e4acca7c04cbaf86b209"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv/src/commands/cache_clean.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED073", "level": "none", "message": {"text": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 can cause a regular-expression denial of service (ReDoS) through catastrophic backtracking."}, "properties": {"repobilityId": 49598, "scanner": "repobility-threat-engine", "fingerprint": "3a39c29af2a752c3414331b536ab6b192166065860aaab24b036d6655d0a2508", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "redos-greedy-quantifier", "owasp": "A06:2021", "cwe_ids": ["CWE-1333", "CWE-400"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348072+00:00", "triaged_in_corpus": 12, "observations_count": 12702, "ai_coder_pattern_id": 35}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a39c29af2a752c3414331b536ab6b192166065860aaab24b036d6655d0a2508"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_registry.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 49595, "scanner": "repobility-threat-engine", "fingerprint": "ea7e91dd5c7e64706a198254e066b520737d0337b0e2613fa045355b61c46188", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "platform_tags", "breakdown": {"if": 5, "for": 4, "else": 1, "nested_bonus": 12}, "aggregated": true, "complexity": 22, "correlation_key": "fp|ea7e91dd5c7e64706a198254e066b520737d0337b0e2613fa045355b61c46188", "aggregated_count": 12}}}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 49591, "scanner": "repobility-threat-engine", "fingerprint": "261a3f0d747d1488968b9d15d8f5251a3b93a537c554a6ca782bfcbdf8cec839", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|261a3f0d747d1488968b9d15d8f5251a3b93a537c554a6ca782bfcbdf8cec839"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-python/python/packaging/_elffile.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 49587, "scanner": "repobility-threat-engine", "fingerprint": "4f6b90d32e598a2e8b451fad2b610f26ccb55704fdb9f03738f42fc144ff3ee3", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "password = \"<redacted> ascii password\"", "reason": 
"Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|28|password redacted ascii password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-keyring/src/mock.rs"}, "region": {"startLine": 286}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 49586, "scanner": "repobility-threat-engine", "fingerprint": "9a22336672f8eb2fb76d4ab7671c851ff41a605bfb058736772199ac2ea0f56e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9a22336672f8eb2fb76d4ab7671c851ff41a605bfb058736772199ac2ea0f56e", "aggregated_count": 3}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 49585, "scanner": "repobility-threat-engine", "fingerprint": "fd28f22331cf6a56375c94318c9e85821d3f5bc4735c10fe696368069c09dcfd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd28f22331cf6a56375c94318c9e85821d3f5bc4735c10fe696368069c09dcfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-requirements/src/lookahead.rs"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 49584, "scanner": "repobility-threat-engine", "fingerprint": "0f392127d7a1b861692ebbf838a78708cea46dfccd3a93f3baa4dc107dffd67b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0f392127d7a1b861692ebbf838a78708cea46dfccd3a93f3baa4dc107dffd67b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-keyring/src/error.rs"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 49583, "scanner": "repobility-threat-engine", "fingerprint": "b986b90e3fab27a02172d0821e5d9c70024bc642967088c98fd443be6077c340", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b986b90e3fab27a02172d0821e5d9c70024bc642967088c98fd443be6077c340"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-extract/src/lib.rs"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 49579, "scanner": "repobility-threat-engine", "fingerprint": "855c74d20959b2ee13192b8b37a70038838060b9c9d64d0bb626119ecf77a63e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|855c74d20959b2ee13192b8b37a70038838060b9c9d64d0bb626119ecf77a63e", "aggregated_count": 7}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 49578, "scanner": "repobility-threat-engine", "fingerprint": "5fd1ae3eb20977e83c015d662721099eff5b7a51d1a93a45d09456e0242c4b22", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5fd1ae3eb20977e83c015d662721099eff5b7a51d1a93a45d09456e0242c4b22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-fs/src/which.rs"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 49577, "scanner": "repobility-threat-engine", "fingerprint": "f0f14d79d4a7729d1bc32556b90db9f56dc258fe8598a0d364d413f2de0c5ee8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f0f14d79d4a7729d1bc32556b90db9f56dc258fe8598a0d364d413f2de0c5ee8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-fastid/src/lib.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
"Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 49576, "scanner": "repobility-threat-engine", "fingerprint": "9e93e4b0feba520bad31b63aa810517e6ad075c396e2de6040d67c1067698805", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e93e4b0feba520bad31b63aa810517e6ad075c396e2de6040d67c1067698805"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-client/src/rkyvutil.rs"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 49575, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 49574, "scanner": "repobility-threat-engine", "fingerprint": "adb1b5af92c1258e07e5f7921adb133fb25761df4793eedb9dba094ea49c5491", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|adb1b5af92c1258e07e5f7921adb133fb25761df4793eedb9dba094ea49c5491"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-configuration/src/trusted_host.rs"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 49573, "scanner": "repobility-threat-engine", "fingerprint": "1de4cb4f1e58918d1d091cad7d9dddfb04d8f36ed743baf9436b4d0e7453c78d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1de4cb4f1e58918d1d091cad7d9dddfb04d8f36ed743baf9436b4d0e7453c78d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-configuration/src/proxy_url.rs"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 49572, "scanner": "repobility-threat-engine", "fingerprint": "f770bd5c2e7577e559fcb9054462257a4073a87c084d1f3ddc5df778205fc1e6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f770bd5c2e7577e559fcb9054462257a4073a87c084d1f3ddc5df778205fc1e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-auth/src/realm.rs"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 28 more): Same pattern found in 28 additional files. 
Review if needed."}, "properties": {"repobilityId": 49571, "scanner": "repobility-threat-engine", "fingerprint": "6ac04b78c4b3c37dca8c6c4206d4b9a516ac0f7cc75664fedb72ef9ef5fefd45", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6ac04b78c4b3c37dca8c6c4206d4b9a516ac0f7cc75664fedb72ef9ef5fefd45", "aggregated_count": 28}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics the same as unwrap, only with a custom message."}, "properties": {"repobilityId": 49570, "scanner": "repobility-threat-engine", "fingerprint": "cccdff06f31b5c277e0fdffb182595cce85c2000a05ff0c6a1270e3c3764061d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cccdff06f31b5c277e0fdffb182595cce85c2000a05ff0c6a1270e3c3764061d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-build/src/main.rs"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics the same as unwrap, only with a custom message."}, "properties": {"repobilityId": 49569, "scanner": "repobility-threat-engine", "fingerprint": "11f937d743e54e1aae1eed5218cd2456a19c1261b54c7713d155617c16344228", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11f937d743e54e1aae1eed5218cd2456a19c1261b54c7713d155617c16344228"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-bench/benches/uv.rs"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics the same as unwrap, only with a custom message."}, "properties": {"repobilityId": 49568, "scanner": "repobility-threat-engine", "fingerprint": "92b4315a9eea51a8040f15aa00ce9d3f1e0a69469e2f578386ae1195feecc4bd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92b4315a9eea51a8040f15aa00ce9d3f1e0a69469e2f578386ae1195feecc4bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-auth/src/providers.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 49567, "scanner": "repobility-threat-engine", "fingerprint": "03477f3c225ccbb23c6eb223307bb8f56aa610a43b72f18b0967de2c27d05c02", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 31 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|03477f3c225ccbb23c6eb223307bb8f56aa610a43b72f18b0967de2c27d05c02"}}}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "properties": {"repobilityId": 49563, "scanner": "repobility-threat-engine", "fingerprint": "41a029ca729b97f86a910150bfab003ee786e7bfd0c1ad02dc98f7c60f6daf82", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 47 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|41a029ca729b97f86a910150bfab003ee786e7bfd0c1ad02dc98f7c60f6daf82", "aggregated_count": 47}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 49559, "scanner": "repobility-threat-engine", "fingerprint": "c9d6ba44ac47e0bf68a7226c75b0bbf3a5c2038db1134272b7cc8ca3b7dcdb20", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, 
"promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c9d6ba44ac47e0bf68a7226c75b0bbf3a5c2038db1134272b7cc8ca3b7dcdb20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/scenarios/generate.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 49558, "scanner": "repobility-threat-engine", "fingerprint": "5a3d26c2b7a336e56fd6f2a64e0b41c28d4b5a0299cce8527bb99440d84a7742", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a3d26c2b7a336e56fd6f2a64e0b41c28d4b5a0299cce8527bb99440d84a7742"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-python/python/packaging/_elffile.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 49557, "scanner": "repobility-threat-engine", "fingerprint": "10ae01f7d04ae573f58218e929fe985c43e25867477bc5f6d348eceb229f48df", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": 
"Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10ae01f7d04ae573f58218e929fe985c43e25867477bc5f6d348eceb229f48df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/post-edit-format.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 6170, "scanner": "repobility-threat-engine", "fingerprint": "e9e53f8c1f68b8354aa1f3913678b4319076067c21a6f4ed090e6797c25b4ec8", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "password = \"<redacted>\"", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|100|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-auth/src/middleware.rs"}, "region": {"startLine": 1004}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 6169, "scanner": "repobility-threat-engine", "fingerprint": "2ea7fa18ecf9cf6ae3c54834b613d06662f76f8ce7c23c55555110d635a8d732", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "password = \"<redacted>\"", 
"reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|168|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-client/src/registry_client.rs"}, "region": {"startLine": 1690}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 6166, "scanner": "repobility-threat-engine", "fingerprint": "17d601a5d405b5b6e5fc529ba51d4cf20a294e2438235fc187f3d563f6e56e31", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(f\"Added 1Password credentials for {registry_name}\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|scripts/registries-test.py|13|print f added 1password credentials for registry_name"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/registries-test.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-gui.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-gui.exe` is a .exe binary (38,912 bytes) committed to a repo that otherwise has 705 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 49681, "scanner": "repobility-supply-chain", "fingerprint": "a238baad3c1c0c645dbdb9a70375da9b18d8f3f24fb63479a60a253e5e80789c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a238baad3c1c0c645dbdb9a70375da9b18d8f3f24fb63479a60a253e5e80789c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-gui.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-console.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-console.exe` is a .exe binary (45,568 bytes) committed to a repo that otherwise has 705 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 49680, "scanner": "repobility-supply-chain", "fingerprint": "b519a0c823ec6e7b6f69cb04e0c42d45e6ec9e4550bd7121dd6f667bff4c99b9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b519a0c823ec6e7b6f69cb04e0c42d45e6ec9e4550bd7121dd6f667bff4c99b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-console.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-gui.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-gui.exe` is a .exe binary (46,080 bytes) committed to a repo that otherwise has 705 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 49679, "scanner": "repobility-supply-chain", "fingerprint": "f24f998b5b21628a50092c503cf166771314c5bac674662151b2b47c9e249200", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f24f998b5b21628a50092c503cf166771314c5bac674662151b2b47c9e249200"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-gui.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-console.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-console.exe` is a .exe binary (37,888 bytes) committed to a repo that otherwise has 705 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 49678, "scanner": "repobility-supply-chain", "fingerprint": "606d9275ef1f36caaa3d095617730aa2eba032a891f23fa10d2f81d18e88e6fc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|606d9275ef1f36caaa3d095617730aa2eba032a891f23fa10d2f81d18e88e6fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-console.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-gui.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-gui.exe` is a .exe binary (46,592 bytes) committed to a repo that otherwise has 705 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 49677, "scanner": "repobility-supply-chain", "fingerprint": "b8252891828138eadec3ecce7a1f4493f1268fc0cf2b539265ea994a4e3309da", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8252891828138eadec3ecce7a1f4493f1268fc0cf2b539265ea994a4e3309da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-gui.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-console.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-console.exe` is a .exe binary (45,056 bytes) committed to a repo that otherwise has 705 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 49676, "scanner": "repobility-supply-chain", "fingerprint": "fb4c8c038715d5aff5c3e218a92e2d08d3fdd59fce5350b1fceb4bce1a126bdf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fb4c8c038715d5aff5c3e218a92e2d08d3fdd59fce5350b1fceb4bce1a126bdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-console.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `amazonlinux:2023` unpinned: `container/services image: amazonlinux:2023` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 49675, "scanner": "repobility-supply-chain", "fingerprint": "1ed48f455de20cb74270efa879688e47f69cdc1eeb41ecf1256b5f43d1947615", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ed48f455de20cb74270efa879688e47f69cdc1eeb41ecf1256b5f43d1947615"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-system.yml"}, "region": {"startLine": 790}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `alpine:latest` unpinned: `container/services image: alpine:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 49674, "scanner": "repobility-supply-chain", "fingerprint": "bfa9a59f9baefef288402f7b7cd5f7978a8c54888ee8223f900767a1c4ec77c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfa9a59f9baefef288402f7b7cd5f7978a8c54888ee8223f900767a1c4ec77c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-system.yml"}, "region": {"startLine": 377}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pyston/pyston:2.3.5` unpinned: `container/services image: pyston/pyston:2.3.5` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 49673, "scanner": "repobility-supply-chain", "fingerprint": "884913e76d81245a8de45bfda7daacbfe9ea5919755332295c951d2074d8f9fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|884913e76d81245a8de45bfda7daacbfe9ea5919755332295c951d2074d8f9fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-system.yml"}, "region": {"startLine": 299}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `python:3.7-buster` unpinned: `container/services image: python:3.7-buster` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 49672, "scanner": "repobility-supply-chain", "fingerprint": "e5370627fe57c5a9f5a3cb9cff3573ce325e50bf591cb15f675742d1b4952a5f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5370627fe57c5a9f5a3cb9cff3573ce325e50bf591cb15f675742d1b4952a5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-system.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `python:3.6-buster` unpinned: `container/services image: python:3.6-buster` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 49671, "scanner": "repobility-supply-chain", "fingerprint": "9d0cc2f18cb8a4e92f521dd2c2b080c9f258a1258bf6307e4cdaa8f8b5e418ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d0cc2f18cb8a4e92f521dd2c2b080c9f258a1258bf6307e4cdaa8f8b5e418ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-system.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `alpine:latest` unpinned: `container/services image: alpine:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 49670, "scanner": "repobility-supply-chain", "fingerprint": "1034ceb68b6f7c7e109eae7738a4da3b625beac15548b671cbdacb385caf9c00", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1034ceb68b6f7c7e109eae7738a4da3b625beac15548b671cbdacb385caf9c00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-smoke.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/pypa/manylinux2014` unpinned: `container/services image: quay.io/pypa/manylinux2014` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 49659, "scanner": "repobility-supply-chain", "fingerprint": "603e95951110b85421b2a95febc1d31af0aa2ad158c094a0343a73d6673859db", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|603e95951110b85421b2a95febc1d31af0aa2ad158c094a0343a73d6673859db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-release-binaries.yml"}, "region": {"startLine": 361}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 49658, "scanner": "repobility-supply-chain", "fingerprint": "11b71165406c381c4c06d325e422ea07aa84178d0ce7a097a9c2f717c93fc030", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11b71165406c381c4c06d325e422ea07aa84178d0ce7a097a9c2f717c93fc030"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-dev/builder.dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.14.14`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.14.14`. 
If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 49657, "scanner": "repobility-supply-chain", "fingerprint": "91b0361c8a73f0e4c56a1aa3429f226fd398ba9d92a842c2c6004bb5a419e283", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91b0361c8a73f0e4c56a1aa3429f226fd398ba9d92a842c2c6004bb5a419e283"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/crate-ci/typos` pinned to mutable rev `v1.42.3`: `.pre-commit-config.yaml` references `https://github.com/crate-ci/typos` at `rev: v1.42.3`. 
If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 49656, "scanner": "repobility-supply-chain", "fingerprint": "b4e2dd60485125c3bcb7b037c637cc0893eb2128e3b9bd00a5167e2910222c94", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4e2dd60485125c3bcb7b037c637cc0893eb2128e3b9bd00a5167e2910222c94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/abravalheri/validate-pyproject` pinned to mutable rev `v0.24.1`: `.pre-commit-config.yaml` references `https://github.com/abravalheri/validate-pyproject` at `rev: v0.24.1`. 
If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 49655, "scanner": "repobility-supply-chain", "fingerprint": "ea9c2ac0ada25d82b4ae724b866b70f8897eb5145fb11c7562d09daca85e0933", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea9c2ac0ada25d82b4ae724b866b70f8897eb5145fb11c7562d09daca85e0933"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_warm` of class `UvProject` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49654, "scanner": "repobility-ast-engine", "fingerprint": "68504de4a75f90a87938d11cd691b50cbb1758ea3cedb00f68fed573372a24f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|68504de4a75f90a87938d11cd691b50cbb1758ea3cedb00f68fed573372a24f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 1079}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_cold` of class `UvProject` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49653, "scanner": "repobility-ast-engine", "fingerprint": "e9c1e97d165db4b787cbe5579b5f605a48fa68c6bf31d5d98578e164f64e0185", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e9c1e97d165db4b787cbe5579b5f605a48fa68c6bf31d5d98578e164f64e0185"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 1058}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `install_warm` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49652, "scanner": "repobility-ast-engine", "fingerprint": "422155a5493ac07a795ece5e7f7d508687ea5bfc45e5c5ccb306ed9751b4ad25", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|422155a5493ac07a795ece5e7f7d508687ea5bfc45e5c5ccb306ed9751b4ad25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 810}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `install_cold` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49651, "scanner": "repobility-ast-engine", "fingerprint": "2f36a6da4648be0a92da7d84b40d34095c2bdea264f8d463b1ae73507f74f223", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f36a6da4648be0a92da7d84b40d34095c2bdea264f8d463b1ae73507f74f223"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 775}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_noop` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49650, "scanner": "repobility-ast-engine", "fingerprint": "2968cc773a9645fc7234ee6c38c4d40a704ce0ba2b25c83676d3907b8796e9ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2968cc773a9645fc7234ee6c38c4d40a704ce0ba2b25c83676d3907b8796e9ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 745}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_incremental` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49649, "scanner": "repobility-ast-engine", "fingerprint": "9897ce1a15f19d92e5770a6317d6cf1d2c45116d96e3215b654229816d856d03", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9897ce1a15f19d92e5770a6317d6cf1d2c45116d96e3215b654229816d856d03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 700}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_warm` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49648, "scanner": "repobility-ast-engine", "fingerprint": "eb5f9e41e3d26c51adef3e1ac1e14b877560d7f7cc2dc1886c3375ab9dd62b0a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb5f9e41e3d26c51adef3e1ac1e14b877560d7f7cc2dc1886c3375ab9dd62b0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 678}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_cold` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49647, "scanner": "repobility-ast-engine", "fingerprint": "6d11a7cb4ae0b2192bcd130b51511f70697fc9dd9e342d5fef42a5a3833864eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6d11a7cb4ae0b2192bcd130b51511f70697fc9dd9e342d5fef42a5a3833864eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 661}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `install_warm` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49646, "scanner": "repobility-ast-engine", "fingerprint": "1b4b4df47463116c26bc8672d39efa195a3f9b1c76f1002c6546cccac44c628d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1b4b4df47463116c26bc8672d39efa195a3f9b1c76f1002c6546cccac44c628d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 581}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `install_cold` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49645, "scanner": "repobility-ast-engine", "fingerprint": "64fe39fd8216ac40de33f60851822266f2a9e87ad9f012e9a2b7aca5d47d5ecf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|64fe39fd8216ac40de33f60851822266f2a9e87ad9f012e9a2b7aca5d47d5ecf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 536}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_noop` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49644, "scanner": "repobility-ast-engine", "fingerprint": "44668a2e172b1b55e998565f8fcff6a1ea23bd665f60603a25d578561c2e02cc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|44668a2e172b1b55e998565f8fcff6a1ea23bd665f60603a25d578561c2e02cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 499}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_incremental` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49643, "scanner": "repobility-ast-engine", "fingerprint": "86f6315127af6c5495a300c9819bc08e07ba454b8543be7c322a6155bd326834", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|86f6315127af6c5495a300c9819bc08e07ba454b8543be7c322a6155bd326834"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 443}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_warm` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49642, "scanner": "repobility-ast-engine", "fingerprint": "c5a61042846e18ecbb8cf343f1b95b79defb311a99b5ff054a77757f368e6670", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c5a61042846e18ecbb8cf343f1b95b79defb311a99b5ff054a77757f368e6670"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 416}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_cold` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49641, "scanner": "repobility-ast-engine", "fingerprint": "3162d5ccf6d669e1c9d6dd70e2183610a693dba8b1de8d3c6c6d83127e4e4b06", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3162d5ccf6d669e1c9d6dd70e2183610a693dba8b1de8d3c6c6d83127e4e4b06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 389}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.install_warm` used but never assigned in __init__: Method `command` of class `Suite` reads `self.install_warm`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49640, "scanner": "repobility-ast-engine", "fingerprint": "27a7415906b561393ae88f74e498e4bf208e0f6a88f79c9f8defc902e4ad7a8b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|27a7415906b561393ae88f74e498e4bf208e0f6a88f79c9f8defc902e4ad7a8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.install_cold` used but never assigned in __init__: Method `command` of class `Suite` reads `self.install_cold`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49639, "scanner": "repobility-ast-engine", "fingerprint": "ce0e12078798855e5716af18039d767d5ce75c9ee9c36a44af531f3c9805e52d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce0e12078798855e5716af18039d767d5ce75c9ee9c36a44af531f3c9805e52d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.resolve_noop` used but never assigned in __init__: Method `command` of class `Suite` reads `self.resolve_noop`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49638, "scanner": "repobility-ast-engine", "fingerprint": "40829be780207246463c89ddc859969f25634d319fe10a700c55e28979e5cb9a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|40829be780207246463c89ddc859969f25634d319fe10a700c55e28979e5cb9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.resolve_incremental` used but never assigned in __init__: Method `command` of class `Suite` reads `self.resolve_incremental`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49637, "scanner": "repobility-ast-engine", "fingerprint": "cbc6de579a0f29d07e2a55f7f1b30eabca773278622dceb2467a2e46c8f243db", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cbc6de579a0f29d07e2a55f7f1b30eabca773278622dceb2467a2e46c8f243db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.resolve_warm` used but never assigned in __init__: Method `command` of class `Suite` reads `self.resolve_warm`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49636, "scanner": "repobility-ast-engine", "fingerprint": "a45e9105af9ee91fa4c569d356ea169e26c8842470482b9f40ba8cb732c684d0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a45e9105af9ee91fa4c569d356ea169e26c8842470482b9f40ba8cb732c684d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.resolve_cold` used but never assigned in __init__: Method `command` of class `Suite` reads `self.resolve_cold`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49635, "scanner": "repobility-ast-engine", "fingerprint": "de755718dca2ad389f0d15aec6897257aa2a66cfe6100557f8325fadb011fdd4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de755718dca2ad389f0d15aec6897257aa2a66cfe6100557f8325fadb011fdd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.run` used but never assigned in __init__: Method `command` of class `Suite` reads `self.run`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49634, "scanner": "repobility-ast-engine", "fingerprint": "b3f32c1bda93e164a770dd6ac865dee6e67d0f86d6c66e46e252d6fb3baf4be7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b3f32c1bda93e164a770dd6ac865dee6e67d0f86d6c66e46e252d6fb3baf4be7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/tools.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.install_warm` used but never assigned in __init__: Method `command` of class `Suite` reads `self.install_warm`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49633, "scanner": "repobility-ast-engine", "fingerprint": "596aee03f1fa358ff21ab747981a9e503825ce1ec5bb1ee7d2106ad453b07e66", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|596aee03f1fa358ff21ab747981a9e503825ce1ec5bb1ee7d2106ad453b07e66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/tools.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.install_cold` used but never assigned in __init__: Method `command` of class `Suite` reads `self.install_cold`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49632, "scanner": "repobility-ast-engine", "fingerprint": "896f41f79e8d8248a7e16ad1fa0660647d6ccfeba50e845fcf2716f962c8d076", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|896f41f79e8d8248a7e16ad1fa0660647d6ccfeba50e845fcf2716f962c8d076"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/tools.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_publish_project: Test function `test_publish_project` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 49631, "scanner": "repobility-ast-engine", "fingerprint": "aae6633393d825f467a74bd36c460caf5276edab4b30508c9a3a32d34579d48a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aae6633393d825f467a74bd36c460caf5276edab4b30508c9a3a32d34579d48a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish/test_publish.py"}, "region": {"startLine": 688}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_reupload_modified_files: Test function `test_reupload_modified_files` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 49630, "scanner": "repobility-ast-engine", "fingerprint": "b688f2eef72100f8debc6e5098e00a27a6c5e7ace6b3295cdd8f02b054fef945", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b688f2eef72100f8debc6e5098e00a27a6c5e7ace6b3295cdd8f02b054fef945"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish/test_publish.py"}, "region": {"startLine": 630}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_reupload_with_check_url: Test function `test_reupload_with_check_url` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 49629, "scanner": "repobility-ast-engine", "fingerprint": "ce250f3c5a07b46128ec32b3a24fd55a18fbf7216ab93f5aeadee3a7dae844f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce250f3c5a07b46128ec32b3a24fd55a18fbf7216ab93f5aeadee3a7dae844f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish/test_publish.py"}, "region": {"startLine": 562}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_reupload_same_files: Test function `test_reupload_same_files` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 49628, "scanner": "repobility-ast-engine", "fingerprint": "09dd462add0c6ce384a6d6942134b2690dd1071fa79766e7075564e08653d412", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|09dd462add0c6ce384a6d6942134b2690dd1071fa79766e7075564e08653d412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish/test_publish.py"}, "region": {"startLine": 506}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_fresh_upload: Test function `test_fresh_upload` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 49627, "scanner": "repobility-ast-engine", "fingerprint": "734ef5275d9f9ae902b717357818871389c9c87da454813703eeb5f9fe489518", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|734ef5275d9f9ae902b717357818871389c9c87da454813703eeb5f9fe489518"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish/test_publish.py"}, "region": {"startLine": 451}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.value` used but never assigned in __init__: Method `test_file` of class `TemplateKind` reads `self.value`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49626, "scanner": "repobility-ast-engine", "fingerprint": "9818470d2c02d91f963ce223b67a307c16bc9376d2755698ce055fd11d0c059c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9818470d2c02d91f963ce223b67a307c16bc9376d2755698ce055fd11d0c059c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/scenarios/generate.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.name` used but never assigned in __init__: Method `template_file` of class `TemplateKind` reads `self.name`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49625, "scanner": "repobility-ast-engine", "fingerprint": "68945b900d656b09b1ff7080ed3970726fa971350725377a6dffef0aec4de2d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|68945b900d656b09b1ff7080ed3970726fa971350725377a6dffef0aec4de2d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/scenarios/generate.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_file: Test function `test_file` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 49624, "scanner": "repobility-ast-engine", "fingerprint": "04f219dfc05bc2d596ae739b8704bb56bbe39316911ad431bdd367442b4c8dcb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|04f219dfc05bc2d596ae739b8704bb56bbe39316911ad431bdd367442b4c8dcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/scenarios/generate.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 49602, "scanner": "repobility-threat-engine", "fingerprint": "8c2c501d81d7e6acf41493246f2cc66154beb6b51b3f5dc477631eb9fd23dcac", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(rf'pub const {const_name}: &str = \"([^\"]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|81|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/sync-python-version-constants.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC080", "level": "error", "message": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). 
Ported from bandit B202 (Apache-2.0)."}, "properties": {"repobilityId": 49601, "scanner": "repobility-threat-engine", "fingerprint": "f2b9ec8c017fffbd592aa0ead40ead1abb4341ca850be748322be00d5d491858", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tar.extractall(tmpdir)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC080", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f2b9ec8c017fffbd592aa0ead40ead1abb4341ca850be748322be00d5d491858"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/repair-sdist-cargo-lock.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49600, "scanner": "repobility-threat-engine", "fingerprint": "062f8d13d3b08f2e39ddbe3aed2b1137891bc6e2dc3740e299f1b8ccf0441887", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hasher.update(chunk)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|062f8d13d3b08f2e39ddbe3aed2b1137891bc6e2dc3740e299f1b8ccf0441887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/create-python-mirror.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 49597, "scanner": "repobility-threat-engine", "fingerprint": "35e1e1f80316b1c450269188ccede3a40ed6fc1102f54e839f80e67ebc85cd4a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|35e1e1f80316b1c450269188ccede3a40ed6fc1102f54e839f80e67ebc85cd4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/uv/__main__.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented 
Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 49590, "scanner": "repobility-threat-engine", "fingerprint": "8a9b09064eed422c324863496f3aa45fea5b10c561859ae4f7e9ddd2894ded3a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8a9b09064eed422c324863496f3aa45fea5b10c561859ae4f7e9ddd2894ded3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv/src/commands/build_backend.rs"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 49589, "scanner": "repobility-threat-engine", "fingerprint": "c2f37d205bf6ff2af06b8730ce0e23a6ca5201b969cadb670b166980b7c1809d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2f37d205bf6ff2af06b8730ce0e23a6ca5201b969cadb670b166980b7c1809d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-resolver/src/dependency_provider.rs"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 49588, "scanner": "repobility-threat-engine", "fingerprint": "030618b408e80dddbdc8788ac18dfaf8b0d5804af4f1775bd350d90ddaf04671", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|030618b408e80dddbdc8788ac18dfaf8b0d5804af4f1775bd350d90ddaf04671"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-macros/src/lib.rs"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 49582, "scanner": "repobility-threat-engine", "fingerprint": "ca4a0206015b3d0147a2307f446d69c47b438e2e538aa9bd9f66dbc6aa677c78", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca4a0206015b3d0147a2307f446d69c47b438e2e538aa9bd9f66dbc6aa677c78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-platform/src/cpuinfo.rs"}, "region": {"startLine": 71}}}]}, 
{"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 49581, "scanner": "repobility-threat-engine", "fingerprint": "34557110d9944241d5ddd8323ecc4807a0c87e36d881a86d9fa06092a027f6ac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|34557110d9944241d5ddd8323ecc4807a0c87e36d881a86d9fa06092a027f6ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-extract/src/hash.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49566, "scanner": "repobility-threat-engine", "fingerprint": "d255e1aa726418444bb1d9b1a5fd852b949be1dacc8fa9b1ed35510903c355b5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d255e1aa726418444bb1d9b1a5fd852b949be1dacc8fa9b1ed35510903c355b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-cache/src/wheel.rs"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49565, "scanner": "repobility-threat-engine", "fingerprint": "454e2f8aa2b18c139d112e7626282827de52b537ee6819dc3259b26a30fcbe5c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|454e2f8aa2b18c139d112e7626282827de52b537ee6819dc3259b26a30fcbe5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-auth/src/service.rs"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49564, "scanner": "repobility-threat-engine", "fingerprint": "5f0217de96f83fbdbd5a1b6db9766cebccca1708bf9791fe2a4b686b9b4aeb9d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5f0217de96f83fbdbd5a1b6db9766cebccca1708bf9791fe2a4b686b9b4aeb9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-auth/src/providers.rs"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 49562, "scanner": "repobility-threat-engine", "fingerprint": "242fbd95868217e4540e94fd1b921c6918aa98266971e4e2c7f6f5e58580df0e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|242fbd95868217e4540e94fd1b921c6918aa98266971e4e2c7f6f5e58580df0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-bench/benches/uv.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if 
None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 49561, "scanner": "repobility-threat-engine", "fingerprint": "b6aac438cd063a2e4d0608168cbf2e3b185065abc60c0a7a059cd086b744045d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b6aac438cd063a2e4d0608168cbf2e3b185065abc60c0a7a059cd086b744045d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-auth/src/providers.rs"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 49560, "scanner": "repobility-threat-engine", "fingerprint": "b6a14a94429daa6a56c48bfd89b066c1b507b0679013a05ab4ee3ffa259e1b4e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b6a14a94429daa6a56c48bfd89b066c1b507b0679013a05ab4ee3ffa259e1b4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-auth/src/index.rs"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 49556, "scanner": "repobility-threat-engine", "fingerprint": "355d0af1598eb0745a39f76bdbf87384c196d12db88579e12245e4b75ac409f6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|355d0af1598eb0745a39f76bdbf87384c196d12db88579e12245e4b75ac409f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"crates/uv-virtualenv/src/_virtualenv.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 49555, "scanner": "repobility-threat-engine", "fingerprint": "6d5322bf3d0c155805fa9ff1d45c3f0b30070ad94c551b419efbf748d18b13f2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d5322bf3d0c155805fa9ff1d45c3f0b30070ad94c551b419efbf748d18b13f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/post-edit-format.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 6174, "scanner": "repobility-docker", "fingerprint": "a750447f5b27ab5c30780993a55a6b40ad69fe3475172dcd6f75541df1217653", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a750447f5b27ab5c30780993a55a6b40ad69fe3475172dcd6f75541df1217653"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline/Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 6168, "scanner": "repobility-threat-engine", "fingerprint": "b3a430afe35507f7359e596a091d2dcbfd2f4b6d5a622bd8e767cfe77fe6a494", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|228|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 228}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 6167, "scanner": "repobility-threat-engine", "fingerprint": "a94733ea3386a3670de2ad9fe10990a672ee6e928f35e049f91947ac51f97b8d", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|scripts/publish-crates.py|80|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish-crates.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 6165, "scanner": "repobility-threat-engine", "fingerprint": "b97cbb3faf7ff3eac90a76a2d3f82dd61e48fad68f59fe67ebd26b3d9cbe2ebf", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": "branch = f\"update", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|38|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update_schemastore.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_PYX_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.UV_TEST_PUBLISH_PYX_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 49669, "scanner": "repobility-supply-chain", "fingerprint": "661974d8f867362e361c425f9045cedcb9eab40310b78a57fb786a215fdfcbdc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|661974d8f867362e361c425f9045cedcb9eab40310b78a57fb786a215fdfcbdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 408}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_CLOUDSMITH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_CLOUDSMITH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 49668, "scanner": "repobility-supply-chain", "fingerprint": "8807002f835e5426d3145c1177e507c9f83d67d19e54dc96c05aeddaafb36f1d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8807002f835e5426d3145c1177e507c9f83d67d19e54dc96c05aeddaafb36f1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 407}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_CODEBERG_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_CODEBERG_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 49667, "scanner": "repobility-supply-chain", "fingerprint": "c841b34c33594d23a91c64f794184654341a205d2167b8643e860d3109183e4f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c841b34c33594d23a91c64f794184654341a205d2167b8643e860d3109183e4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 406}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_GITLAB_PAT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_GITLAB_PAT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 49666, "scanner": "repobility-supply-chain", "fingerprint": "4dd80e50f98e9702d51b23396f1623d0cdc324d7cb38993f5c3bd780641043a1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4dd80e50f98e9702d51b23396f1623d0cdc324d7cb38993f5c3bd780641043a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 405}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 49665, "scanner": "repobility-supply-chain", "fingerprint": "a450b1930748f8e9a47b94369e0fae3a1f0ef3ba50dfc3cf676d091aa5132f99", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a450b1930748f8e9a47b94369e0fae3a1f0ef3ba50dfc3cf676d091aa5132f99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 404}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 49664, "scanner": "repobility-supply-chain", "fingerprint": "7e3e181510ebb4ed502eb7247a70ade4a94026e5ad94edff4c7d3bbc50dbaeff", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e3e181510ebb4ed502eb7247a70ade4a94026e5ad94edff4c7d3bbc50dbaeff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 403}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_TEXT_STORE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_TEXT_STORE }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 49663, "scanner": "repobility-supply-chain", "fingerprint": "7a9a79907e9fe817bd14de53e5b10ee26f5c6d35da75ff8c92cd2c17068323ae", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a9a79907e9fe817bd14de53e5b10ee26f5c6d35da75ff8c92cd2c17068323ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 396}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_KEYRING` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLISH_KEYRING }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 49662, "scanner": "repobility-supply-chain", "fingerprint": "a79c400ddc515f2657c21df45e05c62705a7dbcd086b9103413dba8996e379f8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a79c400ddc515f2657c21df45e05c62705a7dbcd086b9103413dba8996e379f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 390}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GITLAB_TEST_PUBLISH_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GITLAB_TEST_PUBLISH_ACCESS_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 49661, "scanner": "repobility-supply-chain", "fingerprint": "468fee6d53a3af42d8a3612ceb848d0222a56cce30d9b8deeef6d19bd4e83483", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|468fee6d53a3af42d8a3612ceb848d0222a56cce30d9b8deeef6d19bd4e83483"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 353}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GITLAB_TEST_PUBLISH_TRIGGER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GITLAB_TEST_PUBLISH_TRIGGER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 49660, "scanner": "repobility-supply-chain", "fingerprint": "8357b2c3cbe5faa4fc24b4a9c0d0aa55b68c228e3286f62ca3378d50b9bb2174", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8357b2c3cbe5faa4fc24b4a9c0d0aa55b68c228e3286f62ca3378d50b9bb2174"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 352}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 49596, "scanner": "repobility-threat-engine", "fingerprint": "8ceb6bdf7f2f77e8728ac1ecaf800e4541c66e02d5094ad3c32836c97587127e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Require(_", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8ceb6bdf7f2f77e8728ac1ecaf800e4541c66e02d5094ad3c32836c97587127e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-requirements/src/source_tree.rs"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 49580, "scanner": "repobility-threat-engine", "fingerprint": "c2f5865933a7091d182d4198f9dbdb21191956acdd4632ac51f0a7870507620b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2f5865933a7091d182d4198f9dbdb21191956acdd4632ac51f0a7870507620b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-configuration/src/proxy_url.rs"}, "region": {"startLine": 169}}}]}]}]}