{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "depends_on controls startup order, but without condition: service_healthy, an app can start while the database is still initializing and fail intermittently."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, the build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, 
"fullDescription": {"text": "Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `api` image is selected through a build variable", "shortDescription": {"text": "Compose service `api` image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target 
directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/416"}, "properties": {"repository": "openmrs/openmrs-core", "repoUrl": "https://github.com/openmrs/openmrs-core.git", "branch": "master"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent 
authorization documentation."}, "properties": {"repobilityId": 16508, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Spring Boot"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 16507, "scanner": "repobility-docker", "fingerprint": "88a20aafd7c89d959131e8be624514a4bda18734847596ebc77e2bd1ad2cf731", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "api", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|88a20aafd7c89d959131e8be624514a4bda18734847596ebc77e2bd1ad2cf731", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 16503, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 16495, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "api/src/test/resources/org/openmrs/util/databasechange/openmrs-1.9.7.h2.db", "size_mb": 0.5}, {"path": "liquibase/scripts/create_openmrs_database.sql", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 16493, "scanner": "repobility-threat-engine", "fingerprint": "9415bf8b2c365f5edf62d3bab0f538ba3647dd5d9ce0489e8065e6f56c1827f0", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, 
"triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.2 bits) \u2014 may be a placeholder or a common string", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (3.2 bits) \u2014 may be a placeholder or a common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|106|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/util/OpenmrsConstants.java"}, "region": {"startLine": 1070}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 16492, "scanner": "repobility-threat-engine", "fingerprint": "10defd392334b1a7c83628362b32d01faca6c717faca8a035f06ad10aa5888ac", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.8 bits) \u2014 may be a placeholder or a common string", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (3.8 bits) \u2014 may be a placeholder or a common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|3|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "liquibase/src/main/java/org/openmrs/liquibase/CoreDataTuner.java"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16491, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fad1af926d0a23e7f737742ecf37e00149c3083e53776b73034a914e4564acc5", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/org/openmrs/BaseOpenmrsData.java", "duplicate_line": 34, "correlation_key": "fp|fad1af926d0a23e7f737742ecf37e00149c3083e53776b73034a914e4564acc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/ConceptSet.java"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16490, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1faca98ba95d814f17271b88a392536effee78b34c165d829ac5149e81e26b2f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/org/openmrs/BaseReferenceRange.java", "duplicate_line": 21, "correlation_key": "fp|1faca98ba95d814f17271b88a392536effee78b34c165d829ac5149e81e26b2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/ConceptNumeric.java"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16489, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc61ad30dc71a7c90f7377a03e23c3cd733c31f2a15926fed94955967002cbc4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/org/openmrs/ConceptDescription.java", "duplicate_line": 87, "correlation_key": "fp|fc61ad30dc71a7c90f7377a03e23c3cd733c31f2a15926fed94955967002cbc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/ConceptNameTag.java"}, "region": {"startLine": 137}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16488, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7b5ef499ea22ed7ecbbbb2e2fdf0b980045ab0d7203b9a606eae36254fcb240c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/org/openmrs/ConceptName.java", "duplicate_line": 131, "correlation_key": "fp|7b5ef499ea22ed7ecbbbb2e2fdf0b980045ab0d7203b9a606eae36254fcb240c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/ConceptNameTag.java"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16487, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e421f3b4fa12697b727e9116760fe187154ab49fe43d7b830932110b89e640ee", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/org/openmrs/BaseOpenmrsData.java", "duplicate_line": 34, "correlation_key": "fp|e421f3b4fa12697b727e9116760fe187154ab49fe43d7b830932110b89e640ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/ConceptNameTag.java"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16486, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39f6e5f18e6f3b31296ef4753e0f1b780519e96f90a4ffb469a2a7efa2637343", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/org/openmrs/BaseOpenmrsMetadata.java", "duplicate_line": 55, "correlation_key": "fp|39f6e5f18e6f3b31296ef4753e0f1b780519e96f90a4ffb469a2a7efa2637343"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/ConceptNameTag.java"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16485, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f893772ba238ebd822d641aef7fd32ed59b8ce13ac1306197fbaa5ef41980474", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "api/src/main/java/org/openmrs/BaseOpenmrsData.java", "duplicate_line": 34, "correlation_key": "fp|f893772ba238ebd822d641aef7fd32ed59b8ce13ac1306197fbaa5ef41980474"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/ConceptName.java"}, "region": {"startLine": 123}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16484, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23827f65b80644ea97e48f201f6a02f640674ca1a695c24cbc44569517941460", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/org/openmrs/ConceptDescription.java", "duplicate_line": 65, "correlation_key": "fp|23827f65b80644ea97e48f201f6a02f640674ca1a695c24cbc44569517941460"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/ConceptName.java"}, "region": {"startLine": 117}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16483, "scanner": "repobility-ai-code-hygiene", "fingerprint": "553e3d13b1a687bdd63103e4362cadff6ab1490d16e1093987c528f811c96c9f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/org/openmrs/BaseOpenmrsData.java", 
"duplicate_line": 34, "correlation_key": "fp|553e3d13b1a687bdd63103e4362cadff6ab1490d16e1093987c528f811c96c9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/ConceptDescription.java"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16482, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b90fbc24f9c54a9097554ad902fbdd70a922f021fe33e25a16d601e71048bb41", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/org/openmrs/BaseOpenmrsData.java", "duplicate_line": 34, "correlation_key": "fp|b90fbc24f9c54a9097554ad902fbdd70a922f021fe33e25a16d601e71048bb41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/ConceptAnswer.java"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16481, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84452d2c8b90e5bcdfaaa362919d1551f8f0a07522b49af5833fe6001e26d6d0", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/org/openmrs/BaseOpenmrsData.java", "duplicate_line": 34, "correlation_key": 
"fp|84452d2c8b90e5bcdfaaa362919d1551f8f0a07522b49af5833fe6001e26d6d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/BaseOpenmrsMetadata.java"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16480, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e977fd928b60ca3ca849271db118a36e8407c2d434deae5a4d69b4fcdf9248ed", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/org/openmrs/BaseCustomizableData.java", "duplicate_line": 23, "correlation_key": "fp|e977fd928b60ca3ca849271db118a36e8407c2d434deae5a4d69b4fcdf9248ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/BaseCustomizableMetadata.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 16506, "scanner": "repobility-docker", "fingerprint": "f0af14d3794e5a4a7d50b25771553bfe9b10596cac6458df20ebde9abb880a74", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f0af14d3794e5a4a7d50b25771553bfe9b10596cac6458df20ebde9abb880a74"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 16502, "scanner": "repobility-docker", "fingerprint": "b94d7ef865746b920e79efc369b016fa252bf57c1491c58d546119a9a946f558", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b94d7ef865746b920e79efc369b016fa252bf57c1491c58d546119a9a946f558"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 115}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 16500, "scanner": "repobility-docker", "fingerprint": "fee827a4603e665ee3b5722f830c4bf0ed7a721e5c8a420fc66b8a6032f2bc67", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fee827a4603e665ee3b5722f830c4bf0ed7a721e5c8a420fc66b8a6032f2bc67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 66}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 16497, "scanner": "repobility-docker", "fingerprint": 
"6156a9e38005fa1db7bf224d6d6039922f0a7289ced82774e7446cc165b9e687", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6156a9e38005fa1db7bf224d6d6039922f0a7289ced82774e7446cc165b9e687"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `api` image is selected through a build variable"}, "properties": {"repobilityId": 16505, "scanner": "repobility-docker", "fingerprint": "81d4c11400e3f41840d83bf5dabb061e7a51ce6470ef83ab3b51ff05ba343ed6", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "openmrs/openmrs-core:${TAG:-nightly}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|81d4c11400e3f41840d83bf5dabb061e7a51ce6470ef83ab3b51ff05ba343ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 16501, "scanner": "repobility-docker", "fingerprint": "9a2cb2d531817e3e7564c42142ccf337a26e5e48c50fee04199ded8cef0ec587", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": 
"false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "tomcat:11-$RUNTIME_JDK", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|9a2cb2d531817e3e7564c42142ccf337a26e5e48c50fee04199ded8cef0ec587"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 113}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 16499, "scanner": "repobility-docker", "fingerprint": "5a84617762d186265108aa36ef75e81b6cb3039be7930377b71eb200ac66dde5", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "maven:3.9-$DEV_JDK", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5a84617762d186265108aa36ef75e81b6cb3039be7930377b71eb200ac66dde5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 16496, "scanner": "repobility-docker", "fingerprint": "d355741b966c29a9572db460c7a44d9ce42742963f36da7c68bcca8a65d629b7", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; 
manual review is needed to avoid false positives.", "evidence": {"image": "maven:3.9-$DEV_JDK", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d355741b966c29a9572db460c7a44d9ce42742963f36da7c68bcca8a65d629b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC012", "level": "none", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 16494, "scanner": "repobility-threat-engine", "fingerprint": "92fd87145c5150c57cfc47f5f295bb4a4405cf154020a450277e98122c42e843", "category": "path_traversal", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'startswith' detected on the same line", "evidence": {"match": "Entry.getName()", "reason": "Safe pattern 'startswith' detected on the same line", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|path_traversal|token|606|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/org/openmrs/module/ModuleUtil.java"}, "region": {"startLine": 606}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 22452, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "DKR014", "level": "error", 
"message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 16498, "scanner": "repobility-docker", "fingerprint": "80e8585e9fc0aa49b69aacdd118f5ae790b7be945c28cbe3ed43a007d4115c6c", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|80e8585e9fc0aa49b69aacdd118f5ae790b7be945c28cbe3ed43a007d4115c6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 55}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16504, "scanner": "repobility-docker", "fingerprint": "bbeb1912c23dc4c65e617c2778e96c2d52c5a50d0d7e86cb3b8aeb19e77265b4", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "MARIADB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|bbeb1912c23dc4c65e617c2778e96c2d52c5a50d0d7e86cb3b8aeb19e77265b4", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}]}]}