{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nCheck the scheme too (http/https only) and block private, loopback and link-local ranges explicitly, in IPv6 as well as IPv4: 10/8, 172.16/12, 192.168/16, 169.254/16, 127/8, ::1, fc00::/7, fe80::/10, plus IPv4-mapped forms such as ::ffff:169.254.169.254. Apply the range check to the addresses the allowlisted hostname resolves to, and connect to the checked address rather than resolving again, otherwise a DNS answer that changes between check and connect (rebinding) bypasses it."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `examples/org/aesh/readline/tty/terminal/TerminalConnection.class` committed in source repo", "shortDescription": {"text": "Binary file `examples/org/aesh/readline/tty/terminal/TerminalConnection.class` committed in source repo"}, "fullDescription": {"text": "`examples/org/aesh/readline/tty/terminal/TerminalConnection.class` is a .class binary (12,957 bytes) committed to a repo that otherwise has 380 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-java` pinned to mutable ref `@v5`", "shortDescription": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "fullDescription": {"text": "`uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1350"}, "properties": {"repository": "aeshell/aesh", "repoUrl": "https://github.com/aeshell/aesh", "branch": "master"}, "results": [{"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 137790, "scanner": "repobility-threat-engine", "fingerprint": "7a14d6e21cddc7015caeb504eb07bbd381718730b0b877a84970654de5a22247", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Pattern.compile(\"^\\\\$\\\\{((env:)|(sys:))?((\\\\.*\\\\w+)+", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7a14d6e21cddc7015caeb504eb07bbd381718730b0b877a84970654de5a22247"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "aesh/src/main/java/org/aesh/util/PropertiesLookup.java"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 137785, "scanner": "repobility-threat-engine", "fingerprint": "04c802355fe84d9e01e1041b2b92035e76774f8f02c28fd0a33d2aee9a38a6d9", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Arity max (\" + max + \") must be >= min (\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|04c802355fe84d9e01e1041b2b92035e76774f8f02c28fd0a33d2aee9a38a6d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "aesh/src/main/java/org/aesh/command/option/Arity.java"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 137784, "scanner": "repobility-threat-engine", "fingerprint": "2545e19bb87444c71c683338854c6f3d0dd24db099cbfb96d542d9286c356f99", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Command: \" + name + \" was not found.\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2545e19bb87444c71c683338854c6f3d0dd24db099cbfb96d542d9286c356f99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "aesh/src/main/java/org/aesh/command/impl/registry/MutableCommandRegistryImpl.java"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 137783, "scanner": "repobility-threat-engine", "fingerprint": "345dced4aea61f8761aa8e096d848547a3613686f1a266fffa6e5a299d1f8a91", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "LOGGER.warning(\"Failed to read variables from file \" + exportFile + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|345dced4aea61f8761aa8e096d848547a3613686f1a266fffa6e5a299d1f8a91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "aesh/src/main/java/org/aesh/command/export/ExportManager.java"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137771, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39f84adbb42a546c7f38e6932eeb2c92f7a87713fcbda2c0594a1dff7fd7ad8b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "aesh/src/main/java/org/aesh/command/alias/AliasCommand.java", "duplicate_line": 37, "correlation_key": "fp|39f84adbb42a546c7f38e6932eeb2c92f7a87713fcbda2c0594a1dff7fd7ad8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "aesh/src/main/java/org/aesh/command/alias/UnAliasCommand.java"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137770, "scanner": "repobility-ai-code-hygiene", "fingerprint": "42b67543663a0af305925e52c0cd6365b52886a47bd58dd6c8eab16c1a6f15af", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "aesh-tamboui/src/main/java/org/aesh/tamboui/TuiAppCommand.java", "duplicate_line": 25, "correlation_key": "fp|42b67543663a0af305925e52c0cd6365b52886a47bd58dd6c8eab16c1a6f15af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "aesh-tamboui/src/main/java/org/aesh/tamboui/TuiCommand.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC012", "level": "none", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 137789, "scanner": "repobility-threat-engine", "fingerprint": "aeaa82bd56f21cf3a268af40cf109868221382a831120abbfd2ed4eeb99c197c", "category": "path_traversal", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'startswith' detected on same line", "evidence": {"match": "entry.getName()", "reason": "Safe pattern 'startswith' detected on same line", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|path_traversal|token|91|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "aesh/src/main/java/org/aesh/io/scanner/ZipFileIterator.java"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat 
where the language has interpolation (AI style drift) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 137786, "scanner": "repobility-threat-engine", "fingerprint": "5b5429ce103e0212fe1464cb57739bff2520dbc1282d1a7ac9eefe5666813e21", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5b5429ce103e0212fe1464cb57739bff2520dbc1282d1a7ac9eefe5666813e21"}}}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 137788, "scanner": "repobility-threat-engine", "fingerprint": "8b7c4f04f93804ecd200f8abf81f54e46d7f0cdfc9b5e360c5efc11dcba0216f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8b7c4f04f93804ecd200f8abf81f54e46d7f0cdfc9b5e360c5efc11dcba0216f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "aesh/src/main/java/org/aesh/command/impl/internal/ProcessedCommandBuilder.java"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 137787, "scanner": "repobility-threat-engine", "fingerprint": "ea9614b36ac3b4d46be20b538df8580fbf06d9c2653e0488630914e2f4df4fe4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea9614b36ac3b4d46be20b538df8580fbf06d9c2653e0488630914e2f4df4fe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "aesh/src/main/java/org/aesh/command/impl/converter/URLConverter.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `examples/org/aesh/readline/tty/terminal/TerminalConnection.class` committed in source repo"}, "properties": {"repobilityId": 137782, "scanner": "repobility-supply-chain", "fingerprint": "42a36bc446c8482e4500a76e876b202c3c272de2d950eef3df1e20ea4566204e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42a36bc446c8482e4500a76e876b202c3c272de2d950eef3df1e20ea4566204e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/org/aesh/readline/tty/terminal/TerminalConnection.class"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `examples/dev/tamboui/backend/aesh/AeshBackend.class` committed in source repo"}, "properties": {"repobilityId": 137781, "scanner": 
"repobility-supply-chain", "fingerprint": "fdeb0d91d3d44f567d356776a74eff5903e168a6d31383a203e70cba3e3d2418", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fdeb0d91d3d44f567d356776a74eff5903e168a6d31383a203e70cba3e3d2418"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/dev/tamboui/backend/aesh/AeshBackend.class"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `examples/dev/tamboui/toolkit/app/ToolkitRunner.class` committed in source repo"}, "properties": {"repobilityId": 137780, "scanner": "repobility-supply-chain", "fingerprint": "f167c66b4117abc12b19e45917991676bcec5abacab4ec1adb12299302b6bed7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f167c66b4117abc12b19e45917991676bcec5abacab4ec1adb12299302b6bed7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/dev/tamboui/toolkit/app/ToolkitRunner.class"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `examples/dev/tamboui/tui/TerminalInputReader.class` committed in source repo"}, "properties": {"repobilityId": 137779, "scanner": "repobility-supply-chain", "fingerprint": "e011ccc5f59b18a5a93ba35f633021ffcf1eb15836b85633dd42454fd904ade5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e011ccc5f59b18a5a93ba35f633021ffcf1eb15836b85633dd42454fd904ade5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/dev/tamboui/tui/TerminalInputReader.class"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `examples/dev/tamboui/tui/TuiRunner.class` committed in source repo"}, "properties": {"repobilityId": 137778, "scanner": "repobility-supply-chain", "fingerprint": "034c3a56956d4c9aab05a7fb331c03f7e105cc7ce6b6648170eada3f3c776613", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|034c3a56956d4c9aab05a7fb331c03f7e105cc7ce6b6648170eada3f3c776613"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/dev/tamboui/tui/TuiRunner.class"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `examples/dev/tamboui/terminal/AbstractBackend.class` committed in source repo"}, "properties": {"repobilityId": 137777, "scanner": "repobility-supply-chain", "fingerprint": "5f836b7560af17cfb7711ddfeecb582fb7c698759a41c8b534d0b2d365672447", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|5f836b7560af17cfb7711ddfeecb582fb7c698759a41c8b534d0b2d365672447"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/dev/tamboui/terminal/AbstractBackend.class"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `examples/dev/tamboui/terminal/Backend.class` committed in source repo"}, "properties": {"repobilityId": 137776, "scanner": "repobility-supply-chain", "fingerprint": "5976408f942f5a93920b411efd15b31032c7e5124eed267e3fe978c58c462994", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5976408f942f5a93920b411efd15b31032c7e5124eed267e3fe978c58c462994"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/dev/tamboui/terminal/Backend.class"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 137775, "scanner": "repobility-supply-chain", "fingerprint": "ca02e1e4c38024f0d01f71a40632df4d6b0cf977c853af0e228093233bea3155", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca02e1e4c38024f0d01f71a40632df4d6b0cf977c853af0e228093233bea3155"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 25}}}]}, 
{"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 137774, "scanner": "repobility-supply-chain", "fingerprint": "54b5f86f36fc3510700e5359aef4227f86c2f6741f87f50712af469215448a09", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54b5f86f36fc3510700e5359aef4227f86c2f6741f87f50712af469215448a09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 137773, "scanner": "repobility-supply-chain", "fingerprint": "b27c1fc18800599e296cf27273f9d3aeca69a48882dd6785a891e82170f19aee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b27c1fc18800599e296cf27273f9d3aeca69a48882dd6785a891e82170f19aee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 137772, "scanner": "repobility-supply-chain", "fingerprint": "91a9bcac6283a7ec62d6303b2a2a4021df6594cb1b3f94e4544e4abe5f58461c", "category": "dependency", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91a9bcac6283a7ec62d6303b2a2a4021df6594cb1b3f94e4544e4abe5f58461c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 10}}}]}]}]}
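Worked example for the SEC031 remediation (option 1, rewrite the nested quantifier). This is added illustration, not code from aesh or from the Repobility rule text. It checks, by exhaustively enumerating short strings over a small alphabet, that a rewrite accepts exactly the inputs the original pattern accepts, using `(a+)+` from the rule text and the `(\.*\w+)+` group visible in the finding's evidence. The evidence string is truncated, so the full aesh pattern is unknown; the `[.\w]*\w` rewrite is this example's suggestion for that one group, not a patch for `PropertiesLookup.java`. The `has_nested_quantifier` heuristic is an assumed approximation of the kind of check SEC031 performs. Python is used because the rule text gives its advice in Python; the same rewrite applies unchanged to `java.util.regex`, which is also a backtracking engine.

```python
import itertools
import re

# Constructed pairs for this example: nested-quantifier pattern -> linear rewrite.
# The second key is the group visible in the SEC031 evidence; its rewrite is a
# suggestion for that group alone, since the rest of the aesh pattern is truncated.
REWRITES = {
    r"(a+)+": r"a+",
    r"(\.*\w+)+": r"[.\w]*\w",
}

# Evidence fragment from the finding (Java escaping removed); truncated in the report.
AESH_FRAGMENT = r"^\$\{((env:)|(sys:))?((\.*\w+)+"


def all_strings(alphabet, max_len):
    """Yield every string over `alphabet` with length 0..max_len."""
    for n in range(max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def equivalent(nested, flat, alphabet="a.-1", max_len=6):
    """Compare fullmatch() acceptance of two patterns over all short strings.
    Returns the first string on which they disagree, or None if none exists.
    Short inputs never trigger catastrophic backtracking, so the check is cheap
    even for the pattern being replaced."""
    p_nested, p_flat = re.compile(nested), re.compile(flat)
    for s in all_strings(alphabet, max_len):
        if bool(p_nested.fullmatch(s)) != bool(p_flat.fullmatch(s)):
            return s
    return None


def has_nested_quantifier(pattern):
    """Static heuristic: a quantified group whose body itself ends in a
    quantifier, e.g. `(a+)+` or `(\\.*\\w+)+`. It does not detect the other
    ReDoS shape the rule names, quantified alternation with overlapping
    branches such as `(a|aa)+`; test those with an equivalence check."""
    return re.search(r"\([^()]*[+*}]\)[+*{]", pattern) is not None


def verify_rewrites(rewrites=REWRITES):
    """Return {original: counterexample-or-None} for every proposed rewrite."""
    return {nested: equivalent(nested, flat) for nested, flat in rewrites.items()}


if __name__ == "__main__":
    print("nested quantifier in aesh fragment:", has_nested_quantifier(AESH_FRAGMENT))
    for nested, result in verify_rewrites().items():
        print(f"{nested!r} -> {REWRITES[nested]!r}:",
              "equivalent" if result is None else f"differs on {result!r}")
```

A rewrite is only safe to ship once the equivalence check passes; the enumeration also catches rewrites that silently widen the language, for instance proposing `a*` for `(a+)+` fails on the empty string. Capture-group numbering changes when groups are removed, so callers of `Matcher.group(n)` need updating alongside the pattern.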
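Worked example for the SEC029 remediation (allowlist before fetching, private ranges blocked). This is added illustration, not aesh code and not the rule's own snippet; it fills in what that snippet omits: the scheme check, the IPv6 and IPv4-mapped ranges, and checking the addresses the allowlisted name resolves to. `validate_fetch_url`, `is_forbidden_address` and the `CONSTRUCTED_DNS` table are this example's names; the table stands in for real DNS so the block runs offline, and `resolve_all` is the real lookup a service would pass instead. One caveat on the two SEC029 hits themselves: both sit on a `URL(...)` constructor call (`URLConverter.java`, `ProcessedCommandBuilder.java`), and constructing a `java.net.URL` does not open a connection; the finding only matters if that value later reaches `openConnection()`/`openStream()` or an HTTP client, which is where a check like the one below belongs.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames this service may fetch from (the allowlist from the SEC029 rule text).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers for offline use in this example. images.example.com is
# deliberately given a second, internal answer (IPv4-mapped) to show the
# split-horizon / rebinding case. Production code passes resolve_all() instead.
CONSTRUCTED_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "images.example.com": ["93.184.216.34", "::ffff:10.0.0.5"],
}


def table_resolver(host):
    return {ipaddress.ip_address(a) for a in CONSTRUCTED_DNS.get(host, [])}


def resolve_all(host):
    """Every A/AAAA answer for host (IPv6 scope ids such as %eth0 stripped)."""
    return {ipaddress.ip_address(info[4][0].split("%")[0])
            for info in socket.getaddrinfo(host, None)}


def is_forbidden_address(ip):
    """Addresses an outbound fetch must never reach: RFC 1918 and IPv6 ULA,
    loopback, link-local (169.254/16 incl. the cloud metadata endpoint, fe80::/10),
    unspecified, multicast and reserved. IPv4-mapped IPv6 is unwrapped first so
    ::ffff:169.254.169.254 is judged as 169.254.169.254."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def is_forbidden_ip(text):
    return is_forbidden_address(ipaddress.ip_address(text))


def validate_fetch_url(url, resolver=resolve_all):
    """Return (host, sorted address strings) the fetch may connect to, or raise
    ValueError. Connect to one of the returned addresses (sending the Host header
    and SNI for `host`) instead of resolving again: an answer that changes between
    this check and the connect (DNS rebinding) would otherwise bypass it."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # .hostname drops userinfo ("allowed.host@evil" -> "evil"), the port and
    # IPv6 brackets, and lowercases; a literal IP is simply not in the allowlist.
    host = parts.hostname
    if host is None or host.rstrip(".") not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {host!r}")
    host = host.rstrip(".")
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} does not resolve")
    bad = sorted(str(a) for a in addrs if is_forbidden_address(a))
    if bad:
        raise ValueError(f"{host} resolves to forbidden address(es): {bad}")
    return host, sorted(str(a) for a in addrs)


def is_safe_fetch_url(url, resolver=resolve_all):
    """Allow/deny wrapper for callers that do not need the reason."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://cdn.example.com/a.png", "file:///etc/passwd",
              "http://169.254.169.254/latest/meta-data/",
              "https://images.example.com@evil.example/x",
              "https://images.example.com/logo.png"):
        print(u, "->", "allow" if is_safe_fetch_url(u, table_resolver) else "deny")
```

Rejecting a name because one of its answers is internal is the conservative choice; the alternative, connecting only to the vetted public answers, needs an HTTP client that accepts a pre-resolved address, which is also what defeats rebinding. Redirects must be re-validated with the same function, since a 302 from an allowlisted host is another user-influenced URL.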
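Worked example for the SEC012 remediation (resolve the extracted path and require it to stay under the target directory). This is added illustration, not aesh code: the archive is constructed in memory with entry names an attacker would supply (`../../etc/evil`, an absolute path), and `safe_extract`/`build_archive`/`demo` are this example's names. Python's own `ZipFile.extractall` already strips `..` and absolute prefixes, so the manual check is written out here to show what the equivalent Java code has to do by hand. The `startswith` pattern the scanner accepted on `ZipFileIterator.java` line 91 is only sound when the prefix ends with a path separator (`/tmp/out` is a prefix of `/tmp/outside`); the example uses `os.path.commonpath` instead.

```python
import io
import os
import tempfile
import zipfile


def safe_extract(zip_bytes, dest_dir):
    """Extract every entry into dest_dir, refusing any entry whose resolved path
    would land outside it. Returns the list of files written."""
    dest_real = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute names and drive letters are rejected outright.
            if os.path.isabs(name) or os.path.splitdrive(name)[0]:
                raise ValueError(f"absolute entry name rejected: {name!r}")
            # Resolve the joined path (symlinks and '..' included) and require
            # dest_real to be its common prefix as a path, not as a string.
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"ZipSlip entry rejected: {name!r} -> {target}")
            if target == dest_real:
                continue  # entry names like "" or "." carry no file
            if name.endswith("/"):
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(entries):
    """Build an in-memory zip from {name: bytes}. Names are written verbatim, so
    '../' and leading '/' survive, exactly as in a crafted (constructed) archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo(entries):
    """Extract into a fresh temp dir. Returns ('ok', [relative paths written])
    or ('rejected', reason)."""
    with tempfile.TemporaryDirectory() as d:
        try:
            paths = safe_extract(build_archive(entries), d)
        except ValueError as e:
            return ("rejected", str(e))
        root = os.path.realpath(d)
        return ("ok", sorted(os.path.relpath(p, root) for p in paths))


if __name__ == "__main__":
    print(demo({"docs/readme.txt": b"hello", "docs/sub/x.bin": b"\x00\x01"}))
    print(demo({"../../etc/evil": b"pwned"}))
    print(demo({"sub/../../evil": b"pwned"}))
    print(demo({"/etc/evil": b"pwned"}))
```

The check runs per entry before anything is written, so a crafted archive that mixes benign and traversal entries is rejected as a whole rather than partially extracted. A symlink entry written by an earlier extraction step could redirect a later path outside the target; `zf.open` writes symlink entries as plain files, which is why this example never creates links.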
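Worked example for the MINED115 remediation (pin actions to a full commit SHA). This is added illustration, not part of the aesh repository or its workflows: a small pre-commit style check that reports every `uses:` reference a workflow resolves at run time. The workflow text is constructed for the example from the two references the findings name (`actions/checkout@v6`, `actions/setup-java@v5`) plus a pinned step, a local action and a container image; the 40-hex SHA in it is a placeholder, not a real commit, and `find_mutable_refs`/`classify_uses` are this example's names.

```python
import re

# Constructed workflow text for this example; mirrors the `uses:` lines reported
# in .github/workflows/main.yml. The SHA on the cache step is a placeholder.
CONSTRUCTED_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-java@v5
        with:
          java-version: '21'
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.2.0 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(value):
    """Return (kind, name, ref, pinned) for one `uses:` value.
    Pinned means the target cannot change without a commit in this repo:
    a local action, a 40-hex commit SHA, or an image digest."""
    if value.startswith("./"):
        return ("local", value, None, True)
    if value.startswith("docker://"):
        image = value[len("docker://"):]
        if "@" in image:
            name, ref = image.split("@", 1)
            return ("docker", name, ref, ref.startswith("sha256:"))
        name, sep, tag = image.rpartition(":")
        if not sep or "/" in tag:          # no tag, or ':' was a registry port
            name, tag = image, None
        return ("docker", name, tag, False)
    name, _, ref = value.partition("@")
    return ("action", name, ref or None, bool(FULL_SHA_RE.fullmatch(ref)))


def find_mutable_refs(workflow_text):
    """One dict per `uses:` whose target can move underneath the workflow,
    with the line number and the pinned form to replace it with."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        kind, name, ref, pinned = classify_uses(m.group(1))
        if pinned:
            continue
        line = workflow_text.count("\n", 0, m.start()) + 1
        if kind == "action":
            fix = f"uses: {name}@<40-hex commit sha>  # {ref or 'unpinned'}"
        else:
            fix = f"uses: docker://{name}@sha256:<image digest>  # {ref or 'latest'}"
        findings.append({"line": line, "kind": kind, "name": name, "ref": ref, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in find_mutable_refs(CONSTRUCTED_WORKFLOW):
        print(f"line {f['line']}: {f['name']}@{f['ref']} is mutable; {f['fix']}")
```

Keep the human-readable version in a trailing comment after the SHA, as the report suggests, so Dependabot (`package-ecosystem: "github-actions"` in `.github/dependabot.yml`) or Renovate can bump the SHA and the comment together. A SHA pin only protects against a re-pushed tag; it does not vet what the pinned commit does.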