{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DEPCUR-NPM", "name": "npm package `node-addon-api` is 1 major version(s) behind (^7.1.1 -> 8.8.0)", "shortDescription": {"text": "npm package `node-addon-api` is 1 major version(s) behind (^7.1.1 -> 8.8.0)"}, "fullDescription": {"text": "`node-addon-api` is pinned/resolved at ^7.1.1 but the latest stable release on the npm registry is 8.8.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. 
Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.", "shortDescription": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-690 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: 
require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/708"}, "properties": {"repository": "boku7/Loki", "repoUrl": "https://github.com/boku7/Loki.git", "branch": "main"}, "results": [{"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `node-addon-api` is 1 major version(s) behind (^7.1.1 -> 8.8.0)"}, "properties": {"repobilityId": 56803, "scanner": "repobility-dependency-currency", "fingerprint": "56256a178abc273ad5c02defd7a7b4362dc6f2ae5d05cb9b27bcf44735b24d54", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "node-addon-api", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.8.0", "correlation_key": "fp|56256a178abc273ad5c02defd7a7b4362dc6f2ae5d05cb9b27bcf44735b24d54", "current_version": "^7.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/COFFLoader/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 56794, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", 
"scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 56810, "scanner": "repobility-threat-engine", "fingerprint": "fd3ba4b81462cf3b5c4a3c578f1c45baf79e0cc81c1d630dd3594bb4b35bcd6e", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|client/task-queue.js|168|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/task-queue.js"}, "region": {"startLine": 168}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56802, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2103fdfe7ad1a01377d9422bb973b218c10c4387492a64600773598759b9a0ca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dev/execute_assembly/node_assembly_execute.cpp", "duplicate_line": 28, "correlation_key": "fp|2103fdfe7ad1a01377d9422bb973b218c10c4387492a64600773598759b9a0ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/scexec/node_scexec.cpp"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 56801, "scanner": "repobility-ai-code-hygiene", "fingerprint": "80d013c5ebcd9c24231a625c6623bd002b72e315b741fb76ab8d058c78707eb9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dev/loader/node_loader.cpp", "duplicate_line": 1, "correlation_key": "fp|80d013c5ebcd9c24231a625c6623bd002b72e315b741fb76ab8d058c78707eb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/scexec/node_scexec.cpp"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56800, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a53c3627347650b42f81e2b963ee9479aae23dffb2e79304b89af9d4db103da6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dev/execute_assembly/node_assembly_execute.cpp", "duplicate_line": 28, "correlation_key": "fp|a53c3627347650b42f81e2b963ee9479aae23dffb2e79304b89af9d4db103da6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/loader/node_loader.cpp"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56799, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"937614ee7b64ce9f994a2cbbc8c434d545866159ea4b43406f0f79a6cec32cb6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/renderer.js", "duplicate_line": 48, "correlation_key": "fp|937614ee7b64ce9f994a2cbbc8c434d545866159ea4b43406f0f79a6cec32cb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/COFFLoader/runBOF.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56798, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0387128ff187fb23e1a1055f8ff5734e65094a33ff565710913a3938a8c5e531", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/agent.js", "duplicate_line": 130, "correlation_key": "fp|0387128ff187fb23e1a1055f8ff5734e65094a33ff565710913a3938a8c5e531"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/explorer.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56797, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8550e2b9f25a617a54b4d8af3102c9e727ca82631e2bab215b667944d4665e00", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/renderer.js", "duplicate_line": 7, "correlation_key": "fp|8550e2b9f25a617a54b4d8af3102c9e727ca82631e2bab215b667944d4665e00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard.js"}, "region": {"startLine": 300}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56796, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b8c8b6cc0b24d42bc03c1a16a86db1e89dccbf22ac2c47b7cb0089938cdd63a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/agent.js", "duplicate_line": 40, "correlation_key": "fp|5b8c8b6cc0b24d42bc03c1a16a86db1e89dccbf22ac2c47b7cb0089938cdd63a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/dashboard.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 56795, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a0f53ce14542c4f69d09b6275ba95b991905905c016c8d5906f2d2f066305e33", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"backdoor/Cursor/init.js", "duplicate_line": 1, "correlation_key": "fp|a0f53ce14542c4f69d09b6275ba95b991905905c016c8d5906f2d2f066305e33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backdoor/QRLWallet/init.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 56812, "scanner": "repobility-threat-engine", "fingerprint": "fc9e23ea1aa34310951252ab7013ab48a20af1e113cd67d2bd3f8687b791dc20", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fc9e23ea1aa34310951252ab7013ab48a20af1e113cd67d2bd3f8687b791dc20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/COFFLoader/beacon_compatibility.c"}, "region": {"startLine": 162}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 56809, "scanner": "repobility-threat-engine", "fingerprint": "02faed3ffc3fab61214fcc4bedf7d5d9b583ae75a75bb108db137dc7cf911f7f", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|client/crypt.js|44|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/crypt.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 56808, "scanner": "repobility-threat-engine", "fingerprint": "4b3d1f5da7bc76208217d4630f94b5c604a37c1b24cbe552082771023e8fad2d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4b3d1f5da7bc76208217d4630f94b5c604a37c1b24cbe552082771023e8fad2d", "aggregated_count": 3}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 56807, "scanner": "repobility-threat-engine", "fingerprint": "de84bbe0f93edfa2deb05c9b0784e77fe10de37a5aedea5daa27be31366056dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de84bbe0f93edfa2deb05c9b0784e77fe10de37a5aedea5daa27be31366056dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backdoor/QRLWallet/init.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 56806, "scanner": "repobility-threat-engine", "fingerprint": "b78352bd725dab05aa31c0dc143fab60947ba9f50cad36c0f950c5842ad5821b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b78352bd725dab05aa31c0dc143fab60947ba9f50cad36c0f950c5842ad5821b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backdoor/Cursor/init.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 56805, "scanner": "repobility-threat-engine", "fingerprint": "b271b4ec43509a11a412a97309a4595b90108f43d72c9a48bb4d439260a34145", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b271b4ec43509a11a412a97309a4595b90108f43d72c9a48bb4d439260a34145"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/renderer.js"}, "region": {"startLine": 158}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 56811, "scanner": "repobility-threat-engine", "fingerprint": "713d0844fd3515374c469680554ead11e2d87a402aac1e16ed4c624674a5a43f", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `\n        ${queuePosition ? 
`<div class=\"queue-position\">${queuePosition}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|713d0844fd3515374c469680554ead11e2d87a402aac1e16ed4c624674a5a43f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/task-queue.js"}, "region": {"startLine": 168}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 56813, "scanner": "gitleaks", "fingerprint": "eda607b8d3c7cf5e3e493f1a0d268256e5dd846c9501548e3980a8febd5c232f", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "keytar.node   hash : REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|readme.md|13|keytar.node hash : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 136}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 56804, "scanner": "repobility-threat-engine", "fingerprint": "d311ff9574cae3bb55b2fa4616cc7f1bb03875864c07b95b94dc58ccf8bfe8b7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d311ff9574cae3bb55b2fa4616cc7f1bb03875864c07b95b94dc58ccf8bfe8b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/renderer.js"}, "region": {"startLine": 48}}}]}]}]}