{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `partition_files` (list): `def partition_files(... = []/{}/set())` \u2014 Python's def", "shortDescription": {"text": "[MINED109] Mutable default argument in `partition_files` (list): `def partition_files(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates "}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def partition_files(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `server` image has no explicit tag", "shortDescription": {"text": "Compose service `server` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `linuxclient` image uses the latest tag", "shortDescription": {"text": "Compose service `linuxclient` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Combine update and install in the same RUN instruction and clean package indexes in that layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC119", "name": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbo", "shortDescription": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets."}, "fullDescription": {"text": "Use 0600 (owner rw only) for secrets, 0644 for general files, 0700 for directories with secrets. Java: `setReadable(true, true)` (owner-only)."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 711 lines (recommend <300)", "shortDescription": {"text": "Average file size is 711 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `fetch_and_save` has cognitive complexity 10 (SonarSource scale). Cognitiv", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `fetch_and_save` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursio"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 10."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED022] C Strcpy (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-120 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED075] C Malloc No Check (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-690 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED080", "name": "[MINED080] Cpp Using Namespace Std (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED080] Cpp Using Namespace Std (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED051", "name": "[MINED051] Csharp Null Forgive (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED051] Csharp Null Forgive (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Namespace/NamespaceForwardedCS.dll` com", "shortDescription": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Namespace/NamespaceForwardedCS.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Namespace/NamespaceForwardedCS.dll` is "}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED130", "name": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `no", "shortDescription": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/data-uri-to-buffer` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` "}, "fullDescription": {"text": "Verify the host is intentional. If your org uses a private registry, add it to your scanner's allowlist (CANONICAL_NPM_HOSTS). Otherwise, regenerate the lockfile against the canonical registry."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04` not pinned by digest: `FROM mcr.mi", "shortDescription": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04` not pinned by digest: `FROM mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04` resolves the tag at build time. The registry CAN re-push a different"}, "fullDescription": {"text": "Replace with: `FROM mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v3` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net11.0-cross-a", "shortDescription": {"text": "[MINED126] Workflow container/services image `mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net11.0-cross-amd64` unpinned: `container/services image: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net11.0-cross-amd6"}, "fullDescription": {"text": "Replace with `mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net11.0-cross-amd64@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.target` used but never assigned in __init__: Method `parse_args` of class `OffsetsTool` reads `self.tar", "shortDescription": {"text": "[MINED108] `self.target` used but never assigned in __init__: Method `parse_args` of class `OffsetsTool` reads `self.target`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first tim"}, "fullDescription": {"text": "Initialize `self.target = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR004", "name": "Docker build secret exposed through ARG", "shortDescription": {"text": "Docker build secret exposed through ARG"}, "fullDescription": {"text": "Replace secret ARG usage with `RUN --mount=type=secret,id=name ...` and pass the value with `docker build --secret`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR015", "name": "Docker build context is very large", "shortDescription": {"text": "Docker build context is very large"}, "fullDescription": {"text": "Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC032", "name": "[SEC032] Unrestricted File Upload \u2014 no extension/MIME validation: File upload accepts the user's filename without valida", "shortDescription": {"text": "[SEC032] Unrestricted File Upload \u2014 no extension/MIME validation: File upload accepts the user's filename without validating extension, content-type, or magic bytes. Attackers upload `.php`, `.jsp`, or executable files to a web-served direc"}, "fullDescription": {"text": "Validate THREE things server-side:\n  1. Extension allowlist:\n       ALLOWED = {'.png', '.jpg', '.pdf'}\n       ext = Path(file.filename).suffix.lower()\n       if ext not in ALLOWED: abort(400)\n  2. Magic-byte check (don't trust the extension):\n       import magic\n       mime = magic.from_buffer(file.read(2048), mime=True)\n  3. Save with a random/UUID filename to a non-executable directory.\nSanitize with `werkzeug.secure_filename`. Never reuse the user's name."}, "properties": {"scanner": "repobility-threat-engine", "category": "file_upload", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC025", "name": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand externa", "shortDescription": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand external entities by default in pre-4.5.2 runtimes (and even later if XmlResolver is left at default). Allows file disclosure a"}, "fullDescription": {"text": "Set XmlResolver = null on XmlDocument before Load. On XmlReader, pass XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null }. Prefer XDocument / XElement which don't expand external entities by default."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED017", "name": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic.", "shortDescription": {"text": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.COPILOT_PAT_0` on a `pull_request` trigger: This workflow triggers on `pull_request`, ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.COPILOT_PAT_0` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_PAT_0 }` lets a PR from any fork exfiltrate the secret"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `os` used but not imported: The file uses `os.something(...)` but never imports `os`. This ra", "shortDescription": {"text": "[MINED107] Missing import: `os` used but not imported: The file uses `os.something(...)` but never imports `os`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import os` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC001", "name": "Compose service runs privileged", "shortDescription": {"text": "Compose service runs privileged"}, "fullDescription": {"text": "Remove privileged mode. Add the single capability, device, or mount that is actually required."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1240"}, "properties": {"repository": "dotnet/runtime", "repoUrl": "https://github.com/dotnet/runtime", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124837, "scanner": "repobility-ast-engine", "fingerprint": "cf572daee3d74342436103ccf72e667814d345961efc562e06b647dfbaeeef4e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf572daee3d74342436103ccf72e667814d345961efc562e06b647dfbaeeef4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/native/external/brotli/setup.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124836, "scanner": "repobility-ast-engine", "fingerprint": "a66edfc4a8de1a6bb878bd7d0fc0bae8b81eabb0e8027565b3ed33539385d8df", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a66edfc4a8de1a6bb878bd7d0fc0bae8b81eabb0e8027565b3ed33539385d8df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_collect_setup.py"}, "region": {"startLine": 418}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `partition_files` (list): `def partition_files(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 124835, "scanner": "repobility-ast-engine", "fingerprint": "0cb59c0da11d11d9251e0f4c65dafbd3d53605efc9146f37e4cc23041a9a9619", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0cb59c0da11d11d9251e0f4c65dafbd3d53605efc9146f37e4cc23041a9a9619"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_collect_setup.py"}, "region": {"startLine": 380}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124829, "scanner": "repobility-ast-engine", "fingerprint": "08b5efe0e0206d7a5109bcae021f85c02591fce814e71482294d2f5a7985cc38", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08b5efe0e0206d7a5109bcae021f85c02591fce814e71482294d2f5a7985cc38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/jitutil.py"}, "region": {"startLine": 585}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124828, "scanner": "repobility-ast-engine", "fingerprint": "dcd5671b29e825df890ff5a6850f7bc083cf87e0aec019149819e26827c9c748", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dcd5671b29e825df890ff5a6850f7bc083cf87e0aec019149819e26827c9c748"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/jitutil.py"}, "region": {"startLine": 578}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124819, "scanner": "repobility-ast-engine", "fingerprint": "52830489748794a6d5b96473c075997be3b0cd51c67f7c27e232d512de47fc23", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|52830489748794a6d5b96473c075997be3b0cd51c67f7c27e232d512de47fc23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_aspnet2.py"}, "region": {"startLine": 401}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124818, "scanner": "repobility-ast-engine", "fingerprint": "88debb8bd0e9a24d535269bbd73ab1eba8c32de2dd2d978057e236b589539559", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|88debb8bd0e9a24d535269bbd73ab1eba8c32de2dd2d978057e236b589539559"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_aspnet2.py"}, "region": {"startLine": 408}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124817, "scanner": "repobility-ast-engine", "fingerprint": "2446f7d7e3c2001c63a635fa4492a73a8f45398e324e97656c883421174c035e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2446f7d7e3c2001c63a635fa4492a73a8f45398e324e97656c883421174c035e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_aspnet2.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124816, "scanner": "repobility-ast-engine", "fingerprint": "9bc7bbe380f3e927325728513be76cf50fe7a97390f7c3dbc0f0e76624411bde", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9bc7bbe380f3e927325728513be76cf50fe7a97390f7c3dbc0f0e76624411bde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_aspnet2.py"}, "region": {"startLine": 390}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124809, "scanner": "repobility-ast-engine", "fingerprint": "65d563658dd7b50897cf7db63053a3b4c5c91896d8eab23484e259ebbe939766", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|65d563658dd7b50897cf7db63053a3b4c5c91896d8eab23484e259ebbe939766"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi.py"}, "region": {"startLine": 2553}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124808, "scanner": "repobility-ast-engine", "fingerprint": "9ac592fad5c515399e6e2df13b583398b36bf44e37ec2db141343d6a140bfe3a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ac592fad5c515399e6e2df13b583398b36bf44e37ec2db141343d6a140bfe3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi.py"}, "region": {"startLine": 2447}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124807, "scanner": "repobility-ast-engine", "fingerprint": "be5bba534ef2921db53cba3a35043fa303121e1ada8cfa9068cfdc50dc42ea08", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|be5bba534ef2921db53cba3a35043fa303121e1ada8cfa9068cfdc50dc42ea08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi.py"}, "region": {"startLine": 795}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124790, "scanner": "repobility-ast-engine", "fingerprint": "c2c4fc14f0a489097698884947097603a42a14b7d1afbd97ea8eed0fc4036c28", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c2c4fc14f0a489097698884947097603a42a14b7d1afbd97ea8eed0fc4036c28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/mini/genmdesc.py"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124789, "scanner": "repobility-ast-engine", "fingerprint": "8498ed4fffa24d39531d12626e535bd342eb978729f8d99fb1550b11b2fdafd2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8498ed4fffa24d39531d12626e535bd342eb978729f8d99fb1550b11b2fdafd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tests/run.py"}, "region": {"startLine": 1438}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124788, "scanner": "repobility-ast-engine", "fingerprint": "b178bf640d567f08fb03a60a7eb73a0e2e79f51cc29ed73583a2e71379c3317f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b178bf640d567f08fb03a60a7eb73a0e2e79f51cc29ed73583a2e71379c3317f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tests/run.py"}, "region": {"startLine": 646}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124787, "scanner": "repobility-ast-engine", "fingerprint": "23facd37ee977c8ff70d6067c7f8a4c4d78a3fe6fcd0e0d1aa751ec96c6fd64c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23facd37ee977c8ff70d6067c7f8a4c4d78a3fe6fcd0e0d1aa751ec96c6fd64c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tests/run.py"}, "region": {"startLine": 712}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124786, "scanner": "repobility-ast-engine", "fingerprint": "0b2b75afba15482ca82ce82c23d3ab4fe4ee49c7b119806a1e65480739889459", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b2b75afba15482ca82ce82c23d3ab4fe4ee49c7b119806a1e65480739889459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tests/run.py"}, "region": {"startLine": 590}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124782, "scanner": "repobility-ast-engine", "fingerprint": "b13eaa7bbf498b121f3a0df1a51fc10cad9d2ef4712b3fde0c4b71b2800224c9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b13eaa7bbf498b121f3a0df1a51fc10cad9d2ef4712b3fde0c4b71b2800224c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/validate_results.py"}, "region": {"startLine": 449}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124781, "scanner": "repobility-ast-engine", "fingerprint": "17dea6aaa6d0c8a9311adb752c45bf9261a6eb41e2c4edfb704b0813a2c981c6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|17dea6aaa6d0c8a9311adb752c45bf9261a6eb41e2c4edfb704b0813a2c981c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/fetch_helix_logs.py"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124780, "scanner": "repobility-ast-engine", "fingerprint": "25ca7e2dba087b2ffb84b383e5a3008c632b3db5b6835eb4967aacec564a1871", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|25ca7e2dba087b2ffb84b383e5a3008c632b3db5b6835eb4967aacec564a1871"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/update_github.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124767, "scanner": "repobility-ast-engine", "fingerprint": "f68edd9dc6bff0565a20d531eeaea6ee08f442954d6a794c9aa1ebb8754ad755", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f68edd9dc6bff0565a20d531eeaea6ee08f442954d6a794c9aa1ebb8754ad755"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/extract_failed_tests.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 124766, "scanner": "repobility-ast-engine", "fingerprint": "af6cc6dbdd15f873aa415f8db3df465123e856f67793d7691c42c9754d5c5fb9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|af6cc6dbdd15f873aa415f8db3df465123e856f67793d7691c42c9754d5c5fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/common/cross/install-debs.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `server` image has no explicit tag"}, "properties": {"repobilityId": 124759, "scanner": "repobility-docker", "fingerprint": "f8cd0c97bf352c02a4f3ab159b1cd22c993197c7fb74fc8c09939dceafb6c46d", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "httpstress", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f8cd0c97bf352c02a4f3ab159b1cd22c993197c7fb74fc8c09939dceafb6c46d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Http/tests/StressTests/HttpStress/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `client` image has no explicit tag"}, "properties": {"repobilityId": 124756, "scanner": "repobility-docker", "fingerprint": "78188da1bb801185926c8d7c80f79b473b2f20cc64f432a4143965e8f9f1aa18", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "httpstress", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|78188da1bb801185926c8d7c80f79b473b2f20cc64f432a4143965e8f9f1aa18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Http/tests/StressTests/HttpStress/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `linuxclient` image uses the latest tag"}, "properties": {"repobilityId": 124752, "scanner": "repobility-docker", "fingerprint": "5383dc6e74a916115fbe9ea74e7dba7cec0491b357c50bea5214503a868185ad", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "linuxclient:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5383dc6e74a916115fbe9ea74e7dba7cec0491b357c50bea5214503a868185ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/docker-compose.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `altweb` image uses the latest tag"}, "properties": {"repobilityId": 124751, "scanner": "repobility-docker", "fingerprint": "0b73bb666f8877d36f6c85846a90dfbc6f2e6b92aa17889f6787d52e42715f07", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "apacheweb:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0b73bb666f8877d36f6c85846a90dfbc6f2e6b92aa17889f6787d52e42715f07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/docker-compose.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `apacheweb` image uses the latest tag"}, "properties": {"repobilityId": 124747, "scanner": "repobility-docker", "fingerprint": "00ce2a28af7b6cfe43019439f6698b78a6b6f05cf758314383bdc42a4190330d", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "apacheweb:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|00ce2a28af7b6cfe43019439f6698b78a6b6f05cf758314383bdc42a4190330d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `kdc` image uses the latest tag"}, "properties": {"repobilityId": 124744, "scanner": "repobility-docker", "fingerprint": "b4e14d9e72d1e827b6fa778bac918a1e59607a53626d756fd00a5605700ad2ff", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "kdc:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b4e14d9e72d1e827b6fa778bac918a1e59607a53626d756fd00a5605700ad2ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 124743, "scanner": "repobility-docker", "fingerprint": "9a06453e53e4573a8fe6eb4938a74cc86ce46b22f087562c088f5e67d7eb5948", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$SDK_BASE_IMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9a06453e53e4573a8fe6eb4938a74cc86ce46b22f087562c088f5e67d7eb5948"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Security/tests/StressTests/SslStress/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 124742, "scanner": "repobility-docker", "fingerprint": "ac1e7b1b5285e82632a24643973bfe15d8814bcccb7755ddac9fd071485b5fae", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ac1e7b1b5285e82632a24643973bfe15d8814bcccb7755ddac9fd071485b5fae", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Security/tests/StressTests/SslStress/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 124740, "scanner": "repobility-docker", "fingerprint": "522942a8ccabd7ff8f83f5352f335a3afbb2904f24f9c64da4a55d4d771bdfde", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$SDK_BASE_IMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|522942a8ccabd7ff8f83f5352f335a3afbb2904f24f9c64da4a55d4d771bdfde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Http/tests/StressTests/HttpStress/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 124739, "scanner": "repobility-docker", "fingerprint": "36b0e932d37156fd669667cc7f2c10d51efe6a1ae60646adbf2c63db3a0a449c", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|36b0e932d37156fd669667cc7f2c10d51efe6a1ae60646adbf2c63db3a0a449c", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Http/tests/StressTests/HttpStress/Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 124735, "scanner": "repobility-docker", "fingerprint": "7316e0197b698fec2d704672d769c60351f29244af53c361918ec016c2b70e31", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7316e0197b698fec2d704672d769c60351f29244af53c361918ec016c2b70e31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/linuxclient/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 124733, "scanner": "repobility-docker", "fingerprint": "0e04a237a936492bd859c784db598a54e8cfa58bb59bdcf7a53814482da8c245", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0e04a237a936492bd859c784db598a54e8cfa58bb59bdcf7a53814482da8c245"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/kdc/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 124731, "scanner": "repobility-docker", "fingerprint": "147c7c451e8b3efcc3bb124c581546b7dba80d98b71f215d8fb4dac96dede45d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|147c7c451e8b3efcc3bb124c581546b7dba80d98b71f215d8fb4dac96dede45d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/apacheweb/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 124728, "scanner": "repobility-docker", "fingerprint": "ede696a18f02947a1aaa5e1cf939d6912d763c50e38f185fb6c01329a1b5e0df", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net10.0-cross-amd64", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ede696a18f02947a1aaa5e1cf939d6912d763c50e38f185fb6c01329a1b5e0df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/nativeaot/docs/Dockerfile.cross-build-x64-x64"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 124727, "scanner": "repobility-docker", "fingerprint": "c6b990ed2131f53346a8327e75f0bbb9afad128af1f8ccc53c8632d9b4f8f499", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net10.0-cross-arm64", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c6b990ed2131f53346a8327e75f0bbb9afad128af1f8ccc53c8632d9b4f8f499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/nativeaot/docs/Dockerfile.cross-build-x64-arm64"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 124726, "scanner": "repobility-docker", "fingerprint": "251ca04a6b844b93c2c5407366f638252a2dde87fe01c44991638a88a16a0699", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/dotnet:${VARIANT}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|251ca04a6b844b93c2c5407366f638252a2dde87fe01c44991638a88a16a0699"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/wasm-multiThreaded/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 124723, "scanner": "repobility-docker", "fingerprint": "823dc0a4dbaeb0dad352d98714b793ed0e5fd5d837486c0d9359b9002fd88fce", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|823dc0a4dbaeb0dad352d98714b793ed0e5fd5d837486c0d9359b9002fd88fce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/wasm-multiThreaded/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 124721, "scanner": "repobility-docker", "fingerprint": "fa48f59cfbb5dffa3c81df1f31ad0382287f94d44dd1a2b843563605c52126ca", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/dotnet:${VARIANT}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fa48f59cfbb5dffa3c81df1f31ad0382287f94d44dd1a2b843563605c52126ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/wasm/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 124718, "scanner": "repobility-docker", "fingerprint": "63387f711e2a8891929b1ff52738063fdc99e42b907d1b561b32cf222fca7d23", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|63387f711e2a8891929b1ff52738063fdc99e42b907d1b561b32cf222fca7d23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/wasm/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 124716, "scanner": "repobility-docker", "fingerprint": "7278525b1e2d24fd2775afc39dba9eff5207f79dcde8fe0cf04987bc43cb8674", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/dotnet:${VARIANT}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7278525b1e2d24fd2775afc39dba9eff5207f79dcde8fe0cf04987bc43cb8674"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/android/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 124715, "scanner": "repobility-docker", "fingerprint": "6355acc2aa86899bb7cd13fa2b352d6b9c1c140826b98891f625b9f77c3938e2", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6355acc2aa86899bb7cd13fa2b352d6b9c1c140826b98891f625b9f77c3938e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/android/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 124712, "scanner": "repobility-docker", "fingerprint": "e09a301585bb675c217cbb4f2f226e3f91a78c61b568c20cf5e57d59308163f9", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/dotnet:${VARIANT}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e09a301585bb675c217cbb4f2f226e3f91a78c61b568c20cf5e57d59308163f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 124679, "scanner": "repobility-ai-code-hygiene", "fingerprint": "efc8cde3eb4ca83d91195daded6eb1199c78c4f8f87d0bff1dfe3af849e222c1", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "update", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "src/mono/mono/metadata/metadata.c", "correlation_key": "fp|efc8cde3eb4ca83d91195daded6eb1199c78c4f8f87d0bff1dfe3af849e222c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/metadata/metadata-update.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC119", "level": "warning", "message": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets."}, "properties": {"repobilityId": 124676, "scanner": "repobility-threat-engine", "fingerprint": "ca27e317fb72d505e53d5a18624d6a66f9df11efbbeb59750911c4a813779348", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.chmod(bootstrapPath, 0o751)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC119", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|131|sec119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/jitformat.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 124675, "scanner": "repobility-threat-engine", "fingerprint": "6b0ec447c60630d7df97f5e54e7bced9be37288b6eb8a7b56e141c670b1be2b2", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6b0ec447c60630d7df97f5e54e7bced9be37288b6eb8a7b56e141c670b1be2b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/coreclr_arguments.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 124641, "scanner": "repobility-threat-engine", "fingerprint": "06e6e6987c200479206886f7810c7a0e18142c162394bfbb37dfdcf543ecce2f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n            catch (FileNotFoundException)\n            {\n                return null;\n            }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|06e6e6987c200479206886f7810c7a0e18142c162394bfbb37dfdcf543ecce2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/nativeaot/System.Private.CoreLib/src/System/Reflection/Assembly.NativeAot.cs"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 124640, "scanner": "repobility-threat-engine", "fingerprint": "18e62df78abf2c6caeb03bee33aaf58215ca8b78bc5039dd43409fd812a10e0a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n            catch (FileNotFoundException)\n            {\n                return null;\n            }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|18e62df78abf2c6caeb03bee33aaf58215ca8b78bc5039dd43409fd812a10e0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/System.Private.CoreLib/src/System/Reflection/Assembly.CoreCLR.cs"}, "region": {"startLine": 38}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 711 lines (recommend <300)"}, "properties": {"repobilityId": 124614, "scanner": "repobility-core", "fingerprint": "aba39fbab866c9ce1e2885ad94391cf45e7a8fb85b98ac3cc8602be2e29d0d22", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|aba39fbab866c9ce1e2885ad94391cf45e7a8fb85b98ac3cc8602be2e29d0d22"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 124765, "scanner": "repobility-docker", "fingerprint": "cb1719539d19b6f38c0ff801367a31a62bef21571ff480ad278ee852107d1115", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cb1719539d19b6f38c0ff801367a31a62bef21571ff480ad278ee852107d1115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Security/tests/StressTests/SslStress/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 124764, "scanner": "repobility-docker", "fingerprint": "541d1def2a6f694e8ffb729c80b99b662baf1a37254fc100fbf8da416eb2319e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|541d1def2a6f694e8ffb729c80b99b662baf1a37254fc100fbf8da416eb2319e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Security/tests/StressTests/SslStress/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 124763, "scanner": "repobility-docker", "fingerprint": "b32375df3af4f4340b8e55891effa331e1de0cc2f46e0075a9583931e07cc5b0", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "client", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b32375df3af4f4340b8e55891effa331e1de0cc2f46e0075a9583931e07cc5b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Security/tests/StressTests/SslStress/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 124762, "scanner": "repobility-docker", "fingerprint": "402424e3fe5acc5757c3c8214913db852a71bcb4eb3b94fc262735c2d0c89912", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "client", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|402424e3fe5acc5757c3c8214913db852a71bcb4eb3b94fc262735c2d0c89912"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Security/tests/StressTests/SslStress/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 124761, "scanner": "repobility-docker", "fingerprint": "f8af6cfeab2f6465125c9b438b0a5f52f8a1eda0431f15d0e5ee2caea360145b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f8af6cfeab2f6465125c9b438b0a5f52f8a1eda0431f15d0e5ee2caea360145b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Http/tests/StressTests/HttpStress/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 124760, "scanner": "repobility-docker", "fingerprint": "c3e1bd08d0baab9992a79dc3548c8eb541245d0d1dff6643eef586e863b67ea9", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c3e1bd08d0baab9992a79dc3548c8eb541245d0d1dff6643eef586e863b67ea9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Http/tests/StressTests/HttpStress/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 124758, "scanner": "repobility-docker", "fingerprint": "ab4d4f5243b0de144f5fa18ec4322437921ea73fe1041852671b3c62d84e43e1", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "client", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ab4d4f5243b0de144f5fa18ec4322437921ea73fe1041852671b3c62d84e43e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Http/tests/StressTests/HttpStress/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 124757, "scanner": "repobility-docker", "fingerprint": "cdb42182bef777524c67a7c3bf0d799381d6f0521edfc2907cd323fd7490ff5d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "client", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cdb42182bef777524c67a7c3bf0d799381d6f0521edfc2907cd323fd7490ff5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Http/tests/StressTests/HttpStress/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 124755, "scanner": "repobility-docker", "fingerprint": "8cd5c0a8d4505242beb8bebe0b72e1e6aab71fd8d4c9540f596c1d69438102f9", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "linuxclient", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8cd5c0a8d4505242beb8bebe0b72e1e6aab71fd8d4c9540f596c1d69438102f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/docker-compose.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 124754, "scanner": "repobility-docker", "fingerprint": "96c368daaad3f61ca8f0defd6c1daed7750a47df4a880cb91c0434edf9ae26e1", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "linuxclient", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|96c368daaad3f61ca8f0defd6c1daed7750a47df4a880cb91c0434edf9ae26e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/docker-compose.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 124750, "scanner": "repobility-docker", "fingerprint": "43104fcc599e618fbcc851c61701c67a7d7f61b123f1ebdbd6fc5bae7b6c55eb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apacheweb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|43104fcc599e618fbcc851c61701c67a7d7f61b123f1ebdbd6fc5bae7b6c55eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 124749, "scanner": "repobility-docker", "fingerprint": "e58b9c5a649372a1653b45eef1f1fa12afa3dc7f35c30b2627fb6834ee112dba", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apacheweb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e58b9c5a649372a1653b45eef1f1fa12afa3dc7f35c30b2627fb6834ee112dba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 124746, "scanner": "repobility-docker", "fingerprint": "a189c78b3aad24a628044388f63e0e7b8f6a0b058814bcd970e80d42da1eaade", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "kdc", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a189c78b3aad24a628044388f63e0e7b8f6a0b058814bcd970e80d42da1eaade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 124745, "scanner": "repobility-docker", "fingerprint": "f9619613c61acaf6aa217d6b32d7ded15bff3cae59635d46e41b01a8da4709cd", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "kdc", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f9619613c61acaf6aa217d6b32d7ded15bff3cae59635d46e41b01a8da4709cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 124738, "scanner": "repobility-docker", "fingerprint": "d3b14809b71724a3d2454731fa8513c18bf4102a636efe437c6fabd3495ae025", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d3b14809b71724a3d2454731fa8513c18bf4102a636efe437c6fabd3495ae025"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Http/tests/StressTests/HttpStress/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 124737, "scanner": "repobility-docker", "fingerprint": "94af218715d39eb7177b00fba8bdbe9a95251339f91ca710c154660de73cb8b2", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|94af218715d39eb7177b00fba8bdbe9a95251339f91ca710c154660de73cb8b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Http/tests/StressTests/HttpStress/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 124734, "scanner": "repobility-docker", "fingerprint": "d3a870e910a915d8a5d59abad7e0bf49fd53d4d5047c9aafa5f6eb542807d29b", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d3a870e910a915d8a5d59abad7e0bf49fd53d4d5047c9aafa5f6eb542807d29b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/linuxclient/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 124732, "scanner": "repobility-docker", "fingerprint": "91c8f46d8fa8c216969d49b2399744a99e98083d4973f4e812d55d39fcff694e", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|91c8f46d8fa8c216969d49b2399744a99e98083d4973f4e812d55d39fcff694e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/kdc/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 124729, "scanner": "repobility-docker", "fingerprint": "e588382edac83410f9477ba2c3e07272c4cba106e292d7edb72465fd849cef86", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e588382edac83410f9477ba2c3e07272c4cba106e292d7edb72465fd849cef86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/apacheweb/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 124725, "scanner": "repobility-docker", "fingerprint": "2f8178a1fd550d26a9534fde5a3712fee4e0877f4c37354974fb92b0fd76b2af", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2f8178a1fd550d26a9534fde5a3712fee4e0877f4c37354974fb92b0fd76b2af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/wasm-multiThreaded/Dockerfile"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 124724, "scanner": "repobility-docker", "fingerprint": "50e184d14bfa21c1372c637ea0b7fd05984a76c92882a174e46576697bc498a8", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|50e184d14bfa21c1372c637ea0b7fd05984a76c92882a174e46576697bc498a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/wasm-multiThreaded/Dockerfile"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 124720, "scanner": "repobility-docker", "fingerprint": "9512880a76a9570e5768145c8a6339e5f922c90bca717025a7958cb9bd62d26c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9512880a76a9570e5768145c8a6339e5f922c90bca717025a7958cb9bd62d26c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/wasm/Dockerfile"}, "region": {"startLine": 56}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 124719, "scanner": "repobility-docker", "fingerprint": "07bdca48551b1fb7cc0ff0dc6a7cb414bda6c8c8a56338d31c2fcb9174f25d10", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|07bdca48551b1fb7cc0ff0dc6a7cb414bda6c8c8a56338d31c2fcb9174f25d10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/wasm/Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 124713, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "61e8965090363e6cf6b4ab1ff423717a1df27d684bb924a4a00d7d4562210aed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/gc/unix/gcenv.unix.cpp", "duplicate_line": 643, "correlation_key": "fp|61e8965090363e6cf6b4ab1ff423717a1df27d684bb924a4a00d7d4562210aed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/gc/wasm/gcenv.cpp"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d680b8d84bc9e2e97dc037238474e3da2279df012bdf84e59c190fbe77a5118d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/gc/vxsort/machine_traits.avx2.h", "duplicate_line": 107, "correlation_key": "fp|d680b8d84bc9e2e97dc037238474e3da2279df012bdf84e59c190fbe77a5118d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/gc/vxsort/machine_traits.neon.h"}, "region": {"startLine": 123}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e603cd4ac801fe8172339bd44e0c40d3aab1c29be70f67e7662299248dc9bd4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/gc/vxsort/machine_traits.avx2.h", "duplicate_line": 41, "correlation_key": "fp|4e603cd4ac801fe8172339bd44e0c40d3aab1c29be70f67e7662299248dc9bd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/gc/vxsort/machine_traits.avx512.h"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cff4ed45ace274042e1a386b10bfa82945b6891caf00b23503b84aba34ec0826", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/gc/gcimpl.h", "duplicate_line": 80, "correlation_key": "fp|cff4ed45ace274042e1a386b10bfa82945b6891caf00b23503b84aba34ec0826"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/gc/gcinterface.h"}, "region": {"startLine": 335}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bbb0b5079577e5126f1a27c57c63e6e11c97ecb773a08349599aaa17205822b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/shared/loongarch64/primitives.cpp", "duplicate_line": 1, "correlation_key": "fp|bbb0b5079577e5126f1a27c57c63e6e11c97ecb773a08349599aaa17205822b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/shared/riscv64/primitives.cpp"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6594e5708d092520d80747c85a47926220273686ef5e6c84d2b0e514448696d6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/inc/arm_primitives.h", "duplicate_line": 5, "correlation_key": "fp|6594e5708d092520d80747c85a47926220273686ef5e6c84d2b0e514448696d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/inc/riscv64/primitives.h"}, "region": {"startLine": 96}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "228b009fd3c488c073e020d9e3f356cd16ee13b374541cbd9687a8abbaa93d5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/inc/loongarch64/primitives.h", "duplicate_line": 46, "correlation_key": "fp|228b009fd3c488c073e020d9e3f356cd16ee13b374541cbd9687a8abbaa93d5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/inc/riscv64/primitives.h"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "851be5a835a3f9d0ff0791dad6ca0ea11e55bcb8caee424f9da0471d6a4d828b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/inc/arm64/primitives.h", "duplicate_line": 2, "correlation_key": "fp|851be5a835a3f9d0ff0791dad6ca0ea11e55bcb8caee424f9da0471d6a4d828b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/inc/riscv64/primitives.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b410f58d662102044b0f8f64334f0d0ddff6f4703192bc1fd5496c11258084a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/inc/arm_primitives.h", "duplicate_line": 1, "correlation_key": "fp|2b410f58d662102044b0f8f64334f0d0ddff6f4703192bc1fd5496c11258084a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/inc/loongarch64/primitives.h"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12d69257a18f7db51fe19dfe749e4b52f183d355552f9c5580c85fa16d7a39ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/inc/arm64/primitives.h", "duplicate_line": 2, "correlation_key": "fp|12d69257a18f7db51fe19dfe749e4b52f183d355552f9c5580c85fa16d7a39ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/inc/loongarch64/primitives.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fbb93dc5d982d2b9ed301d819e35578ae4748117a748d2017ec497e8eaf592a8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/ee/arm/primitives.cpp", "duplicate_line": 3, "correlation_key": "fp|fbb93dc5d982d2b9ed301d819e35578ae4748117a748d2017ec497e8eaf592a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/ee/riscv64/primitives.cpp"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "33a8ea3d8419addaa303115762880ee6349099779e141962a5c040be0ba335b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/ee/arm64/walker.cpp", "duplicate_line": 11, "correlation_key": "fp|33a8ea3d8419addaa303115762880ee6349099779e141962a5c040be0ba335b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/ee/loongarch64/walker.cpp"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0712a0cf412707b54a364bf387746b0486d073f75292dbddb70afb5a5a94aed9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/ee/arm/primitives.cpp", "duplicate_line": 3, "correlation_key": "fp|0712a0cf412707b54a364bf387746b0486d073f75292dbddb70afb5a5a94aed9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/ee/loongarch64/primitives.cpp"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d6db88fe9fcb3f8272b23c9672448207d2625eb2368a416e72ae65eb5e61786", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/ee/amd64/debuggerregdisplayhelper.cpp", "duplicate_line": 7, "correlation_key": "fp|1d6db88fe9fcb3f8272b23c9672448207d2625eb2368a416e72ae65eb5e61786"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/ee/i386/debuggerregdisplayhelper.cpp"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124695, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30833e1d8d841065df4c36264419ae6a71681bbc5f914ea30d91c9c88e6c8355", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/ee/arm/primitives.cpp", "duplicate_line": 3, "correlation_key": "fp|30833e1d8d841065df4c36264419ae6a71681bbc5f914ea30d91c9c88e6c8355"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/ee/arm64/primitives.cpp"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124694, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d3c813b66265189f1dffcdac49071c9e612f533446982af2562de4154240445a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/di/dbgtransportpipeline.cpp", "duplicate_line": 33, "correlation_key": "fp|d3c813b66265189f1dffcdac49071c9e612f533446982af2562de4154240445a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/di/windowspipeline.cpp"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124693, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f080eae6b3ee70d01662d669e46386cae35c69c3f5ec07d0313230197e60938", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/di/remoteeventchannel.cpp", "duplicate_line": 38, "correlation_key": "fp|7f080eae6b3ee70d01662d669e46386cae35c69c3f5ec07d0313230197e60938"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/di/shimremotedatatarget.cpp"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124692, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9777a8f7d59d6ae1321e07769b0ded56f60d9da96e8913d2625e2a33a954b93b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/di/shimlocaldatatarget.cpp", "duplicate_line": 6, "correlation_key": "fp|9777a8f7d59d6ae1321e07769b0ded56f60d9da96e8913d2625e2a33a954b93b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/di/shimremotedatatarget.cpp"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124691, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d60d44708d87d59e8e2265f214f03272a4a7b0cc33edc62e1a8a4f4137b95604", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/di/localeventchannel.cpp", "duplicate_line": 7, "correlation_key": "fp|d60d44708d87d59e8e2265f214f03272a4a7b0cc33edc62e1a8a4f4137b95604"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/di/remoteeventchannel.cpp"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124690, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3246f440a36d4318fd4a965dab7dd74f33e9c50a62dcd862157f06724d5812c9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/di/arm64/cordbregisterset.cpp", "duplicate_line": 141, "correlation_key": "fp|3246f440a36d4318fd4a965dab7dd74f33e9c50a62dcd862157f06724d5812c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/di/loongarch64/cordbregisterset.cpp"}, "region": {"startLine": 148}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124689, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00892244f8fdd1cc348ce1c8e820134374eb6c154a85a154608d55b03a148c78", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/di/arm/cordbregisterset.cpp", "duplicate_line": 73, "correlation_key": "fp|00892244f8fdd1cc348ce1c8e820134374eb6c154a85a154608d55b03a148c78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/di/i386/cordbregisterset.cpp"}, "region": {"startLine": 134}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124688, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bda9e9bffefec7446d47a0010aba57cbc01084a66b93c0bf238a4e9575b69379", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/debug/di/amd64/cordbregisterset.cpp", "duplicate_line": 66, "correlation_key": "fp|bda9e9bffefec7446d47a0010aba57cbc01084a66b93c0bf238a4e9575b69379"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/di/i386/cordbregisterset.cpp"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124687, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e9150c7700cd4443caf1d26f9cb00c5976d0b27f238d5516320796cc9d0e8b43", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/System.Private.CoreLib/src/System/Runtime/CompilerServices/AsyncHelpers.TaskContinuation.cs", "duplicate_line": 14, "correlation_key": "fp|e9150c7700cd4443caf1d26f9cb00c5976d0b27f238d5516320796cc9d0e8b43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/System.Private.CoreLib/src/System/Runtime/CompilerServices/RuntimeAsyncTaskContinuation.cs"}, "region": {"startLine": 84}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124686, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32a316dced5f90502b971c231443c09bb201877d564e6c263382b27367ae8694", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimeAssembly.cs", "duplicate_line": 236, "correlation_key": "fp|32a316dced5f90502b971c231443c09bb201877d564e6c263382b27367ae8694"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimePropertyInfo.cs"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124685, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e8a8552f3c5d233f160827f030c82854b98334fd18398fae29c9e3e5e8ac392", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimeAssembly.cs", "duplicate_line": 236, "correlation_key": "fp|4e8a8552f3c5d233f160827f030c82854b98334fd18398fae29c9e3e5e8ac392"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimeModule.cs"}, "region": {"startLine": 274}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4018361a91fdbdd4c4af4efa646ccc291985cfa8d403819e214fa081d7785442", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimeConstructorInfo.CoreCLR.cs", "duplicate_line": 24, "correlation_key": "fp|4018361a91fdbdd4c4af4efa646ccc291985cfa8d403819e214fa081d7785442"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimeMethodInfo.CoreCLR.cs"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124683, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d3ee86c068d24cd96056c4928314313084114107ff90608aa231561945e4fd5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimeAssembly.cs", "duplicate_line": 236, "correlation_key": "fp|1d3ee86c068d24cd96056c4928314313084114107ff90608aa231561945e4fd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimeFieldInfo.cs"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124682, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c99078ecfcd230adc4dc0114f6e315f77eefaca25be72d70c7c784ddda41bc3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimeAssembly.cs", "duplicate_line": 236, "correlation_key": "fp|1c99078ecfcd230adc4dc0114f6e315f77eefaca25be72d70c7c784ddda41bc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimeEventInfo.cs"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 124681, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f806fb1a5f4ed466278744820041ca09a5861187dd0b795fdc682b23c07d3d4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimeAssembly.cs", "duplicate_line": 236, "correlation_key": "fp|6f806fb1a5f4ed466278744820041ca09a5861187dd0b795fdc682b23c07d3d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimeConstructorInfo.CoreCLR.cs"}, "region": {"startLine": 94}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 124680, "scanner": "repobility-ai-code-hygiene", "fingerprint": "03809f2927c4791d46d31d81e9e2e8627c9d291ecfe1f8cda36a956666c57366", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|03809f2927c4791d46d31d81e9e2e8627c9d291ecfe1f8cda36a956666c57366"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/metadata/metadata-update.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 124660, "scanner": "repobility-threat-engine", "fingerprint": "4bf74fdfddbfbcbabbd56b1bb01d252c888ac47b810f63b8dc9fa9c5a4a63c93", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\" EventXplatEnabled\" + eventName + \"();\\n\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4bf74fdfddbfbcbabbd56b1bb01d252c888ac47b810f63b8dc9fa9c5a4a63c93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/genEventingTests.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 124659, "scanner": "repobility-threat-engine", "fingerprint": "21e52eb3dd928a65a7fe6845d59c4c896b51dff161da981c34b0471f710d5efb", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"#define NO_OF_ETW_PROVIDERS \" + str(numOfProviders) + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|21e52eb3dd928a65a7fe6845d59c4c896b51dff161da981c34b0471f710d5efb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/genEtwProvider.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 124658, "scanner": "repobility-threat-engine", "fingerprint": "e1d7cde7c663e363eaafb4f1a1f9862bfe247f2957370712f129baa28adf9f91", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"#define \" + SymbolicName + \" SMAKEHR(0x\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e1d7cde7c663e363eaafb4f1a1f9862bfe247f2957370712f129baa28adf9f91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/inc/genheaders/genheaders.cs"}, "region": {"startLine": 51}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `fetch_and_save` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=1, if=5, nested_bonus=3, ternary=1."}, "properties": {"repobilityId": 124628, "scanner": "repobility-threat-engine", "fingerprint": "78f298a59be75d28c488e4c32d1575841ea2b1e0d4fcf81ff4426074ff56ee64", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "fetch_and_save", "breakdown": {"if": 5, "for": 1, "ternary": 1, "nested_bonus": 3}, "complexity": 10, "correlation_key": "fp|78f298a59be75d28c488e4c32d1575841ea2b1e0d4fcf81ff4426074ff56ee64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/fetch_helix_logs.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=2, if=4, nested_bonus=2."}, "properties": {"repobilityId": 124627, "scanner": "repobility-threat-engine", "fingerprint": "206c16dcaf94675f4ee6226ca0222de4cd8a2a310e788f1dc01aab0564d9a6b6", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 4, "for": 2, "nested_bonus": 2}, "complexity": 8, "correlation_key": "fp|206c16dcaf94675f4ee6226ca0222de4cd8a2a310e788f1dc01aab0564d9a6b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/extract_failed_tests.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 124741, "scanner": "repobility-docker", "fingerprint": "1a98ec52887883b45c942914aeebf2a7e95551f60fb2c020ad27a5ff0b4325dd", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$SDK_BASE_IMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1a98ec52887883b45c942914aeebf2a7e95551f60fb2c020ad27a5ff0b4325dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Security/tests/StressTests/SslStress/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 124736, "scanner": "repobility-docker", "fingerprint": "e5b3637c866bef460f9703386de98dc56438d31e403c3c1aa4f213adf5b31cab", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$SDK_BASE_IMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e5b3637c866bef460f9703386de98dc56438d31e403c3c1aa4f213adf5b31cab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Http/tests/StressTests/HttpStress/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 124722, "scanner": "repobility-docker", "fingerprint": "0da97a9d465f15e459fffaa91e635c109ec4e196149288d756fe5dc79333ad45", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "mcr.microsoft.com/devcontainers/dotnet:${VARIANT}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|0da97a9d465f15e459fffaa91e635c109ec4e196149288d756fe5dc79333ad45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/wasm-multiThreaded/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 124717, "scanner": "repobility-docker", "fingerprint": "ed091e56300e6fb80f064ace45099bbe7259dd6088297fbbf6d4fa6c6b92cefe", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "mcr.microsoft.com/devcontainers/dotnet:${VARIANT}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ed091e56300e6fb80f064ace45099bbe7259dd6088297fbbf6d4fa6c6b92cefe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/wasm/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 124714, "scanner": "repobility-docker", "fingerprint": "12d27eca48f6f718b2b76689e3be516797cdfe9ed98238318ecf42359569c045", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "mcr.microsoft.com/devcontainers/dotnet:${VARIANT}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|12d27eca48f6f718b2b76689e3be516797cdfe9ed98238318ecf42359569c045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/android/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 124711, "scanner": "repobility-docker", "fingerprint": "be0b8d3313ec22a72b48539b1312df5fbae576eaa5d6eddf2b7c67f037b4ce25", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "mcr.microsoft.com/devcontainers/dotnet:${VARIANT}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|be0b8d3313ec22a72b48539b1312df5fbae576eaa5d6eddf2b7c67f037b4ce25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 124677, "scanner": "repobility-threat-engine", "fingerprint": "09e3d7cde386de013ae18a48f702da152905632a693cfac59d9b42ca806299b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09e3d7cde386de013ae18a48f702da152905632a693cfac59d9b42ca806299b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/jitformat.py"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 124674, "scanner": "repobility-threat-engine", "fingerprint": "ee65a794112cf82fd548514f0645f4308a57f04132efbeef3f06f8adafe73703", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ee65a794112cf82fd548514f0645f4308a57f04132efbeef3f06f8adafe73703"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/nativeaot/System.Private.CoreLib/src/System/Diagnostics/Debugger.cs"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED022", "level": "none", "message": {"text": "[MINED022] C Strcpy (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 124673, "scanner": "repobility-threat-engine", "fingerprint": "58fe92dfe6e97b6adfe63db871e448034175d2b56584210bf8112c2ee07eac96", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|58fe92dfe6e97b6adfe63db871e448034175d2b56584210bf8112c2ee07eac96", "aggregated_count": 1}}}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 124669, "scanner": "repobility-threat-engine", "fingerprint": "008cf5cb4a6d001a21b9b079a6ea304b3e2a8e1a8ed47e19e1e699385013451b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|008cf5cb4a6d001a21b9b079a6ea304b3e2a8e1a8ed47e19e1e699385013451b", "aggregated_count": 1}}}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 124668, "scanner": "repobility-threat-engine", "fingerprint": "dbeecb9fb08dcdda01591ce36b7300c3152cc9496b37bc07f3a57409b389cfe4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dbeecb9fb08dcdda01591ce36b7300c3152cc9496b37bc07f3a57409b389cfe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/pal/src/include/pal/synchcache.hpp"}, "region": {"startLine": 288}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 124667, "scanner": "repobility-threat-engine", "fingerprint": "f8d125115ac1d2bcfaca29c030f6c2d33be661e761a4f0e9fe3e7fbe2b22fe11", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f8d125115ac1d2bcfaca29c030f6c2d33be661e761a4f0e9fe3e7fbe2b22fe11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/jit/alloc.cpp"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 124666, "scanner": "repobility-threat-engine", "fingerprint": "4cb17498df98d864297371c26abafce5901c149a1000334be14965baa9714712", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4cb17498df98d864297371c26abafce5901c149a1000334be14965baa9714712"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/interpreter/eeinterp.cpp"}, "region": {"startLine": 259}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 124665, "scanner": "repobility-threat-engine", "fingerprint": "a51fc5b757daa107ff993d54388f809af87b26cac35292629b20c635c24267fc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a51fc5b757daa107ff993d54388f809af87b26cac35292629b20c635c24267fc", "aggregated_count": 1}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 124661, "scanner": "repobility-threat-engine", "fingerprint": "0a93f04a20a5455ea1d5583f76d6ecf7b16d6848f2b1fa2649ea0d3237642e97", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0a93f04a20a5455ea1d5583f76d6ecf7b16d6848f2b1fa2649ea0d3237642e97"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 124656, "scanner": "repobility-threat-engine", "fingerprint": "4be3e45e42f5d27202232489c0898def8198c89617d4afd827418eb5f86ed595", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4be3e45e42f5d27202232489c0898def8198c89617d4afd827418eb5f86ed595"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/hosts/corerun/wasm/libCorerun.js"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 124655, "scanner": "repobility-threat-engine", "fingerprint": "0b621d20ae5e0d96f997acc8afb96005da338ff99ed43e96ae90937183625e20", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0b621d20ae5e0d96f997acc8afb96005da338ff99ed43e96ae90937183625e20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/hosts/corerun/wasm/libCorerun.extpost.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 124654, "scanner": "repobility-threat-engine", "fingerprint": "550998366cf72c8ea2b2babcb3776288c395221066c2caf28edbde0e395b9cd3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|550998366cf72c8ea2b2babcb3776288c395221066c2caf28edbde0e395b9cd3", "aggregated_count": 1}}}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 124653, "scanner": "repobility-threat-engine", "fingerprint": "c7467433d64c6a184b86a0b982000fac539bf4d01ee4d72eb9f310f90eadc59d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c7467433d64c6a184b86a0b982000fac539bf4d01ee4d72eb9f310f90eadc59d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/gc/vxsort/standalone/demo/demo.cpp"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 124652, "scanner": "repobility-threat-engine", "fingerprint": "5380eae5dad7123aa8d0eb3ade1a68859ac92da3af78a128a46cb2ed5444853b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5380eae5dad7123aa8d0eb3ade1a68859ac92da3af78a128a46cb2ed5444853b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/gc/vxsort/smallsort/bitonic_sort.h"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 124651, "scanner": "repobility-threat-engine", "fingerprint": "a527db641cebde1625b14e4238e6ede4d3dfd8ebac0d23744286629b3ae916c3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a527db641cebde1625b14e4238e6ede4d3dfd8ebac0d23744286629b3ae916c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/gc/vxsort/alignment.h"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 124650, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 124645, "scanner": "repobility-threat-engine", "fingerprint": "97102752084b444be276dbf00f7b883dfa222ca36de815912d08595cb1f5243b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|97102752084b444be276dbf00f7b883dfa222ca36de815912d08595cb1f5243b", "aggregated_count": 4}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 124644, "scanner": "repobility-threat-engine", "fingerprint": "45bfa129f2f817bf91c865eaf6576ff4e463104e407fc6363d93f861a65c139f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|45bfa129f2f817bf91c865eaf6576ff4e463104e407fc6363d93f861a65c139f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/di/rsassembly.cpp"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 124643, "scanner": "repobility-threat-engine", "fingerprint": "6d3ff87b22297042ec81418e8945aa199e53822716fed4150e376917c3e193e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d3ff87b22297042ec81418e8945aa199e53822716fed4150e376917c3e193e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/createdump/createdumpunix.cpp"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 124642, "scanner": "repobility-threat-engine", "fingerprint": "df98d17d40814d1e3e84f496f10ff13cd7509fed0addfab37a5c3e63917a05d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|df98d17d40814d1e3e84f496f10ff13cd7509fed0addfab37a5c3e63917a05d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/binder/applicationcontext.cpp"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 124639, "scanner": "repobility-threat-engine", "fingerprint": "f2223a9322d9363538f885943a9f1018812913ab35967624875c1f66b6b3ab2e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f2223a9322d9363538f885943a9f1018812913ab35967624875c1f66b6b3ab2e", "aggregated_count": 6}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 124638, "scanner": "repobility-threat-engine", "fingerprint": "118fbea49bdb229851246114f19bb7b3198fbf86c335c0837cbd6512f6417ac6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|118fbea49bdb229851246114f19bb7b3198fbf86c335c0837cbd6512f6417ac6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/System.Private.CoreLib/src/System/Reflection/Emit/RuntimeConstructorBuilder.cs"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 124637, "scanner": "repobility-threat-engine", "fingerprint": "501e30065bacd43e0ef39853a9c65aa3e4fbb87788917c964d3e2946fbd5380e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|501e30065bacd43e0ef39853a9c65aa3e4fbb87788917c964d3e2946fbd5380e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/System.Private.CoreLib/src/System/Enum.CoreCLR.cs"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 124636, "scanner": "repobility-threat-engine", "fingerprint": "ddf084a99385d92ca6a93c4a0ff457e7b91f5388c8e00bdde0163c02ee45979b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ddf084a99385d92ca6a93c4a0ff457e7b91f5388c8e00bdde0163c02ee45979b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/System.Private.CoreLib/src/System/Diagnostics/StackFrameHelper.cs"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 124635, "scanner": "repobility-threat-engine", "fingerprint": "88a5ffd44e99f61041c7009d54cf584edf172d728dc9471e1640ed0b479dea8b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88a5ffd44e99f61041c7009d54cf584edf172d728dc9471e1640ed0b479dea8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/common/cross/tizen-fetch.sh"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 124633, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 124629, "scanner": "repobility-threat-engine", "fingerprint": "45af6889f41d225896654b4e8bce4a06163b95f6afa9f4f2920d6273da56e139", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "fetch_failed_tests", "breakdown": {"if": 8, "or": 2, "for": 2, "break": 5, "while": 1, "except": 5, "nested_bonus": 29}, "aggregated": true, "complexity": 52, "correlation_key": "fp|45af6889f41d225896654b4e8bce4a06163b95f6afa9f4f2920d6273da56e139", "aggregated_count": 25}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 124625, "scanner": "repobility-threat-engine", "fingerprint": "6d615cd9bf2c60be3662322ca99aa5e1e9b7c14e2c3cd8301d83186c4e081a22", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d615cd9bf2c60be3662322ca99aa5e1e9b7c14e2c3cd8301d83186c4e081a22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/setup_and_fetch_builds.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 124624, "scanner": "repobility-threat-engine", "fingerprint": "7dc0326cc74887a2f64751b8224e7fb2dd758b79b372a0d96cf77241689a52c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7dc0326cc74887a2f64751b8224e7fb2dd758b79b372a0d96cf77241689a52c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/extract_failed_tests.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 124623, "scanner": "repobility-threat-engine", "fingerprint": "ce43fb957ea3aa959ee1c5c30046785ded098bc464c9c412b1310cf033cb16ac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce43fb957ea3aa959ee1c5c30046785ded098bc464c9c412b1310cf033cb16ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/fuzzlyn_run.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 124622, "scanner": "repobility-threat-engine", "fingerprint": "a8e36f0f7d981a37e2d84d45766d62094e30b629f9a0765f3a14518ba97b6861", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a8e36f0f7d981a37e2d84d45766d62094e30b629f9a0765f3a14518ba97b6861"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/coreclr_arguments.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 124621, "scanner": "repobility-threat-engine", "fingerprint": "0655d66a13458a6573be6b705214311d4cbbb5d7d7b392dcc6ae51e196713ff3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0655d66a13458a6573be6b705214311d4cbbb5d7d7b392dcc6ae51e196713ff3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/extract_failed_tests.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 124620, "scanner": "repobility-threat-engine", "fingerprint": "87bb6029333cb62d92390df61966a05609ecc83529b9d92bc59cc9a7912106aa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87bb6029333cb62d92390df61966a05609ecc83529b9d92bc59cc9a7912106aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/extract_failed_tests.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 124617, "scanner": "repobility-threat-engine", "fingerprint": "49181cabb38f7bf32474faa51ac03c4a566e525f28f1c27b176d20e5d2d728dc", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|49181cabb38f7bf32474faa51ac03c4a566e525f28f1c27b176d20e5d2d728dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/setup_and_fetch_builds.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 124616, "scanner": "repobility-threat-engine", "fingerprint": "3b1ce90195f78f013c24cbb0d183beb03d5f2c33ab3f89419459717806c9cb6d", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|3b1ce90195f78f013c24cbb0d183beb03d5f2c33ab3f89419459717806c9cb6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/extract_failed_tests.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 124615, "scanner": "repobility-threat-engine", "fingerprint": "215f075c2c3e8a4364821ae45e10a607344e36a766459c9a5d6b11dbdc2c37b3", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "print(\"Error getting token from az cli: empty access token.\", file=sys.stderr)", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|. token|7|print error getting token from az cli: empty access token. file sys.stderr"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/extract_failed_tests.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Namespace/NamespaceForwardedCS.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Namespace/NamespaceForwardedCS.dll` is a .dll binary (3,072 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124925, "scanner": "repobility-supply-chain", "fingerprint": "8bda8b01c36aa5c9bb7d0b7461b2246738f85ebc61bd913fbd8492c6ed387631", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8bda8b01c36aa5c9bb7d0b7461b2246738f85ebc61bd913fbd8492c6ed387631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/Namespace/NamespaceForwardedCS.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Namespace/NamespaceTests.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Namespace/NamespaceTests.dll` is a .dll binary (4,608 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124924, "scanner": "repobility-supply-chain", "fingerprint": "a62183d088b6e19e58ef6f76c9e182ddc705f4f527fa718ff04abde7daa5497a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a62183d088b6e19e58ef6f76c9e182ddc705f4f527fa718ff04abde7daa5497a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/Namespace/NamespaceTests.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Misc/Debug.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Misc/Debug.dll` is a .dll binary (3,584 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124923, "scanner": "repobility-supply-chain", "fingerprint": "94fe13c18f58c2e66797ff65637ee8a96eea50bd750a0e50313bb10778a64d73", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|94fe13c18f58c2e66797ff65637ee8a96eea50bd750a0e50313bb10778a64d73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/Misc/Debug.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Misc/Deterministic.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Misc/Deterministic.dll` is a .dll binary (3,072 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124922, "scanner": "repobility-supply-chain", "fingerprint": "706922ebb97380f5f968b96dcd43193b0b1e072e4330d900da26af5e9b55219f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|706922ebb97380f5f968b96dcd43193b0b1e072e4330d900da26af5e9b55219f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/Misc/Deterministic.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Misc/Members.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Misc/Members.dll` is a .dll binary (4,608 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124921, "scanner": "repobility-supply-chain", "fingerprint": "e9afe83d7838036316757c8918341d6bf837b774c0c40effe3a2ccb413703ba6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9afe83d7838036316757c8918341d6bf837b774c0c40effe3a2ccb413703ba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/Misc/Members.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Misc/SatelliteAssembly.resources.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Misc/SatelliteAssembly.resources.dll` is a .dll binary (3,584 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build script"}, "properties": {"repobilityId": 124920, "scanner": "repobility-supply-chain", "fingerprint": "9ac3ea1f8b864e0dd02ac6525307b6ff68c7dedf8a04e7679dbd51d856e7d172", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ac3ea1f8b864e0dd02ac6525307b6ff68c7dedf8a04e7679dbd51d856e7d172"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/Misc/SatelliteAssembly.resources.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Misc/Signed.exe` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Misc/Signed.exe` is a .exe binary (4,096 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124919, "scanner": "repobility-supply-chain", "fingerprint": "2fbc301316a7e6ff6f25046ca6f54ec5b5de5879ce9a05955a8bb2a15a710c99", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2fbc301316a7e6ff6f25046ca6f54ec5b5de5879ce9a05955a8bb2a15a710c99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/Misc/Signed.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Misc/EmptyType.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Misc/EmptyType.dll` is a .dll binary (2,048 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124918, "scanner": "repobility-supply-chain", "fingerprint": "2c960eb2c5b8f409224099dbf0a7ef74f1662b69c40514d359ea6a6f7e8a0469", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c960eb2c5b8f409224099dbf0a7ef74f1662b69c40514d359ea6a6f7e8a0469"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/Misc/EmptyType.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Interop/OtherAccessors.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Interop/OtherAccessors.dll` is a .dll binary (2,560 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124917, "scanner": "repobility-supply-chain", "fingerprint": "a07ecb52d312ab0d4de54fa7cc8a3dbf8e2392bda8f46c11aba537dac8287888", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a07ecb52d312ab0d4de54fa7cc8a3dbf8e2392bda8f46c11aba537dac8287888"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/Interop/OtherAccessors.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Interop/Interop.Mock01.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Interop/Interop.Mock01.dll` is a .dll binary (8,192 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124916, "scanner": "repobility-supply-chain", "fingerprint": "fc00e29fd6dcc7acd2eeb5cd91e9eb55939f8fe8618d55dce0615c2f4aa51e8e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc00e29fd6dcc7acd2eeb5cd91e9eb55939f8fe8618d55dce0615c2f4aa51e8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/Interop/Interop.Mock01.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Interop/Interop.Mock01.Impl.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Interop/Interop.Mock01.Impl.dll` is a .dll binary (5,632 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124915, "scanner": "repobility-supply-chain", "fingerprint": "363f8da45cc7be3ded4ac936a07d3f5e761835ab89288c94364393f94bf2521e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|363f8da45cc7be3ded4ac936a07d3f5e761835ab89288c94364393f94bf2521e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/Interop/Interop.Mock01.Impl.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/Interop/IndexerWithByRefParam.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/Interop/IndexerWithByRefParam.dll` is a .dll binary (2,048 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124914, "scanner": "repobility-supply-chain", "fingerprint": "443feec6ba312a14c2ba8342dffad737a3221d55f779b7a60a4dd0a2179998a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|443feec6ba312a14c2ba8342dffad737a3221d55f779b7a60a4dd0a2179998a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/Interop/IndexerWithByRefParam.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/PortablePdbs/Documents.Embedded.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/PortablePdbs/Documents.Embedded.dll` is a .dll binary (4,096 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124913, "scanner": "repobility-supply-chain", "fingerprint": "ff7c099203c1f9812f6cdb53b84d8efdd633e7538f9ec540f1c15818d7f6bcf8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff7c099203c1f9812f6cdb53b84d8efdd633e7538f9ec540f1c15818d7f6bcf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/PortablePdbs/Documents.Embedded.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/PortablePdbs/Documents.dll` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/PortablePdbs/Documents.dll` is a .dll binary (3,584 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124912, "scanner": "repobility-supply-chain", "fingerprint": "046eb6e30e372219139a8247955357263849964763e9edf24b062e0946c9ee6c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|046eb6e30e372219139a8247955357263849964763e9edf24b062e0946c9ee6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/PortablePdbs/Documents.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Reflection.Metadata/tests/Resources/NetModule/AppCS.exe` committed in source repo: `src/libraries/System.Reflection.Metadata/tests/Resources/NetModule/AppCS.exe` is a .exe binary (6,144 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124911, "scanner": "repobility-supply-chain", "fingerprint": "cc42268fff7645d0efd1adb1c29dfcdf525403fc6cb3570ef5822e883cd576e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc42268fff7645d0efd1adb1c29dfcdf525403fc6cb3570ef5822e883cd576e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Reflection.Metadata/tests/Resources/NetModule/AppCS.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Diagnostics.FileVersionInfo/tests/System.Diagnostics.FileVersionInfo.Tests/NativeConsoleApp.exe` committed in source repo: `src/libraries/System.Diagnostics.FileVersionInfo/tests/System.Diagnostics.FileVersionInfo.Tests/NativeConsoleApp.exe` is a .exe binary (11,776 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips"}, "properties": {"repobilityId": 124910, "scanner": "repobility-supply-chain", "fingerprint": "ad25ded2d8612aeb014bb33ba1e4244da362ce6385a90045703f3455c0b37bc4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad25ded2d8612aeb014bb33ba1e4244da362ce6385a90045703f3455c0b37bc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Diagnostics.FileVersionInfo/tests/System.Diagnostics.FileVersionInfo.Tests/NativeConsoleApp.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Diagnostics.FileVersionInfo/tests/System.Diagnostics.FileVersionInfo.Tests/SecondNativeLibrary.dll` committed in source repo: `src/libraries/System.Diagnostics.FileVersionInfo/tests/System.Diagnostics.FileVersionInfo.Tests/SecondNativeLibrary.dll` is a .dll binary (11,776 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR"}, "properties": {"repobilityId": 124909, "scanner": "repobility-supply-chain", "fingerprint": "f589f69214f0516bf22d18d5d46772a90cba6c2c6a6a776578e42dae38d340e4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f589f69214f0516bf22d18d5d46772a90cba6c2c6a6a776578e42dae38d340e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Diagnostics.FileVersionInfo/tests/System.Diagnostics.FileVersionInfo.Tests/SecondNativeLibrary.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Diagnostics.FileVersionInfo/tests/System.Diagnostics.FileVersionInfo.Tests/NativeLibrary.dll` committed in source repo: `src/libraries/System.Diagnostics.FileVersionInfo/tests/System.Diagnostics.FileVersionInfo.Tests/NativeLibrary.dll` is a .dll binary (11,776 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a "}, "properties": {"repobilityId": 124908, "scanner": "repobility-supply-chain", "fingerprint": "c433c635ff95363dcd047b26c0a9eace5a9477db346aa6a713dee47fab479139", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c433c635ff95363dcd047b26c0a9eace5a9477db346aa6a713dee47fab479139"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Diagnostics.FileVersionInfo/tests/System.Diagnostics.FileVersionInfo.Tests/NativeLibrary.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Private.Xml/tests/Xslt/TestFiles/TestData/xsltc/baseline/sft36.dll` committed in source repo: `src/libraries/System.Private.Xml/tests/Xslt/TestFiles/TestData/xsltc/baseline/sft36.dll` is a .dll binary (5,120 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124907, "scanner": "repobility-supply-chain", "fingerprint": "77f224eb8e34864c80fc583510979dd6fddd0b535e1df61cefc66c9e3abf86eb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|77f224eb8e34864c80fc583510979dd6fddd0b535e1df61cefc66c9e3abf86eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Private.Xml/tests/Xslt/TestFiles/TestData/xsltc/baseline/sft36.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/System.Private.Xml/tests/Xslt/TestFiles/TestData/xsltc/baseline/pft8.dll` committed in source repo: `src/libraries/System.Private.Xml/tests/Xslt/TestFiles/TestData/xsltc/baseline/pft8.dll` is a .dll binary (4,096 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124906, "scanner": "repobility-supply-chain", "fingerprint": "a820d1a93b49dfc8290dc0528eea7c9787af021f7f4a8d81ba53527278fa3c7c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a820d1a93b49dfc8290dc0528eea7c9787af021f7f4a8d81ba53527278fa3c7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Private.Xml/tests/Xslt/TestFiles/TestData/xsltc/baseline/pft8.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/libraries/Common/tests/Data/TinyAssembly.dll` committed in source repo: `src/libraries/Common/tests/Data/TinyAssembly.dll` is a .dll binary (1,536 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124905, "scanner": "repobility-supply-chain", "fingerprint": "0fb0f997071f900aa7bec3eee518e6e948ee709483ae17f9b4fed395862c7fe2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fb0f997071f900aa7bec3eee518e6e948ee709483ae17f9b4fed395862c7fe2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/Data/TinyAssembly.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/mono/wasm/testassets/native-libs/variadic.o` committed in source repo: `src/mono/wasm/testassets/native-libs/variadic.o` is a .o binary (549 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124904, "scanner": "repobility-supply-chain", "fingerprint": "1c9a1b63414434840afdcc8590e698b8ee23daca3d60855b475fc0a8c0bee9dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c9a1b63414434840afdcc8590e698b8ee23daca3d60855b475fc0a8c0bee9dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/wasm/testassets/native-libs/variadic.o"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/mono/wasm/testassets/native-libs/native-lib.o` committed in source repo: `src/mono/wasm/testassets/native-libs/native-lib.o` is a .o binary (617 bytes) committed to a repo that otherwise has 37635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 124903, "scanner": "repobility-supply-chain", "fingerprint": "e3d5a12d370796a287aaab71f09e91cb63bf40fd517a223e909fa9d0c52ec262", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e3d5a12d370796a287aaab71f09e91cb63bf40fd517a223e909fa9d0c52ec262"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/wasm/testassets/native-libs/native-lib.o"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/data-uri-to-buffer` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 124902, "scanner": "repobility-supply-chain", "fingerprint": "f9f84bdc3f1ee5a579240407e1d1a0cb54a64317ad85be4457ca888361373e45", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f9f84bdc3f1ee5a579240407e1d1a0cb54a64317ad85be4457ca888361373e45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.Http/tests/FunctionalTests/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/ws` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 124901, "scanner": "repobility-supply-chain", "fingerprint": "7d88a575b7cf55925fff407b417029317916420c8d397f19a79aa2d12489395e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d88a575b7cf55925fff407b417029317916420c8d397f19a79aa2d12489395e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/System.Net.WebSockets.Client/tests/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04` not pinned by digest: `FROM mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 124900, "scanner": "repobility-supply-chain", "fingerprint": "0b5ae6a2f20ab48cec55d513ceaf3156d064d810ba938c28381dfa748eee48a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b5ae6a2f20ab48cec55d513ceaf3156d064d810ba938c28381dfa748eee48a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/kdc/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04` not pinned by digest: `FROM mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 124899, "scanner": "repobility-supply-chain", "fingerprint": "df0d1005a164b93cdcf5ee9f7a7ca1082cba45cc8d846cf6824af34d278aa510", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df0d1005a164b93cdcf5ee9f7a7ca1082cba45cc8d846cf6824af34d278aa510"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/linuxclient/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04` not pinned by digest: `FROM mcr.microsoft.com/dotnet-buildtools/prereqs:ubuntu-24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 124898, "scanner": "repobility-supply-chain", "fingerprint": "a19f3d278a613465583f9c2e96e7a54a9993ac60728694d52995ee0b8dd45baf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a19f3d278a613465583f9c2e96e7a54a9993ac60728694d52995ee0b8dd45baf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/apacheweb/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124897, "scanner": "repobility-supply-chain", "fingerprint": "dd8abcd1f067824c242bc18f10b2f1a97b3e656411c50152cbbaf8d8101e0e91", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd8abcd1f067824c242bc18f10b2f1a97b3e656411c50152cbbaf8d8101e0e91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/native/external/libunwind/.github/workflows/CI-win.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v5`: `uses: actions/stale@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124896, "scanner": "repobility-supply-chain", "fingerprint": "957b5424b3423ef4eb4c1416f1116d5361a35ec42d0cbe1dd3bb65c2b0aea50c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|957b5424b3423ef4eb4c1416f1116d5361a35ec42d0cbe1dd3bb65c2b0aea50c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/native/external/libunwind/.github/workflows/groom-issues.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124895, "scanner": "repobility-supply-chain", "fingerprint": "3a1f811e9c0a2eed3c1ce290b6582f7be0c1e6fd0f5d4eed8c80f5958ebd5380", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a1f811e9c0a2eed3c1ce290b6582f7be0c1e6fd0f5d4eed8c80f5958ebd5380"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/native/external/libunwind/.github/workflows/CI-unix.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124894, "scanner": "repobility-supply-chain", "fingerprint": "24885288c4cab93f05f943c7d0e65b11112cbad4b943ec7fd9d768ef8d471d17", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24885288c4cab93f05f943c7d0e65b11112cbad4b943ec7fd9d768ef8d471d17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/native/external/libunwind/.github/workflows/CI-unix.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v2`: `uses: github/codeql-action/analyze@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124893, "scanner": "repobility-supply-chain", "fingerprint": "e27cf5226bbdfa6069a5002aea801e01efc82b1083fd6d38b70c5f51c15e23ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e27cf5226bbdfa6069a5002aea801e01efc82b1083fd6d38b70c5f51c15e23ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/native/external/libunwind/.github/workflows/codeql-analysis.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/autobuild` pinned to mutable ref `@v2`: `uses: github/codeql-action/autobuild@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124892, "scanner": "repobility-supply-chain", "fingerprint": "e7d512e4cbea7283497a28531dee3ad25f8ec9c49032855fd3b802240850d0d5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e7d512e4cbea7283497a28531dee3ad25f8ec9c49032855fd3b802240850d0d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/native/external/libunwind/.github/workflows/codeql-analysis.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v2`: `uses: github/codeql-action/init@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124891, "scanner": "repobility-supply-chain", "fingerprint": "743d03b0752ba4750adb178bc0a86db5310a0e11453ff03d1d0e1719b306d79e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|743d03b0752ba4750adb178bc0a86db5310a0e11453ff03d1d0e1719b306d79e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/native/external/libunwind/.github/workflows/codeql-analysis.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124890, "scanner": "repobility-supply-chain", "fingerprint": "bf3bef39d9f4369004f8415d75279631f86d9d2cca328e3ec52a09c0548d2c25", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf3bef39d9f4369004f8415d75279631f86d9d2cca328e3ec52a09c0548d2c25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/native/external/libunwind/.github/workflows/codeql-analysis.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net10.0-cross-amd64` not pinned by digest: `FROM mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net10.0-cross-amd64` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 124889, "scanner": "repobility-supply-chain", "fingerprint": "cfa466658ee4d0798e6d791e1e72f502f755121784b4264c07c643d0e40d1c5a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cfa466658ee4d0798e6d791e1e72f502f755121784b4264c07c643d0e40d1c5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/nativeaot/docs/Dockerfile.cross-build-x64-x64"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net10.0-cross-arm64` not pinned by digest: `FROM mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net10.0-cross-arm64` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 124888, "scanner": "repobility-supply-chain", "fingerprint": "6cc1dca1f6b9b627b45c82e29fd74f82210b175f91dbc96f0eefc853a51cf8f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6cc1dca1f6b9b627b45c82e29fd74f82210b175f91dbc96f0eefc853a51cf8f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/nativeaot/docs/Dockerfile.cross-build-x64-arm64"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/@bytecodealliance/componentize-js` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 124887, "scanner": "repobility-supply-chain", "fingerprint": "4f3a9c052919c8a7ff83435c3c6acebd72994ba71bbf7c4d6becbadc8320db9b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f3a9c052919c8a7ff83435c3c6acebd72994ba71bbf7c4d6becbadc8320db9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/sample/wasi/jco/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/@rollup/rollup-android-arm-eabi` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 124886, "scanner": "repobility-supply-chain", "fingerprint": "069702d45984e313bcf752c64488511642aa7ee0ad554c8d4024ac7ecfd46e10", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|069702d45984e313bcf752c64488511642aa7ee0ad554c8d4024ac7ecfd46e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/browser/runtime/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/@rollup/rollup-android-arm-eabi` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 124885, "scanner": "repobility-supply-chain", "fingerprint": "20719f18d7a4029dfb1aa5a929ef70911c7e424bd54a6fd90c78ec54caafcae0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20719f18d7a4029dfb1aa5a929ef70911c7e424bd54a6fd90c78ec54caafcae0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/native/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dotnet/arcade/.github/workflows/backport-base.yml` pinned to mutable ref `@main`: `uses: dotnet/arcade/.github/workflows/backport-base.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124884, "scanner": "repobility-supply-chain", "fingerprint": "20791c25d9d316982a04ff691d76f81e5417243faabfacbbbec0791c580d1373", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20791c25d9d316982a04ff691d76f81e5417243faabfacbbbec0791c580d1373"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backport.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net11.0-cross-amd64` unpinned: `container/services image: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net11.0-cross-amd64` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 124883, "scanner": "repobility-supply-chain", "fingerprint": "337710ec643553cf16a67daa3e98f26f48da62814ff090ef87de4cb0bc60a694", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|337710ec643553cf16a67daa3e98f26f48da62814ff090ef87de4cb0bc60a694"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jit-format.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124882, "scanner": "repobility-supply-chain", "fingerprint": "b6ab02ac8ca065422c6af0d12998dff3312f58832a42bc25d3fc3259e5873393", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6ab02ac8ca065422c6af0d12998dff3312f58832a42bc25d3fc3259e5873393"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jit-format.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124881, "scanner": "repobility-supply-chain", "fingerprint": "e809015df4c88e92b4a640dda95cf85c91c533d63160a3aa4788b82d557b12f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e809015df4c88e92b4a640dda95cf85c91c533d63160a3aa4788b82d557b12f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jit-format.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124880, "scanner": "repobility-supply-chain", "fingerprint": "1e6be822710503e3653938a50e748603188b7d3c8b7885485bf6cd1fbfa890a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e6be822710503e3653938a50e748603188b7d3c8b7885485bf6cd1fbfa890a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jit-format.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124879, "scanner": "repobility-supply-chain", "fingerprint": "622e0e5d2a77a98c0715e387565f79714e589bdc2551b6a9122f274fc2eedc24", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|622e0e5d2a77a98c0715e387565f79714e589bdc2551b6a9122f274fc2eedc24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/jit-format.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124878, "scanner": "repobility-supply-chain", "fingerprint": "d04c8aae32742a6bee441b096e40573dc0815858a49d91eee8d4ca61688875ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d04c8aae32742a6bee441b096e40573dc0815858a49d91eee8d4ca61688875ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/locker.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124877, "scanner": "repobility-supply-chain", "fingerprint": "7beb123e8ba4a7137cc9aa7303e70818adf728de1ed1fbe1edde991fd8bfa260", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7beb123e8ba4a7137cc9aa7303e70818adf728de1ed1fbe1edde991fd8bfa260"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/locker.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124876, "scanner": "repobility-supply-chain", "fingerprint": "bf0a773095859828d94304ca067bdafb7f2ab5429cb8cb9f7081748064408f46", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf0a773095859828d94304ca067bdafb7f2ab5429cb8cb9f7081748064408f46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/skill-validation.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124875, "scanner": "repobility-supply-chain", "fingerprint": "026f113c2d5b50d4b5323e5bcbf773e56a44d622a6ff9d55ad6a3d8c9ba75f8f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|026f113c2d5b50d4b5323e5bcbf773e56a44d622a6ff9d55ad6a3d8c9ba75f8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/markdownlint.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124874, "scanner": "repobility-supply-chain", "fingerprint": "e2c152d9b00cb76bd0d57fe5d13a100c4ff9ae73e51b0fe7f003f38e5f340a97", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2c152d9b00cb76bd0d57fe5d13a100c4ff9ae73e51b0fe7f003f38e5f340a97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/markdownlint.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124873, "scanner": "repobility-supply-chain", "fingerprint": "2ea69f9ed78372a4c2cc3d3d47757e574448274808a10478020297f88d074ebb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ea69f9ed78372a4c2cc3d3d47757e574448274808a10478020297f88d074ebb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dotnet/arcade/.github/workflows/inter-branch-merge-base.yml` pinned to mutable ref `@main`: `uses: dotnet/arcade/.github/workflows/inter-branch-merge-base.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124872, "scanner": "repobility-supply-chain", "fingerprint": "83f09066ae1180640459e1ed08fba90594ca85ba0a646fa9aade5bb055c2c871", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|83f09066ae1180640459e1ed08fba90594ca85ba0a646fa9aade5bb055c2c871"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/inter-branch-merge-flow.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124871, "scanner": "repobility-supply-chain", "fingerprint": "2e87607f0f9532b9157f59b8224f2913b4d3f94f2562c70ad1a23ff059ba8920", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e87607f0f9532b9157f59b8224f2913b4d3f94f2562c70ad1a23ff059ba8920"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bump-chrome-version.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124870, "scanner": "repobility-supply-chain", "fingerprint": "3501f281af1fc930df7e15c6779bfd1cdd8f9daab618c1bbf64d019b43d110ca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3501f281af1fc930df7e15c6779bfd1cdd8f9daab618c1bbf64d019b43d110ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bump-chrome-version.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124844, "scanner": "repobility-supply-chain", "fingerprint": "5ad2d3c2b06fcd318c817faea7b36bf01b799e72f0768e166cc910d734ec55ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ad2d3c2b06fcd318c817faea7b36bf01b799e72f0768e166cc910d734ec55ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/aspnetcore-sync.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124843, "scanner": "repobility-supply-chain", "fingerprint": "ec5138723c7961c9805cdaece7c6fd3cc8f3628618e4616c2e93ba919b50f91a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec5138723c7961c9805cdaece7c6fd3cc8f3628618e4616c2e93ba919b50f91a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/aspnetcore-sync.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 124842, "scanner": "repobility-supply-chain", "fingerprint": "823d5a385e9f68ce74fb1bf778cd479dc690de74821c3988e4467a72170f9d90", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|823d5a385e9f68ce74fb1bf778cd479dc690de74821c3988e4467a72170f9d90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/aspnetcore-sync.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/dotnet (no tag)` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/dotnet (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 124841, "scanner": "repobility-supply-chain", "fingerprint": "cfb1840ad087d54eefd2f453b6d11a00b10bcdafae66215d073d2890edb702fc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cfb1840ad087d54eefd2f453b6d11a00b10bcdafae66215d073d2890edb702fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/android/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/dotnet (no tag)` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/dotnet (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 124840, "scanner": "repobility-supply-chain", "fingerprint": "df11ef252b87968c7ab5bec3a8f4adf561232d4e547e3a3590c0c32a2f59de7e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df11ef252b87968c7ab5bec3a8f4adf561232d4e547e3a3590c0c32a2f59de7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/wasm/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/dotnet (no tag)` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/dotnet (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 124839, "scanner": "repobility-supply-chain", "fingerprint": "88ff59484d99a9e85b9e1371366f05892f2c35daccf110314876cf78f694aa93", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88ff59484d99a9e85b9e1371366f05892f2c35daccf110314876cf78f694aa93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/wasm-multiThreaded/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/dotnet (no tag)` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/dotnet (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 124838, "scanner": "repobility-supply-chain", "fingerprint": "8e197831c65655ef8d9a04fd544ecf95411f49c838d8c522855927a3ac081ebf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e197831c65655ef8d9a04fd544ecf95411f49c838d8c522855927a3ac081ebf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.target` used but never assigned in __init__: Method `parse_args` of class `OffsetsTool` reads `self.target`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124800, "scanner": "repobility-ast-engine", "fingerprint": "cae2b0ee1a8148f3bd1ba9de4621f3423cd775afd12086ba2964762464d2824f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cae2b0ee1a8148f3bd1ba9de4621f3423cd775afd12086ba2964762464d2824f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/offsets/offsets-tool.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sys_includes` used but never assigned in __init__: Method `parse_args` of class `OffsetsTool` reads `self.sys_includes`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124799, "scanner": "repobility-ast-engine", "fingerprint": "be5d792d71db7c92eb9147c2f40e68da528af0a8d216c6f9245fff950bebcf4c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|be5d792d71db7c92eb9147c2f40e68da528af0a8d216c6f9245fff950bebcf4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/offsets/offsets-tool.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.target` used but never assigned in __init__: Method `parse_args` of class `OffsetsTool` reads `self.target`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124798, "scanner": "repobility-ast-engine", "fingerprint": "a3ed92e3fc56c0ce954e242965bd06a18c772f94ce3d16011dd389f90c762a25", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a3ed92e3fc56c0ce954e242965bd06a18c772f94ce3d16011dd389f90c762a25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/offsets/offsets-tool.py"}, "region": {"startLine": 236}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.target_args` used but never assigned in __init__: Method `parse_args` of class `OffsetsTool` reads `self.target_args`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124797, "scanner": "repobility-ast-engine", "fingerprint": "e0f8fa8f368f4a42e391239fc9da5ed67d08bc4787aa5037c4bd8268d3d1e7eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e0f8fa8f368f4a42e391239fc9da5ed67d08bc4787aa5037c4bd8268d3d1e7eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/offsets/offsets-tool.py"}, "region": {"startLine": 234}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.target_args` used but never assigned in __init__: Method `parse_args` of class `OffsetsTool` reads `self.target_args`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124796, "scanner": "repobility-ast-engine", "fingerprint": "7b78b99e6a14463921283901157265f465875d3d16fc82bdba392724d6ed65eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7b78b99e6a14463921283901157265f465875d3d16fc82bdba392724d6ed65eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/offsets/offsets-tool.py"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sys_includes` used but never assigned in __init__: Method `parse_args` of class `OffsetsTool` reads `self.sys_includes`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124795, "scanner": "repobility-ast-engine", "fingerprint": "e43d885db7ec8d3a4949b513699223e3db7cba94f803fa0f53cb5a67ff6ace19", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e43d885db7ec8d3a4949b513699223e3db7cba94f803fa0f53cb5a67ff6ace19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/offsets/offsets-tool.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.args` used but never assigned in __init__: Method `parse_args` of class `OffsetsTool` reads `self.args`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124794, "scanner": "repobility-ast-engine", "fingerprint": "9e8eb3412f0a87538afd90a0fd08ec1a8304cbcba5c591216bde5de4a1aea776", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9e8eb3412f0a87538afd90a0fd08ec1a8304cbcba5c591216bde5de4a1aea776"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/offsets/offsets-tool.py"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.target_args` used but never assigned in __init__: Method `parse_args` of class `OffsetsTool` reads `self.target_args`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124793, "scanner": "repobility-ast-engine", "fingerprint": "cef8743690dea9be7bd1a45f1b2b9fa53ea7913a890712fcdb41c260264fae7c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cef8743690dea9be7bd1a45f1b2b9fa53ea7913a890712fcdb41c260264fae7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/offsets/offsets-tool.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.target` used but never assigned in __init__: Method `parse_args` of class `OffsetsTool` reads `self.target`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124792, "scanner": "repobility-ast-engine", "fingerprint": "f768f00f573e75d828ab22fe69520092322328ed76e5af008fa4bd76908af8f2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f768f00f573e75d828ab22fe69520092322328ed76e5af008fa4bd76908af8f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/offsets/offsets-tool.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sys_includes` used but never assigned in __init__: Method `parse_args` of class `OffsetsTool` reads `self.sys_includes`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124791, "scanner": "repobility-ast-engine", "fingerprint": "9dec7e00d1842c232725b025b7b09176429bda35c49c2fc14abada2ac0a935b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9dec7e00d1842c232725b025b7b09176429bda35c49c2fc14abada2ac0a935b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mono/mono/offsets/offsets-tool.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.wrapper` used but never assigned in __init__: Method `write_repro` of class `DebugEnv` reads `self.wrapper`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124785, "scanner": "repobility-ast-engine", "fingerprint": "823a1c4733bb56e842d9c7dccdde4c091247123571fd739b0ed31bcefa0e82da", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|823a1c4733bb56e842d9c7dccdde4c091247123571fd739b0ed31bcefa0e82da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tests/run.py"}, "region": {"startLine": 354}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.wrapper` used but never assigned in __init__: Method `__create_bash_wrapper__` of class `DebugEnv` reads `self.wrapper`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124784, "scanner": "repobility-ast-engine", "fingerprint": "2f8a06e2ebcb3824f956f2ed17b82967d5787cb96e9ac0929b9a34f75aacf0ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f8a06e2ebcb3824f956f2ed17b82967d5787cb96e9ac0929b9a34f75aacf0ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tests/run.py"}, "region": {"startLine": 346}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.wrapper` used but never assigned in __init__: Method `__create_batch_wrapper__` of class `DebugEnv` reads `self.wrapper`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124783, "scanner": "repobility-ast-engine", "fingerprint": "66637fcd5050ea1baa4013d1832737af06ed54b75773c19bc19c559e6ac7e9f2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|66637fcd5050ea1baa4013d1832737af06ed54b75773c19bc19c559e6ac7e9f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tests/run.py"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_stamp_path` used but never assigned in __init__: Method `_one_failure` of class `IssueGenerator` reads `self.get_stamp_path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124779, "scanner": "repobility-ast-engine", "fingerprint": "861c0c57de77433bb2505502e17d1aee2d844590f5304200eba7b53ce57022f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|861c0c57de77433bb2505502e17d1aee2d844590f5304200eba7b53ce57022f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/update_github.py"}, "region": {"startLine": 222}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_stamp_path` used but never assigned in __init__: Method `_one_failure` of class `IssueGenerator` reads `self.get_stamp_path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124778, "scanner": "repobility-ast-engine", "fingerprint": "4b74ac946a0583907cc5d938fa83657bf586dd6a88a1314ff93d0382ddd4e1fe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4b74ac946a0583907cc5d938fa83657bf586dd6a88a1314ff93d0382ddd4e1fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/update_github.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._one_failure` used but never assigned in __init__: Method `generate_issues` of class `IssueGenerator` reads `self._one_failure`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124777, "scanner": "repobility-ast-engine", "fingerprint": "23d1f87538f84ff72604022b819f153385743f367e3d971674b490068ab970a5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23d1f87538f84ff72604022b819f153385743f367e3d971674b490068ab970a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/update_github.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generate_issues` used but never assigned in __init__: Method `generate` of class `IssueGenerator` reads `self.generate_issues`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124776, "scanner": "repobility-ast-engine", "fingerprint": "04460bb8ad5fac79710b3720adb1daab2da53a426d2feb35b04a2602219c346f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|04460bb8ad5fac79710b3720adb1daab2da53a426d2feb35b04a2602219c346f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/update_github.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.probe_configuration` used but never assigned in __init__: Method `generate` of class `IssueGenerator` reads `self.probe_configuration`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124775, "scanner": "repobility-ast-engine", "fingerprint": "b31afd984aa544a1678014a1fecec20b32d704d2252e78cee7ad90dbaf466f69", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b31afd984aa544a1678014a1fecec20b32d704d2252e78cee7ad90dbaf466f69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/update_github.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._one_failure` used but never assigned in __init__: Method `_failure_details` of class `ReportGenerator` reads `self._one_failure`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124774, "scanner": "repobility-ast-engine", "fingerprint": "79c3f9b9cab5c9d99fca79d07652b01ce6e0564602138884f066cbbcb80c2c76", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|79c3f9b9cab5c9d99fca79d07652b01ce6e0564602138884f066cbbcb80c2c76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/generate_report.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._footer` used but never assigned in __init__: Method `generate` of class `ReportGenerator` reads `self._footer`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124773, "scanner": "repobility-ast-engine", "fingerprint": "dde30763d8d14aaf2ae96d5936182663c47922a518d2e958b166c867a467ef16", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dde30763d8d14aaf2ae96d5936182663c47922a518d2e958b166c867a467ef16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/generate_report.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._action_items` used but never assigned in __init__: Method `generate` of class `ReportGenerator` reads `self._action_items`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124772, "scanner": "repobility-ast-engine", "fingerprint": "94827f4bcf664d88af16bd1fb09d5ba2fcb1b784ba15f08f0f4a1acd4048a328", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|94827f4bcf664d88af16bd1fb09d5ba2fcb1b784ba15f08f0f4a1acd4048a328"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/generate_report.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._github_issue_summary` used but never assigned in __init__: Method `generate` of class `ReportGenerator` reads `self._github_issue_summary`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124771, "scanner": "repobility-ast-engine", "fingerprint": "d37e820d5a846ffd1a9795c8fbed860994380e0db22524ae39496a93d0b3dffd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d37e820d5a846ffd1a9795c8fbed860994380e0db22524ae39496a93d0b3dffd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/generate_report.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._failure_details` used but never assigned in __init__: Method `generate` of class `ReportGenerator` reads `self._failure_details`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124770, "scanner": "repobility-ast-engine", "fingerprint": "8041b05bb2e33e918ffb114f574425b832dc5162e743f7d3655fce8a5927cd5a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8041b05bb2e33e918ffb114f574425b832dc5162e743f7d3655fce8a5927cd5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/generate_report.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._pipeline_summary` used but never assigned in __init__: Method `generate` of class `ReportGenerator` reads `self._pipeline_summary`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124769, "scanner": "repobility-ast-engine", "fingerprint": "cd7982f5395982508102940099243f5b17c1c3295980e0abbc5dfa22ae4596ef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd7982f5395982508102940099243f5b17c1c3295980e0abbc5dfa22ae4596ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/generate_report.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._header` used but never assigned in __init__: Method `generate` of class `ReportGenerator` reads `self._header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 124768, "scanner": "repobility-ast-engine", "fingerprint": "970fb255e9de778208bc5102faa77ea09c24dbcdb6293929cbec9a87d9be0866", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|970fb255e9de778208bc5102faa77ea09c24dbcdb6293929cbec9a87d9be0866"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/generate_report.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR004", "level": "error", "message": {"text": "Docker build secret exposed through ARG"}, "properties": {"repobilityId": 124730, "scanner": "repobility-docker", "fingerprint": "a7b4452f998169a5625e29ae4ed087f75d199d44ff37f82d8d8de94be6f907f6", "category": "docker", "severity": "high", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ARG name looks secret-bearing; BuildKit secret mounts are the safer pattern.", "evidence": {"rule_id": "DKR004", "scanner": "repobility-docker", "variable": "FTP_PASSWORD", "references": ["https://docs.docker.com/build/building/secrets/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a7b4452f998169a5625e29ae4ed087f75d199d44ff37f82d8d8de94be6f907f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/apacheweb/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR015", "level": "error", "message": {"text": "Docker build context is very large"}, "properties": {"repobilityId": 124710, "scanner": "repobility-docker", "fingerprint": "b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Estimated Docker build context exceeds Repobility's size or file-count threshold.", "evidence": {"capped": true, "rule_id": "DKR015", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "largest_paths": [{"path": "src/tests/JIT/jit64/opt/cse/hugeexpr1.cs", "size_mb": 23.0}, {"path": "src/tests/JIT/jit64/opt/cse/HugeField2.cs", "size_mb": 10.2}, {"path": "src/tests/JIT/jit64/opt/cse/HugeField1.cs", "size_mb": 10.2}, {"path": "src/tests/JIT/jit64/opt/cse/HugeArray1.cs", "size_mb": 9.6}, {"path": "src/libraries/Common/tests/System/Xml/XmlCoreTest/TestData.g.cs", "size_mb": 9.4}], "included_files": 50000, "context_size_mb": 563.0, "correlation_key": "fp|b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC032", "level": "error", "message": {"text": "[SEC032] Unrestricted File Upload \u2014 no extension/MIME validation: File upload accepts the user's filename without validating extension, content-type, or magic bytes. Attackers upload `.php`, `.jsp`, or executable files to a web-served directory, then visit the URL to trigger RCE. CWE-434. Examples: Apache Struts (CVE-2017-9805), countless WordPress plugin RCEs."}, "properties": {"repobilityId": 124678, "scanner": "repobility-threat-engine", "fingerprint": "860af8f73c0b5bc53cac9382b32cf8d340eb3a5b2852579d218fabb1c5259d74", "category": "file_upload", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "open(self.filename,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC032", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|860af8f73c0b5bc53cac9382b32cf8d340eb3a5b2852579d218fabb1c5259d74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/utilities.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 124664, "scanner": "repobility-threat-engine", "fingerprint": "f12b32fb955dbceec114ba5ecc67ffca8f5e671abc846f8fb13cd3eb417839d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f12b32fb955dbceec114ba5ecc67ffca8f5e671abc846f8fb13cd3eb417839d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/tools/Common/Internal/Runtime/ReadyToRunInstructionSet.cs"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 124663, "scanner": "repobility-threat-engine", "fingerprint": "0fb0c5b5cb5b75d98100ca353d5e909dca75ccadb05386b64e40918735132b21", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0fb0c5b5cb5b75d98100ca353d5e909dca75ccadb05386b64e40918735132b21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/tools/Common/Internal/Metadata/NativeFormat/NativeFormatReaderCommonGen.cs"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 124662, "scanner": "repobility-threat-engine", "fingerprint": "5af70d56afec5726c6ae492ec1500641b4f2a2ee8bac3018bc441259975461df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5af70d56afec5726c6ae492ec1500641b4f2a2ee8bac3018bc441259975461df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/inc/md5.h"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC025", "level": "error", "message": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand external entities by default in pre-4.5.2 runtimes (and even later if XmlResolver is left at default). Allows file disclosure and SSRF via XXE."}, "properties": {"repobilityId": 124657, "scanner": "repobility-threat-engine", "fingerprint": "a4ad44ad6a6b25f961b82ff5e1a7ccef9d69a6395cdf7898d19617783265ef9d", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "XmlReader.Create(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC025", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a4ad44ad6a6b25f961b82ff5e1a7ccef9d69a6395cdf7898d19617783265ef9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/inc/genheaders/genheaders.cs"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 124649, "scanner": "repobility-threat-engine", "fingerprint": "9a559cfb37cbb26baaa05d5d003f131da01b6a911a8904fe1c1e122e64f48702", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "filenames.update(expanded_filenames)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a559cfb37cbb26baaa05d5d003f131da01b6a911a8904fe1c1e122e64f48702"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/pgocheck.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 124648, "scanner": "repobility-threat-engine", "fingerprint": "c4def5537b319be06dc73ea1601d9434ae6924cc0f1109c31d05f0c11e03625a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "m_MiniMd.m_StringHeap.Delete();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c4def5537b319be06dc73ea1601d9434ae6924cc0f1109c31d05f0c11e03625a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/md/inc/liteweightstgdb.h"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 124647, "scanner": "repobility-threat-engine", "fingerprint": "4512eb79b8f162cfe09614dc8da16685329d8f38377bcc7f18d8c636c0e5b913", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "m_sLock.Destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4512eb79b8f162cfe09614dc8da16685329d8f38377bcc7f18d8c636c0e5b913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/debug/di/dbgtransportmanager.cpp"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic."}, "properties": {"repobilityId": 124646, "scanner": "repobility-threat-engine", "fingerprint": "708a96c64c564a35c0692b72560b4b27045123095fa2c05bf1eb4cb686f8d723", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|708a96c64c564a35c0692b72560b4b27045123095fa2c05bf1eb4cb686f8d723"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/binder/defaultassemblybinder.cpp"}, "region": {"startLine": 219}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 124634, "scanner": "repobility-threat-engine", "fingerprint": "4e5e592d0c4b7fb5b3bb6ccaa7a8c83f8315f80fa125d6568c8601158332ec0b", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'exit code[:\\s]+(-?\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|52|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/fetch_helix_logs.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 124632, "scanner": "repobility-threat-engine", "fingerprint": "e05d3ea3ddaba129ac0ed52f8fb97694fe8afd75d751b9bcf7a7d5b1ae4d7243", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(D", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e05d3ea3ddaba129ac0ed52f8fb97694fe8afd75d751b9bcf7a7d5b1ae4d7243"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/tools/Common/TypeSystem/Ecma/SymbolReader/PortablePdbSymbolReader.cs"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 124631, "scanner": "repobility-threat-engine", "fingerprint": "de629c7c09f13c5566c25b345e587e233962d26ac24aff495b8210f4c199acd2", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de629c7c09f13c5566c25b345e587e233962d26ac24aff495b8210f4c199acd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/jitformat.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 124630, "scanner": "repobility-threat-engine", "fingerprint": "efe076d7ac0c9e653f2a227be4e0dd957d953b03bb34461203172beacb1a9992", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|efe076d7ac0c9e653f2a227be4e0dd957d953b03bb34461203172beacb1a9992"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/fetch_helix_logs.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `fetch_failed_tests` has cognitive complexity 52 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=5, except=5, for=2, if=8, nested_bonus=29, or=2, while=1."}, "properties": {"repobilityId": 124626, "scanner": "repobility-threat-engine", "fingerprint": "48ba53851e2231031882c9f97cf0ad54d3786747c06953288037f8aeade0f205", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 52 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "fetch_failed_tests", "breakdown": {"if": 8, "or": 2, "for": 2, "break": 5, "while": 1, "except": 5, "nested_bonus": 29}, "complexity": 52, "correlation_key": "fp|48ba53851e2231031882c9f97cf0ad54d3786747c06953288037f8aeade0f205"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/extract_failed_tests.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 124619, "scanner": "repobility-threat-engine", "fingerprint": "0c423eb777eed3a17622f263a62ec21ec597547e632c3bad8411c01e17a6841c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0c423eb777eed3a17622f263a62ec21ec597547e632c3bad8411c01e17a6841c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/coreclr_arguments.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 124618, "scanner": "repobility-threat-engine", "fingerprint": "b66ee1e5d10faa1ce8f3f7ae8aee6ed1ebfd182bdc77a9aa03a2b8f7ccb34539", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b66ee1e5d10faa1ce8f3f7ae8aee6ed1ebfd182bdc77a9aa03a2b8f7ccb34539"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skills/ci-pipeline-monitor/scripts/extract_failed_tests.py"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_PAT_0` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_PAT_0 }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124869, "scanner": "repobility-supply-chain", "fingerprint": "bd9c2a055bdd755d1122b62673ec04ef21eac4e18ee8728099e6307cb972c957", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd9c2a055bdd755d1122b62673ec04ef21eac4e18ee8728099e6307cb972c957"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 1317}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124868, "scanner": "repobility-supply-chain", "fingerprint": "bb493912db9a8938d3df0bf1f16f3cdf0741d458eac3481f16841b104f2651de", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bb493912db9a8938d3df0bf1f16f3cdf0741d458eac3481f16841b104f2651de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 1060}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124867, "scanner": "repobility-supply-chain", "fingerprint": "2e6fc962f75a315ae2b7da3d22a6eb8a98818d9d5b91947d28e78b937943fe8a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e6fc962f75a315ae2b7da3d22a6eb8a98818d9d5b91947d28e78b937943fe8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 1027}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124866, "scanner": "repobility-supply-chain", "fingerprint": "ac39c15c7b7059048f27729229833049385f3839286bb1cac8976a81e557c7b5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ac39c15c7b7059048f27729229833049385f3839286bb1cac8976a81e557c7b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 1013}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124865, "scanner": "repobility-supply-chain", "fingerprint": "be2f6aee2bd2be56e32572ed3f4e0bcc772fbfd5e87053fed0cc94d709cd2d6f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be2f6aee2bd2be56e32572ed3f4e0bcc772fbfd5e87053fed0cc94d709cd2d6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 999}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124864, "scanner": "repobility-supply-chain", "fingerprint": "634a9d9fb82b8816daa6f13f389ce0b26c83bcd685d0d31fdec86eaaf342918e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|634a9d9fb82b8816daa6f13f389ce0b26c83bcd685d0d31fdec86eaaf342918e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 983}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124863, "scanner": "repobility-supply-chain", "fingerprint": "abe31b75f59ede08cc6624df23fe359a272514b2af352deea4189a5da7dc78f6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|abe31b75f59ede08cc6624df23fe359a272514b2af352deea4189a5da7dc78f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 809}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124862, "scanner": "repobility-supply-chain", "fingerprint": "c9572ee8be4f98e24a4cfb13bf68d73375a0568a399e7d916ba83c330443552c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9572ee8be4f98e24a4cfb13bf68d73375a0568a399e7d916ba83c330443552c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 808}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_PAT_9` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_PAT_9 }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124861, "scanner": "repobility-supply-chain", "fingerprint": "380360693ed0e6461d7be65b5018b23fab0a4aec9a14d2945fffb9169457984f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|380360693ed0e6461d7be65b5018b23fab0a4aec9a14d2945fffb9169457984f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 807}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_PAT_8` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_PAT_8 }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124860, "scanner": "repobility-supply-chain", "fingerprint": "4e7298c97b590f01214856ff6d774022dd0aa89a59152546ade5cb4a96d869c9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e7298c97b590f01214856ff6d774022dd0aa89a59152546ade5cb4a96d869c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 806}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_PAT_7` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_PAT_7 }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124859, "scanner": "repobility-supply-chain", "fingerprint": "7be0bc9072c5c582ab89b32bafda7000fef2901ebb51bd7bd3fb66c4f9450d8e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7be0bc9072c5c582ab89b32bafda7000fef2901ebb51bd7bd3fb66c4f9450d8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 805}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_PAT_6` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_PAT_6 }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124858, "scanner": "repobility-supply-chain", "fingerprint": "c78bae5d237b3ab49b5060072319620f4d8772c12e901a65ac6508cbc60a319d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c78bae5d237b3ab49b5060072319620f4d8772c12e901a65ac6508cbc60a319d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 804}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_PAT_5` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_PAT_5 }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124857, "scanner": "repobility-supply-chain", "fingerprint": "425f6b1e58e4a5499e8a9a9e31f6d42f7aecb51f6b96dc358b1d24b6a67bc0dc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|425f6b1e58e4a5499e8a9a9e31f6d42f7aecb51f6b96dc358b1d24b6a67bc0dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 803}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_PAT_4` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_PAT_4 }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124856, "scanner": "repobility-supply-chain", "fingerprint": "144fc639c9b673f542d75437140c6b0d9a26cad8db5f000af676140cedfe9739", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|144fc639c9b673f542d75437140c6b0d9a26cad8db5f000af676140cedfe9739"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 802}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_PAT_3` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_PAT_3 }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124855, "scanner": "repobility-supply-chain", "fingerprint": "f1fb5ece149c553aa5f8be4b4ed9699faae6b5967c532571a38246e6bfd75045", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1fb5ece149c553aa5f8be4b4ed9699faae6b5967c532571a38246e6bfd75045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 801}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_PAT_2` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_PAT_2 }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124854, "scanner": "repobility-supply-chain", "fingerprint": "827890485c00e579a39eb233795c9ff31520493041afa64e3ecb2969a562101a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|827890485c00e579a39eb233795c9ff31520493041afa64e3ecb2969a562101a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 800}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_PAT_1` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_PAT_1 }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124853, "scanner": "repobility-supply-chain", "fingerprint": "0365dd2d9c14d7b1ebe0e7715fadadde04373582a19bbc3cf785ab0d814d8f05", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0365dd2d9c14d7b1ebe0e7715fadadde04373582a19bbc3cf785ab0d814d8f05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 799}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_PAT_0` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_PAT_0 }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124852, "scanner": "repobility-supply-chain", "fingerprint": "6ec15d0dd3ff1b769e45efb0981a5f3257520158c1aa8736ca931ff8fe5c55e7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ec15d0dd3ff1b769e45efb0981a5f3257520158c1aa8736ca931ff8fe5c55e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 798}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124851, "scanner": "repobility-supply-chain", "fingerprint": "274ffde80a9ecad6c6dc685fa83c397ed454611c47b675be4f36931b809afa4d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|274ffde80a9ecad6c6dc685fa83c397ed454611c47b675be4f36931b809afa4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 797}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124850, "scanner": "repobility-supply-chain", "fingerprint": "746770818d63ff11c39c562e3759c2f595a67f8241e45ec2d7ced04766361b6f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|746770818d63ff11c39c562e3759c2f595a67f8241e45ec2d7ced04766361b6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 745}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124849, "scanner": "repobility-supply-chain", "fingerprint": "76dd8a00d8b6065b859130b808346ad9879ceb68bd66d3aedbed4d57bf341502", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76dd8a00d8b6065b859130b808346ad9879ceb68bd66d3aedbed4d57bf341502"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 625}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124848, "scanner": "repobility-supply-chain", "fingerprint": "ae2c08b15bd9cce394243d9b8257c41637885cac97c21624e1a63dd3d975e836", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae2c08b15bd9cce394243d9b8257c41637885cac97c21624e1a63dd3d975e836"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 436}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124847, "scanner": "repobility-supply-chain", "fingerprint": "c1e776dbd80594b3cdb6c2fb6f18d147810bdf409b73266758e679f02727d330", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c1e776dbd80594b3cdb6c2fb6f18d147810bdf409b73266758e679f02727d330"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 435}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124846, "scanner": "repobility-supply-chain", "fingerprint": "9bb4f56532ddcaadc3c40cdc5119d70e58329deb454ed13e5def558a1a23f4ae", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9bb4f56532ddcaadc3c40cdc5119d70e58329deb454ed13e5def558a1a23f4ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 419}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 124845, "scanner": "repobility-supply-chain", "fingerprint": "93566f960c97c5cdf52f69ea70d65e21751b5310164c0c03c27585ab8d0e55cf", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93566f960c97c5cdf52f69ea70d65e21751b5310164c0c03c27585ab8d0e55cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-review.lock.yml"}, "region": {"startLine": 417}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `os` used but not imported: The file uses `os.something(...)` but never imports `os`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124834, "scanner": "repobility-ast-engine", "fingerprint": "8f5c7353ae64f6a2e7bfac139bff2363332754000dba38c6d2225a21a70ccbf4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8f5c7353ae64f6a2e7bfac139bff2363332754000dba38c6d2225a21a70ccbf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_diffs.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124833, "scanner": "repobility-ast-engine", "fingerprint": "9a648e4c1029a1a4c503e26c7fcab75251d1f72d2900b59b332f56818a4d52e1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9a648e4c1029a1a4c503e26c7fcab75251d1f72d2900b59b332f56818a4d52e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/genDummyProvider.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `argparse` used but not imported: The file uses `argparse.something(...)` but never imports `argparse`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124832, "scanner": "repobility-ast-engine", "fingerprint": "56dfa5f1062da3395cf72543b999ed147c154ae070ff1df55e426297d27a4a4c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|56dfa5f1062da3395cf72543b999ed147c154ae070ff1df55e426297d27a4a4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/genDummyProvider.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124831, "scanner": "repobility-ast-engine", "fingerprint": "c97849c68e3dbac4271795fe07cf4086cb1d7acad73e260e3e06b9f079753475", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c97849c68e3dbac4271795fe07cf4086cb1d7acad73e260e3e06b9f079753475"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_diffs_summarize.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `subprocess` used but not imported: The file uses `subprocess.something(...)` but never imports `subprocess`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124830, "scanner": "repobility-ast-engine", "fingerprint": "597aa0be1dbeb2e21c6b18c5da80ec456fcde35b858f7f10f271739cb56a0fe7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|597aa0be1dbeb2e21c6b18c5da80ec456fcde35b858f7f10f271739cb56a0fe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/jitrollingbuild.py"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124827, "scanner": "repobility-ast-engine", "fingerprint": "bce81f4f149cde40b8e5936f6ca6bca74ba0f4256ad2edc551f993448888142e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bce81f4f149cde40b8e5936f6ca6bca74ba0f4256ad2edc551f993448888142e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/fuzzlyn_run.py"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124826, "scanner": "repobility-ast-engine", "fingerprint": "5acc6e3cd5d0930caebf3eee06303db85bc2f93f2c0dadc30fe49bb9b72b378d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5acc6e3cd5d0930caebf3eee06303db85bc2f93f2c0dadc30fe49bb9b72b378d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/fuzzlyn_run.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124825, "scanner": "repobility-ast-engine", "fingerprint": "1e22937353d495ba7ec7e954a02dfd4769d9eef5f147d8e46d9c4e296792bc10", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1e22937353d495ba7ec7e954a02dfd4769d9eef5f147d8e46d9c4e296792bc10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/fuzzer_setup.py"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124824, "scanner": "repobility-ast-engine", "fingerprint": "748a6ee07975949cf1d3be900c07c2d3589a84b05225feb7e6df31679d814b4f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|748a6ee07975949cf1d3be900c07c2d3589a84b05225feb7e6df31679d814b4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/fuzzer_setup.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124823, "scanner": "repobility-ast-engine", "fingerprint": "24db7a5b049cbc30e40c5d0d623e0b7e7f4e6c706d1f09fab3f64baeb8b319dd", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|24db7a5b049cbc30e40c5d0d623e0b7e7f4e6c706d1f09fab3f64baeb8b319dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_replay_setup.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124822, "scanner": "repobility-ast-engine", "fingerprint": "f5b37d096b4877dbb7307039d1e0e890f96489494c9ddfd80bf118059dedc4d2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f5b37d096b4877dbb7307039d1e0e890f96489494c9ddfd80bf118059dedc4d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_asmdiffs_checked_release_setup.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124821, "scanner": "repobility-ast-engine", "fingerprint": "89ab239f881f3de51c46322ddaf94ff9321afa70686470aed73591c925d11042", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89ab239f881f3de51c46322ddaf94ff9321afa70686470aed73591c925d11042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_asmdiffs_checked_release_setup.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124820, "scanner": "repobility-ast-engine", "fingerprint": "653ee01ea11a360ec316891ff9d338af532caba3586e20fbc49e3290b1df595a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|653ee01ea11a360ec316891ff9d338af532caba3586e20fbc49e3290b1df595a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_replay.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124815, "scanner": "repobility-ast-engine", "fingerprint": "09bf675a4cfbbf68e595311af36adf0082c07da12c1d0c1d8021234be9e1b03d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|09bf675a4cfbbf68e595311af36adf0082c07da12c1d0c1d8021234be9e1b03d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_diffs_setup.py"}, "region": {"startLine": 347}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `subprocess` used but not imported: The file uses `subprocess.something(...)` but never imports `subprocess`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124814, "scanner": "repobility-ast-engine", "fingerprint": "2de0c5f5fd1d623f372c424cbbff5b4a4e54c8368dfc1bc96b81a350a10ccd37", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2de0c5f5fd1d623f372c424cbbff5b4a4e54c8368dfc1bc96b81a350a10ccd37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_diffs_setup.py"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124813, "scanner": "repobility-ast-engine", "fingerprint": "f297c6ad965ccc419cc697d436e1fba087e10a58b185a15f9721ec9105b8a679", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f297c6ad965ccc419cc697d436e1fba087e10a58b185a15f9721ec9105b8a679"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_diffs_setup.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `collections` used but not imported: The file uses `collections.something(...)` but never imports `collections`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124812, "scanner": "repobility-ast-engine", "fingerprint": "d61bd88f46ed7520b9c421c0eb87aa1fd3bffefb050af3d081ac718597f4e15e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d61bd88f46ed7520b9c421c0eb87aa1fd3bffefb050af3d081ac718597f4e15e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_diffs_setup.py"}, "region": {"startLine": 282}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124811, "scanner": "repobility-ast-engine", "fingerprint": "635c808db0ddb786c25790b740d2f5642ef2d43dc03f6eefe977991d7aec8e21", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|635c808db0ddb786c25790b740d2f5642ef2d43dc03f6eefe977991d7aec8e21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_asmdiffs_checked_release.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124810, "scanner": "repobility-ast-engine", "fingerprint": "e47bd2847131753c0aae8c00777f327661606a7ef7b6e40c4412601cf88abc1b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e47bd2847131753c0aae8c00777f327661606a7ef7b6e40c4412601cf88abc1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_benchmarks.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124806, "scanner": "repobility-ast-engine", "fingerprint": "ad2099207bdf7bda54436aaf47780cc85f9b9297b14368b8ee103c60cd4f1536", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ad2099207bdf7bda54436aaf47780cc85f9b9297b14368b8ee103c60cd4f1536"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/antigen_run.py"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124805, "scanner": "repobility-ast-engine", "fingerprint": "dac12f67bb26d7be9037b85824778c8b15b09ebbc50741e8f79765b4df5879bc", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dac12f67bb26d7be9037b85824778c8b15b09ebbc50741e8f79765b4df5879bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/antigen_run.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `subprocess` used but not imported: The file uses `subprocess.something(...)` but never imports `subprocess`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124804, "scanner": "repobility-ast-engine", "fingerprint": "13daa369f23039a370aa86b037139c344d97401b6042cda3b8afeb9ce6be894a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|13daa369f23039a370aa86b037139c344d97401b6042cda3b8afeb9ce6be894a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_aspnet.py"}, "region": {"startLine": 250}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124803, "scanner": "repobility-ast-engine", "fingerprint": "7c6cc3ed7d6413e12b69c0d60ddaf1eb0358defc3b9eebb1122761d738343207", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7c6cc3ed7d6413e12b69c0d60ddaf1eb0358defc3b9eebb1122761d738343207"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_aspnet.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `os` used but not imported: The file uses `os.something(...)` but never imports `os`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124802, "scanner": "repobility-ast-engine", "fingerprint": "093ce54c92cd79aeddf5b6188dce6cc41c82d0eee0ac2b0a3efc0a4d7df06288", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|093ce54c92cd79aeddf5b6188dce6cc41c82d0eee0ac2b0a3efc0a4d7df06288"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/superpmi_aspnet.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 124801, "scanner": "repobility-ast-engine", "fingerprint": "94bd45916fcbdbed6ec47dcf8fd917b48a13d864d2f501ad739787ddbf992bac", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|94bd45916fcbdbed6ec47dcf8fd917b48a13d864d2f501ad739787ddbf992bac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/scripts/fuzzlyn_summarize.py"}, "region": {"startLine": 249}}}]}, {"ruleId": "DKC001", "level": "error", "message": {"text": "Compose service runs privileged"}, "properties": {"repobilityId": 124753, "scanner": "repobility-docker", "fingerprint": "03ebc552f89019d56aab0c4797fbb9b44894ab27e8f7043f020653ff31b4e818", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "privileged: true was set on the service.", "evidence": {"rule_id": "DKC001", "scanner": "repobility-docker", "service": "linuxclient", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|03ebc552f89019d56aab0c4797fbb9b44894ab27e8f7043f020653ff31b4e818"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/docker-compose.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKC001", "level": "error", "message": {"text": "Compose service runs privileged"}, "properties": {"repobilityId": 124748, "scanner": "repobility-docker", "fingerprint": "34593de7f69f76347f3a59183156097796ef5b13117ea1ebb521d5e68eaa5916", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "privileged: true was set on the service.", "evidence": {"rule_id": "DKC001", "scanner": "repobility-docker", "service": "apacheweb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|34593de7f69f76347f3a59183156097796ef5b13117ea1ebb521d5e68eaa5916"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/libraries/Common/tests/System/Net/EnterpriseTests/setup/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 124672, "scanner": "repobility-threat-engine", "fingerprint": "8a035ff74759fe4d804902c9ab9b1bbc04531dec5cfffa258821560e2b004630", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8a035ff74759fe4d804902c9ab9b1bbc04531dec5cfffa258821560e2b004630"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/nativeaot/Runtime/RhConfig.cpp"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 124671, "scanner": "repobility-threat-engine", "fingerprint": "79fb894e111a191e50907421ecfc75487ea893ffc35b302bd1ff886515f944b4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79fb894e111a191e50907421ecfc75487ea893ffc35b302bd1ff886515f944b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/jit/sm.cpp"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 124670, "scanner": "repobility-threat-engine", "fingerprint": "0be4a88b5bdbb49ab1cfd5efe1ab1087f3f255adc32441793ae3fe3db1249759", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0be4a88b5bdbb49ab1cfd5efe1ab1087f3f255adc32441793ae3fe3db1249759"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/coreclr/interpreter/methodset.cpp"}, "region": {"startLine": 31}}}]}]}]}