{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum; if swallowing is deliberate (for example best-effort telemetry), leave a comment naming the reason so the empty handler is auditable."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace.\nJS/TS note: the `.exec(` pattern this rule keys on also matches RegExp.prototype.exec, which evaluates no code; before treating a JS/TS match as injection, confirm the receiver is child_process, vm, or an eval/Function-style API and that its input is attacker-influenced."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", 
"severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private, loopback and link-local ranges explicitly, IPv6 included: 10/8, 172.16/12, 192.168/16, 169.254/16 (cloud metadata), 127/8, 0.0.0.0/8, 100.64/10, ::1, fc00::/7, fe80::/10.\nApply that check to the addresses the hostname actually resolves to, not just the hostname string, and repeat it on every redirect; otherwise DNS rebinding or a 302 to an internal host walks straight past the allowlist."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 18 more): Same pattern found in 18 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint. In Python, keep that reference alive until the task completes: the event loop holds only a weak reference, so an unreferenced task can be garbage-collected mid-flight."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 36 more): Same pattern found in 36 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 36 more): Same pattern found in 36 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 31 more): Same pattern found in 31 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 102 more): Same pattern found in 102 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 102 more): Same pattern found in 102 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 16 more): Same pattern found in 16 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with an explicit args array; never pass shell strings, and do not set `shell: true` on spawn/execFile, which hands the arguments back to a shell. On Windows, `.cmd`/`.bat` targets are still launched through cmd.exe, so validate arguments for those as well."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `packages/salesforcedx-vscode-apex/jars/apex-jorje-lsp.jar` committed in source repo: `packages/s", "shortDescription": {"text": "[MINED134] Binary file `packages/salesforcedx-vscode-apex/jars/apex-jorje-lsp.jar` committed in source repo: `packages/salesforcedx-vscode-apex/jars/apex-jorje-lsp.jar` is a .jar binary (24,584,338 bytes) committed to a repo that otherwise "}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source. Either way, record the upstream release it was built from and a SHA-256 checksum (or signature) next to the file so CI can verify the artifact has not been swapped."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-r", "shortDescription": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025"}, "fullDescription": {"text": "Replace with: `uses: actions/setup-node@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence (its `github-actions` ecosystem updates the SHA and the trailing version comment together). Pin every third-party action the same way; one mutable ref in a workflow that holds secrets or write permissions is enough for a tag re-push to matter."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `codemirror` pulled from URL/Git: `devDependencies.codemirror` = `git://github.com/codemirro", "shortDescription": {"text": "[MINED122] package.json dep `codemirror` pulled from URL/Git: `devDependencies.codemirror` = `git://github.com/codemirror/CodeMirror.git` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the UR"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI. The `git://` transport is also unencrypted and unauthenticated (GitHub stopped serving it in 2022), so switch to `git+https://` at minimum and review any change to the resolved SHA in the lockfile."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED031", "name": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render.", "shortDescription": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) lets any website read cross-origin responses. Browsers refuse to attach credentials to a literal `*`, so the truly dangerous variant is reflecting the request's Origin header unconditionally together with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, compare the Origin against a known list with an exact string match (no prefix or loose regex that `example.com.attacker.net` could satisfy), echo only that origin back, and send `Vary: Origin` so shared caches do not replay the response to another origin. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs (`noent: true` is the switch that turns entity substitution on) and keep DTD loading off (`dtdload: false`). Avoid xml2js or pass explicit secure config. 
Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1312"}, "properties": {"repository": "forcedotcom/salesforcedx-vscode", "repoUrl": "https://github.com/forcedotcom/salesforcedx-vscode", "branch": "main"}, "results": [{"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 133958, "scanner": "repobility-journey-contract", "fingerprint": "38996191f4cef05a12912a568cc5ed8c3e8d09b6d2077010934da3739af2a5a6", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|3871|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-lightning/src/resources/aura/AuraClientService.js"}, "region": {"startLine": 3871}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 133926, "scanner": "repobility-threat-engine", "fingerprint": "47b4245163f03251a5bdb1563288dd84b8588aaa55d8985fc1578f9c6d313fea", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Reviewer note: the match is a call argument following `.bind(this)` in a Mutex utility, which reads like a timer jitter or back-off value rather than token, key or nonce generation; confirm the value never feeds a security decision before treating this as a cryptographic weakness.", "evidence": {"match": "key, callback);\n                    }\n                }.bind(this), Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|47b4245163f03251a5bdb1563288dd84b8588aaa55d8985fc1578f9c6d313fea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-lightning/src/resources/aura/util/Mutex.js"}, "region": {"startLine": 109}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 133910, "scanner": "repobility-threat-engine", "fingerprint": "7ee34718c38b8731c41a368d9304bf49f9c80e385b747dcd4b40a6f37fe721e1", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Reviewer note: this handler sits in a telemetry module, where swallowing a rejected send may be deliberate best-effort behaviour; if so, a comment on the handler should say so, otherwise failed telemetry writes stay invisible.", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7ee34718c38b8731c41a368d9304bf49f9c80e385b747dcd4b40a6f37fe721e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-lwc/src/telemetry/index.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, 
"properties": {"repobilityId": 133909, "scanner": "repobility-threat-engine", "fingerprint": "53b1c2a803f380e442c87c646699cf14cc445c33199badf28918fc3c9f4327b4", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53b1c2a803f380e442c87c646699cf14cc445c33199badf28918fc3c9f4327b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-vscode-ext/src/pages/commands.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 133895, "scanner": "repobility-threat-engine", "fingerprint": "9531da11dc3d08d686518fea78a066224ce9c0352bce747ca84c669a8fc15aae", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|93|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-lwc-language-server/src/typing.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 133894, "scanner": "repobility-threat-engine", "fingerprint": "2a12392be52de228a039a449668c4a8e46ed77f6ca871f5283dc0fe1613a2275", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|79|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/queryBuilderHtmlI18nKeys.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 133893, "scanner": "repobility-threat-engine", "fingerprint": "09cc7c06dccc9bcba0986142e0518a156d26680a9d49b20c0ea70400b7602d77", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|78|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/i18nUtils.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 133959, "scanner": "repobility-web-presence", "fingerprint": "78d6a98e46c7ee4e8db0483087b470cd1122948047ad6cdfeaa72755b641a6e9", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|78d6a98e46c7ee4e8db0483087b470cd1122948047ad6cdfeaa72755b641a6e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/validate-issue/lib/index.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133957, "scanner": "repobility-ai-code-hygiene", "fingerprint": "60e839e275adea13bf670d184300a925a4d4238e4b5981f13d7141f81af7aa22", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/eslint-local-rules/scripts/eslint-plugin-version-hook.js", "duplicate_line": 1, "correlation_key": "fp|60e839e275adea13bf670d184300a925a4d4238e4b5981f13d7141f81af7aa22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-i18n/scripts/vscode-i18n-version-hook.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133956, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa3cfa84f6db97487060bd5c846dc36e2cdd51fa509df3f3d599d1c7064cef7c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/salesforcedx-utils-vscode/src/commands/commandletExecutors.ts", "duplicate_line": 52, "correlation_key": "fp|fa3cfa84f6db97487060bd5c846dc36e2cdd51fa509df3f3d599d1c7064cef7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-core/src/commands/util/sfCommandletExecutor.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133955, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9a04851291b165b91a131f4ba90078fdfb4f70a38d247daba083bc1e325d4bac", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/salesforcedx-visualforce-language-server/src/modes/javascriptMode.ts", "duplicate_line": 445, "correlation_key": "fp|9a04851291b165b91a131f4ba90078fdfb4f70a38d247daba083bc1e325d4bac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-visualforce-markup-language-server/src/services/htmlFormatter.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133954, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d964fced42bc1d55fd51b9b3ab123094a9cc5a55fd9488c74581042adc3618af", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/salesforcedx-utils-vscode/src/helpers/utils.ts", "duplicate_line": 79, "correlation_key": "fp|d964fced42bc1d55fd51b9b3ab123094a9cc5a55fd9488c74581042adc3618af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-utils/src/helpers/utils.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133953, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e41a869cd1819fa1ddd08721ffdf193b3637b5942aecd84f90970680707b00a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/salesforcedx-apex-debugger/src/core/cliCommandExecution.ts", "duplicate_line": 23, "correlation_key": "fp|7e41a869cd1819fa1ddd08721ffdf193b3637b5942aecd84f90970680707b00a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-utils-vscode/src/cli/commandExecutor.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133952, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d8eb01c894ff6bfb23b44bc732a05d1ef6cd8831290f999115bdaadcf58d4a8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/salesforcedx-apex-debugger/src/core/cliCommandExecutor.ts", "duplicate_line": 14, "correlation_key": "fp|9d8eb01c894ff6bfb23b44bc732a05d1ef6cd8831290f999115bdaadcf58d4a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-utils-vscode/src/cli/commandExecutor.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133951, "scanner": "repobility-ai-code-hygiene", "fingerprint": "52238fd00504189c6074339a838d9a057de0f2265358ad93a5cbb497b9e846b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-vscode-ext/src/orgs/minimalScratchOrgSetup.ts", "duplicate_line": 15, "correlation_key": "fp|52238fd00504189c6074339a838d9a057de0f2265358ad93a5cbb497b9e846b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-vscode-ext/src/orgs/nonTrackingScratchOrgSetup.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133950, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1b1fd7156e95fc5036cc3167ca1a601916d9432e01728d4a7578b427a7d80aa2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/eslint-local-rules/src/packageJsonCommandRefs.ts", "duplicate_line": 41, "correlation_key": "fp|1b1fd7156e95fc5036cc3167ca1a601916d9432e01728d4a7578b427a7d80aa2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/packageJsonViewRefs.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133949, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f10a3a02be7a33e919ddd8c3049b12e7e03d2af55133eea3f19c6539e5046644", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/eslint-local-rules/src/packageJsonCommandRefs.ts", "duplicate_line": 41, "correlation_key": "fp|f10a3a02be7a33e919ddd8c3049b12e7e03d2af55133eea3f19c6539e5046644"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/packageJsonSalesforceDepVersions.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133948, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f606fab28d78d1c7ba00a30e271c3040856c9c60eeb3c303b0de261017bf1f2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/eslint-local-rules/src/packageJsonCommandRefs.ts", "duplicate_line": 41, "correlation_key": "fp|7f606fab28d78d1c7ba00a30e271c3040856c9c60eeb3c303b0de261017bf1f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/packageJsonRequireRootInstall.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133947, "scanner": "repobility-ai-code-hygiene", "fingerprint": "240c02733bdddf27f75a3cdcde74a7e5c049b61658ee482cda3e9d9fa0da1295", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/eslint-local-rules/src/packageJsonCommandRefs.ts", "duplicate_line": 41, "correlation_key": "fp|240c02733bdddf27f75a3cdcde74a7e5c049b61658ee482cda3e9d9fa0da1295"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/packageJsonNoDefaultTrue.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133946, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef4b6569038d0a7d8ed3beede9a9846f758aa96cb52699213da967e4e928f8eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/eslint-local-rules/src/packageJsonCommandRefs.ts", "duplicate_line": 41, "correlation_key": "fp|ef4b6569038d0a7d8ed3beede9a9846f758aa96cb52699213da967e4e928f8eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/packageJsonIconPaths.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133945, "scanner": "repobility-ai-code-hygiene", "fingerprint": "51caae4d2c2af1128e2a1bab41ef8f700d8c520e1b8b2e8e3fdd050b756b361e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/eslint-local-rules/src/noVscodeProgressTitleLiterals.ts", "duplicate_line": 30, "correlation_key": "fp|51caae4d2c2af1128e2a1bab41ef8f700d8c520e1b8b2e8e3fdd050b756b361e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/noVscodeValidateInputLiterals.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133944, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6474acb049aedb468cba68f65eb7c58a2498812ee47a95851d3a442067bb7844", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/eslint-local-rules/src/noVscodeProgressTitleLiterals.ts", "duplicate_line": 30, "correlation_key": "fp|6474acb049aedb468cba68f65eb7c58a2498812ee47a95851d3a442067bb7844"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/noVscodeQuickpickDescriptionLiterals.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133943, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06c00e7bbb2a0c57e031f5452407cd3577511007e0f00f63b6b4afb003c89e02", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/eslint-local-rules/src/noVscodeMessageLiterals.ts", "duplicate_line": 1, "correlation_key": "fp|06c00e7bbb2a0c57e031f5452407cd3577511007e0f00f63b6b4afb003c89e02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/noVscodeQuickpickDescriptionLiterals.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133942, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df4c844570c5eb474388d8934095b502c579b8044d358c8217d4d49c91e7f19c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/eslint-local-rules/src/noVscodeMessageLiterals.ts", "duplicate_line": 1, "correlation_key": "fp|df4c844570c5eb474388d8934095b502c579b8044d358c8217d4d49c91e7f19c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/noVscodeProgressTitleLiterals.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133941, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2f862f78585fdbb01815eb2088f14b19008aaa00ad8194dffd4e92b07302057a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/actions/validate-issue/lib/index.js", "duplicate_line": 52, "correlation_key": "fp|2f862f78585fdbb01815eb2088f14b19008aaa00ad8194dffd4e92b07302057a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/validate-issue/src/index.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133940, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c602170519ecba24194146973e3b5eca75caf00d79e2d9bf05b5c3b1d682d6f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/actions/new-issue/lib/index.js", "duplicate_line": 24, "correlation_key": "fp|c602170519ecba24194146973e3b5eca75caf00d79e2d9bf05b5c3b1d682d6f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/new-issue/src/index.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 133927, "scanner": "repobility-threat-engine", "fingerprint": "ec006de7c88163b481f0b94aaf074117586f96c9262d26123df3dcf15953f285", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": 
"SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|61|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-lightning/src/resources/aura/util/Style.js"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 133924, "scanner": "repobility-threat-engine", "fingerprint": "e27b612112e393f5cac546c75e7c11df9417255709f3f0d413dedec0a18caed8", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Controller for endpoint ' + endpoint + ' does not exist'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e27b612112e393f5cac546c75e7c11df9417255709f3f0d413dedec0a18caed8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-lightning/src/resources/aura/modules/AuraExportsInterop.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 133923, "scanner": "repobility-threat-engine", "fingerprint": "089cb10b047ada5e1264ab4f2f795d276173af632b224f2bc4e50068420b68c6", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Hydrating the component\" + descriptor + \" failed.\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|089cb10b047ada5e1264ab4f2f795d276173af632b224f2bc4e50068420b68c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-lightning/src/resources/aura/library/LibraryIncludeRegistry.js"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 133922, "scanner": "repobility-threat-engine", "fingerprint": "3e8f415d753830078bc45b84bab281df98fdaf157f1aecf891002f7d207cc089", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"function(Ctor) {return function \" + className + \"(config) { Ctor.call(this, config); }}\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3e8f415d753830078bc45b84bab281df98fdaf157f1aecf891002f7d207cc089"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-lightning/src/resources/aura/component/ComponentClassRegistry.js"}, "region": {"startLine": 202}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 133938, "scanner": "repobility-threat-engine", "fingerprint": "de8558fc5ce91faa4ff4c48c140d95beaf8559b1109ce6788dd9bb21288ef25e", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.json' detected on same line", "evidence": {"match": "require(`${", "reason": "Safe pattern '\\.json' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|de8558fc5ce91faa4ff4c48c140d95beaf8559b1109ce6788dd9bb21288ef25e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/vsce-bundled-extension.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 133937, "scanner": "repobility-threat-engine", "fingerprint": "fc41f85aef4f5d463965147e8021cde6a8163c91689055c9b14438746d0a11aa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fc41f85aef4f5d463965147e8021cde6a8163c91689055c9b14438746d0a11aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bundling/process-global.js"}, "region": 
{"startLine": 8}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 133934, "scanner": "repobility-threat-engine", "fingerprint": "884d03f1e9c1cfc2c59c9c5a2a8cb5d7664217b56a8634c7361b620629f2055f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|884d03f1e9c1cfc2c59c9c5a2a8cb5d7664217b56a8634c7361b620629f2055f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/xsd/jsonToXsdConverter.ts"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 133933, "scanner": "repobility-threat-engine", "fingerprint": "34c580b6b241231f073e39cae5aab6a36a72ea04cd19d607405ad6e6153cddf1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|34c580b6b241231f073e39cae5aab6a36a72ea04cd19d607405ad6e6153cddf1"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-services/src/core/executeAnonymousService.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 133932, "scanner": "repobility-threat-engine", "fingerprint": "a9b589c80d3c15f1efd745c4118e5adac0e19fd6e81c1dc9ca5b098fc6cb99fb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a9b589c80d3c15f1efd745c4118e5adac0e19fd6e81c1dc9ca5b098fc6cb99fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-org/src/messages/i18n.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 133931, "scanner": "repobility-threat-engine", "fingerprint": "788ee997fd4d6227e8d564d7ee810ae1337d429b479500779cbec7d61d3465d6", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|66|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-lwc/src/testSupport/testRunner/testRunner.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 133930, "scanner": "repobility-threat-engine", "fingerprint": "41b4108b96dfff1a4678b060f4d04011d7079cc42a49f5fa7044175d875ebc6b", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|29|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-lwc/src/testSupport/commands/lwcTestDebugAction.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 133929, "scanner": "repobility-threat-engine", "fingerprint": "70f77bea530a1a7fba7882dcc80249639ee1306b4df8b220399f39c0dff61191", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|70f77bea530a1a7fba7882dcc80249639ee1306b4df8b220399f39c0dff61191"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/package-lock.validation.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] 
Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 133928, "scanner": "repobility-threat-engine", "fingerprint": "3fde3f6f4569f70641c72662251bb5917d6c3ee6b4ce5f633ce894192cdbf859", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3fde3f6f4569f70641c72662251bb5917d6c3ee6b4ce5f633ce894192cdbf859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-lwc/src/messages/i18n.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 133920, "scanner": "repobility-threat-engine", "fingerprint": "bd6ce8ae33fa5495123305f485838e78f6d5369d38896033bc1c5262ddd6ce9f", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.error(`[esbuild] Failed to get web config from org ${process.env.ESBUILD_WEB_ORG_ALIAS}:`, e", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|10|console.error esbuild failed to get web config from org token : e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-services/esbuild.config.mjs"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 133919, "scanner": "repobility-threat-engine", "fingerprint": "6b2c6ff336f1ff19ede13dfaadb32b4694ca28dfa223d94014b4f3d8b22141cc", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('Error refreshing access token: ', text)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|console.error error refreshing access token: text"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-utils-vscode/src/context/workspaceContextUtil.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 133918, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 133914, "scanner": "repobility-threat-engine", "fingerprint": "b98826a496e2c244206dacb96a98f930d8c279872e9506ee2677167c314ee386", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b98826a496e2c244206dacb96a98f930d8c279872e9506ee2677167c314ee386"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 36 more): Same pattern found in 36 additional files. Review if needed."}, "properties": {"repobilityId": 133908, "scanner": "repobility-threat-engine", "fingerprint": "ff6a29f76b46f08711bdb564be87911d2e8218558ddda1a3e3cc08a0dba0e0ae", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 36 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ff6a29f76b46f08711bdb564be87911d2e8218558ddda1a3e3cc08a0dba0e0ae", "aggregated_count": 36}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 133907, "scanner": "repobility-threat-engine", "fingerprint": "09c0e3c4bfb087b58aa2a7160263d4d24bc58cd0e19f91a43cd3d8d0682b2498", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09c0e3c4bfb087b58aa2a7160263d4d24bc58cd0e19f91a43cd3d8d0682b2498"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-vscode-ext/src/utils/dreamhouseScratchOrgSetup.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 133906, "scanner": "repobility-threat-engine", "fingerprint": "4f5a058751241a01582be9cd1b85e19ac7325a9a181364bc94e6c6f6f1308865", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f5a058751241a01582be9cd1b85e19ac7325a9a181364bc94e6c6f6f1308865"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-vscode-ext/src/pages/problems.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 133905, "scanner": "repobility-threat-engine", "fingerprint": "e363859d627d60b628aaa08d683dd61b80e2a58cbb1fc96fb93db7c85df1bd4f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e363859d627d60b628aaa08d683dd61b80e2a58cbb1fc96fb93db7c85df1bd4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-vscode-ext/src/pages/commands.ts"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 133904, "scanner": "repobility-threat-engine", "fingerprint": "9538f1e64abc06611cb760d4cf74131bb8d1179208b0f6494ae6336a088ba74b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9538f1e64abc06611cb760d4cf74131bb8d1179208b0f6494ae6336a088ba74b", "aggregated_count": 2}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 133903, "scanner": "repobility-threat-engine", "fingerprint": "dacf37aafb9454d6ee4ef6b6369ecdc074f7dbd85b01a803344254ae26db40b8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dacf37aafb9454d6ee4ef6b6369ecdc074f7dbd85b01a803344254ae26db40b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-apex-debugger/src/index.ts"}, "region": {"startLine": 235}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 133902, "scanner": "repobility-threat-engine", "fingerprint": "9580f2713224fd1476c81d18c65fb8e8a109120b6a32a24098700e3501056d34", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9580f2713224fd1476c81d18c65fb8e8a109120b6a32a24098700e3501056d34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-utils-vscode/src/commands/notificationService.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 133901, "scanner": "repobility-threat-engine", "fingerprint": "ebf26ab73c92b4aaffb57b84cc5df6b83fcfdca0771466f81c71fa28f876c039", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ebf26ab73c92b4aaffb57b84cc5df6b83fcfdca0771466f81c71fa28f876c039"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/packageJsonRequireRootInstall.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 31 more): Same pattern found in 31 additional files. 
Review if needed."}, "properties": {"repobilityId": 133900, "scanner": "repobility-threat-engine", "fingerprint": "785a9d8b5575ed128b1c6b814ce12a095307d8a866ec53112aa4851d54a340f5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|785a9d8b5575ed128b1c6b814ce12a095307d8a866ec53112aa4851d54a340f5", "aggregated_count": 31}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 133899, "scanner": "repobility-threat-engine", "fingerprint": "6a88ad7930bdd0bd065d388e19daa4720ea83e314867f9b16812d3aa0c482c9f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a88ad7930bdd0bd065d388e19daa4720ea83e314867f9b16812d3aa0c482c9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/packageJsonIconPaths.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 133898, "scanner": "repobility-threat-engine", "fingerprint": "8103e7770adc7880e321a9a1ea5773d581dd7bcdfca2593ec78a41fb80590401", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8103e7770adc7880e321a9a1ea5773d581dd7bcdfca2593ec78a41fb80590401"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/packageJsonI18nDescriptions.ts"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 133897, "scanner": "repobility-threat-engine", "fingerprint": "0b2df115bf25dd74dbef6653bab408a9cd8009d88e1cb6520271c61d615f377c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0b2df115bf25dd74dbef6653bab408a9cd8009d88e1cb6520271c61d615f377c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/packageJsonCommandRefs.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 133896, "scanner": "repobility-threat-engine", "fingerprint": "69b8d1ab6ebdf0e67a4943a9d246df28ccefb397d7d029799319621fefe41b25", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 14 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|69b8d1ab6ebdf0e67a4943a9d246df28ccefb397d7d029799319621fefe41b25"}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 133892, "scanner": "repobility-threat-engine", "fingerprint": "307b83d0878b11fa19a7733164345f24af7c2d92857c6a47165c71bc989c75ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|307b83d0878b11fa19a7733164345f24af7c2d92857c6a47165c71bc989c75ca"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 102 more): Same pattern found in 102 additional files. Review if needed."}, "properties": {"repobilityId": 133886, "scanner": "repobility-threat-engine", "fingerprint": "67a0519becd0964b6962e8b33b6d80e9ec26fd74102c14ee26ed86d9f02ffdaa", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 102 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|67a0519becd0964b6962e8b33b6d80e9ec26fd74102c14ee26ed86d9f02ffdaa", "aggregated_count": 102}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 133885, "scanner": "repobility-threat-engine", "fingerprint": "78e799d7a53a7b926b1f47df091c09777e7e37be3aa3c4a9259f16330d1a5e0e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78e799d7a53a7b926b1f47df091c09777e7e37be3aa3c4a9259f16330d1a5e0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-vscode-ext/src/orgs/shared.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 133884, "scanner": "repobility-threat-engine", "fingerprint": "9aaea57d7759f8887c8eb7b3f6f5b9996bfd28a24ba8679e71e9c2f3bde082ea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9aaea57d7759f8887c8eb7b3f6f5b9996bfd28a24ba8679e71e9c2f3bde082ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/new-issue/src/index.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 133883, "scanner": "repobility-threat-engine", "fingerprint": "cd6c0692e1d2be4a6d01006478422b37ba5efbd62721e781b3213c69c8383f63", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cd6c0692e1d2be4a6d01006478422b37ba5efbd62721e781b3213c69c8383f63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/check-feature-request/src/index.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 133882, "scanner": "repobility-threat-engine", "fingerprint": "dfdc63590a34c89a05d4027ebc97c0dc96c520971f72e978d1818aaac095f684", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 16 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfdc63590a34c89a05d4027ebc97c0dc96c520971f72e978d1818aaac095f684"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `packages/salesforcedx-vscode-apex/jars/apex-jorje-lsp.jar` committed in source repo: `packages/salesforcedx-vscode-apex/jars/apex-jorje-lsp.jar` is a .jar binary (24,584,338 bytes) committed to a repo that otherwise has 1635 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 133994, "scanner": "repobility-supply-chain", "fingerprint": "0477d21084ce0c3c7ec90baca655d83b6f31b7a89aee4da92089e4357b331188", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0477d21084ce0c3c7ec90baca655d83b6f31b7a89aee4da92089e4357b331188"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-apex/jars/apex-jorje-lsp.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `yourkit-distro/bin/linux-x86-64/libyjpagent.so` committed in source repo: `yourkit-distro/bin/linux-x86-64/libyjpagent.so` is a .so binary (12,126,824 bytes) committed to a repo that otherwise has 1635 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 133993, "scanner": "repobility-supply-chain", "fingerprint": "700d0754b9de4b07a24a0994f8525d63d50955ad9e1b591357ac6150231fbd87", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|700d0754b9de4b07a24a0994f8525d63d50955ad9e1b591357ac6150231fbd87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yourkit-distro/bin/linux-x86-64/libyjpagent.so"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `yourkit-distro/bin/windows-x86-32/yjpagent.dll` committed in source repo: `yourkit-distro/bin/windows-x86-32/yjpagent.dll` is a .dll binary (9,123,576 bytes) committed to a repo that otherwise has 1635 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 133992, "scanner": "repobility-supply-chain", "fingerprint": "c3ba0a59e0d88add5f44dfd08ec6d219fbd2d22e90694301c2f057c18958ee7d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3ba0a59e0d88add5f44dfd08ec6d219fbd2d22e90694301c2f057c18958ee7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yourkit-distro/bin/windows-x86-32/yjpagent.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `yourkit-distro/bin/linux-arm-64/libyjpagent.so` committed in source repo: `yourkit-distro/bin/linux-arm-64/libyjpagent.so` is a .so binary (11,294,416 bytes) committed to a repo that otherwise has 1635 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 133991, "scanner": "repobility-supply-chain", "fingerprint": "25e115e9dc9031233c51dc05598c5086028dc14a359271365e2edf7c83c7f8a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25e115e9dc9031233c51dc05598c5086028dc14a359271365e2edf7c83c7f8a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yourkit-distro/bin/linux-arm-64/libyjpagent.so"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `yourkit-distro/bin/linux-arm-32/libyjpagent.so` committed in source repo: `yourkit-distro/bin/linux-arm-32/libyjpagent.so` is a .so binary (8,094,108 bytes) committed to a repo that otherwise has 1635 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 133990, "scanner": "repobility-supply-chain", "fingerprint": "696cf24085a68664c57876246e26d9f510d8acd607b483eb172f26bafc8a4778", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|696cf24085a68664c57876246e26d9f510d8acd607b483eb172f26bafc8a4778"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yourkit-distro/bin/linux-arm-32/libyjpagent.so"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `yourkit-distro/bin/linux-x86-32/libyjpagent.so` committed in source repo: `yourkit-distro/bin/linux-x86-32/libyjpagent.so` is a .so binary (11,443,360 bytes) committed to a repo that otherwise has 1635 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 133989, "scanner": "repobility-supply-chain", "fingerprint": "03d4a1f7a49250aae7a40c7b9644d25aca884d4235c8dfc541c9eb8372f2f9d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03d4a1f7a49250aae7a40c7b9644d25aca884d4235c8dfc541c9eb8372f2f9d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yourkit-distro/bin/linux-x86-32/libyjpagent.so"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `yourkit-distro/bin/mac/libyjpagent.dylib` committed in source repo: `yourkit-distro/bin/mac/libyjpagent.dylib` is a .dylib binary (20,686,720 bytes) committed to a repo that otherwise has 1635 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 133988, "scanner": "repobility-supply-chain", "fingerprint": "2ae3a62f0d7853fb7b9e47cd086c594f53cc373ae8284a24f609ccdf58da5b65", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ae3a62f0d7853fb7b9e47cd086c594f53cc373ae8284a24f609ccdf58da5b65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yourkit-distro/bin/mac/libyjpagent.dylib"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `yourkit-distro/bin/windows-x86-64/yjpagent.dll` committed in source repo: `yourkit-distro/bin/windows-x86-64/yjpagent.dll` is a .dll binary (10,808,056 bytes) committed to a repo that otherwise has 1635 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 133987, "scanner": "repobility-supply-chain", "fingerprint": "37a1c75edaef36970c1e68ec821d8215ca0e6cab6c4d348c662b74bd12d54267", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37a1c75edaef36970c1e68ec821d8215ca0e6cab6c4d348c662b74bd12d54267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yourkit-distro/bin/windows-x86-64/yjpagent.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `yourkit-distro/bin/windows-arm-64/yjpagent.dll` committed in source repo: `yourkit-distro/bin/windows-arm-64/yjpagent.dll` is a .dll binary (10,369,784 bytes) committed to a repo that otherwise has 1635 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 133986, "scanner": "repobility-supply-chain", "fingerprint": "9202cfcb45761b3a26fa315f53baa4a023c1cefe20419f77128f7949bed1ab19", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9202cfcb45761b3a26fa315f53baa4a023c1cefe20419f77128f7949bed1ab19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yourkit-distro/bin/windows-arm-64/yjpagent.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133985, "scanner": "repobility-supply-chain", "fingerprint": "5e56ee4a267c4b033b574b67b004bc696513ba49547f309d3c242697b8f17488", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e56ee4a267c4b033b574b67b004bc696513ba49547f309d3c242697b8f17488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/servicesE2E.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133984, "scanner": "repobility-supply-chain", "fingerprint": "92a58875eac4993a418160aacdc23e37b9a2e19a95b8812bd8287dcfee54ddc2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|92a58875eac4993a418160aacdc23e37b9a2e19a95b8812bd8287dcfee54ddc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/servicesE2E.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133983, "scanner": "repobility-supply-chain", "fingerprint": "cd0d54970e68f939d4409e576d2c798ba8bea7c70cc9391446f7d91e58baf5b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd0d54970e68f939d4409e576d2c798ba8bea7c70cc9391446f7d91e58baf5b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validateUpdatedIssues.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133982, "scanner": "repobility-supply-chain", "fingerprint": "c6db20b61c09104ef9825a99a671ec0381c4bc197e827acdb52680afe8bfe38c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c6db20b61c09104ef9825a99a671ec0381c4bc197e827acdb52680afe8bfe38c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validateUpdatedIssues.yml"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133981, "scanner": "repobility-supply-chain", "fingerprint": "75dfdeaffcf2a01c454d294950324842378ca3759abebbe2542bdc9ebe8489a8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75dfdeaffcf2a01c454d294950324842378ca3759abebbe2542bdc9ebe8489a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validateUpdatedIssues.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133980, "scanner": "repobility-supply-chain", "fingerprint": "87ca2f5c1ea6b43159b95eb5e066f5f286136b4e39f12a27dad04de24b0b9c52", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|87ca2f5c1ea6b43159b95eb5e066f5f286136b4e39f12a27dad04de24b0b9c52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validateUpdatedIssues.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133979, "scanner": "repobility-supply-chain", "fingerprint": "47371400b633150931d0b237630a0bf14abf2f6ff163ab65f08dee3b7535e551", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47371400b633150931d0b237630a0bf14abf2f6ff163ab65f08dee3b7535e551"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validateUpdatedIssues.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133978, "scanner": "repobility-supply-chain", "fingerprint": "ef21948f70f94b9cac0403b61c0511fcb9d331be023f53298a8a5958329ca8f6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef21948f70f94b9cac0403b61c0511fcb9d331be023f53298a8a5958329ca8f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validateUpdatedIssues.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133977, "scanner": "repobility-supply-chain", "fingerprint": "85b96de19f80ffdcab39bd3476537b10a0a9cde3a0d2516a2cfc335c0c851730", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85b96de19f80ffdcab39bd3476537b10a0a9cde3a0d2516a2cfc335c0c851730"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validateUpdatedIssues.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133976, "scanner": "repobility-supply-chain", "fingerprint": "1edc6420547f0657a9ccba11b715ab2503cd58827db1f51bf20fdadf823a02da", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1edc6420547f0657a9ccba11b715ab2503cd58827db1f51bf20fdadf823a02da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validateUpdatedIssues.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `salesforcecli/github-workflows/.github/workflows/npmPublish.yml` pinned to mutable ref `@main`: `uses: salesforcecli/github-workflows/.github/workflows/npmPublish.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133975, "scanner": "repobility-supply-chain", "fingerprint": "1dc5c907ed8ec7f6956fde0c3cde7d8e07986358999fd79b5bc1ad19adb767bd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1dc5c907ed8ec7f6956fde0c3cde7d8e07986358999fd79b5bc1ad19adb767bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publishI18nPackage.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133974, "scanner": "repobility-supply-chain", "fingerprint": "e260bb8bbd7afb8f6edc8dd35f163a4c2258812b7ba6ec073baf941d5736a9c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e260bb8bbd7afb8f6edc8dd35f163a4c2258812b7ba6ec073baf941d5736a9c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publishI18nPackage.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `salesforcecli/github-workflows/.github/actions/getGithubUserInfo` pinned to mutable ref `@main`: `uses: salesforcecli/github-workflows/.github/actions/getGithubUserInfo@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133973, "scanner": "repobility-supply-chain", "fingerprint": "6070cb188880ede242f19a116503e412aa362ca770afc842a35a65e9362f2bdc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6070cb188880ede242f19a116503e412aa362ca770afc842a35a65e9362f2bdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publishI18nPackage.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133972, "scanner": "repobility-supply-chain", "fingerprint": "493e8560dbf922f33345372d24243f1531943a24754c393adb3c267551f9687a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|493e8560dbf922f33345372d24243f1531943a24754c393adb3c267551f9687a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/testBuildAndRelease.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133971, "scanner": "repobility-supply-chain", "fingerprint": "d06a297f814f1ad1dcca72fbb81b5506e47f9ec79a7888fa563a3ef5f5cfc8ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d06a297f814f1ad1dcca72fbb81b5506e47f9ec79a7888fa563a3ef5f5cfc8ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwrightVscodeExtE2E.yml"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133970, "scanner": "repobility-supply-chain", "fingerprint": "f0ddfaef26a8327fd732a37fedbd50e3438bd0cabc0fef124b0fd873771c1d46", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0ddfaef26a8327fd732a37fedbd50e3438bd0cabc0fef124b0fd873771c1d46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwrightVscodeExtE2E.yml"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `salesforcecli/github-workflows/.github/actions/retry` pinned to mutable ref `@main`: `uses: salesforcecli/github-workflows/.github/actions/retry@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133969, "scanner": "repobility-supply-chain", "fingerprint": "15e9c0ddeac91018acb2b0c84d4e241f5a10e0f39568470a22f58d14ab8fc261", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15e9c0ddeac91018acb2b0c84d4e241f5a10e0f39568470a22f58d14ab8fc261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwrightVscodeExtE2E.yml"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `salesforcecli/github-workflows/.github/actions/npmInstallWithRetries` pinned to mutable ref `@main`: `uses: salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133968, "scanner": "repobility-supply-chain", "fingerprint": "ad6e54172c3ce6ef26883655ce3cabf72f916a25b38c3cf27be05117018529fe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad6e54172c3ce6ef26883655ce3cabf72f916a25b38c3cf27be05117018529fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwrightVscodeExtE2E.yml"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133967, "scanner": "repobility-supply-chain", "fingerprint": "a6f5f30cd06b997bb6c70a5972da65e8c712c0344e1ed532da9370e6a19beeee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6f5f30cd06b997bb6c70a5972da65e8c712c0344e1ed532da9370e6a19beeee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwrightVscodeExtE2E.yml"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133966, "scanner": "repobility-supply-chain", "fingerprint": "edf423b54a13fa50281733c4119f72577229fc1dc6825f35f9a72cf2f37b7785", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|edf423b54a13fa50281733c4119f72577229fc1dc6825f35f9a72cf2f37b7785"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwrightVscodeExtE2E.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133965, "scanner": "repobility-supply-chain", "fingerprint": "f20a635b900436f0e20343e408fdd93dd940da564e34f431249e6d87b2c3ae36", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f20a635b900436f0e20343e408fdd93dd940da564e34f431249e6d87b2c3ae36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwrightVscodeExtE2E.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133964, "scanner": "repobility-supply-chain", "fingerprint": "529ce15de0ebe00127d9fa0e00066511aa01393e72a2b31c86dbdd6e64cd590a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|529ce15de0ebe00127d9fa0e00066511aa01393e72a2b31c86dbdd6e64cd590a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwrightVscodeExtE2E.yml"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `salesforcecli/github-workflows/.github/actions/npmInstallWithRetries` pinned to mutable ref `@main`: `uses: salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133963, "scanner": "repobility-supply-chain", "fingerprint": "eb109db3b8d910cb3a012c2f2e5f458ebdb5b23cb7bc1a93f4ecc5266f1ea672", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb109db3b8d910cb3a012c2f2e5f458ebdb5b23cb7bc1a93f4ecc5266f1ea672"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwrightVscodeExtE2E.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133962, "scanner": "repobility-supply-chain", "fingerprint": "24d7ac4d94a4aa0944c42316b437a1df151cec020ab4eda06f99d906e9bd80dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24d7ac4d94a4aa0944c42316b437a1df151cec020ab4eda06f99d906e9bd80dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwrightVscodeExtE2E.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133961, "scanner": "repobility-supply-chain", "fingerprint": "8c1246ea3cbf78da36d4fd8cfaf5869a0159adeeec1263d771ac1037714a13f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c1246ea3cbf78da36d4fd8cfaf5869a0159adeeec1263d771ac1037714a13f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwrightVscodeExtE2E.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `codemirror` pulled from URL/Git: `devDependencies.codemirror` = `git://github.com/codemirror/CodeMirror.git` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 133960, "scanner": "repobility-supply-chain", "fingerprint": "460868406344fcf96ed9a870d776d1ce7c6dbd694fe8a07995454d871600832a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|460868406344fcf96ed9a870d776d1ce7c6dbd694fe8a07995454d871600832a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-aura-language-server/src/tern/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render."}, "properties": {"repobilityId": 133939, "scanner": "repobility-threat-engine", "fingerprint": "d1c71e0abb313e830bae2fa56ee5ebd6d40a441a55927f7c0e9ffb3106736398", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1c71e0abb313e830bae2fa56ee5ebd6d40a441a55927f7c0e9ffb3106736398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test-workspaces/standard-workspace/src/modules/example/app/app.js"}, "region": {"startLine": 
16}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 133936, "scanner": "repobility-threat-engine", "fingerprint": "997900d8f3c47103b42954d24df8f601783e56b90c871c2caafdd9ff5a091e6f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|997900d8f3c47103b42954d24df8f601783e56b90c871c2caafdd9ff5a091e6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-services/scripts/spanFileServer.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 133935, "scanner": "repobility-threat-engine", "fingerprint": "8d77fee5ae3067af3549facfe6cb5424ccc9b214f927d9a48e7bcfe991de1333", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin', '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8d77fee5ae3067af3549facfe6cb5424ccc9b214f927d9a48e7bcfe991de1333"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-services/scripts/o11yDebugServer.ts"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. 
libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 133921, "scanner": "repobility-threat-engine", "fingerprint": "cb7af9c381c5803ce12798e89bd21ae833decb9821a3d565ffef3166a212c8c1", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new XMLParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cb7af9c381c5803ce12798e89bd21ae833decb9821a3d565ffef3166a212c8c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-apex-oas/src/commands/oasDocumentChecker.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 133917, "scanner": "repobility-threat-engine", "fingerprint": "5e1336939dae336f364e0553cda96af4d28b0a4e510cf6f3441244b415935321", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(\n  m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5e1336939dae336f364e0553cda96af4d28b0a4e510cf6f3441244b415935321"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-visualforce-markup-language-server/src/services/htmlLinks.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Triage note: the matched text is a URL-construction call rather than the request itself, so confirm the parsed URL is actually handed to an HTTP client and that its host comes from an untrusted party rather than operator configuration (in an editor extension it is often the user's own org endpoint). Where the host is untrusted, allowlist scheme and host after parsing and reject loopback, link-local (169.254.0.0/16) and private ranges against the resolved address, not the hostname string, so DNS rebinding cannot bypass the check."}, "properties": {"repobilityId": 133916, "scanner": "repobility-threat-engine", "fingerprint": "cdad576d1fbf191e478fb2b6684dece711ffa2a8ef79ccf2ff8cf9359dbdd3d6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cdad576d1fbf191e478fb2b6684dece711ffa2a8ef79ccf2ff8cf9359dbdd3d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-apex-debugger/src/requestService/requestService.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Triage note: the matched text is a URL-construction call rather than the request itself, so confirm the parsed URL is actually handed to an HTTP client and that its host comes from an untrusted party rather than operator configuration (in an editor extension it is often the user's own org endpoint). Where the host is untrusted, allowlist scheme and host after parsing and reject loopback, link-local (169.254.0.0/16) and private ranges against the resolved address, not the hostname string, so DNS rebinding cannot bypass the check."}, "properties": {"repobilityId": 133915, "scanner": "repobility-threat-engine", "fingerprint": "3a7699f7deeebc864b1931e9c568ed7d174d92ac4b3eca255652bbb84f49afa7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a7699f7deeebc864b1931e9c568ed7d174d92ac4b3eca255652bbb84f49afa7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-apex-debugger/src/core/streamingService.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Triage note: the rule fires on call shape alone; confirm the matched call actually returns a Promise (check its declared return type), since synchronous calls such as Map/Set .delete(...) or a plain factory/create(...) helper have the same shape and are not fire-and-forget. Where the call is genuinely async, either await it or attach a .catch handler so rejections are not lost."}, "properties": {"repobilityId": 133913, "scanner": "repobility-threat-engine", "fingerprint": "3ffebcc4fdf47b1883242e6fed4d89d17bee00c3f8ef01bf7751290d6cc842a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Position.create(babelRange.end.line - 1, babelRange.end.column)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3ffebcc4fdf47b1883242e6fed4d89d17bee00c3f8ef01bf7751290d6cc842a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-lwc-language-server/src/javascript/compiler.ts"}, "region": {"startLine": 153}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Triage note: the rule fires on call shape alone; confirm the matched call actually returns a Promise (check its declared return type), since synchronous calls such as Map/Set .delete(...) or a plain factory/create(...) helper have the same shape and are not fire-and-forget. Where the call is genuinely async, either await it or attach a .catch handler so rejections are not lost."}, "properties": {"repobilityId": 133912, "scanner": "repobility-threat-engine", "fingerprint": "0a666f05877c51e403cb77d0994cdff7647cd113e8153323df6ed665ba89c7e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.AURA_TAGS.delete(tag);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a666f05877c51e403cb77d0994cdff7647cd113e8153323df6ed665ba89c7e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-aura-language-server/src/aura-indexer/indexer.ts"}, "region": {"startLine": 165}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Triage note: the rule fires on call shape alone; confirm the matched call actually returns a Promise (check its declared return type), since synchronous calls such as Map/Set .delete(...) or a plain factory/create(...) helper have the same shape and are not fire-and-forget. Where the call is genuinely async, either await it or attach a .catch handler so rejections are not lost."}, "properties": {"repobilityId": 133911, "scanner": "repobility-threat-engine", "fingerprint": "c5a528568876cfe4b5bc093666f0cc1d7fb703beba8436ec2a44091982b5c788", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.exceptionBreakpointCache.delete(info.typeref);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c5a528568876cfe4b5bc093666f0cc1d7fb703beba8436ec2a44091982b5c788"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-apex-debugger/src/core/breakpointService.ts"}, "region": {"startLine": 231}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0). Triage note: ReDoS via this call requires the pattern text itself to be attacker-influenced; a module-level constant or a pattern assembled only from repository-controlled strings is not a ReDoS vector, so confirm where the argument originates before fixing. Where an untrusted fragment does reach the pattern, escape its regex metacharacters first and bound the length of the subject string it is run against."}, "properties": {"repobilityId": 133891, "scanner": "repobility-threat-engine", "fingerprint": "87ad291e1172b722e82312809ef6e5b5b99fa0ba5183448c39646e6541c639df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(I18N_MEMBER_RE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|87ad291e1172b722e82312809ef6e5b5b99fa0ba5183448c39646e6541c639df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/queryBuilderHtmlI18nKeys.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0). Triage note: ReDoS via this call requires the pattern text itself to be attacker-influenced; a module-level constant or a pattern assembled only from repository-controlled strings is not a ReDoS vector, so confirm where the argument originates before fixing. Where an untrusted fragment does reach the pattern, escape its regex metacharacters first and bound the length of the subject string it is run against."}, "properties": {"repobilityId": 133890, "scanner": "repobility-threat-engine", "fingerprint": "e477cab662cb78f2a186a900a744bdc906140d195a3dab67d2612faf282ee3a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e477cab662cb78f2a186a900a744bdc906140d195a3dab67d2612faf282ee3a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/noUnusedI18nMessages.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0). Triage note: ReDoS via this call requires the pattern text itself to be attacker-influenced; a module-level constant or a pattern assembled only from repository-controlled strings is not a ReDoS vector, so confirm where the argument originates before fixing. Where an untrusted fragment does reach the pattern, escape its regex metacharacters first and bound the length of the subject string it is run against."}, "properties": {"repobilityId": 133889, "scanner": "repobility-threat-engine", "fingerprint": "cf4846a2b6cf96cbd0547d8084a1de623c480d0c402144e17a3b897be6f1a1dd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cf4846a2b6cf96cbd0547d8084a1de623c480d0c402144e17a3b897be6f1a1dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/commandMustBeInPackageJson.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline. Triage note: the matched template literal is only an XSS sink if its result is assigned to innerHTML/outerHTML, passed to insertAdjacentHTML or document.write, or otherwise parsed as HTML; a literal that builds plain text (a prompt body, a log line, a version label) is not, so confirm the sink before fixing. Where it does reach HTML, set textContent or run the interpolated values through an HTML-escaping helper."}, "properties": {"repobilityId": 133888, "scanner": "repobility-threat-engine", "fingerprint": "78efa3b7f1d6c31acf2bb8aa99f37ccc9def533311b76fdba48903c6672553e1", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `${key}: ${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|78efa3b7f1d6c31acf2bb8aa99f37ccc9def533311b76fdba48903c6672553e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-apex-oas/src/oas/generationStrategy/buildPromptUtils.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline. Triage note: the matched template literal is only an XSS sink if its result is assigned to innerHTML/outerHTML, passed to insertAdjacentHTML or document.write, or otherwise parsed as HTML; a literal that builds plain text (a prompt body, a log line, a version label) is not, so confirm the sink before fixing. Where it does reach HTML, set textContent or run the interpolated values through an HTML-escaping helper."}, "properties": {"repobilityId": 133887, "scanner": "repobility-threat-engine", "fingerprint": "c27b1259efe53e6a38e821d932d8d4fab90720960f5abc52335dd373fe25f071", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((version) => `v${version}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c27b1259efe53e6a38e821d932d8d4fab90720960f5abc52335dd373fe25f071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/validate-issue/src/nodeVersions.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0). Triage note: this pattern also matches RegExp.prototype.exec (for example re.exec(text)), which does not spawn a process; confirm the callee is imported from child_process before treating the hit as command injection. For real child_process calls, prefer execFile/spawn with an argument array over exec with a string assembled from variables, so no shell ever parses the input."}, "properties": {"repobilityId": 133881, "scanner": "repobility-threat-engine", "fingerprint": "3a6e873108fe461869be87cc43e8fb5e4b4df2292c87c91b85c8644bd6073696", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a6e873108fe461869be87cc43e8fb5e4b4df2292c87c91b85c8644bd6073696"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/queryBuilderHtmlI18nKeys.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0). Triage note: this pattern also matches RegExp.prototype.exec (for example re.exec(source)), which does not spawn a process; confirm the callee is imported from child_process before treating the hit as command injection. For real child_process calls, prefer execFile/spawn with an argument array over exec with a string assembled from variables, so no shell ever parses the input."}, "properties": {"repobilityId": 133880, "scanner": "repobility-threat-engine", "fingerprint": "bd3d2febabcdf8e9a6a86d615c4758b68ec5b6d24e9bbcab0288c29f27e6139b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(source", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bd3d2febabcdf8e9a6a86d615c4758b68ec5b6d24e9bbcab0288c29f27e6139b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-local-rules/src/i18nUtils.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). Triage note: execSync runs its string argument through a shell, so unless cmd is a fixed literal every variable spliced into it is a shell-injection point; prefer execFileSync with an argument array (or spawnSync with shell false) so arguments are passed to the program directly and nothing is re-parsed by a shell."}, "properties": {"repobilityId": 133879, "scanner": "repobility-threat-engine", "fingerprint": "674e9a60dae2df7652d254b6213d8596787e4af3e655217e7fb5991288282fec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|674e9a60dae2df7652d254b6213d8596787e4af3e655217e7fb5991288282fec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/skills/release/detect-state.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk. Triage note: the hit is in a file under a resources directory, which may be a bundled or vendored script rather than first-party code; confirm whether the eval argument can be influenced by anything outside the extension (a workspace file, a server response) before prioritising, and if the file is vendored, track the fix upstream rather than patching the copy. Where the argument is a fixed literal or only describes the error being built, the exposure is a maintainability issue, not remote code execution."}, "properties": {"repobilityId": 133925, "scanner": "repobility-threat-engine", "fingerprint": "3a7836a4d7bc7d4cd1ae1483c3ccf33a3d8be2f4c9ca0a3a5aa88e0150540d6e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a7836a4d7bc7d4cd1ae1483c3ccf33a3d8be2f4c9ca0a3a5aa88e0150540d6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/salesforcedx-vscode-lightning/src/resources/aura/error/AuraError.js"}, "region": {"startLine": 176}}}]}]}]}