{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `main` (list): `def main(... = []/{}/set())` \u2014 Python's default value is construc", "shortDescription": {"text": "[MINED109] Mutable default argument in `main` (list): `def main(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future ca"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def main(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `load_method_results` has cognitive complexity 20 (SonarSource scale). Cog", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `load_method_results` has cognitive complexity 20 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and rec"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 20."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 18 more): Same pattern found in 18 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-r", "shortDescription": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025"}, "fullDescription": {"text": "Replace with: `uses: actions/setup-node@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "[MINED110] Blocking call `time.sleep` inside async function `async_search`: `time.sleep` is a synchronous (blocking) cal", "shortDescription": {"text": "[MINED110] Blocking call `time.sleep` inside async function `async_search`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from mak"}, "fullDescription": {"text": "Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.async_search` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads ", "shortDescription": {"text": "[MINED108] `self.async_search` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.async_search`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeErro"}, "fullDescription": {"text": "Initialize `self.async_search = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/132"}, "properties": {"repository": "zilliztech/claude-context", "repoUrl": "https://github.com/zilliztech/claude-context.git", "branch": "master"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 39377, "scanner": "repobility-ast-engine", "fingerprint": "328d4eb207e4c3b1314ab0d8130097f3b973772b6399601a0f2c716898e7a73e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|328d4eb207e4c3b1314ab0d8130097f3b973772b6399601a0f2c716898e7a73e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/utils/format.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 39376, "scanner": "repobility-ast-engine", "fingerprint": "a46fd9c0c2701b586f60939865041294c4b0c1e5ad852f5824e7ebbc86d344ee", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a46fd9c0c2701b586f60939865041294c4b0c1e5ad852f5824e7ebbc86d344ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/servers/read_server.py"}, "region": {"startLine": 266}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 39375, "scanner": "repobility-ast-engine", "fingerprint": "4545d787e8f03595e959558e4110a910ab29221e6ded145e97ac483fc7e34263", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4545d787e8f03595e959558e4110a910ab29221e6ded145e97ac483fc7e34263"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/servers/read_server.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 39374, "scanner": "repobility-ast-engine", "fingerprint": "29f8b8ddbf3d53eb2dc55722a6ed572ebc94c23872a9ebe079b9b8afc3992330", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|29f8b8ddbf3d53eb2dc55722a6ed572ebc94c23872a9ebe079b9b8afc3992330"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/servers/read_server.py"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 39373, "scanner": "repobility-ast-engine", "fingerprint": "43f9d837abc18f7039839e1cab379867d480921a4070009190eb075118be70a5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|43f9d837abc18f7039839e1cab379867d480921a4070009190eb075118be70a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/servers/grep_server.py"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `main` (list): `def main(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 39344, "scanner": "repobility-ast-engine", "fingerprint": "37010635165f49c23fff1a4d623c4a06cb3491a48ca23da6231a5a494563e6ad", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|37010635165f49c23fff1a4d623c4a06cb3491a48ca23da6231a5a494563e6ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/run_evaluation.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 39343, "scanner": "repobility-ast-engine", "fingerprint": "ee6a4809962767ae049dac6538ca375d0b592a5e3effc7e8e8164df22a69d1ab", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee6a4809962767ae049dac6538ca375d0b592a5e3effc7e8e8164df22a69d1ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/analyze_and_plot_mcp_efficiency.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 39341, "scanner": "repobility-ast-engine", "fingerprint": "d262fd9d49c6458d98c73b5fcc4b52c5f114bd42794a94b1e3513215f9c55a8a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d262fd9d49c6458d98c73b5fcc4b52c5f114bd42794a94b1e3513215f9c55a8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/test_endtoend.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 39337, "scanner": "repobility-ast-engine", "fingerprint": "cf4fdc86014dca28a323a37e3b92f50ee095c8ea87280842cc8014f66d464ec2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf4fdc86014dca28a323a37e3b92f50ee095c8ea87280842cc8014f66d464ec2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ts_executor.py"}, "region": {"startLine": 302}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 39313, "scanner": "repobility-threat-engine", "fingerprint": "b8798eff77981b6ff75f7e50afde53629856f4c55893db40d51dd97ce7700bbd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def build_index(self, repo_path: str) -> Any:\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b8798eff77981b6ff75f7e50afde53629856f4c55893db40d51dd97ce7700bbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/base.py"}, "region": {"startLine": 176}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `load_method_results` has cognitive complexity 20 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=2, except=1, for=2, if=2, nested_bonus=7, ternary=6."}, "properties": {"repobilityId": 39308, "scanner": "repobility-threat-engine", "fingerprint": "1c62e6c713a89ea1138848adbdd3ecb115224e40b9d95b187dda04fce2cd7709", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 20 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "load_method_results", "breakdown": {"if": 2, "for": 2, "except": 1, "ternary": 6, "continue": 2, "nested_bonus": 7}, "complexity": 20, "correlation_key": "fp|1c62e6c713a89ea1138848adbdd3ecb115224e40b9d95b187dda04fce2cd7709"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/analyze_and_plot_mcp_efficiency.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 4464, "scanner": "repobility-threat-engine", "fingerprint": "c623cef1c9907458dabe1ea1a2b20ffb5cccd392a447b665d0a4b2e7ddade845", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "Math.random()", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|packages/mcp/src/sync.ts|94|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/sync.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 4146, "scanner": "repobility-threat-engine", "fingerprint": "678b05ee6beafca933d95de36f999923382a6dd180d9cad0512f62a1989d89db", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "Math.random()", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|packages/mcp/src/sync.ts|47|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/sync.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC020", "level": "warning", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 4144, "scanner": "repobility-threat-engine", "fingerprint": "5d20e253fe40072b806e9e0554b622b7543c8ad13512c3bf4797cc1cee3eb252", "category": "credential_exposure", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Console output includes secret length metadata, not the direct value.", "evidence": {"match": "console.log(`[DEBUG]   GEMINI_API_KEY: <redacted>'GEMINI_API_KEY')", "reason": "Console output includes secret length metadata, not the direct value.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "secret|packages/mcp/src/config.ts|14|console.log debug gemini_api_key: redacted gemini_api_key"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/config.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 3191, "scanner": "repobility-threat-engine", "fingerprint": "d479882f5aa76ae15780b3667033c1d1d2fc064efd903faf2a8213aa8c5c36f4", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "Math.random()", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|packages/mcp/src/sync.ts|45|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/sync.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC020", "level": "warning", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 3187, "scanner": "repobility-threat-engine", "fingerprint": "733805fa1d4946cb661328dfc074a690ba15a5440ed8a7721b28e18af23ae352", "category": "credential_exposure", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Console output includes secret length metadata, not the direct value.", "evidence": {"match": "console.log(`[DEBUG]   GEMINI_API_KEY: <redacted>'GEMINI_API_KEY')", "reason": "Console output includes secret length metadata, not the direct value.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "secret|packages/mcp/src/config.ts|13|console.log debug gemini_api_key: redacted gemini_api_key"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/config.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3183, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8717c5147372e5e8638c65751561a92883cee030c45e522148889e9ce8142206", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/chrome-extension/src/stubs/milvus-vectordb-stub.ts", "duplicate_line": 1, "correlation_key": "fp|8717c5147372e5e8638c65751561a92883cee030c45e522148889e9ce8142206"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/vectordb/types.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3181, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1564bb74bd5a11ed07ff7ea86c8e9f05f7a145a1f81c54f2919bc74f3541684a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/chrome-extension/src/stubs/milvus-vectordb-stub.ts", "duplicate_line": 38, "correlation_key": "fp|1564bb74bd5a11ed07ff7ea86c8e9f05f7a145a1f81c54f2919bc74f3541684a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/vectordb/milvus-restful-vectordb.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=2, if=2, nested_bonus=4, ternary=1."}, "properties": {"repobilityId": 39309, "scanner": "repobility-threat-engine", "fingerprint": "df0e7a1cfdc3c1fd3a304d67f45dfdc1dbc0c55f80c89d8c88ab6e3e1579b426", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 2, "for": 2, "ternary": 1, "nested_bonus": 4}, "complexity": 9, "correlation_key": "fp|df0e7a1cfdc3c1fd3a304d67f45dfdc1dbc0c55f80c89d8c88ab6e3e1579b426"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/generate_subset_json.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 3190, "scanner": "repobility-threat-engine", "fingerprint": "ade2e73704765f47c11e0fc2966c259f98fcdaf197e583c55c81366493667ba5", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = r", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|223|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vscode-extension/src/webview/scripts/semanticSearch.js"}, "region": {"startLine": 223}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 3189, "scanner": "repobility-threat-engine", "fingerprint": "253816504e8cfdf34fe7d5d7d5d9ee530149b252b8f7c7e477b4db7a793e96b8", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|41|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/chrome-extension/src/content.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3184, "scanner": "repobility-ai-code-hygiene", "fingerprint": "52f611838988539c25b52632f0de945ac8d228f09f6aa55beea9b91065b05959", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/vscode-extension/src/commands/indexCommand.ts", "duplicate_line": 6, "correlation_key": "fp|52f611838988539c25b52632f0de945ac8d228f09f6aa55beea9b91065b05959"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vscode-extension/src/commands/syncCommand.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3182, "scanner": "repobility-ai-code-hygiene", "fingerprint": "728a7821faa1e162c08c6315ff8ab1076ff7688b4721433ece4f8c3e87717cc2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/vectordb/milvus-restful-vectordb.ts", "duplicate_line": 52, "correlation_key": "fp|728a7821faa1e162c08c6315ff8ab1076ff7688b4721433ece4f8c3e87717cc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/vectordb/milvus-vectordb.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 39333, "scanner": "repobility-threat-engine", "fingerprint": "60ef712aa103d51933e5bad69cbe14ef4a61b95a034b7e57531ead6289bfa38a", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|60ef712aa103d51933e5bad69cbe14ef4a61b95a034b7e57531ead6289bfa38a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vscode-extension/src/commands/searchCommand.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 39330, "scanner": "repobility-threat-engine", "fingerprint": "77c15976f0768a666e6053652fdae4975605bc47b9aed04f29b3262667fd5d8b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|77c15976f0768a666e6053652fdae4975605bc47b9aed04f29b3262667fd5d8b", "aggregated_count": 5}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 39329, "scanner": "repobility-threat-engine", "fingerprint": "6853f2008b9a43f27ab71fa32034c4278cf71d496233480244660cbd5d721bb8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6853f2008b9a43f27ab71fa32034c4278cf71d496233480244660cbd5d721bb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/splitter/ast-splitter.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 39328, "scanner": "repobility-threat-engine", "fingerprint": "937128c0dc2e6207724b4a2d87224b80dc1b5898868a9e756fefdfa642cba7c1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|937128c0dc2e6207724b4a2d87224b80dc1b5898868a9e756fefdfa642cba7c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/embedding/ollama-embedding.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 39327, "scanner": "repobility-threat-engine", "fingerprint": "17e0b4c822caed6b22bb7d755631c071d9640d3a3703f2556a7e74c698028596", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|17e0b4c822caed6b22bb7d755631c071d9640d3a3703f2556a7e74c698028596"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/embedding/gemini-embedding.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 39325, "scanner": "repobility-threat-engine", "fingerprint": "cbf6547d9f643e95684a65906e45e71aa8a38aa27576546abef5efe92c852f3e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cbf6547d9f643e95684a65906e45e71aa8a38aa27576546abef5efe92c852f3e", "aggregated_count": 18}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 39324, "scanner": "repobility-threat-engine", "fingerprint": "3297c8c9bdda40619cac4d8cd5b161c50a982ff6275fe25d9f0836c3e14c7f92", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3297c8c9bdda40619cac4d8cd5b161c50a982ff6275fe25d9f0836c3e14c7f92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/chrome-extension/src/milvus/chromeMilvusAdapter.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 39322, "scanner": "repobility-threat-engine", "fingerprint": "fbdb98c2d729970e4a5f99e9ce9184e0772942fddfb993e2cd3f2c0015c5c3e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fbdb98c2d729970e4a5f99e9ce9184e0772942fddfb993e2cd3f2c0015c5c3e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/chrome-extension/src/config/milvusConfig.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 39321, "scanner": "repobility-threat-engine", "fingerprint": "a25f0b79f9ef7a46277085855830dc373d92a4e6ad48b40cde371ed425572312", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a25f0b79f9ef7a46277085855830dc373d92a4e6ad48b40cde371ed425572312"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-usage/index.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 39319, "scanner": "repobility-threat-engine", "fingerprint": "86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "aggregated_count": 1}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 39317, "scanner": "repobility-threat-engine", "fingerprint": "de4a4a3b6709272f294a9bee4f16e2e589735301922707271af31e41826bbbfe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de4a4a3b6709272f294a9bee4f16e2e589735301922707271af31e41826bbbfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/servers/read_server.py"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 39316, "scanner": "repobility-threat-engine", "fingerprint": "8ab93b9c234d0a0ebfe395fcf9ecf732fcc029cce02a83a5543dce0deb8bcc26", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8ab93b9c234d0a0ebfe395fcf9ecf732fcc029cce02a83a5543dce0deb8bcc26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/servers/grep_server.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 39315, "scanner": "repobility-threat-engine", "fingerprint": "77abe7d47d71b407db12a76ab58fd966183603307b2cd9268608c876f0c7e1e7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|77abe7d47d71b407db12a76ab58fd966183603307b2cd9268608c876f0c7e1e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/base.py"}, "region": {"startLine": 177}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 39311, "scanner": "repobility-threat-engine", "fingerprint": "7195ad2ed9d17b05fb3343deb30e489e47b88806e32e44e36b1ae21ff4fb7c7d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "load_method_results", "breakdown": {"if": 2, "for": 2, "except": 1, "ternary": 6, "continue": 2, "nested_bonus": 7}, "aggregated": true, "complexity": 20, "correlation_key": "fp|7195ad2ed9d17b05fb3343deb30e489e47b88806e32e44e36b1ae21ff4fb7c7d", "aggregated_count": 6}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 39307, "scanner": "repobility-threat-engine", "fingerprint": "aff44d500d19c4423050d737972bcb06584ec6776003bd702a1183d1868689a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aff44d500d19c4423050d737972bcb06584ec6776003bd702a1183d1868689a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/chrome-extension/src/milvus/chromeMilvusAdapter.ts"}, "region": {"startLine": 230}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 39306, "scanner": "repobility-threat-engine", "fingerprint": "988235a86a6563d78ac8927d4cfad17dfc78e70231bf692d6791a3756ad7e276", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|988235a86a6563d78ac8927d4cfad17dfc78e70231bf692d6791a3756ad7e276"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-usage/index.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 39305, "scanner": "repobility-threat-engine", "fingerprint": "8bde680842ba6031199d6b69b2f53ed5d2a841d4a2b59b68abbeb6edfb7c23ac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8bde680842ba6031199d6b69b2f53ed5d2a841d4a2b59b68abbeb6edfb7c23ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/analyze_and_plot_mcp_efficiency.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 39304, "scanner": "repobility-threat-engine", "fingerprint": "d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 39303, "scanner": "repobility-threat-engine", "fingerprint": "ec8e0bac49ebebe08479f515b0087a6b934f921365217b172aea723e087848c2", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`[OllamaEmbedding] \ud83d\udccf Detected Ollama embedding dimension: ${this.dimension} for model: $", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|6|console.log ollamaembedding detected ollama embedding dimension: this.dimension for model:"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/embedding/ollama-embedding.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 39302, "scanner": "repobility-threat-engine", "fingerprint": "11ab1f76ea998560c19d1377da75d7560a8f4466867c070b966350658baeb59d", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log('\\n\ud83d\udca1 Please make sure to set the correct OPENAI_API_KEY environment variable')", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|10|console.log n please make sure to set the correct openai_api_key environment variable"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-usage/index.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 4145, "scanner": "repobility-threat-engine", "fingerprint": "17899434e8fca97aa6d93276d50a57739862b4ca1cf98b965ac27a806af8db42", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "print(f\"\ud83d\udce5 Input Tokens:  {usage['input_tokens']:,}\")", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|evaluation/utils/format.py|32|print f input tokens: usage input_tokens :"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/utils/format.py"}, "region": {"startLine": 329}}}]}, {"ruleId": "SEC002", "level": "none", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 3192, "scanner": "repobility-threat-engine", "fingerprint": "6a48dcf04905e2eb1d63c6bc380c11083586d30d4b98348de9f4a1953b704836", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential | [R34 auto-suppress: documentation/example path]", "evidence": {"match": "API_KEY=\"<redacted>\"", "reason": "Value looks like a development placeholder, not a live credential | [R34 auto-suppress: documentation/example path]", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|10|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/basic-usage/index.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 3188, "scanner": "repobility-threat-engine", "fingerprint": "3c1512ec1e531167a3aa928d567398e9cb8cbf7ff40fccf993810ebf40229e88", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3c1512ec1e531167a3aa928d567398e9cb8cbf7ff40fccf993810ebf40229e88"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 3186, "scanner": "repobility-threat-engine", "fingerprint": "9607bd4c20e9bf7653f726657fa2d4a005dd806626861fcf5e57ae8c3e371da7", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Legacy SEC020 finding reclassified by non-secret token context", "evidence": {"match": "console.log(`[Context] \ud83d\udd04 Processing batch of ${chunks.length} chunks (~${estimatedTokens} tokens)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|88|console.log context processing batch of chunks.length chunks estimatedtokens tokens"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/context.ts"}, "region": {"startLine": 884}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 39383, "scanner": "repobility-supply-chain", "fingerprint": "cf83f865530d059ba102ac0a9b5a0499f751753f3265c9a718b301b04d4560f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf83f865530d059ba102ac0a9b5a0499f751753f3265c9a718b301b04d4560f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 39382, "scanner": "repobility-supply-chain", "fingerprint": "2f2695fcef4084ddf85067a62dceb58d0f614d850debcbc3a24454bca8ce058c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f2695fcef4084ddf85067a62dceb58d0f614d850debcbc3a24454bca8ce058c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 39381, "scanner": "repobility-supply-chain", "fingerprint": "33a420863592ffc57fff56ed4061fdd98d540d2a3febb78d0a02df196c4f4845", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33a420863592ffc57fff56ed4061fdd98d540d2a3febb78d0a02df196c4f4845"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 39380, "scanner": "repobility-supply-chain", "fingerprint": "321536574ac29ee2830de2340e75d6ec38262120494a9f95aeecf589ff295807", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|321536574ac29ee2830de2340e75d6ec38262120494a9f95aeecf589ff295807"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 39379, "scanner": "repobility-supply-chain", "fingerprint": "eb9929507a33bbc7a1f202d09dea65cdc959d13fab77aedc6637f79a59af17b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb9929507a33bbc7a1f202d09dea65cdc959d13fab77aedc6637f79a59af17b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 39378, "scanner": "repobility-supply-chain", "fingerprint": "98feeddc9033b60b9bfc2f7cedb3c98bcac6b999a9ea8682d2804fc358000461", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98feeddc9033b60b9bfc2f7cedb3c98bcac6b999a9ea8682d2804fc358000461"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `async_search`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 39372, "scanner": "repobility-ast-engine", "fingerprint": "1d9f7b8cc04a3c5c900aa63755044e62f5efb9c70ea940ac16ee3421884534a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1d9f7b8cc04a3c5c900aa63755044e62f5efb9c70ea940ac16ee3421884534a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 316}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `async_build_index`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 39371, "scanner": "repobility-ast-engine", "fingerprint": "d0eb4f622303aa4fe3025e947e58e5ba876a0ee0305de4c5900eb98c994e8456", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d0eb4f622303aa4fe3025e947e58e5ba876a0ee0305de4c5900eb98c994e8456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 286}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `async_build_index`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 39370, "scanner": "repobility-ast-engine", "fingerprint": "3ac31b38e3e96cf364d6257d12a25ab10c8ef6772e940001567648357405564a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3ac31b38e3e96cf364d6257d12a25ab10c8ef6772e940001567648357405564a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 276}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `async_build_index`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 39369, "scanner": "repobility-ast-engine", "fingerprint": "bc2e8ffeedd3149be6b0c3c73243e2a3fdda9250bec329931561741240495593", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bc2e8ffeedd3149be6b0c3c73243e2a3fdda9250bec329931561741240495593"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 278}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.async_search` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.async_search`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39368, "scanner": "repobility-ast-engine", "fingerprint": "e257b6e8247986deb0767971f9f02c1faca60f0cfb8c12eea5e0ca0199a20027", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e257b6e8247986deb0767971f9f02c1faca60f0cfb8c12eea5e0ca0199a20027"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 352}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.async_build_index` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.async_build_index`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39367, "scanner": "repobility-ast-engine", "fingerprint": "191150aed59cae74ec4d4417ece923db8ad249550e85e368729ea2d24f2d2efd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|191150aed59cae74ec4d4417ece923db8ad249550e85e368729ea2d24f2d2efd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.output_dir` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.output_dir`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39366, "scanner": "repobility-ast-engine", "fingerprint": "9cf45ee7ca917776236e8e644b3bb2f5a91bed0e088a79ead380c7eaf47785f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9cf45ee7ca917776236e8e644b3bb2f5a91bed0e088a79ead380c7eaf47785f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 336}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.instances` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.instances`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39365, "scanner": "repobility-ast-engine", "fingerprint": "1da6a36a85d523418a5ee4d0bf43baf295401a0e772127e4043571ed17b96c17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1da6a36a85d523418a5ee4d0bf43baf295401a0e772127e4043571ed17b96c17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 329}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.async_run` used but never assigned in __init__: Method `run` of class `CustomRetrieval` reads `self.async_run`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39364, "scanner": "repobility-ast-engine", "fingerprint": "47139599ba7d4e59fa7dd9e793799e180755e5202383e8009a288d250160f2c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|47139599ba7d4e59fa7dd9e793799e180755e5202383e8009a288d250160f2c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.prompt` used but never assigned in __init__: Method `async_search` of class `CustomRetrieval` reads `self.prompt`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39363, "scanner": "repobility-ast-engine", "fingerprint": "68d1d5a3f915b041fb2781aff0a2d7821a73005706ba17b9b1d970315c43f0e7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|68d1d5a3f915b041fb2781aff0a2d7821a73005706ba17b9b1d970315c43f0e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 297}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.mcp_sessions_context` used but never assigned in __init__: Method `async_search` of class `CustomRetrieval` reads `self.mcp_sessions_context`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39362, "scanner": "repobility-ast-engine", "fingerprint": "ff8544b445d081eb2e2e2a7990d0a080b90794b69b8d5b86307f0371a3038456", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ff8544b445d081eb2e2e2a7990d0a080b90794b69b8d5b86307f0371a3038456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 294}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.async_search` used but never assigned in __init__: Method `search` of class `CustomRetrieval` reads `self.async_search`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39361, "scanner": "repobility-ast-engine", "fingerprint": "0c4c0337acfbd2193fa25f55a8e9c7f102ff3700ab85d0c5625b003f99f95034", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c4c0337acfbd2193fa25f55a8e9c7f102ff3700ab85d0c5625b003f99f95034"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 291}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.mcp_sessions_context` used but never assigned in __init__: Method `async_build_index` of class `CustomRetrieval` reads `self.mcp_sessions_context`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39360, "scanner": "repobility-ast-engine", "fingerprint": "0dfbbb283451077e0dcf8084e48f5f22186bc967597b95784c314bb96635df79", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0dfbbb283451077e0dcf8084e48f5f22186bc967597b95784c314bb96635df79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 254}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.async_build_index` used but never assigned in __init__: Method `build_index` of class `CustomRetrieval` reads `self.async_build_index`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39359, "scanner": "repobility-ast-engine", "fingerprint": "6c5775ac81f4f9569d0aa1ddb788534350070fcdcb9f08bf6448fdaa3134fa92", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6c5775ac81f4f9569d0aa1ddb788534350070fcdcb9f08bf6448fdaa3134fa92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._load_tools_from_sessions` used but never assigned in __init__: Method `mcp_sessions_context` of class `CustomRetrieval` reads `self._load_tools_from_sessions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39358, "scanner": "repobility-ast-engine", "fingerprint": "cbec736f1b94a42a133075bd6573d012d12e216218d5297683b173e17f411864", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cbec736f1b94a42a133075bd6573d012d12e216218d5297683b173e17f411864"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._load_tools_from_sessions` used but never assigned in __init__: Method `mcp_sessions_context` of class `CustomRetrieval` reads `self._load_tools_from_sessions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39357, "scanner": "repobility-ast-engine", "fingerprint": "9ee6b49446cedd663f07096d56a2b9c3bfa6f0a26c3bfdf8413d3d144c0727f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ee6b49446cedd663f07096d56a2b9c3bfa6f0a26c3bfdf8413d3d144c0727f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._load_tools_from_sessions` used but never assigned in __init__: Method `mcp_sessions_context` of class `CustomRetrieval` reads `self._load_tools_from_sessions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39356, "scanner": "repobility-ast-engine", "fingerprint": "b4bdf3833530c4bab51bb38dae81035c0e5cb5fb578b8176a797a267aec943f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b4bdf3833530c4bab51bb38dae81035c0e5cb5fb578b8176a797a267aec943f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._load_tools_from_sessions` used but never assigned in __init__: Method `mcp_sessions_context` of class `CustomRetrieval` reads `self._load_tools_from_sessions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39355, "scanner": "repobility-ast-engine", "fingerprint": "20f23a858a3687b7330f2b0f14323ba817f4bb3c588eeba702b70d4ce1e55ca1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20f23a858a3687b7330f2b0f14323ba817f4bb3c588eeba702b70d4ce1e55ca1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/custom.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.output_file` used but never assigned in __init__: Method `run` of class `BaseRetrieval` reads `self.output_file`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39354, "scanner": "repobility-ast-engine", "fingerprint": "4b7aa0fe9c23d847212c4d0e968c771a5bb6df390609c203ebf1ddfc1065ad9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4b7aa0fe9c23d847212c4d0e968c771a5bb6df390609c203ebf1ddfc1065ad9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/base.py"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.output_file` used but never assigned in __init__: Method `run` of class `BaseRetrieval` reads `self.output_file`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39348, "scanner": "repobility-ast-engine", "fingerprint": "97f2e028ce802d39f60a3663a7ecde5c0070665a64a387928fd41aa59ea3cd2d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|97f2e028ce802d39f60a3663a7ecde5c0070665a64a387928fd41aa59ea3cd2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/base.py"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.search` used but never assigned in __init__: Method `run` of class `BaseRetrieval` reads `self.search`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39347, "scanner": "repobility-ast-engine", "fingerprint": "3e8d6d92b75594d391b8e2a96639d20f50b5b43606a978480c02084dd74a8a18", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3e8d6d92b75594d391b8e2a96639d20f50b5b43606a978480c02084dd74a8a18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/base.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.build_index` used but never assigned in __init__: Method `run` of class `BaseRetrieval` reads `self.build_index`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39346, "scanner": "repobility-ast-engine", "fingerprint": "cf28b1eaea4fc1e20c6decb81615cae97b063f2d014a401bcba6a9477df63e9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf28b1eaea4fc1e20c6decb81615cae97b063f2d014a401bcba6a9477df63e9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/base.py"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._filter_existing_instances` used but never assigned in __init__: Method `_prepare_instances` of class `BaseRetrieval` reads `self._filter_existing_instances`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39345, "scanner": "repobility-ast-engine", "fingerprint": "06c4c22501bfc31c3927575aadc9516f8a21efa424abe7c98f0a2669a68119c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|06c4c22501bfc31c3927575aadc9516f8a21efa424abe7c98f0a2669a68119c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/base.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.async_run` used but never assigned in __init__: Method `run` of class `Evaluator` reads `self.async_run`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39342, "scanner": "repobility-ast-engine", "fingerprint": "737ca59dccf6d5840bf02175dc564a074e4e5bae31d4ddb3743cfa24f22f5f88", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|737ca59dccf6d5840bf02175dc564a074e4e5bae31d4ddb3743cfa24f22f5f88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/client.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._create_wrapper_script` used but never assigned in __init__: Method `call_method` of class `TypeScriptExecutor` reads `self._create_wrapper_script`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 39336, "scanner": "repobility-ast-engine", "fingerprint": "6935db6b1e9cdb4990da4a2806a0b80a4339d02a3332f959349402e96448adc8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6935db6b1e9cdb4990da4a2806a0b80a4339d02a3332f959349402e96448adc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ts_executor.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 39334, "scanner": "repobility-threat-engine", "fingerprint": "53c148e02c5ee064b7fbe17e4b9ea4ad55a16383ee584e5257a75ecd8f9857ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53c148e02c5ee064b7fbe17e4b9ea4ad55a16383ee584e5257a75ecd8f9857ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/build-benchmark.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 39332, "scanner": "repobility-threat-engine", "fingerprint": "1af1ca720a8f46e9d2bf09a151bf3db259d0fb15ca53eef496e5dabb782d959a", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|packages/mcp/src/utils.ts|23|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/utils.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 39331, "scanner": "repobility-threat-engine", "fingerprint": "cfb9762c619fe074e5ca554db138519a670ff0c0c42c3ad5528bb843d7b16d27", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(rootPath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cfb9762c619fe074e5ca554db138519a670ff0c0c42c3ad5528bb843d7b16d27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/scripts/path-resolution-e2e.mjs"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 39326, "scanner": "repobility-threat-engine", "fingerprint": "db65349bb11cae9fa9814f11a6cb7e670589b8391e634fd0f64fcc5c5095c41b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|db65349bb11cae9fa9814f11a6cb7e670589b8391e634fd0f64fcc5c5095c41b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/chrome-extension/src/options.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 39320, "scanner": "repobility-threat-engine", "fingerprint": "b363a0b9bf819c1f35c5a7a0a33209c55961e88f72949bf356df86710d534841", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b363a0b9bf819c1f35c5a7a0a33209c55961e88f72949bf356df86710d534841"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/servers/read_server.py"}, "region": {"startLine": 256}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `_prepare_instances` has cognitive complexity 35 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=2, else=4, for=1, if=11, nested_bonus=16, ternary=1."}, "properties": {"repobilityId": 39310, "scanner": "repobility-threat-engine", "fingerprint": "2eafc2efff9aaf851affb90addf9d79b44e7b42330640edd0f429a5eacfc8ebd", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 35 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_prepare_instances", "breakdown": {"if": 11, "for": 1, "elif": 2, "else": 4, "ternary": 1, "nested_bonus": 16}, "complexity": 35, "correlation_key": "fp|2eafc2efff9aaf851affb90addf9d79b44e7b42330640edd0f429a5eacfc8ebd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/retrieval/base.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 3185, "scanner": "repobility-threat-engine", "fingerprint": "1da801e27195b8a2a98e2267180ca72324ccfe9fcf473b44bbf109e2f9347362", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "false_positive", "verdict": "confirmed", "isResolved": true, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "print(f\"    Avg Tokens: {results['avg_tokens']:.0f} \u00b1 {results['std_tokens']:.0f}\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|12|print f avg tokens: results avg_tokens :.0f results std_tokens :.0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evaluation/analyze_and_plot_mcp_efficiency.py"}, "region": {"startLine": 128}}}]}]}]}