{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /to"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /report."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 35.1% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 35.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `browser4` image uses the latest tag", "shortDescription": {"text": "Compose service `browser4` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `create_connection` has cognitive complexity 10 (SonarSource scale). Cogni", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `create_connection` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recur"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 10."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC016", "name": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prom", "shortDescription": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input tha"}, "fullDescription": {"text": "1) Separate user content from instructions: use the 'user' role for user text and 'system' role for your instructions \u2014 never concatenate them into one string. 2) Validate and constrain: limit input length, strip control characters, and reject known injection patterns. 3) Use structured output (JSON mode / function calling) so the model returns data, not freeform actions. 4) Apply output validation: check the AI's response before acting on it. 5) Consider a prompt injection detection layer (e.g. Anthropic's constitutional AI, prompt-guard models)."}, "properties": {"scanner": "repobility-threat-engine", "category": "llm_injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 42 more): Same pattern found in 42 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 6 more): Same pattern found in 6 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `rust:1.94-bookworm` not pinned by digest: `FROM rust:1.94-bookworm` resolves the tag at buil", "shortDescription": {"text": "[MINED118] Dockerfile FROM `rust:1.94-bookworm` not pinned by digest: `FROM rust:1.94-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production"}, "fullDescription": {"text": "Replace with: `FROM rust:1.94-bookworm@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_entry_height_too_small` of class `TestGet", "shortDescription": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_entry_height_too_small` of class `TestGetBoundingBoxMessages` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). "}, "fullDescription": {"text": "Initialize `self.assertTrue = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /{id}/result."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default.", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of servic"}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1042"}, "properties": {"repository": "platonai/Browser4", "repoUrl": "https://github.com/platonai/Browser4", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 102572, "scanner": "repobility-ast-engine", "fingerprint": "3c4d514522482db3edd4af66f32f943a71ad5fc756ca2a759517a510c32bbf10", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3c4d514522482db3edd4af66f32f943a71ad5fc756ca2a759517a510c32bbf10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "coworker/scripts/workers/count-total-token-usage.py"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 102571, "scanner": "repobility-ast-engine", "fingerprint": "d1ed30e182c0100667b10698563be92e463010007d2f50d877715b8d7497d793", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d1ed30e182c0100667b10698563be92e463010007d2f50d877715b8d7497d793"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "coworker/scripts/workers/count-total-token-usage.py"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 102556, "scanner": "repobility-ast-engine", "fingerprint": "8290fa9ac811c28da3f78705f0d1c89523d09333ed67b4bc023ee803ca31efba", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8290fa9ac811c28da3f78705f0d1c89523d09333ed67b4bc023ee803ca31efba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/mcp-builder/scripts/evaluation.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 102555, "scanner": "repobility-ast-engine", "fingerprint": "11796870735c4e6f40050b5a97d33022ac46ec79cc2439e46e559423e2d3145c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|11796870735c4e6f40050b5a97d33022ac46ec79cc2439e46e559423e2d3145c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/mcp-builder/scripts/evaluation.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 102553, "scanner": "repobility-ast-engine", "fingerprint": "3aae1fab327084026857ca0b577e964416aa4b671db64de1132b3bca38738012", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3aae1fab327084026857ca0b577e964416aa4b671db64de1132b3bca38738012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 381}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 102552, "scanner": "repobility-ast-engine", "fingerprint": "e863873fe8b16ce8b8f324652f5b72fd19d298e0be26543d3d1f4e6a22cda03d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e863873fe8b16ce8b8f324652f5b72fd19d298e0be26543d3d1f4e6a22cda03d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 282}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 102551, "scanner": "repobility-ast-engine", "fingerprint": "76cf0a8fa176b8086d77fd1942168d01d8b13505e21e8d2846ed0c604beefe5f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|76cf0a8fa176b8086d77fd1942168d01d8b13505e21e8d2846ed0c604beefe5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 102550, "scanner": "repobility-ast-engine", "fingerprint": "d6a6283dbf4782b6520d1f34e3e13fcce1e72cc0c7f78b9c870005ddcb2a0609", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d6a6283dbf4782b6520d1f34e3e13fcce1e72cc0c7f78b9c870005ddcb2a0609"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 549}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 102539, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 102535, "scanner": "repobility-journey-contract", "fingerprint": "dd8046234d2449c209e5549d2f844735be958aa79ade1a01d86ea9033d5aad70", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/endpoint", "correlation_key": "fp|dd8046234d2449c209e5549d2f844735be958aa79ade1a01d86ea9033d5aad70", "backend_endpoint_count": 37}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-tests/browser4-tests-common/src/main/resources/static/assets/network-tab/network.html"}, "region": {"startLine": 15}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /tools."}, "properties": {"repobilityId": 102533, "scanner": "repobility-access-control", "fingerprint": "35e32d55f7401207ec31d400c5c1ebc7dc4cb7b99be73c5345a842a0d97735ea", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/tools", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|236|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/mcp/controller/MCPToolController.kt"}, "region": {"startLine": 236}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /call-tool."}, "properties": {"repobilityId": 102532, "scanner": "repobility-access-control", "fingerprint": "522febc696c96dd9a27e5d6123189ae1119402ea781b84c1d5c2bf5bdbb2a080", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/call-tool", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|196|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/mcp/controller/MCPToolController.kt"}, "region": {"startLine": 196}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /report."}, "properties": {"repobilityId": 102531, "scanner": "repobility-access-control", "fingerprint": "1100b2e4d7c39d8a195a152b71aa08c81dc8a0d46cb100fa8d193aa81cf283ed", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/report", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|40|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/controller/SystemController.kt"}, "region": {"startLine": 40}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /health."}, "properties": {"repobilityId": 102530, "scanner": "repobility-access-control", "fingerprint": "3501bf6df14c57dc73cefba148fef20ca345ff43e36f71aba2845f748841c13f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/health", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|22|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/controller/SystemController.kt"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /api/system."}, "properties": {"repobilityId": 102529, "scanner": "repobility-access-control", "fingerprint": "cd9e217ea07f4498eb6f84043e7401ad395e209705800b902d4152783a90d0d0", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/system", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|16|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/controller/SystemController.kt"}, "region": {"startLine": 16}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 35.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 102522, "scanner": "repobility-access-control", "fingerprint": "bcb60ac2d809faac89fc8430e46ecb5c1ffd7e937d4c15eb5865758a24c9135f", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 37, "correlation_key": "fp|bcb60ac2d809faac89fc8430e46ecb5c1ffd7e937d4c15eb5865758a24c9135f", "auth_visible_percent": 35.1}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 102521, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Spring Boot"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `browser4` image uses the latest tag"}, "properties": {"repobilityId": 102518, "scanner": "repobility-docker", "fingerprint": "d2595cb5fd8ad1f0b7bda03d94348b90dccb0a9f74e7fe318a6f6b6b4283971c", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "galaxyeye88/browser4:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d2595cb5fd8ad1f0b7bda03d94348b90dccb0a9f74e7fe318a6f6b6b4283971c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `proxy-hub` image uses the latest tag"}, "properties": {"repobilityId": 102515, "scanner": "repobility-docker", "fingerprint": "0d10b07b887f74465b91790c425163f11f122a3a9b532a02ad63e0c670b3128e", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "galaxyeye88/proxy-hub:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0d10b07b887f74465b91790c425163f11f122a3a9b532a02ad63e0c670b3128e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `mongodb` image uses the latest tag"}, "properties": {"repobilityId": 102513, "scanner": "repobility-docker", "fingerprint": "16377ec9cdf75d176f076341b265d391d2e23c9706d2f0ad9269ebdb5bd8e2ce", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "mongo:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|16377ec9cdf75d176f076341b265d391d2e23c9706d2f0ad9269ebdb5bd8e2ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102509, "scanner": "repobility-docker", "fingerprint": "848e2f1b208b409d7b07949823a19149f59fefb8cd134ec969f94a26e4643dcc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "rust:1.94-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|848e2f1b208b409d7b07949823a19149f59fefb8cd134ec969f94a26e4643dcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/docker/Dockerfile.build"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 102506, "scanner": "repobility-docker", "fingerprint": "8d96a8720df6ff3371ada3609e8a4cdc0299734c753ccb5d1621ad974e89f1e5", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|8d96a8720df6ff3371ada3609e8a4cdc0299734c753ccb5d1621ad974e89f1e5", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 102505, "scanner": "repobility-agent-runtime", "fingerprint": "b42f0957c3669d812df3fafb9e09bc5f56bd6b82b860af80e899dc52e333be22", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|b42f0957c3669d812df3fafb9e09bc5f56bd6b82b860af80e899dc52e333be22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-tests/browser4-tests-common/src/main/resources/static/assets/reading-list/react-dom_15.7.0.js"}, "region": {"startLine": 17355}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 102486, "scanner": "repobility-threat-engine", "fingerprint": "62ffdded2955b0e30ab95225cd69d7957331db3391e83632a4c8cc7cbe81d6bf", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Pattern.compile(\"\\\"[^\\\"\\\\\\\\]*(?:\\\\\\\\.[^\\\"\\\\\\\\]*)*", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|62ffdded2955b0e30ab95225cd69d7957331db3391e83632a4c8cc7cbe81d6bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-core/browser4-skeleton/src/main/kotlin/ai/platon/pulsar/skeleton/common/options/PulsarOptions.kt"}, "region": {"startLine": 140}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 102481, "scanner": "repobility-threat-engine", "fingerprint": "069e5eb90640c16455920e30e92b67ff5c553bd1a3d675df46ff6c92802eadc6", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|069e5eb90640c16455920e30e92b67ff5c553bd1a3d675df46ff6c92802eadc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-core/browser4-browser/src/main/resources/js/dom_settle.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 102466, "scanner": "repobility-threat-engine", "fingerprint": "872fefc74803770336f5023f050048167b626b2ac2afa8b1f82d0647dd5807a1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|872fefc74803770336f5023f050048167b626b2ac2afa8b1f82d0647dd5807a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/form-filling/scripts/example-usage.kts"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 102465, "scanner": "repobility-threat-engine", "fingerprint": "a69dcf1b490b4704f3fe3b054b38423830a92be0a9dad978986dd2fd723afa78", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a69dcf1b490b4704f3fe3b054b38423830a92be0a9dad978986dd2fd723afa78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/data-validation/scripts/example-usage.kts"}, "region": {"startLine": 76}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 102538, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 102537, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 102534, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Spring Boot"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 102520, "scanner": "repobility-docker", "fingerprint": "17cb54154d6b434d05df20d4d203926d9d6f2442476794b981578eda4278ce49", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "browser4", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|17cb54154d6b434d05df20d4d203926d9d6f2442476794b981578eda4278ce49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 102519, "scanner": "repobility-docker", "fingerprint": "1610b87f48b642d5e51fdb512ed25a04e0d909dc41390bb226cb7d9ca96a543d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "browser4", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1610b87f48b642d5e51fdb512ed25a04e0d909dc41390bb226cb7d9ca96a543d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 102517, "scanner": "repobility-docker", "fingerprint": "bd0c463a123dc280e407ab9cdf2baad08fe1451f1f3081cb3be33a6b459b8afb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "proxy-hub", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bd0c463a123dc280e407ab9cdf2baad08fe1451f1f3081cb3be33a6b459b8afb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 102516, "scanner": "repobility-docker", "fingerprint": "f658543e7457a0fe50f05c1acd4d0e6c9468d8ca9393783d58f3310d6601065b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "proxy-hub", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f658543e7457a0fe50f05c1acd4d0e6c9468d8ca9393783d58f3310d6601065b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 102512, "scanner": "repobility-docker", "fingerprint": "59ddd5e2c1edbb9709e8e429745bf7ba37ea2ebf17f28195c025fc0fefef4f2d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "build-single", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|59ddd5e2c1edbb9709e8e429745bf7ba37ea2ebf17f28195c025fc0fefef4f2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/docker/docker-compose.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 102511, "scanner": "repobility-docker", "fingerprint": "004ba9f4837f4345d415fae792fa868a38f89da2646f49c003ad00614da44c50", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "build-windows", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|004ba9f4837f4345d415fae792fa868a38f89da2646f49c003ad00614da44c50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/docker/docker-compose.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 102510, "scanner": "repobility-docker", "fingerprint": "46e3a8db5c3fa360b2f315ca1f00f503bd1a6f6d29270d6245a0018b521eef7a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "build-linux", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|46e3a8db5c3fa360b2f315ca1f00f503bd1a6f6d29270d6245a0018b521eef7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/docker/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 102508, "scanner": "repobility-docker", "fingerprint": "a77397043f8ae8173a49b6c0d37d6160feb39866e44a4aa9a73ae75d85817e95", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a77397043f8ae8173a49b6c0d37d6160feb39866e44a4aa9a73ae75d85817e95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/docker/Dockerfile.build"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 102507, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 102504, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1eb127a601743c62ed8727d4c95295af280d2c358a4ce4a14ccecf41926d7173", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "browser4-agentic/src/main/kotlin/ai/platon/pulsar/agentic/tools/AgenticCliRunner.kt", "duplicate_line": 392, "correlation_key": "fp|1eb127a601743c62ed8727d4c95295af280d2c358a4ce4a14ccecf41926d7173"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/mcp/controller/MCPToolController.kt"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 102503, "scanner": "repobility-ai-code-hygiene", "fingerprint": "390a938c74c2d2df0c8a086a729bbdcb4f269d44f413d4193a0103c566329e50", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "browser4-agentic/src/main/kotlin/ai/platon/pulsar/agentic/tools/AgenticCliRunner.kt", "duplicate_line": 722, "correlation_key": "fp|390a938c74c2d2df0c8a086a729bbdcb4f269d44f413d4193a0103c566329e50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/mcp/controller/ArgumentNormalizers.kt"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 102502, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff0279f93413fc6b97c8c13f44eedc06b70f9aa34951cc64c340a8b770e0d71b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "browser4-agent-tools/src/main/kotlin/ai/platon/pulsar/agentic/tools/advanced/crawl/service/ScrapeService.kt", "duplicate_line": 45, "correlation_key": "fp|ff0279f93413fc6b97c8c13f44eedc06b70f9aa34951cc64c340a8b770e0d71b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/service/ScrapeService.kt"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 102501, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3c0a5034c02f0a3ef56bb295660a157300ee2939d82f71aed596b800cb14fcb8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/controller/DefaultController.kt", "duplicate_line": 12, "correlation_key": "fp|3c0a5034c02f0a3ef56bb295660a157300ee2939d82f71aed596b800cb14fcb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/controller/SystemController.kt"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 102500, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c50ea55fc80d1718970aaae3927b98f2a36a59f811fd5b29bd88be4525eeec52", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "browser4-core/browser4-skeleton/src/main/kotlin/ai/platon/pulsar/skeleton/workflow/common/url/CompletableListenableHyperlink.kt", "duplicate_line": 6, "correlation_key": "fp|c50ea55fc80d1718970aaae3927b98f2a36a59f811fd5b29bd88be4525eeec52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-core/browser4-skeleton/src/main/kotlin/ai/platon/pulsar/skeleton/workflow/common/url/StatefulListenableHyperlink.kt"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 102499, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f5083fb4d4c11a640da705eac402199fd631665807bb7b31b5011bc83a2c61dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "browser4-core/browser4-browser/src/main/kotlin/ai/platon/pulsar/browser/detail/DualWorldScriptLoader.kt", "duplicate_line": 114, "correlation_key": "fp|f5083fb4d4c11a640da705eac402199fd631665807bb7b31b5011bc83a2c61dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-core/browser4-browser/src/main/kotlin/ai/platon/pulsar/browser/detail/ScriptLoader.kt"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 102498, "scanner": "repobility-ai-code-hygiene", "fingerprint": "887da0e928c936a04f37c7dc68330fe016b1e4f22d2d2df7d6d94ae40b05e7b2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "browser4-apps/browser4-bundle/src/main/kotlin/ai/platon/pulsar/apps/Browser4BundleApplication.kt", "duplicate_line": 18, "correlation_key": "fp|887da0e928c936a04f37c7dc68330fe016b1e4f22d2d2df7d6d94ae40b05e7b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-apps/browser4-standalone/src/main/kotlin/ai/platon/pulsar/apps/Browser4StandaloneApplication.kt"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 102492, "scanner": "repobility-threat-engine", "fingerprint": "3d284873c74181a537a2c8d85806db40c3c3560d0a00ecf4bd6add494472d6cd", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|7|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-tests/browser4-tests-common/src/main/resources/static/assets/input/mouse-helper.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `create_connection` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=2, else=1, if=4, nested_bonus=3."}, "properties": {"repobilityId": 102468, "scanner": "repobility-threat-engine", "fingerprint": "eb9b581422e960e94992f308255d36bbaf1ba1d7477971a7f7aa03f9abcf3223", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "create_connection", "breakdown": {"if": 4, "elif": 2, "else": 1, "nested_bonus": 3}, "complexity": 10, "correlation_key": "fp|eb9b581422e960e94992f308255d36bbaf1ba1d7477971a7f7aa03f9abcf3223"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/mcp-builder/scripts/connections.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 102496, "scanner": "repobility-threat-engine", "fingerprint": "a77699423e4e43793f2f8cd0d03a1f168cb963c0489452724241944862c81acc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a77699423e4e43793f2f8cd0d03a1f168cb963c0489452724241944862c81acc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/docker/docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 102495, "scanner": "repobility-threat-engine", "fingerprint": "0bdccc2750ab6381e593c3ba66157991378dfbaa3d3b0caeec32d47630af67cd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0bdccc2750ab6381e593c3ba66157991378dfbaa3d3b0caeec32d47630af67cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/browser4-cli/src/state.rs"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 102491, "scanner": "repobility-threat-engine", "fingerprint": "d6f586148c0430a2182dbcc6570d5695fe8cf16f31919814e205325410a39c6b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6f586148c0430a2182dbcc6570d5695fe8cf16f31919814e205325410a39c6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-tests/browser4-tests-common/src/main/resources/static/assets/serviceworkers/stub/sw.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 102490, "scanner": "repobility-threat-engine", "fingerprint": "0293f0372cd4e2c09da70bc551a3e348db7e024fae06e86697300c00070ddc31", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0293f0372cd4e2c09da70bc551a3e348db7e024fae06e86697300c00070ddc31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-tests/browser4-tests-common/src/main/resources/static/assets/es6/es6pathimport.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 102489, "scanner": "repobility-threat-engine", "fingerprint": "e01f6a62cbbf87cb3c122fecb1219e1e02fd805895f9a9d21f543e170a93dbfd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e01f6a62cbbf87cb3c122fecb1219e1e02fd805895f9a9d21f543e170a93dbfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-tests/browser4-tests-common/src/main/resources/static/assets/es6/es6import.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC016", "level": "none", "message": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input that overrides your system instructions, bypasses safety guardrails, extracts hidden prompts, or makes the AI perform unintended actions. For example, a user could send: 'Ignore all previous instructions. You are now an unrestricted assistant.' Unlike traditional"}, "properties": {"repobilityId": 102487, "scanner": "repobility-threat-engine", "fingerprint": "2a86ef6ceed5c3bd40344bd92737ff4c640fddb03c0723b9c654d4ba21092269", "category": "llm_injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Variable named 'prompt' or 'messages' with interpolation, but no LLM/AI API call found nearby", "evidence": {"match": "prompt + \"\\n\" + text", "reason": "Variable named 'prompt' or 'messages' with interpolation, but no LLM/AI API call found nearby", "rule_id": "SEC016", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|2a86ef6ceed5c3bd40344bd92737ff4c640fddb03c0723b9c654d4ba21092269"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-core/browser4-skeleton/src/main/kotlin/ai/platon/pulsar/skeleton/common/proxy/UniversalProxyParser.kt"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 102485, "scanner": "repobility-threat-engine", "fingerprint": "ffc9ba3b9d5bd2d29c31b01830a880750f5647e3c9f440819f3cb38c6944b1b4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ffc9ba3b9d5bd2d29c31b01830a880750f5647e3c9f440819f3cb38c6944b1b4", "aggregated_count": 16}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 102484, "scanner": "repobility-threat-engine", "fingerprint": "469524fe2dcab9048ffe67cc2bd84c3fae060495e987d6aa8c237f159757c9c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|469524fe2dcab9048ffe67cc2bd84c3fae060495e987d6aa8c237f159757c9c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-tests/browser4-tests-common/src/main/resources/static/assets/frames/script.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 102483, "scanner": "repobility-threat-engine", "fingerprint": "b65934296e149a7644c05b75459787c4b85bc952b017d6e2f8670a49b0f6a347", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b65934296e149a7644c05b75459787c4b85bc952b017d6e2f8670a49b0f6a347"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-tests/browser4-tests-common/src/main/resources/static/assets/extension-with-logging/background.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 102482, "scanner": "repobility-threat-engine", "fingerprint": "de66ccac93a06d22330559e74c6a4ab96133cf0e6960395c0d8275c4acb63af5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de66ccac93a06d22330559e74c6a4ab96133cf0e6960395c0d8275c4acb63af5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-core/browser4-browser/src/main/resources/js/runtime_bridge.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 102478, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 102477, "scanner": "repobility-threat-engine", "fingerprint": "3381d5b46f439346afcb496a8e964e7cbe81d6f0c0fcd1123977c0764b0d16b0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3381d5b46f439346afcb496a8e964e7cbe81d6f0c0fcd1123977c0764b0d16b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/browser4-examples/src/main/kotlin/ai/platon/pulsar/examples/sites/topEc/chinese/TopEcCrawler.kt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 102476, "scanner": "repobility-threat-engine", "fingerprint": "a4725458706955315b0982b276ff9471990bf41c49b98f276195d28714c8a816", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a4725458706955315b0982b276ff9471990bf41c49b98f276195d28714c8a816"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/browser4-examples/src/main/kotlin/ai/platon/pulsar/examples/sites/tools/AutiBotCheck.kt"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 102475, "scanner": "repobility-threat-engine", "fingerprint": "fed1f9fca14b2fecfff24d6ad86ecf8a9d73d07190b604dddd7524911674328e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fed1f9fca14b2fecfff24d6ad86ecf8a9d73d07190b604dddd7524911674328e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-core/browser4-browser/src/main/kotlin/ai/platon/browser4/chrome/handler/transport/DevToolsEventListener.kt"}, "region": {"startLine": 89}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 102471, "scanner": "repobility-threat-engine", "fingerprint": "7195ad2ed9d17b05fb3343deb30e489e47b88806e32e44e36b1ae21ff4fb7c7d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "create_connection", "breakdown": {"if": 4, "elif": 2, "else": 1, "nested_bonus": 3}, "aggregated": true, "complexity": 10, "correlation_key": "fp|7195ad2ed9d17b05fb3343deb30e489e47b88806e32e44e36b1ae21ff4fb7c7d", "aggregated_count": 6}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 102464, "scanner": "repobility-threat-engine", "fingerprint": "457561288201dcf8c9f653dd7f221675c842853ed9a821fb7d4047c5ec2d7afd", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|32|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/kotlin/ai/platon/pulsar/agentic/tools/specs/ToolSpecification.kt"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 102463, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 102459, "scanner": "repobility-threat-engine", "fingerprint": "649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a"}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "properties": {"repobilityId": 102455, "scanner": "repobility-threat-engine", "fingerprint": "fcae1623cb3303039f322a8c75fd6b07027f5aab7dfad7ea777f937c044978bd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 42 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 42 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|fcae1623cb3303039f322a8c75fd6b07027f5aab7dfad7ea777f937c044978bd"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 102451, "scanner": "repobility-threat-engine", "fingerprint": "3c313ffa90def2891347230f1e2f1593c7d77b045fc2c100f98fcea101f1327d", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3c313ffa90def2891347230f1e2f1593c7d77b045fc2c100f98fcea101f1327d"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 102450, "scanner": "repobility-threat-engine", "fingerprint": "090c3b3b5162c6ded25644ac235ac217e9b5bedeee75b674d8fb04b26f170976", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|21|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agent-tools/src/main/kotlin/ai/platon/pulsar/agentic/tools/advanced/crawl/common/DegenerateXSQLScrapeHyperlink.kt"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 102449, "scanner": "repobility-threat-engine", "fingerprint": "915f2d6fec5631614a96db03beb2a63b93ef285f52373239ab6719cfd3e56cd3", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|26|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agent-tools/src/main/kotlin/ai/platon/pulsar/agentic/tools/advanced/crawl/common/AbstractScrapeHyperlink.kt"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 102448, "scanner": "repobility-threat-engine", "fingerprint": "78446ec324f52adb53673c212cf1e72ef11e0107e3dd81f75b3f4fd4a18a4ef2", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|25|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agent-tools/src/main/kotlin/ai/platon/pulsar/agentic/tools/advanced/agent/Models.kt"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102601, "scanner": "repobility-supply-chain", "fingerprint": "817216a3028de4ecc695f4a7a661bdf9345bb470881824dc2835ea58231acc0b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|817216a3028de4ecc695f4a7a661bdf9345bb470881824dc2835ea58231acc0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 1269}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102600, "scanner": "repobility-supply-chain", "fingerprint": "a5b7c166c2fbfe8926b91ac0e4fb85d7c218c2eab22c8e236be668597a73c334", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a5b7c166c2fbfe8926b91ac0e4fb85d7c218c2eab22c8e236be668597a73c334"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 1115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102599, "scanner": "repobility-supply-chain", "fingerprint": "7ec010ef80ae70c523926388f514a4ccf240bda7dd30d187caa9f846fb11fb0c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ec010ef80ae70c523926388f514a4ccf240bda7dd30d187caa9f846fb11fb0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 1108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102598, "scanner": "repobility-supply-chain", "fingerprint": "a8ece4f8ac607230c197c41f3399d7735d0d6a1a750acb7cd64e1c65acc82193", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8ece4f8ac607230c197c41f3399d7735d0d6a1a750acb7cd64e1c65acc82193"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 1101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102597, "scanner": "repobility-supply-chain", "fingerprint": "657defdf62c2e6b15da2a019f0ad3c71fd430366ce4efb5877fd8e02fcc91460", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|657defdf62c2e6b15da2a019f0ad3c71fd430366ce4efb5877fd8e02fcc91460"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 1095}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102596, "scanner": "repobility-supply-chain", "fingerprint": "7618ad21f20bb882baf62f7a9365afd22b1a324dfaa5503fd2ba1e3a6f75d316", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7618ad21f20bb882baf62f7a9365afd22b1a324dfaa5503fd2ba1e3a6f75d316"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 968}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102595, "scanner": "repobility-supply-chain", "fingerprint": "94167f04c9c25e0d4dd50ca062fc041d25442b85b41a5143f33461a42dccb3c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|94167f04c9c25e0d4dd50ca062fc041d25442b85b41a5143f33461a42dccb3c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 927}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102594, "scanner": "repobility-supply-chain", "fingerprint": "621ab7b374e5759e615eaf2bf331c67665ff46195f9f85219fbc5cbbf1f25adf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|621ab7b374e5759e615eaf2bf331c67665ff46195f9f85219fbc5cbbf1f25adf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 922}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102593, "scanner": "repobility-supply-chain", "fingerprint": "6f78e2521cc51918c05edbc9a8cc494ca8acdc0f530ef72c53638dcf19441820", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6f78e2521cc51918c05edbc9a8cc494ca8acdc0f530ef72c53638dcf19441820"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 905}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102592, "scanner": "repobility-supply-chain", "fingerprint": "c71036e61b118d1ebd1417562bfb4a3e3e7b11af9d5375702950c4855c46e762", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c71036e61b118d1ebd1417562bfb4a3e3e7b11af9d5375702950c4855c46e762"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 857}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102591, "scanner": "repobility-supply-chain", "fingerprint": "1b21f852b8fbd15b98f5d2d1edef55b471a6d39bdcb11406fee32b3d91c34acc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b21f852b8fbd15b98f5d2d1edef55b471a6d39bdcb11406fee32b3d91c34acc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 851}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102590, "scanner": "repobility-supply-chain", "fingerprint": "9a1ccd7610ddb8048185e5b4123a394c921a2e6a2a95b9ea664e9d2cb81b452d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a1ccd7610ddb8048185e5b4123a394c921a2e6a2a95b9ea664e9d2cb81b452d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 812}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102589, "scanner": "repobility-supply-chain", "fingerprint": "f8a2152cb420dc6778eb7854ef3959b80dcebcfdbd3247d1e3bbc82888e3c794", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f8a2152cb420dc6778eb7854ef3959b80dcebcfdbd3247d1e3bbc82888e3c794"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 739}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102588, "scanner": "repobility-supply-chain", "fingerprint": "e05740949203f9b2803bfe82424834719282f1efe832172402999c4bd8954789", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e05740949203f9b2803bfe82424834719282f1efe832172402999c4bd8954789"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 734}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102587, "scanner": "repobility-supply-chain", "fingerprint": "a14cf393ab389bc8debcac8777f162ec3e20a44855e8823761266181d1ddb2ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a14cf393ab389bc8debcac8777f162ec3e20a44855e8823761266181d1ddb2ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 593}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102586, "scanner": "repobility-supply-chain", "fingerprint": "206fb2cf97929227ac4da8eb9af4c022a5cf1767311cd64a7ed0036b463a3939", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|206fb2cf97929227ac4da8eb9af4c022a5cf1767311cd64a7ed0036b463a3939"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 585}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102585, "scanner": "repobility-supply-chain", "fingerprint": "fc9fdd68a3f9a62dcb9e5dbe8115ddcbc8c4bf569f2245ab8bac94a9c0848c47", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc9fdd68a3f9a62dcb9e5dbe8115ddcbc8c4bf569f2245ab8bac94a9c0848c47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 269}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102584, "scanner": "repobility-supply-chain", "fingerprint": "4c584163390972d495b0d13970db10afc651b6ac626cee004c918171941bcc62", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c584163390972d495b0d13970db10afc651b6ac626cee004c918171941bcc62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102583, "scanner": "repobility-supply-chain", "fingerprint": "25c1239d04b9d22cf8acd3c94941248150c2ae100862b83e81455ea8e352b29d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25c1239d04b9d22cf8acd3c94941248150c2ae100862b83e81455ea8e352b29d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102582, "scanner": "repobility-supply-chain", "fingerprint": "fe92daf4c3683e47f969e1fe87aa4a8ff5e9a89228728610bf0f5dc2ef2892da", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe92daf4c3683e47f969e1fe87aa4a8ff5e9a89228728610bf0f5dc2ef2892da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102581, "scanner": "repobility-supply-chain", "fingerprint": "1bb1c9602bc6552e4f8dfb2014f1404c513bd8488372bf4309d9381e3cbb7143", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1bb1c9602bc6552e4f8dfb2014f1404c513bd8488372bf4309d9381e3cbb7143"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102580, "scanner": "repobility-supply-chain", "fingerprint": "8fb86071ca27cc70ffa5d61d8904b6f2a54ab035ddbb96755292b8f7a3768532", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fb86071ca27cc70ffa5d61d8904b6f2a54ab035ddbb96755292b8f7a3768532"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102579, "scanner": "repobility-supply-chain", "fingerprint": "2c7147903902acc1df33ac1716cb46ebbc507805f1148ff39edc5415ce771d18", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c7147903902acc1df33ac1716cb46ebbc507805f1148ff39edc5415ce771d18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102578, "scanner": "repobility-supply-chain", "fingerprint": "756db1a7b12e839126e64b6bd6c925b9b7159e107e44bb6105e4c30f1ae3850e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|756db1a7b12e839126e64b6bd6c925b9b7159e107e44bb6105e4c30f1ae3850e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 102577, "scanner": "repobility-supply-chain", "fingerprint": "4d01538d49d55778d6ae34cc20eea1017771f46c9c304c0fb1f68ebd93956ce3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d01538d49d55778d6ae34cc20eea1017771f46c9c304c0fb1f68ebd93956ce3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `rust:1.94-bookworm` not pinned by digest: `FROM rust:1.94-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 102576, "scanner": "repobility-supply-chain", "fingerprint": "968dc910ea29857e9a4b5fbd1b1497f9d2998e50da645e75004645a11649ddf0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|968dc910ea29857e9a4b5fbd1b1497f9d2998e50da645e75004645a11649ddf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/docker/Dockerfile.build"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `eclipse-temurin:21-jre-alpine` not pinned by digest: `FROM eclipse-temurin:21-jre-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 102575, "scanner": "repobility-supply-chain", "fingerprint": "e761570caed0024ce36b9d12fe1eed03c5ad6661109ac96d7e2a332919766330", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e761570caed0024ce36b9d12fe1eed03c5ad6661109ac96d7e2a332919766330"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `maven:3.9.9-eclipse-temurin-21-alpine` not pinned by digest: `FROM maven:3.9.9-eclipse-temurin-21-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 102574, "scanner": "repobility-supply-chain", "fingerprint": "53c4248f81963e33101d7d34c7af4b93a2b2dac8626f0348d4133d4299bd9acf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|53c4248f81963e33101d7d34c7af4b93a2b2dac8626f0348d4133d4299bd9acf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `eclipse-temurin:21-jre-alpine` not pinned by digest: `FROM eclipse-temurin:21-jre-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 102573, "scanner": "repobility-supply-chain", "fingerprint": "487b902136c97031e05a7c6da24162c89b607c223d582cd906002ee47c5b0346", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|487b902136c97031e05a7c6da24162c89b607c223d582cd906002ee47c5b0346"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.fast"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_entry_height_too_small` of class `TestGetBoundingBoxMessages` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102570, "scanner": "repobility-ast-engine", "fingerprint": "6c5b58d38adc0e21ade0461a92f82a9a447a167de963fa9842761151c91dda87", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6c5b58d38adc0e21ade0461a92f82a9a447a167de963fa9842761151c91dda87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.create_json_stream` used but never assigned in __init__: Method `test_entry_height_too_small` of class `TestGetBoundingBoxMessages` reads `self.create_json_stream`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102569, "scanner": "repobility-ast-engine", "fingerprint": "f1bed562ef938157d391f2f7d05816b8253b9a2755284cc4af69b98bbf014717", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f1bed562ef938157d391f2f7d05816b8253b9a2755284cc4af69b98bbf014717"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertFalse` used but never assigned in __init__: Method `test_different_pages_no_intersection` of class `TestGetBoundingBoxMessages` reads `self.assertFalse`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102568, "scanner": "repobility-ast-engine", "fingerprint": "41345f88415af1367be7473ddc91a0be06209a4a54dfb7366887ae7715e48e68", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|41345f88415af1367be7473ddc91a0be06209a4a54dfb7366887ae7715e48e68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_different_pages_no_intersection` of class `TestGetBoundingBoxMessages` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102567, "scanner": "repobility-ast-engine", "fingerprint": "4e30f41a00632d00877fe18a69a6f6f4882bc7b93ebb4e54326285815aa7b2a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e30f41a00632d00877fe18a69a6f6f4882bc7b93ebb4e54326285815aa7b2a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.create_json_stream` used but never assigned in __init__: Method `test_different_pages_no_intersection` of class `TestGetBoundingBoxMessages` reads `self.create_json_stream`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102566, "scanner": "repobility-ast-engine", "fingerprint": "35e59f96a500c12433410decc623393371600f6ce21129063c3d4228c4a68c98", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|35e59f96a500c12433410decc623393371600f6ce21129063c3d4228c4a68c98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertFalse` used but never assigned in __init__: Method `test_intersection_between_different_fields` of class `TestGetBoundingBoxMessages` reads `self.assertFalse`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102565, "scanner": "repobility-ast-engine", "fingerprint": "e96576935d76234b28bf309981cdbea8b1d3ef5e889f4203defe4a257cdd1c48", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e96576935d76234b28bf309981cdbea8b1d3ef5e889f4203defe4a257cdd1c48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_intersection_between_different_fields` of class `TestGetBoundingBoxMessages` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102564, "scanner": "repobility-ast-engine", "fingerprint": "790a4dfaf7aed980a258b1957d470187928ce862a28de0876ba0cc6e203d9a6a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|790a4dfaf7aed980a258b1957d470187928ce862a28de0876ba0cc6e203d9a6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.create_json_stream` used but never assigned in __init__: Method `test_intersection_between_different_fields` of class `TestGetBoundingBoxMessages` reads `self.create_json_stream`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102563, "scanner": "repobility-ast-engine", "fingerprint": "e21c401474b82a20b31b5fd1c0028b1823070ddf9f6729a7aa2f1629d1f45d98", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e21c401474b82a20b31b5fd1c0028b1823070ddf9f6729a7aa2f1629d1f45d98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertFalse` used but never assigned in __init__: Method `test_label_entry_intersection_same_field` of class `TestGetBoundingBoxMessages` reads `self.assertFalse`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102562, "scanner": "repobility-ast-engine", "fingerprint": "950d1d11d55bfdfcdae1d3baffb199eb5ed8e32f7531357c6e3a7a6a543e9bc6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|950d1d11d55bfdfcdae1d3baffb199eb5ed8e32f7531357c6e3a7a6a543e9bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_label_entry_intersection_same_field` of class `TestGetBoundingBoxMessages` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102561, "scanner": "repobility-ast-engine", "fingerprint": "27d5b7a89813c3c1b0ffbeea6968cb8882e078aa040983c7efa3e5fc62fa06a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|27d5b7a89813c3c1b0ffbeea6968cb8882e078aa040983c7efa3e5fc62fa06a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.create_json_stream` used but never assigned in __init__: Method `test_label_entry_intersection_same_field` of class `TestGetBoundingBoxMessages` reads `self.create_json_stream`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102560, "scanner": "repobility-ast-engine", "fingerprint": "de771e9a9e8b05e7aea515045739f9e670c6e71ae66afa0b48b110914692263e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de771e9a9e8b05e7aea515045739f9e670c6e71ae66afa0b48b110914692263e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertFalse` used but never assigned in __init__: Method `test_no_intersections` of class `TestGetBoundingBoxMessages` reads `self.assertFalse`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102559, "scanner": "repobility-ast-engine", "fingerprint": "29d69057b812da506b6ac5ca261e17295fbdd6df034c53bbb286729f82e383a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|29d69057b812da506b6ac5ca261e17295fbdd6df034c53bbb286729f82e383a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_no_intersections` of class `TestGetBoundingBoxMessages` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102558, "scanner": "repobility-ast-engine", "fingerprint": "8bec57721d0f9a564874a0d90f5671eb71b7c637b4c84fa30069f33d4e1fb01b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8bec57721d0f9a564874a0d90f5671eb71b7c637b4c84fa30069f33d4e1fb01b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.create_json_stream` used but never assigned in __init__: Method `test_no_intersections` of class `TestGetBoundingBoxMessages` reads `self.create_json_stream`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102557, "scanner": "repobility-ast-engine", "fingerprint": "6dfbf37e8a32476945f1544119a9a129d81f37b7f1238a6b1bb00e72d7eec6be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6dfbf37e8a32476945f1544119a9a129d81f37b7f1238a6b1bb00e72d7eec6be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes_test.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._create_context` used but never assigned in __init__: Method `__aenter__` of class `MCPConnection` reads `self._create_context`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102554, "scanner": "repobility-ast-engine", "fingerprint": "c59d049ae7af90d1995725d40a03a351bae96e575c7e12bad0b8bdbd135f5216", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c59d049ae7af90d1995725d40a03a351bae96e575c7e12bad0b8bdbd135f5216"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/mcp-builder/scripts/connections.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.check_file` used but never assigned in __init__: Method `run` of class `LinkChecker` reads `self.check_file`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102549, "scanner": "repobility-ast-engine", "fingerprint": "5275a39ab6a041b242dc0702808248b8db2aedf48d6b3421f3a1e5da43382c82", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5275a39ab6a041b242dc0702808248b8db2aedf48d6b3421f3a1e5da43382c82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 375}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.find_documentation_files` used but never assigned in __init__: Method `run` of class `LinkChecker` reads `self.find_documentation_files`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102548, "scanner": "repobility-ast-engine", "fingerprint": "435cc11d060e70e456fa7914af915001ed538f3e9a59b225f4f317add660b097", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|435cc11d060e70e456fa7914af915001ed538f3e9a59b225f4f317add660b097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 361}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.check_link` used but never assigned in __init__: Method `check_file` of class `LinkChecker` reads `self.check_link`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102547, "scanner": "repobility-ast-engine", "fingerprint": "5b81da77ee177c8b69dcc2610771035e0bf1660bd1a9c827c1aa2d8ea6df5915", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5b81da77ee177c8b69dcc2610771035e0bf1660bd1a9c827c1aa2d8ea6df5915"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 350}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.extract_links_from_file` used but never assigned in __init__: Method `check_file` of class `LinkChecker` reads `self.extract_links_from_file`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102546, "scanner": "repobility-ast-engine", "fingerprint": "d5e8016f99e1afa6bfc0a527a36bb4405973579192344c3d508ebb78957e90f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d5e8016f99e1afa6bfc0a527a36bb4405973579192344c3d508ebb78957e90f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 346}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.check_internal_link` used but never assigned in __init__: Method `check_link` of class `LinkChecker` reads `self.check_internal_link`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102545, "scanner": "repobility-ast-engine", "fingerprint": "279f0e083b37f05c018083991a0d63d46836f186d568dbbbdaf4562d59aa6c83", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|279f0e083b37f05c018083991a0d63d46836f186d568dbbbdaf4562d59aa6c83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 317}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._is_localhost_url` used but never assigned in __init__: Method `check_link` of class `LinkChecker` reads `self._is_localhost_url`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102544, "scanner": "repobility-ast-engine", "fingerprint": "6a0355c4efa96a9fbbddf7c9fd1b466b451469b8fa2253183ed92329df49c67a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6a0355c4efa96a9fbbddf7c9fd1b466b451469b8fa2253183ed92329df49c67a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 302}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.check_external_link` used but never assigned in __init__: Method `check_link` of class `LinkChecker` reads `self.check_external_link`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102543, "scanner": "repobility-ast-engine", "fingerprint": "2f8e1a4d9165c7ba29c6ddc8b31218e7e425082338afa2d34898f4fcaaae7535", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f8e1a4d9165c7ba29c6ddc8b31218e7e425082338afa2d34898f4fcaaae7535"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._should_skip_url` used but never assigned in __init__: Method `extract_links_from_file` of class `LinkChecker` reads `self._should_skip_url`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102542, "scanner": "repobility-ast-engine", "fingerprint": "196945acf4fb569675e44867eeeadc4986b18902f8437a2e08d5bbdd95ec3b5c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|196945acf4fb569675e44867eeeadc4986b18902f8437a2e08d5bbdd95ec3b5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.should_skip_file` used but never assigned in __init__: Method `find_documentation_files` of class `LinkChecker` reads `self.should_skip_file`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102541, "scanner": "repobility-ast-engine", "fingerprint": "19673e799e53335782e07c776a4e2c6623f3e2708dd5d35ed19623a94f183156", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|19673e799e53335782e07c776a4e2c6623f3e2708dd5d35ed19623a94f183156"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.should_skip_file` used but never assigned in __init__: Method `find_documentation_files` of class `LinkChecker` reads `self.should_skip_file`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 102540, "scanner": "repobility-ast-engine", "fingerprint": "939695b8b2810909225331f39358ba2aab12e4fdfc2a98fb61f52ae6ebbc7c17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|939695b8b2810909225331f39358ba2aab12e4fdfc2a98fb61f52ae6ebbc7c17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/quality/fix-links.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 102536, "scanner": "repobility-journey-contract", "fingerprint": "b9a11ad85b59677d2614c41109a8447d260e61b89eb045da8985590997b40606", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|5|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-tests/browser4-tests-common/src/main/resources/static/assets/screenshots/controls.html"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /{id}/result."}, "properties": {"repobilityId": 102528, "scanner": "repobility-access-control", "fingerprint": "da2781d46e8ebc13526bf2743d79b485c7dbdc88858dbaad363190d13fd0fe02", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{id}/result", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|127|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/controller/SwarmController.kt"}, "region": {"startLine": 127}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /{uuid}/stream."}, "properties": {"repobilityId": 102527, "scanner": "repobility-access-control", "fingerprint": "e348ab14af9a23e71120409a83a07cb098c3c6ab3b0832138eafac409e190b7b", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{uuid}/stream", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|65|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/controller/ExtractionController.kt"}, "region": {"startLine": 65}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /{uuid}."}, "properties": {"repobilityId": 102526, "scanner": "repobility-access-control", "fingerprint": "a3d7866d6dee7f8ba45564ce19ea3e3f8fa8eb6b8ba34a66dffbc679a89d70d7", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{uuid}", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|51|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/controller/ExtractionController.kt"}, "region": {"startLine": 51}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /{id}/result."}, "properties": {"repobilityId": 102525, "scanner": "repobility-access-control", "fingerprint": "c3822fce614bfe11b8898286c9e003911aef8711079d7817269a0c40346d0f79", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{id}/result", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|120|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/controller/ScrapeController.kt"}, "region": {"startLine": 120}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /{id}/stream."}, "properties": {"repobilityId": 102524, "scanner": "repobility-access-control", "fingerprint": "a95a5fd0cccc708ce36a42a849ece89611d473997c0dd3909d75d70be3733247", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{id}/stream", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|82|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/controller/ConversationController.kt"}, "region": {"startLine": 82}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /{id}."}, "properties": {"repobilityId": 102523, "scanner": "repobility-access-control", "fingerprint": "398bc81076004d15141c2715bfd4ad60d411fb9f2da2e59154af828576fd2c8b", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{id}", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|68|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/controller/ConversationController.kt"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 102514, "scanner": "repobility-docker", "fingerprint": "11addb5e9a4d29977edc18889edbc418d4512932f393eaf17855bfc710e4ba2b", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "27017:27017", "target": "27017", "host_ip": "", "published": "27017"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mongodb", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|11addb5e9a4d29977edc18889edbc418d4512932f393eaf17855bfc710e4ba2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 102497, "scanner": "repobility-threat-engine", "fingerprint": "8ce022e33ea2fb0ab26e817ecb414f6265f06d981bdf03543adafe7e5e7459c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8ce022e33ea2fb0ab26e817ecb414f6265f06d981bdf03543adafe7e5e7459c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/scripts/publish-if-needed.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 102494, "scanner": "repobility-threat-engine", "fingerprint": "4c1fc215d81cda00651e0d932189e469838c0d069feab527ba744e43d7d11e2c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4c1fc215d81cda00651e0d932189e469838c0d069feab527ba744e43d7d11e2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/browser4-cli/src/state.rs"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 102493, "scanner": "repobility-threat-engine", "fingerprint": "1456db43669155dd7be3ad0dd54c9cba69b3c73df7c4c0a0c980e19253a4d70b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1456db43669155dd7be3ad0dd54c9cba69b3c73df7c4c0a0c980e19253a4d70b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/browser4-cli/src/snapshot.rs"}, "region": {"startLine": 134}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 102488, "scanner": "repobility-threat-engine", "fingerprint": "54701ab05507e4d828898d4afcb243e4553669624757fdc8bc933ca397a90e8a", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|54701ab05507e4d828898d4afcb243e4553669624757fdc8bc933ca397a90e8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-core/browser4-skeleton/src/main/kotlin/ai/platon/pulsar/skeleton/workflow/parse/ParserConfigReader.kt"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "properties": {"repobilityId": 102480, "scanner": "repobility-threat-engine", "fingerprint": "76dc5825cae7561e7bf6bb1c96afde315fdda4b29bac951530838a8cedff6f2c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|76dc5825cae7561e7bf6bb1c96afde315fdda4b29bac951530838a8cedff6f2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-core/browser4-skeleton/src/main/kotlin/ai/platon/pulsar/skeleton/workflow/parse/ParserConfigReader.kt"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "properties": {"repobilityId": 102479, "scanner": "repobility-threat-engine", "fingerprint": "6f67e52c3c0ffbd09ad65ec685277bf7979a251828d4cf4163ebd2652ec03247", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f67e52c3c0ffbd09ad65ec685277bf7979a251828d4cf4163ebd2652ec03247"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-core/browser4-browser/src/main/kotlin/ai/platon/browser4/chrome/handler/transport/KtorTransport.kt"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 102474, "scanner": "repobility-threat-engine", "fingerprint": "6d75892928d60347e802131f0d3cff94ccc860d58a8b21da5a7140509cd9fba1", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(@Request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|41|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-rest/src/main/kotlin/ai/platon/pulsar/rest/api/controller/SwarmController.kt"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 102473, "scanner": "repobility-threat-engine", "fingerprint": "2a33bb5046b16e0d1a7d5c9be4c5ddf587094ee5485466a92e4439677e260e33", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(request, timeout=REQUEST", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|58|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/weather/scripts/get_weather.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 102472, "scanner": "repobility-threat-engine", "fingerprint": "31933f8d85bce10b34d9c223d5e905f94fd3a3f6f2429d24c57a5ab692e8aa98", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|16|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/create_validation_image.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `get_field_info` has cognitive complexity 34 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=2, elif=1, else=1, except=1, for=4, if=6, nested_bonus=19."}, "properties": {"repobilityId": 102470, "scanner": "repobility-threat-engine", "fingerprint": "6a0e57bb4543a4729ae6249e4c621b0dcb652c87769c518074f546c331ba0cda", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 34 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_field_info", "breakdown": {"if": 6, "for": 4, "elif": 1, "else": 1, "except": 1, "continue": 2, "nested_bonus": 19}, "complexity": 34, "correlation_key": "fp|6a0e57bb4543a4729ae6249e4c621b0dcb652c87769c518074f546c331ba0cda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/extract_form_field_info.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `get_bounding_box_messages` has cognitive complexity 31 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, for=3, if=8, nested_bonus=19."}, "properties": {"repobilityId": 102469, "scanner": "repobility-threat-engine", "fingerprint": "751f2369d00688a8968341b402dca9de0982a28485c825983717ec40f76297c0", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 31 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_bounding_box_messages", "breakdown": {"if": 8, "for": 3, "else": 1, "nested_bonus": 19}, "complexity": 31, "correlation_key": "fp|751f2369d00688a8968341b402dca9de0982a28485c825983717ec40f76297c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/check_bounding_boxes.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 102467, "scanner": "repobility-threat-engine", "fingerprint": "ee89368181c0de050bcfb6171f2628874080f2f602a0207004ff5060e498a0ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ee89368181c0de050bcfb6171f2628874080f2f602a0207004ff5060e498a0ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/mcp-builder/scripts/connections.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 102462, "scanner": "repobility-threat-engine", "fingerprint": "7bcf280bd96a0c81cc9f0a96dc10103de26073fc3a4ba5200720ca59f056ee32", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "img.save(output_path)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7bcf280bd96a0c81cc9f0a96dc10103de26073fc3a4ba5200720ca59f056ee32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/create_validation_image.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 102461, "scanner": "repobility-threat-engine", "fingerprint": "a92bce86f26775bc3861a0e974021206335860240c53a5168413cff8fc95e348", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "image.save(image_path)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a92bce86f26775bc3861a0e974021206335860240c53a5168413cff8fc95e348"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/pdf/scripts/convert_pdf_to_images.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 102460, "scanner": "repobility-threat-engine", "fingerprint": "0eb85df9f7edfb32a611f769ec33acd4d883814928f60a2120a3a9f0c41b7284", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Resource.create(\n                Attributes.builder()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0eb85df9f7edfb32a611f769ec33acd4d883814928f60a2120a3a9f0c41b7284"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/kotlin/ai/platon/pulsar/agentic/observability/OpenTelemetryConfig.kt"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 102458, "scanner": "repobility-threat-engine", "fingerprint": "fa03fd4c36adf4ab887777409c1398f2787e340845de6e0e0fb0cd0e0641c6b6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fa03fd4c36adf4ab887777409c1398f2787e340845de6e0e0fb0cd0e0641c6b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/resources/skills/mcp-builder/scripts/connections.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 102457, "scanner": "repobility-threat-engine", "fingerprint": "c2bdffe7f7c5768a129bf1b31edb8ba3260304ab62767a49d7e61540a608ba3a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c2bdffe7f7c5768a129bf1b31edb8ba3260304ab62767a49d7e61540a608ba3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/kotlin/ai/platon/pulsar/agentic/tools/util/ActionValidator.kt"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 102456, "scanner": "repobility-threat-engine", "fingerprint": "ecdcb88540f509cae475c2a98d8a06d428317d7a5b93109ef3646499a7c0c80f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ecdcb88540f509cae475c2a98d8a06d428317d7a5b93109ef3646499a7c0c80f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agentic/src/main/kotlin/ai/platon/pulsar/agentic/context/sql/AbstractBrowser4SQLContext.kt"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 102454, "scanner": "repobility-threat-engine", "fingerprint": "1a5ab8fa250028365b29a1511f0a21dc10c35a9d42e57fec651433eb774bd3b1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(session", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a5ab8fa250028365b29a1511f0a21dc10c35a9d42e57fec651433eb774bd3b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agent-tools/src/main/kotlin/ai/platon/pulsar/agentic/tools/advanced/crawl/service/ScrapeService.kt"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 102453, "scanner": "repobility-threat-engine", "fingerprint": "f7a5bae36984e02877c97e67eb04e2d8652b2c52854d274a1c69c5ae1f76e2be", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(page", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f7a5bae36984e02877c97e67eb04e2d8652b2c52854d274a1c69c5ae1f76e2be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agent-tools/src/main/kotlin/ai/platon/pulsar/agentic/tools/advanced/crawl/common/XSQLScrapeHyperlink.kt"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 102452, "scanner": "repobility-threat-engine", "fingerprint": "e7fcf8b6776a64d1348d6f43e7afe8b277c6601c05a98c7c323be342b910c0f6", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(page", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e7fcf8b6776a64d1348d6f43e7afe8b277c6601c05a98c7c323be342b910c0f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser4-agent-tools/src/main/kotlin/ai/platon/pulsar/agentic/tools/advanced/crawl/common/DegenerateXSQLScrapeHyperlink.kt"}, "region": {"startLine": 30}}}]}]}]}