{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED109", "name": "[MINED109] Mutable default argument in `get_results` (list): `def get_results(... = []/{}/set())` \u2014 Python's default val", "shortDescription": {"text": "[MINED109] Mutable default argument in `get_results` (list): `def get_results(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for e"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def get_results(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `compute_params` has cognitive complexity 15 (SonarSource scale). Cognitiv", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `compute_params` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursio"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 15."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Remove generated output from version control, add it to .gitignore and .dockerignore where relevant, and regenerate it in CI or release jobs."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.", "shortDescription": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED011", "name": "[MINED011] Scala Get On Option (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED011] Scala Get On Option (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 93 more): Same pattern found in 93 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 93 more): Same pattern found in 93 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED063", "name": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use.", "shortDescription": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-367 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v6`: `uses: actions/github-script@v6` resolves at work", "shortDescription": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v6`: `uses: actions/github-script@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise"}, "fullDescription": {"text": "Replace with: `uses: actions/github-script@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `dockcross/manylinux_2_28-x64:latest` unpinned: `container/services image: ", "shortDescription": {"text": "[MINED126] Workflow container/services image `dockcross/manylinux_2_28-x64:latest` unpinned: `container/services image: dockcross/manylinux_2_28-x64:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow cont"}, "fullDescription": {"text": "Replace with `dockcross/manylinux_2_28-x64:latest@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testInvalidUsageCommentNotSafety` of class `C", "shortDescription": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testInvalidUsageCommentNotSafety` of class `CheckUnsafeBuffersSafetyCommentsTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-"}, "fullDescription": {"text": "Initialize `self.assertEqual = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `enum` used but not imported: The file uses `enum.something(...)` but never imports `enum`. T", "shortDescription": {"text": "[MINED107] Missing import: `enum` used but not imported: The file uses `enum.something(...)` but never imports `enum`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import enum` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1383"}, "properties": {"repository": "google/dawn", "repoUrl": "https://github.com/google/dawn", "branch": "main"}, "results": [{"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `get_results` (list): `def get_results(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 141360, "scanner": "repobility-ast-engine", "fingerprint": "0c24615f30bf145716b95d155f2dd38bfb11ce64193a330c6bce5a71d171110c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c24615f30bf145716b95d155f2dd38bfb11ce64193a330c6bce5a71d171110c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/perf_test_runner.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 141356, "scanner": "repobility-ast-engine", "fingerprint": "f71ab9029c93180fff989555549ace49bf007da238c457c8d497e0254d7e831e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f71ab9029c93180fff989555549ace49bf007da238c457c8d497e0254d7e831e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator/dawn_version_generator.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 141355, "scanner": "repobility-ast-engine", "fingerprint": "325bb032953770987fae4e499b8a38b896a2dbb70adf561428f8473e6b27e889", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|325bb032953770987fae4e499b8a38b896a2dbb70adf561428f8473e6b27e889"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator/dawn_version_generator.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 141302, "scanner": "repobility-threat-engine", "fingerprint": "ef44b10dbc9224e285e0275d37ac0d7f8a79d74ad7d5bbffb4ad1f186e09f0e3", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|86|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tint/lang/core/ir/evaluator.h"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 141301, "scanner": "repobility-threat-engine", "fingerprint": "434f528f365206e31cd5111f4d26798f5ab7f33de6047ece4a71c6e45e95804b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|60|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tint/cmd/fuzz/common/runner.h"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 141300, "scanner": "repobility-threat-engine", "fingerprint": "c7e55b44e0e6eadf4ce5092966e1188fb40406c2779325f8d458b05693c72385", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|51|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/common/TypeTraits.h"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 141287, "scanner": "repobility-threat-engine", "fingerprint": "2e838d95f32864d80dca4215e84039edb21a1898152b110c48bb65735bf1dbb5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n                return [get_git_head(dawn_dir)\n                        ] + get_git_resolved_hea", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e838d95f32864d80dca4215e84039edb21a1898152b110c48bb65735bf1dbb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator/dawn_version_generator.py"}, "region": {"startLine": 161}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `compute_params` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, for=8, if=3, nested_bonus=3."}, "properties": {"repobilityId": 141285, "scanner": "repobility-threat-engine", "fingerprint": "a4f232f35b85e4969f89d6538b24db9744105a92f7dd6613d2072b505a0d80df", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 15 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "compute_params", "breakdown": {"if": 3, "for": 8, "continue": 1, "nested_bonus": 3}, "complexity": 15, "correlation_key": "fp|a4f232f35b85e4969f89d6538b24db9744105a92f7dd6613d2072b505a0d80df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator/opengl_loader_generator.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `__init__` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, for=3, if=4, nested_bonus=8."}, "properties": {"repobilityId": 141284, "scanner": "repobility-threat-engine", "fingerprint": "fbc3a1e9f3bcaf1e65be9e7b0548495e60e95ae59568932690acf4e324a7c875", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 16 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "__init__", "breakdown": {"if": 4, "for": 3, "continue": 1, "nested_bonus": 8}, "complexity": 16, "correlation_key": "fp|fbc3a1e9f3bcaf1e65be9e7b0548495e60e95ae59568932690acf4e324a7c875"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator/dawn_gpu_info_generator.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141329, "scanner": "repobility-ai-code-hygiene", "fingerprint": "418bbbae8487737f2cb602ff4851c1cde9fb0bd9d85b84265fb55d022f8f18be", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/dawn/native/d3d11/PhysicalDeviceD3D11.h", "duplicate_line": 16, "correlation_key": "fp|418bbbae8487737f2cb602ff4851c1cde9fb0bd9d85b84265fb55d022f8f18be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/d3d12/PhysicalDeviceD3D12.h"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141328, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11a6add90df306f69c51e223b5c294a7a5fc33dab6cd2735ef8b6940e7c1a514", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/dawn/native/d3d11/PhysicalDeviceD3D11.cpp", "duplicate_line": 223, "correlation_key": "fp|11a6add90df306f69c51e223b5c294a7a5fc33dab6cd2735ef8b6940e7c1a514"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/d3d12/PhysicalDeviceD3D12.cpp"}, "region": {"startLine": 553}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141327, "scanner": "repobility-ai-code-hygiene", "fingerprint": "03718f71f52ffa414a61a3072c6d1e737a77217ae7cfd4a42ab00aac6a2b04bd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/dawn/native/d3d11/Forward.h", "duplicate_line": 2, "correlation_key": "fp|03718f71f52ffa414a61a3072c6d1e737a77217ae7cfd4a42ab00aac6a2b04bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/d3d12/Forward.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141326, "scanner": "repobility-ai-code-hygiene", "fingerprint": "35b7ad75017710b594d41f23fb8cc555e24e9eb7281f7067b02f552efc217165", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/dawn/native/d3d11/DeviceD3D11.h", "duplicate_line": 75, "correlation_key": "fp|35b7ad75017710b594d41f23fb8cc555e24e9eb7281f7067b02f552efc217165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/d3d12/DeviceD3D12.h"}, "region": {"startLine": 96}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141325, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2723ae4897123d99c420b782901fdeb318f9d47ddc740176c4a5bf9156dc2b32", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/dawn/native/d3d11/DeviceD3D11.cpp", "duplicate_line": 148, "correlation_key": "fp|2723ae4897123d99c420b782901fdeb318f9d47ddc740176c4a5bf9156dc2b32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/d3d12/DeviceD3D12.cpp"}, "region": {"startLine": 241}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141324, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06981eaa4359b86e499a2d99d34f0c13542705a5fe98a29e5f101e24ff97a5ca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/dawn/native/d3d11/RenderPipelineD3D11.cpp", "duplicate_line": 318, "correlation_key": "fp|06981eaa4359b86e499a2d99d34f0c13542705a5fe98a29e5f101e24ff97a5ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/d3d12/ComputePipelineD3D12.cpp"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141323, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c3c26257ba302cdd48b5e19fa9a445766ebab55802b6988a2326396f2410ec7a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/dawn/native/ComputePassEncoder.cpp", "duplicate_line": 358, "correlation_key": "fp|c3c26257ba302cdd48b5e19fa9a445766ebab55802b6988a2326396f2410ec7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/RenderEncoderBase.cpp"}, "region": {"startLine": 528}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141322, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb31b4df812c919ee0f2044509bb52c29ec58cda29bde98547d21f4f0b34c2ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/dawn/glfw/utils.cpp", "duplicate_line": 1, "correlation_key": "fp|eb31b4df812c919ee0f2044509bb52c29ec58cda29bde98547d21f4f0b34c2ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/glfw/utils_emscripten.cpp"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 141321, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dfc933dcd391c5330143114032daf8406c4de38a9690a61f3272979c7683db0b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/merge_scripts/generate_tint_fuzz_corpora.py", "duplicate_line": 8, "correlation_key": "fp|dfc933dcd391c5330143114032daf8406c4de38a9690a61f3272979c7683db0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/merge_scripts/generate_wire_trace_fuzz_corpora.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 141320, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "build", "references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 141299, "scanner": "repobility-threat-engine", "fingerprint": "29f73e3b05ee116c51bb828e1b415cfaf9553f11779300cac828830aae8be972", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"DynamicLib.Open: \" + filename + \" Windows Error: \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|29f73e3b05ee116c51bb828e1b415cfaf9553f11779300cac828830aae8be972"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/common/DynamicLib.cpp"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 141313, "scanner": "repobility-threat-engine", "fingerprint": "4cb8b0bd4ee66aafd08b91774ac4b84d42af1eea7c4d59811057ea8d0a17ea90", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4cb8b0bd4ee66aafd08b91774ac4b84d42af1eea7c4d59811057ea8d0a17ea90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tint/lang/msl/validate/validate_metal.mm"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 141312, "scanner": "repobility-threat-engine", "fingerprint": "7b3d2e836a40230caea27b5300360304a3bbe9f9d228e2c6841a22adac7f5891", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b3d2e836a40230caea27b5300360304a3bbe9f9d228e2c6841a22adac7f5891"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/metal/QueueMTL.mm"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 141311, "scanner": "repobility-threat-engine", "fingerprint": "1aa85ae1b7552730ee09a1deb6985fee6355d36be726a76e4ec378ff5b7204aa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1aa85ae1b7552730ee09a1deb6985fee6355d36be726a76e4ec378ff5b7204aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/metal/PipelineLayoutMTL.mm"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED011", "level": "none", "message": {"text": "[MINED011] Scala Get On Option (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 141310, "scanner": "repobility-threat-engine", "fingerprint": "26e3bc9d31062004f1edd8b097546841b4f39e3ab771faaaabe7ad61c20ec00a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|26e3bc9d31062004f1edd8b097546841b4f39e3ab771faaaabe7ad61c20ec00a", "aggregated_count": 5}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 93 more): Same pattern found in 93 additional files. Review if needed."}, "properties": {"repobilityId": 141306, "scanner": "repobility-threat-engine", "fingerprint": "0c43024dce10295b69ac9d3a3283cf6d978062df8610731bf66b6555f026d683", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 93 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c43024dce10295b69ac9d3a3283cf6d978062df8610731bf66b6555f026d683", "aggregated_count": 93}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 141305, "scanner": "repobility-threat-engine", "fingerprint": "c643c762bbbdedc00226ca2441d08cb90e5ce3614071ee860df4339b0984c0de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c643c762bbbdedc00226ca2441d08cb90e5ce3614071ee860df4339b0984c0de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/BuddyAllocator.cpp"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 141304, "scanner": "repobility-threat-engine", "fingerprint": "6f4334e9c1da9d441a2507a323a8fbec75c383798496d19013b2438d2c6fcd8e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f4334e9c1da9d441a2507a323a8fbec75c383798496d19013b2438d2c6fcd8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/BindGroupLayout.cpp"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 141303, "scanner": "repobility-threat-engine", "fingerprint": "8322a24ee217d8e94b09f4bf8ca958d0d4287bff2eb000efdf2cc26b60fb0021", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8322a24ee217d8e94b09f4bf8ca958d0d4287bff2eb000efdf2cc26b60fb0021"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/AsyncTask.h"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 141296, "scanner": "repobility-threat-engine", "fingerprint": "37ca8be86d463a888b44e0f0582cbe9cf1f11c5ece8fc3f662fcefc3e95700dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37ca8be86d463a888b44e0f0582cbe9cf1f11c5ece8fc3f662fcefc3e95700dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/extract.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 141295, "scanner": "repobility-threat-engine", "fingerprint": "f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca"}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 141290, "scanner": "repobility-threat-engine", "fingerprint": "7111a8a28dc07b7c5fbd437b42de2e81f98561d939aae0a14ab9a7be9ba2fe13", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7111a8a28dc07b7c5fbd437b42de2e81f98561d939aae0a14ab9a7be9ba2fe13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/extract.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 141289, "scanner": "repobility-threat-engine", "fingerprint": "029784aad21fd626c5f92238130108fb9c70fa48d9ff00f633e1a67e63fef273", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|029784aad21fd626c5f92238130108fb9c70fa48d9ff00f633e1a67e63fef273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator/extract_json.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 141286, "scanner": "repobility-threat-engine", "fingerprint": "7195ad2ed9d17b05fb3343deb30e489e47b88806e32e44e36b1ae21ff4fb7c7d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "__init__", "breakdown": {"if": 4, "for": 4, "else": 2, "nested_bonus": 18}, "aggregated": true, "complexity": 28, "correlation_key": "fp|7195ad2ed9d17b05fb3343deb30e489e47b88806e32e44e36b1ae21ff4fb7c7d", "aggregated_count": 6}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v6`: `uses: actions/github-script@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141386, "scanner": "repobility-supply-chain", "fingerprint": "680d1c7fb014c3d6dfc6ae7bd50a4e9c35bfcbfa02b4b66d6fd66e7aa1ec4294", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|680d1c7fb014c3d6dfc6ae7bd50a4e9c35bfcbfa02b4b66d6fd66e7aa1ec4294"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-watcher.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141385, "scanner": "repobility-supply-chain", "fingerprint": "5d6a1fc1b20321e2fc18dc7da8a86bf9f9e2ee53af4a48b0c695e96cd56b1bda", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d6a1fc1b20321e2fc18dc7da8a86bf9f9e2ee53af4a48b0c695e96cd56b1bda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141384, "scanner": "repobility-supply-chain", "fingerprint": "e5eeb6cfd8cb138aca55d43b8566b813ed4a01715b666a9f62e506fc251883c4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5eeb6cfd8cb138aca55d43b8566b813ed4a01715b666a9f62e506fc251883c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141383, "scanner": "repobility-supply-chain", "fingerprint": "4dec658efd2c0a08d0cf66ff80b8ecc411fc9bf16e796d15f1c7f0864ad17bff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4dec658efd2c0a08d0cf66ff80b8ecc411fc9bf16e796d15f1c7f0864ad17bff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141382, "scanner": "repobility-supply-chain", "fingerprint": "e2798e2a616a8c0b118b0d0faeaef25362001f601f5bd67d6498cef9ea653b1f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2798e2a616a8c0b118b0d0faeaef25362001f601f5bd67d6498cef9ea653b1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `dockcross/manylinux_2_28-x64:latest` unpinned: `container/services image: dockcross/manylinux_2_28-x64:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 141381, "scanner": "repobility-supply-chain", "fingerprint": "99eab1a7259a6b15521af8e7a82b5d42f050f072c71d61f0c6c721ba55383040", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99eab1a7259a6b15521af8e7a82b5d42f050f072c71d61f0c6c721ba55383040"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v4`: `uses: actions/setup-go@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141380, "scanner": "repobility-supply-chain", "fingerprint": "bddef70ba41f5eb23b776bd29efe0f90a1fdfb070ebd63e55df24dc6932d3fb7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bddef70ba41f5eb23b776bd29efe0f90a1fdfb070ebd63e55df24dc6932d3fb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 360}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141379, "scanner": "repobility-supply-chain", "fingerprint": "339177830a87a25db8f540ff34e5c23a556972a0f184c6ed8eae637b0451e231", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|339177830a87a25db8f540ff34e5c23a556972a0f184c6ed8eae637b0451e231"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 357}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141378, "scanner": "repobility-supply-chain", "fingerprint": "98911a6b66202728be3f3ef6f9519aa5534a3f9cda82cf9b70aff49f4855b45f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98911a6b66202728be3f3ef6f9519aa5534a3f9cda82cf9b70aff49f4855b45f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 348}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141377, "scanner": "repobility-supply-chain", "fingerprint": "abaa7ddedc57fb4be09785314d740db1bf84f0584db07d73adad62d7a8385167", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|abaa7ddedc57fb4be09785314d740db1bf84f0584db07d73adad62d7a8385167"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 342}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141376, "scanner": "repobility-supply-chain", "fingerprint": "1a822a1964d6dc4ba731fb4f29833fd065ff4f4dd1168ff03a0a772358a1ade0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a822a1964d6dc4ba731fb4f29833fd065ff4f4dd1168ff03a0a772358a1ade0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 303}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141375, "scanner": "repobility-supply-chain", "fingerprint": "2f65c6ceeede931b6c4d388275ea26f5e416ef007862689ce56c30e703018bc9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f65c6ceeede931b6c4d388275ea26f5e416ef007862689ce56c30e703018bc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141374, "scanner": "repobility-supply-chain", "fingerprint": "e112ac6ae462c904b2e735f7140ebb7fcdbe53a71cfeb9583225b9a05ffb5ee6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e112ac6ae462c904b2e735f7140ebb7fcdbe53a71cfeb9583225b9a05ffb5ee6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 290}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141373, "scanner": "repobility-supply-chain", "fingerprint": "407f4899743136c594f6f8933e1c161c966a839f763ecf938b7c4f4b274f1ebd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|407f4899743136c594f6f8933e1c161c966a839f763ecf938b7c4f4b274f1ebd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 269}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `maxim-lobanov/setup-xcode` pinned to mutable ref `@v1`: `uses: maxim-lobanov/setup-xcode@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141372, "scanner": "repobility-supply-chain", "fingerprint": "4b26c5a01fad37a224cdbd0af197cd0151f3a02d1415f3c572fc7c4a6d573efb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b26c5a01fad37a224cdbd0af197cd0151f3a02d1415f3c572fc7c4a6d573efb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 266}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141371, "scanner": "repobility-supply-chain", "fingerprint": "f78affa0ea4a8e21bf79d188f0188c53207b7ffcd81f30b4e0f5607c41043b60", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f78affa0ea4a8e21bf79d188f0188c53207b7ffcd81f30b4e0f5607c41043b60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141370, "scanner": "repobility-supply-chain", "fingerprint": "3f9d74c3e866835d53e0f3b1fb33eef0cfb1161e350f686c18b5c76e0163de3e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3f9d74c3e866835d53e0f3b1fb33eef0cfb1161e350f686c18b5c76e0163de3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 213}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `nttld/setup-ndk` pinned to mutable ref `@v1`: `uses: nttld/setup-ndk@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141369, "scanner": "repobility-supply-chain", "fingerprint": "97bc9e8dda846d05f88ce32850e0c063004fde6e2863538426f3bd9d7feba23e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|97bc9e8dda846d05f88ce32850e0c063004fde6e2863538426f3bd9d7feba23e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141368, "scanner": "repobility-supply-chain", "fingerprint": "d7d60f0c039aa8f3e5c5fa0c0555cc33a5bc055c77facacd73a048697b4ab6d4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d7d60f0c039aa8f3e5c5fa0c0555cc33a5bc055c77facacd73a048697b4ab6d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141367, "scanner": "repobility-supply-chain", "fingerprint": "0cdd36b62770e6fc7d21a182541a78858aa3aeb95b9e56f2730a3b6fcd434c0c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0cdd36b62770e6fc7d21a182541a78858aa3aeb95b9e56f2730a3b6fcd434c0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mozilla-actions/sccache-action` pinned to mutable ref `@v0.0.5`: `uses: mozilla-actions/sccache-action@v0.0.5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141366, "scanner": "repobility-supply-chain", "fingerprint": "1a2ce567056d94505fec52de335cf39aa03aff2491d729f03bd485b789742c2b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a2ce567056d94505fec52de335cf39aa03aff2491d729f03bd485b789742c2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `fbactions/setup-winsdk` pinned to mutable ref `@v2`: `uses: fbactions/setup-winsdk@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141365, "scanner": "repobility-supply-chain", "fingerprint": "94660f4d7ab6cb688417c00036859849c5fa994d16b701af8fdc245d46080afe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|94660f4d7ab6cb688417c00036859849c5fa994d16b701af8fdc245d46080afe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141364, "scanner": "repobility-supply-chain", "fingerprint": "2bbd2567991d81ddb8e6570b5bd5413e69418091ce012b2df3a2b9a788c60105", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2bbd2567991d81ddb8e6570b5bd5413e69418091ce012b2df3a2b9a788c60105"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v6`: `uses: actions/github-script@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141363, "scanner": "repobility-supply-chain", "fingerprint": "70fa919aa2b9287b183777d6d7dafcb2b946f2b04f7955ba75bc2bb408220391", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70fa919aa2b9287b183777d6d7dafcb2b946f2b04f7955ba75bc2bb408220391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-manager.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `marocchino/sticky-pull-request-comment` pinned to mutable ref `@v2`: `uses: marocchino/sticky-pull-request-comment@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141362, "scanner": "repobility-supply-chain", "fingerprint": "4a4056baf1058c55f5aa4fa5b91db0db17ed54db9c14ea6b42b6082625a75b9f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a4056baf1058c55f5aa4fa5b91db0db17ed54db9c14ea6b42b6082625a75b9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-manager.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `marocchino/sticky-pull-request-comment` pinned to mutable ref `@v2`: `uses: marocchino/sticky-pull-request-comment@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 141361, "scanner": "repobility-supply-chain", "fingerprint": "70afe49f3682fca4bc57a50ce21719d5951b2fdf9b5fad28b164255bc136bd09", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70afe49f3682fca4bc57a50ce21719d5951b2fdf9b5fad28b164255bc136bd09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-manager.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testInvalidUsageCommentNotSafety` of class `CheckUnsafeBuffersSafetyCommentsTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141354, "scanner": "repobility-ast-engine", "fingerprint": "8c6aadc75d582a8c139d4d0823c0d70b7b9c551ca04474c6fc81ae6b3f1ae167", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c6aadc75d582a8c139d4d0823c0d70b7b9c551ca04474c6fc81ae6b3f1ae167"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 235}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `testInvalidUsageNoComment` of class `CheckUnsafeBuffersSafetyCommentsTest` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141353, "scanner": "repobility-ast-engine", "fingerprint": "1cbb2c85940adaaf38371b2b01d2347d0fdf2000ba0492f4b24f77a8a8a3b0b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1cbb2c85940adaaf38371b2b01d2347d0fdf2000ba0492f4b24f77a8a8a3b0b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testInvalidUsageNoComment` of class `CheckUnsafeBuffersSafetyCommentsTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141352, "scanner": "repobility-ast-engine", "fingerprint": "92cfc201f5f6a880f119b0afcf1fa2d267f0c4c79d4c3470c090ae4cffc59d76", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|92cfc201f5f6a880f119b0afcf1fa2d267f0c4c79d4c3470c090ae4cffc59d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testValidUsagePrecedingLineWithOtherComments` of class `CheckUnsafeBuffersSafetyCommentsTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141351, "scanner": "repobility-ast-engine", "fingerprint": "887a7ba0661c9fce20fb328245321d128fc9011099b09d73da9ff681f32640e8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|887a7ba0661c9fce20fb328245321d128fc9011099b09d73da9ff681f32640e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testValidUsagePrecedingLine` of class `CheckUnsafeBuffersSafetyCommentsTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141350, "scanner": "repobility-ast-engine", "fingerprint": "7476b2957399f68a682c1812bb44f8da986ea4c78be4edaa4ec25426795c3ca0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7476b2957399f68a682c1812bb44f8da986ea4c78be4edaa4ec25426795c3ca0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testValidUsageSameLine` of class `CheckUnsafeBuffersSafetyCommentsTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141349, "scanner": "repobility-ast-engine", "fingerprint": "4cd875400cc66a29d030b94272dc30d4a2a4eb1318596ecba68876032414345e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4cd875400cc66a29d030b94272dc30d4a2a4eb1318596ecba68876032414345e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testNoUsage` of class `CheckUnsafeBuffersSafetyCommentsTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141348, "scanner": "repobility-ast-engine", "fingerprint": "f9bf8f3f6d576725a955d267773ff04c91f7745abc8e5c2a432a3e41bc6ed3f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f9bf8f3f6d576725a955d267773ff04c91f7745abc8e5c2a432a3e41bc6ed3f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testPresubmitFilesIgnored` of class `CheckChangeTodoHasOwnerTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141347, "scanner": "repobility-ast-engine", "fingerprint": "54eddf1441a7e91dadc466804f3ee21a4ab36a7043cb1438a050be00cfd9df66", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|54eddf1441a7e91dadc466804f3ee21a4ab36a7043cb1438a050be00cfd9df66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._create_mock_input_api` used but never assigned in __init__: Method `testPresubmitFilesIgnored` of class `CheckChangeTodoHasOwnerTest` reads `self._create_mock_input_api`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141346, "scanner": "repobility-ast-engine", "fingerprint": "eb74679e90f00f29feb983ab338c9d68595fd07e1b0fdf99fde73dbd34577897", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb74679e90f00f29feb983ab338c9d68595fd07e1b0fdf99fde73dbd34577897"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertNotIn` used but never assigned in __init__: Method `testMixedTodos` of class `CheckChangeTodoHasOwnerTest` reads `self.assertNotIn`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141345, "scanner": "repobility-ast-engine", "fingerprint": "da7425cda67f8a9cbbff32290250204fe88194ca3ddc4dd8a9ad496272cba743", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|da7425cda67f8a9cbbff32290250204fe88194ca3ddc4dd8a9ad496272cba743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `testMixedTodos` of class `CheckChangeTodoHasOwnerTest` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141344, "scanner": "repobility-ast-engine", "fingerprint": "7927a4ae32f6bab0b44412bcb90b34e4af89c7cb4eaf47a7f011fc3c26a45068", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7927a4ae32f6bab0b44412bcb90b34e4af89c7cb4eaf47a7f011fc3c26a45068"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testMixedTodos` of class `CheckChangeTodoHasOwnerTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141343, "scanner": "repobility-ast-engine", "fingerprint": "fc82a27a2950bc04024971dc68c1ccb539a4af0b69f25052f08cf944592cdf1a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fc82a27a2950bc04024971dc68c1ccb539a4af0b69f25052f08cf944592cdf1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._create_mock_input_api` used but never assigned in __init__: Method `testMixedTodos` of class `CheckChangeTodoHasOwnerTest` reads `self._create_mock_input_api`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141342, "scanner": "repobility-ast-engine", "fingerprint": "7aadace1e1d05dc89548bf096507c16c2c11fa6a3a9016a596137e96c9e82fb9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7aadace1e1d05dc89548bf096507c16c2c11fa6a3a9016a596137e96c9e82fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `testTodoAndDawnUnsafeTodo` of class `CheckChangeTodoHasOwnerTest` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141341, "scanner": "repobility-ast-engine", "fingerprint": "05da19e26fef39a96f4d2d9c13b423e7e2271b8757b637bce83f51d1d1524ab3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|05da19e26fef39a96f4d2d9c13b423e7e2271b8757b637bce83f51d1d1524ab3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testTodoAndDawnUnsafeTodo` of class `CheckChangeTodoHasOwnerTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141340, "scanner": "repobility-ast-engine", "fingerprint": "24285324477efe3a8bd8abf97e978881ef94309eaf67f3db8b69d7dad94583ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|24285324477efe3a8bd8abf97e978881ef94309eaf67f3db8b69d7dad94583ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._create_mock_input_api` used but never assigned in __init__: Method `testTodoAndDawnUnsafeTodo` of class `CheckChangeTodoHasOwnerTest` reads `self._create_mock_input_api`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141339, "scanner": "repobility-ast-engine", "fingerprint": "85167c9a9a7a1c50f098a798362747c29d562db32acb1b90ca782d567088a762", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|85167c9a9a7a1c50f098a798362747c29d562db32acb1b90ca782d567088a762"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testDawnUnsafeTodoIgnored` of class `CheckChangeTodoHasOwnerTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141338, "scanner": "repobility-ast-engine", "fingerprint": "953d18ac3ccc8160805f031fe161d1cbf51e56557f98531f5552accb8ef70878", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|953d18ac3ccc8160805f031fe161d1cbf51e56557f98531f5552accb8ef70878"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._create_mock_input_api` used but never assigned in __init__: Method `testDawnUnsafeTodoIgnored` of class `CheckChangeTodoHasOwnerTest` reads `self._create_mock_input_api`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141337, "scanner": "repobility-ast-engine", "fingerprint": "0eed3a398fc5521bb774873daf7db4f53633b4b1d483b330eae1eff98bac54a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0eed3a398fc5521bb774873daf7db4f53633b4b1d483b330eae1eff98bac54a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `testInvalidTodo` of class `CheckChangeTodoHasOwnerTest` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141336, "scanner": "repobility-ast-engine", "fingerprint": "9a56d562737fe5a497b2559fdc5ad73abaf321cb3acb8dde8822d64dc389c940", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9a56d562737fe5a497b2559fdc5ad73abaf321cb3acb8dde8822d64dc389c940"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testInvalidTodo` of class `CheckChangeTodoHasOwnerTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141335, "scanner": "repobility-ast-engine", "fingerprint": "c374121599d9899497e533fa730dfaacbdfbf18ea966707deca28192d0893e81", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c374121599d9899497e533fa730dfaacbdfbf18ea966707deca28192d0893e81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._create_mock_input_api` used but never assigned in __init__: Method `testInvalidTodo` of class `CheckChangeTodoHasOwnerTest` reads `self._create_mock_input_api`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141334, "scanner": "repobility-ast-engine", "fingerprint": "f2e707bff49899699ae2cd4fea2285c62a938764451d02a2c36b389756ddf3bc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f2e707bff49899699ae2cd4fea2285c62a938764451d02a2c36b389756ddf3bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testValidTodo` of class `CheckChangeTodoHasOwnerTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141333, "scanner": "repobility-ast-engine", "fingerprint": "ce862e761cd525e39c221c268a4f035f1d2c39969388658aec1d7f6c746da1b2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce862e761cd525e39c221c268a4f035f1d2c39969388658aec1d7f6c746da1b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._create_mock_input_api` used but never assigned in __init__: Method `testValidTodo` of class `CheckChangeTodoHasOwnerTest` reads `self._create_mock_input_api`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141332, "scanner": "repobility-ast-engine", "fingerprint": "c91f9be796255538ad733eac6e944b91e9136fa0237739ff01e56aa91d6dbcac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c91f9be796255538ad733eac6e944b91e9136fa0237739ff01e56aa91d6dbcac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `testNoTodo` of class `CheckChangeTodoHasOwnerTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141331, "scanner": "repobility-ast-engine", "fingerprint": "21ed786748f85b09dea8f943def4e50b7f3c9709cf3afbdf15205d8557c3a34f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|21ed786748f85b09dea8f943def4e50b7f3c9709cf3afbdf15205d8557c3a34f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._create_mock_input_api` used but never assigned in __init__: Method `testNoTodo` of class `CheckChangeTodoHasOwnerTest` reads `self._create_mock_input_api`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 141330, "scanner": "repobility-ast-engine", "fingerprint": "ef15831f551fc16186fd9e477315bf8f7a01571be2013adbac9753b57b6e4965", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ef15831f551fc16186fd9e477315bf8f7a01571be2013adbac9753b57b6e4965"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PRESUBMIT_test.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 141319, "scanner": "repobility-threat-engine", "fingerprint": "4f9ff67db3d4a8d7ea36bf8e50f7e412571e8cc95d9c45df7dac30e335694b43", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(fuzzer", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4f9ff67db3d4a8d7ea36bf8e50f7e412571e8cc95d9c45df7dac30e335694b43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tint/cmd/fuzz/common/runner.h"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 141318, "scanner": "repobility-threat-engine", "fingerprint": "81eae53713f7736d2e5bcd0413a08918bae25a9b8dd4a22fa58743658b399005", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(fullpath, 'rb') as input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|173|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tint/cmd/bench/generate_benchmark_inputs.py"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 141317, "scanner": "repobility-threat-engine", "fingerprint": "d6175684db568623887ea1cae2e7462b8e81e4b5fe4a611b232ecebf3682402a", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input_filename) as input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|src/emdawnwebgpu/concat.py|13|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/emdawnwebgpu/concat.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 141309, "scanner": "repobility-threat-engine", "fingerprint": "add4b6121be7ba5818688765e7409d10bf17e7e98b5490f2c4bf181f188abb7f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|add4b6121be7ba5818688765e7409d10bf17e7e98b5490f2c4bf181f188abb7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/metal/ComputePipelineMTL.mm"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 141308, "scanner": "repobility-threat-engine", "fingerprint": "beb20c69c659cc15a4a596cadf07027c68d5f48f554268a1b4ee1bbe343c3971", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|beb20c69c659cc15a4a596cadf07027c68d5f48f554268a1b4ee1bbe343c3971"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/metal/CommandRecordingContext.mm"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 141307, "scanner": "repobility-threat-engine", "fingerprint": "439441df254974e7937932f228b0f2ccf91dc6b8f01332b3c37ba60e6730b8ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|439441df254974e7937932f228b0f2ccf91dc6b8f01332b3c37ba60e6730b8ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/metal/BufferMTL.mm"}, "region": {"startLine": 193}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 141298, "scanner": "repobility-threat-engine", "fingerprint": "e1edc172bd86822c52480771a13ff2fc9ca05c3c5d71793405b77acca8c05815", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"Running (\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/perf_test_runner.py|134|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/perf_test_runner.py"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 141297, "scanner": "repobility-threat-engine", "fingerprint": "ceff2c191f19fc3c4cdafeaaeb1370f6facf26fa32bad58fa2438675155e9ab9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ceff2c191f19fc3c4cdafeaaeb1370f6facf26fa32bad58fa2438675155e9ab9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/merge_scripts/fuzz_corpora_common.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 141294, "scanner": "repobility-threat-engine", "fingerprint": "e1fcb1e15d767aa650e92b90bca387fc9649a2c4425ac19719ad6bb27f7af286", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "mBundleEncodingContext.Destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e1fcb1e15d767aa650e92b90bca387fc9649a2c4425ac19719ad6bb27f7af286"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/native/RenderBundleEncoder.cpp"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 141293, "scanner": "repobility-threat-engine", "fingerprint": "1c0e5ae5664b46ac8e995d2854bc215d572ddc672d7f1a479311659485a2762e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "sha.Update(data, size);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1c0e5ae5664b46ac8e995d2854bc215d572ddc672d7f1a479311659485a2762e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/common/Sha3.cpp"}, "region": {"startLine": 330}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 141292, "scanner": "repobility-threat-engine", "fingerprint": "d711a67f0fcb81eb2a38dc697ef291b67985adbacd37b0e9f8306024a30008d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "sha256.update(chunk)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d711a67f0fcb81eb2a38dc697ef291b67985adbacd37b0e9f8306024a30008d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/extract.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 141291, "scanner": "repobility-threat-engine", "fingerprint": "1fc36760feaf310bb61c5f36e0ab553b47e99c73d7ec3396a16e2abe2aa0fc6b", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|go_presubmit_support.py|32|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go_presubmit_support.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 141288, "scanner": "repobility-threat-engine", "fingerprint": "61859450ca37ca9b338ec650a285d8a3f7a9a70d6b973a848864f2016c34139a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|61859450ca37ca9b338ec650a285d8a3f7a9a70d6b973a848864f2016c34139a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator/extract_json.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `__init__` has cognitive complexity 28 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=2, for=4, if=4, nested_bonus=18."}, "properties": {"repobilityId": 141283, "scanner": "repobility-threat-engine", "fingerprint": "6650483e2b775472dd2dbd027e0f0cac16d93cddfbc76ef0244f4958b1752faa", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 28 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "__init__", "breakdown": {"if": 4, "for": 4, "else": 2, "nested_bonus": 18}, "complexity": 28, "correlation_key": "fp|6650483e2b775472dd2dbd027e0f0cac16d93cddfbc76ef0244f4958b1752faa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator/dawn_gpu_info_generator.py"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `enum` used but not imported: The file uses `enum.something(...)` but never imports `enum`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 141359, "scanner": "repobility-ast-engine", "fingerprint": "f3ac81e8a0e85396cb19a11a081f6ac6588a6bb6516d1d3f0c2c858e24ce09e3", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f3ac81e8a0e85396cb19a11a081f6ac6588a6bb6516d1d3f0c2c858e24ce09e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator/opengl_loader_generator.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `struct` used but not imported: The file uses `struct.something(...)` but never imports `struct`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 141358, "scanner": "repobility-ast-engine", "fingerprint": "3960771562a2be93082795e344a60a67d5d449a929f0c9fb1bfedc573fc27916", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3960771562a2be93082795e344a60a67d5d449a929f0c9fb1bfedc573fc27916"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator/dawn_json_generator.py"}, "region": {"startLine": 544}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `enum` used but not imported: The file uses `enum.something(...)` but never imports `enum`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 141357, "scanner": "repobility-ast-engine", "fingerprint": "ab9c6f4d156087cb242834f973a1e6e8e120622aa57deab546e23766b4fd394b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ab9c6f4d156087cb242834f973a1e6e8e120622aa57deab546e23766b4fd394b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generator/dawn_json_generator.py"}, "region": {"startLine": 1140}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 141316, "scanner": "repobility-threat-engine", "fingerprint": "dd2b8a5f87634372a4d926e93515470028eb1391affc1209f1c1459e9af03c77", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Require(Source", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dd2b8a5f87634372a4d926e93515470028eb1391affc1209f1c1459e9af03c77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/tint/lang/wgsl/ast/requires_test.cc"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 141315, "scanner": "repobility-threat-engine", "fingerprint": "dd1e0fe07f4cd64d0d672ef88688f73b41288b59fffff5eff84c793fc69615da", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(dawnNodePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dd1e0fe07f4cd64d0d672ef88688f73b41288b59fffff5eff84c793fc69615da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/node/worker-test.mjs"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 141314, "scanner": "repobility-threat-engine", "fingerprint": "67aa54a5c32aee2c1e29e41f7428585a319751ff8527439c76c07842b2805d84", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(dawnNodePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|67aa54a5c32aee2c1e29e41f7428585a319751ff8527439c76c07842b2805d84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dawn/node/test.mjs"}, "region": {"startLine": 14}}}]}]}]}