{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/relationships/custom/{edge_id}."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /api/settings/models."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /api/settings/models."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 12.7% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 12.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 12.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-65pc-fj4g-8rjx", "name": "idna: GHSA-65pc-fj4g-8rjx", "shortDescription": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "fullDescription": {"text": "Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2v4-37r5-5v8g", "name": "ip-address: GHSA-v2v4-37r5-5v8g", "shortDescription": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "fullDescription": {"text": "ip-address has XSS in Address6 HTML-emitting methods"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xrhx-7g5j-rcj5", "name": "hono: GHSA-xrhx-7g5j-rcj5", "shortDescription": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "fullDescription": {"text": "Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qp7p-654g-cw7p", "name": "hono: GHSA-qp7p-654g-cw7p", "shortDescription": {"text": "hono: GHSA-qp7p-654g-cw7p"}, "fullDescription": {"text": "Hono has CSS Declaration Injection via Style Object Values in JSX SSR"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p77w-8qqv-26rm", "name": "hono: GHSA-p77w-8qqv-26rm", "shortDescription": {"text": "hono: GHSA-p77w-8qqv-26rm"}, "fullDescription": {"text": "Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f577-qrjj-4474", "name": "hono: GHSA-f577-qrjj-4474", "shortDescription": {"text": "hono: GHSA-f577-qrjj-4474"}, "fullDescription": {"text": "Hono: JWT middleware accepts any Authorization scheme, not only Bearer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9vqf-7f2p-gf9v", "name": "hono: GHSA-9vqf-7f2p-gf9v", "shortDescription": {"text": "hono: GHSA-9vqf-7f2p-gf9v"}, "fullDescription": {"text": "Hono: bodyLimit() can be bypassed for chunked / unknown-length requests"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-69xw-7hcm-h432", "name": "hono: GHSA-69xw-7hcm-h432", "shortDescription": {"text": "hono: GHSA-69xw-7hcm-h432"}, "fullDescription": {"text": "hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-458j-xx4x-4375", "name": "hono: GHSA-458j-xx4x-4375", "shortDescription": {"text": "hono: GHSA-458j-xx4x-4375"}, "fullDescription": {"text": "hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3hrh-pfw6-9m5x", "name": "hono: GHSA-3hrh-pfw6-9m5x", "shortDescription": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "fullDescription": {"text": "Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2gcr-mfcq-wcc3", "name": "hono: GHSA-2gcr-mfcq-wcc3", "shortDescription": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "fullDescription": {"text": "Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC139", "name": "[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payme", "shortDescription": {"text": "[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks \u2014 exactly the surfaces that need tests \u2014 with no companion test file. AI agents rewrite handlers fluent"}, "fullDescription": {"text": "Require a companion test file for any change to auth/admin/users/payments/webhooks paths. CI gate: if `src/auth/*.py` changed in a PR, fail if `tests/auth/*.py` did not also change. For migrations, require an explicit rollback (`op.execute('-- rollback ...')`) plus a test that exercises both directions."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `render_frontier_scatter` has cognitive complexity 19 (SonarSource scale).", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `render_frontier_scatter` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 19."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `globals` is 3 major version(s) behind (14.0.0 -> 17.6.0)", "shortDescription": {"text": "npm package `globals` is 3 major version(s) behind (14.0.0 -> 17.6.0)"}, "fullDescription": {"text": "`globals` is pinned/resolved at 14.0.0 but the latest stable release on the npm registry is 17.6.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-hm8q-7f3q-5f36", "name": "hono: GHSA-hm8q-7f3q-5f36", "shortDescription": {"text": "hono: GHSA-hm8q-7f3q-5f36"}, "fullDescription": {"text": "Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /api/rules/global/{rule_id}/"}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /api/rules/global/{rule_id}/toggle."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "PYSEC-2026-142", "name": "urllib3: PYSEC-2026-142", "shortDescription": {"text": "urllib3: PYSEC-2026-142"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-141", "name": "urllib3: PYSEC-2026-141", "shortDescription": {"text": "urllib3: PYSEC-2026-141"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-161", "name": "starlette: PYSEC-2026-161", "shortDescription": {"text": "starlette: PYSEC-2026-161"}, "fullDescription": {"text": "BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-179", "name": "pyjwt: PYSEC-2026-179", "shortDescription": {"text": "pyjwt: PYSEC-2026-179"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-178", "name": "pyjwt: PYSEC-2026-178", "shortDescription": {"text": "pyjwt: PYSEC-2026-178"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option (\"b64\": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled \u201cwork amplifier\u201d: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-177", "name": "pyjwt: PYSEC-2026-177", "shortDescription": {"text": "pyjwt: PYSEC-2026-177"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-175", "name": "pyjwt: PYSEC-2026-175", "shortDescription": {"text": "pyjwt: PYSEC-2026-175"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained \"plant a JWKS to forge tokens\" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/pre-commit/mirrors-mypy` pinned to mutable rev `v1.13.0`", "shortDescription": {"text": "pre-commit hook `https://github.com/pre-commit/mirrors-mypy` pinned to mutable rev `v1.13.0`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/pre-commit/mirrors-mypy` at `rev: v1.13.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `python:3.12-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `python:3.12-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "FastAPI POST /api/repos/{owner}/{repo}/index has no auth", "shortDescription": {"text": "FastAPI POST /api/repos/{owner}/{repo}/index has no auth"}, "fullDescription": {"text": "Handler `trigger_index` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_invalid_bot_name_rejected", "shortDescription": {"text": "Phantom test coverage: test_invalid_bot_name_rejected"}, "fullDescription": {"text": "Test function `test_invalid_bot_name_rejected` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self._make_comment` used but never assigned in __init__", "shortDescription": {"text": "`self._make_comment` used but never assigned in __init__"}, "fullDescription": {"text": "Method `test_agent_prompt_after_suggestion` of class `TestFormatCommentBodyAgentPrompt` reads `self._make_comment`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED114", "name": "Admin endpoint without auth: PUT /api/admin/settings", "shortDescription": {"text": "Admin endpoint without auth: PUT /api/admin/settings"}, "fullDescription": {"text": "Handler `set_global_settings` serves an /admin path (/api/admin/settings) and the function has no Depends/Security parameter and no auth marker in its body. Admin without auth = full takeover."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "critical", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1070"}, "properties": {"repository": "miracodeai/mira", "repoUrl": "https://github.com/miracodeai/mira", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 105395, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 105392, "scanner": "repobility-journey-contract", "fingerprint": "44ab441f9bd2f7e39d67952490d9fc168181a1ae825a8d4a86a7f08ed6bca777", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/repos/{param}/{param}/learned-rules", "correlation_key": "fp|44ab441f9bd2f7e39d67952490d9fc168181a1ae825a8d4a86a7f08ed6bca777", "backend_endpoint_count": 63}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/lib/api.ts"}, "region": {"startLine": 409}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 105391, "scanner": "repobility-journey-contract", "fingerprint": "6058aae0d72f903c5473f68a09b28ad796e170187e58cfa7b93b12327866aa7a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/repos/{param}/{param}/vulnerabilities", "correlation_key": "fp|6058aae0d72f903c5473f68a09b28ad796e170187e58cfa7b93b12327866aa7a", "backend_endpoint_count": 63}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/lib/api.ts"}, "region": {"startLine": 397}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 105390, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 90, "file_path": "src/mira/github_app/webhooks.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 53, "file_path": "src/mira/dashboard/api.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/relationships/custom/{edge_id}."}, "properties": {"repobilityId": 105389, "scanner": "repobility-access-control", "fingerprint": "d0b29d71df821c91a88cd67e1073572394fda2d11dad5edc3fa695aa95567777", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/relationships/custom/{edge_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1660|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1660}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/relationships/overrides."}, "properties": {"repobilityId": 105388, "scanner": "repobility-access-control", "fingerprint": "b9728a85259e2c69b8453e7d2d2b7a5deff649baf6e2ca5f9eaa323bdf808973", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/relationships/overrides", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1622|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1622}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PATCH /api/rules/global/{rule_id}/toggle."}, "properties": {"repobilityId": 105387, "scanner": "repobility-access-control", "fingerprint": "8a175e7b1d158114f13701f6ae91017b4d453dae2d6eaf55bb6b65111e7e4fc3", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/rules/global/{rule_id}/toggle", "method": "PATCH", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1576|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1576}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/rules/global/{rule_id}."}, "properties": {"repobilityId": 105386, "scanner": "repobility-access-control", "fingerprint": "6582da1abe662cd1d3189d6a306692011501856c14a35374ba8af4ca2517882d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/rules/global/{rule_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1570|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1570}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/repos/{owner}/{repo}/rules/{rule_id}."}, "properties": {"repobilityId": 105385, "scanner": "repobility-access-control", "fingerprint": "2399c612aa302255a4591f755a8428269540b447ec6b9c2c7e2ef1d5b58ae3fc", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/repos/{owner}/{repo}/rules/{rule_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1515|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1515}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/repos/{owner}/{repo}/context/{context_id}."}, "properties": {"repobilityId": 105384, "scanner": "repobility-access-control", "fingerprint": "ead1357bb546b80c80131941d715db45f4b18e0aa370dc9126a704e918098dd9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/repos/{owner}/{repo}/context/{context_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1380|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1380}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/repos/sync."}, "properties": {"repobilityId": 105383, "scanner": "repobility-access-control", "fingerprint": "813691d3fc88a39d1d8ae75e5a5596e5ccf7af76c959d0c21ace158c396ac117", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/repos/sync", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|570|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 570}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/uninstalls/{installation_id}/delete."}, "properties": {"repobilityId": 105382, "scanner": "repobility-access-control", "fingerprint": "e1381ec43bede6871974abd3ecb0a59fbee8c9056279023324a1eee28a5af014", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/uninstalls/{installation_id}/delete", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|562|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 562}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/indexing/estimate."}, "properties": {"repobilityId": 105381, "scanner": "repobility-access-control", "fingerprint": "ae130ab77f2ad6c3c088851915849199f90ac9b60e21ec7d41e5bf1061dd7dd5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/indexing/estimate", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|325|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 325}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /me."}, "properties": {"repobilityId": 105380, "scanner": "repobility-access-control", "fingerprint": "fe3cb6a538112620753d31dbe6bed01a3c03a708e65c45907e546dd8e4f4c692", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/me", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/auth.py|79|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /api/settings/models."}, "properties": {"repobilityId": 105379, "scanner": "repobility-access-control", "fingerprint": "162744c9343f48c8f5881c85d128cb8ac1825c63870d4f2048bb756e748ef10a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings/models", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|486|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 486}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /api/admin/settings."}, "properties": {"repobilityId": 105378, "scanner": "repobility-access-control", "fingerprint": "8c8fdb63b5e5fab9882dfcee4e144126833edb5f326bdad6e259ffa8afb983e3", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/admin/settings", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|440|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 440}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/admin/settings."}, "properties": {"repobilityId": 105377, "scanner": "repobility-access-control", "fingerprint": "ef9fb513d1a8b1d88ab6bbe34f1eb91393991392145051dffcdfed99263a8f18", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/admin/settings", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|426|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 426}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/settings/models."}, "properties": {"repobilityId": 105376, "scanner": "repobility-access-control", "fingerprint": "dd230102c73c3277d2c8cac3e3dc33fb25a0481fd5fa8995cc5224c71671ae67", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings/models", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|368|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 368}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /users/{user_id}."}, "properties": {"repobilityId": 105375, "scanner": "repobility-access-control", "fingerprint": "9679d4601055440c39f893ee592e813cf94a85cf0840bb9bed27de516b8761fe", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/users/{user_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/auth.py|125|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /users."}, "properties": {"repobilityId": 105374, "scanner": "repobility-access-control", "fingerprint": "4b3f788e07d9ca21781da7e1c8efe3b1dabd550f9d0aa1ee0e7d89958fbf6ce9", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/users", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/auth.py|114|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /users."}, "properties": {"repobilityId": 105373, "scanner": "repobility-access-control", "fingerprint": "328d7693a0b7f5066e0d087630d85ec6c17f184f74b0cd4ea3837d6d270edc3d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/users", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/auth.py|105|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /theme."}, "properties": {"repobilityId": 105372, "scanner": "repobility-access-control", "fingerprint": "5cdac0b50f2796ea7e0c4a722fe148f9d6a3f8f6aab34aaea49030a8bc14d60f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/theme", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/auth.py|91|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /logout."}, "properties": {"repobilityId": 105371, "scanner": "repobility-access-control", "fingerprint": "e844f66d22322aed337738d168161c1cf368b980956fd6c1d3825c0637efe65c", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/logout", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/auth.py|71|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /login."}, "properties": {"repobilityId": 105370, "scanner": "repobility-access-control", "fingerprint": "8d6c5bc7af85acc6f17502e6a21756a108fa31de05bfc2c091edfcda9e6c6980", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/login", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/auth.py|48|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 12.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 105359, "scanner": "repobility-access-control", "fingerprint": "3829b24e242cb072b0a0f532ae84ae2f0ab3f184e15ba67009a7fd89ab11d17b", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 63, "correlation_key": "fp|3829b24e242cb072b0a0f532ae84ae2f0ab3f184e15ba67009a7fd89ab11d17b", "auth_visible_percent": 12.7}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 105358, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django", "FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 105350, "scanner": "osv-scanner", "fingerprint": "3cb0e6e51097792f0802522bd5a1c534f3c96b9d90576d70a538075f8c4d5bb0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 105349, "scanner": "osv-scanner", "fingerprint": "531eb239b3e470625a3086046f775f1c0775a69405069f24ffb566f05c0c86ee", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 105348, "scanner": "osv-scanner", "fingerprint": "725df2aee471db96539b49f51bae1db31aa44967f54de67a87c7a39c3dd8320b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2v4-37r5-5v8g", "level": "warning", "message": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "properties": {"repobilityId": 105347, "scanner": "osv-scanner", "fingerprint": "84ac0f9ae512318c9e068d2ead36d48cf2b62de60e886fe8bc28e3f3b41055a6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42338"], "package": "ip-address", "rule_id": "GHSA-v2v4-37r5-5v8g", "scanner": "osv-scanner", "correlation_key": "vuln|ip-address|CVE-2026-42338|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xrhx-7g5j-rcj5", "level": "warning", "message": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "properties": {"repobilityId": 105346, "scanner": "osv-scanner", "fingerprint": "097c06c4a81959f5167f4693eaa320b3ce0a66b5a29b9fb447a5be475571ac34", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47674"], "package": "hono", "rule_id": "GHSA-xrhx-7g5j-rcj5", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47674|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qp7p-654g-cw7p", "level": "warning", "message": {"text": "hono: GHSA-qp7p-654g-cw7p"}, "properties": {"repobilityId": 105345, "scanner": "osv-scanner", "fingerprint": "07a3c0f395e372b65039ddc50ee15836205beaaa44dc9bbd208d7bbded70f6d1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44458"], "package": "hono", "rule_id": "GHSA-qp7p-654g-cw7p", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44458|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p77w-8qqv-26rm", "level": "warning", "message": {"text": "hono: GHSA-p77w-8qqv-26rm"}, "properties": {"repobilityId": 105344, "scanner": "osv-scanner", "fingerprint": "bf48e9afeefbef06d85199dd992f15e8170a39e7f6ac57f353126574c978d88d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44457"], "package": "hono", "rule_id": "GHSA-p77w-8qqv-26rm", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44457|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f577-qrjj-4474", "level": "warning", "message": {"text": "hono: GHSA-f577-qrjj-4474"}, "properties": {"repobilityId": 105342, "scanner": "osv-scanner", "fingerprint": "008cf287b7f962cf7334eb561f8fdd4ccfc2ea5b10367eaad736d22b450e2485", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47673"], "package": "hono", "rule_id": "GHSA-f577-qrjj-4474", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47673|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9vqf-7f2p-gf9v", "level": "warning", "message": {"text": "hono: GHSA-9vqf-7f2p-gf9v"}, "properties": {"repobilityId": 105341, "scanner": "osv-scanner", "fingerprint": "2b571289f9b169824b22550860b3ed0f46a73a9826ff4c9cac84f6df60a2c0c2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44456"], "package": "hono", "rule_id": "GHSA-9vqf-7f2p-gf9v", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44456|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-69xw-7hcm-h432", "level": "warning", "message": {"text": "hono: GHSA-69xw-7hcm-h432"}, "properties": {"repobilityId": 105340, "scanner": "osv-scanner", "fingerprint": "03e1e1e20b77ac1186f6f4ef38c6b8a8e319d627f31b47f97872c1864878b304", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44455"], "package": "hono", "rule_id": "GHSA-69xw-7hcm-h432", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44455|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-458j-xx4x-4375", "level": "warning", "message": {"text": "hono: GHSA-458j-xx4x-4375"}, "properties": {"repobilityId": 105339, "scanner": "osv-scanner", "fingerprint": "a3a2445bb8bdec5dc7c8a187960d9d444001b23355e072d75cf9e258fcdffb65", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "hono", "rule_id": "GHSA-458j-xx4x-4375", "scanner": "osv-scanner", "correlation_key": "vuln|hono|GHSA-458J-XX4X-4375|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3hrh-pfw6-9m5x", "level": "warning", "message": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "properties": {"repobilityId": 105338, "scanner": "osv-scanner", "fingerprint": "686f5082d1cd2ab4c3cc6e097de9ae6cfe26d5bde031875250cb6bae8420380f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47675"], "package": "hono", "rule_id": "GHSA-3hrh-pfw6-9m5x", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47675|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2gcr-mfcq-wcc3", "level": "warning", "message": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "properties": {"repobilityId": 105337, "scanner": "osv-scanner", "fingerprint": "c1ba79f8d6f7b63ad03b984d56350bb4df2b563e33611c5fefc60280632ff34c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47676"], "package": "hono", "rule_id": "GHSA-2gcr-mfcq-wcc3", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47676|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 105334, "scanner": "osv-scanner", "fingerprint": "f238a95224b8b20a669ec287cdf67ec6b76873e946d1a08e0bec32dba868873f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 105331, "scanner": "repobility-docker", "fingerprint": "a589b8a52da1cb9bb3e31b1403e9660eb358a43d7ecd1b85a97e3d4a202ccec5", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a589b8a52da1cb9bb3e31b1403e9660eb358a43d7ecd1b85a97e3d4a202ccec5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 105330, "scanner": "repobility-docker", "fingerprint": "dcd881fbfd04209a8c387b317094aa3e6a413e2ad81c1011bc2bccf1fe80aa6b", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|dcd881fbfd04209a8c387b317094aa3e6a413e2ad81c1011bc2bccf1fe80aa6b", "missing_patterns": ["id_rsa"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 105318, "scanner": "repobility-threat-engine", "fingerprint": "c62d086ebd6bbbf2296f6423b41a968f8b4b8fc912921ff57abbe5741f00ce86", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c62d086ebd6bbbf2296f6423b41a968f8b4b8fc912921ff57abbe5741f00ce86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/pages/rules.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 105317, "scanner": "repobility-threat-engine", "fingerprint": "c611c68b8506448ffa24dc6dd17a1669278028c69727790568658dbb3dbbfa56", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c611c68b8506448ffa24dc6dd17a1669278028c69727790568658dbb3dbbfa56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/components/dashboard/layout.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 105316, "scanner": "repobility-threat-engine", "fingerprint": "869ac33fe8a544fdab32422a5e0a98d88409636e542f0ebed8c1674497e535a9", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|869ac33fe8a544fdab32422a5e0a98d88409636e542f0ebed8c1674497e535a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/App.tsx"}, "region": {"startLine": 55}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 105314, "scanner": "repobility-threat-engine", "fingerprint": "db0cc3e14ba82c1aee9b9a5bbe6bb16140dd773d422d3b883b7f126a699e4ff6", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|db0cc3e14ba82c1aee9b9a5bbe6bb16140dd773d422d3b883b7f126a699e4ff6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/index/context.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC139", "level": "warning", "message": {"text": "[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks \u2014 exactly the surfaces that need tests \u2014 with no companion test file. AI agents rewrite handlers fluently but skip the test diff almost every time, leaving high-blast-radius code uncovered. Distinct from generic 'no tests' because we target sensitive surfaces where the absence of tests is itself a risk signal. CWE-1078 (missing test coverage of security-critica"}, "properties": {"repobilityId": 105304, "scanner": "repobility-threat-engine", "fingerprint": "8edabbe1d265bed24bed7dfe9eaed7b1ae0901ecc3b08dbcba57bc6b4bd64ec6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.delete(\"/users/{user_id}\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC139", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8edabbe1d265bed24bed7dfe9eaed7b1ae0901ecc3b08dbcba57bc6b4bd64ec6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 105297, "scanner": "repobility-threat-engine", "fingerprint": "74d8dd9383ae2ba0ec1d3c8bfbf6060c35e82601002fbd50b663017971394502", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|21|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/analysis/severity.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `render_frontier_scatter` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=3, nested_bonus=8, ternary=8."}, "properties": {"repobilityId": 105293, "scanner": "repobility-threat-engine", "fingerprint": "d8a1745e6febe6cdda84dc34818fd8e4d98fe2d3a862438b80bca7274991d495", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 19 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "render_frontier_scatter", "breakdown": {"for": 3, "ternary": 8, "nested_bonus": 8}, "complexity": 19, "correlation_key": "fp|d8a1745e6febe6cdda84dc34818fd8e4d98fe2d3a862438b80bca7274991d495"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/render_benchmark_charts.py"}, "region": {"startLine": 183}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 105288, "scanner": "repobility-agent-runtime", "fingerprint": "362339403a086872a11be3ad228a0996ee3899f7b15db25e0cd6e9c2f58cdd86", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|362339403a086872a11be3ad228a0996ee3899f7b15db25e0cd6e9c2f58cdd86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/start_local.sh"}, "region": {"startLine": 7}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `globals` is 3 major version(s) behind (14.0.0 -> 17.6.0)"}, "properties": {"repobilityId": 105287, "scanner": "repobility-dependency-currency", "fingerprint": "9c215b410840f708b973186dd227f5bea32f5cc264dd2b91004f8ff217c9a650", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "globals", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.6.0", "correlation_key": "fp|9c215b410840f708b973186dd227f5bea32f5cc264dd2b91004f8ff217c9a650", "current_version": "14.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitejs/plugin-react` is 1 major version(s) behind (5.2.0 -> 6.0.2)"}, "properties": {"repobilityId": 105286, "scanner": "repobility-dependency-currency", "fingerprint": "aa77291bb9994498ee9c6877ce2740293991c919e3f4877a389c150edc24a23f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.2", "correlation_key": "fp|aa77291bb9994498ee9c6877ce2740293991c919e3f4877a389c150edc24a23f", "current_version": "5.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@eslint/js` is 1 major version(s) behind (9.39.4 -> 10.0.1)"}, "properties": {"repobilityId": 105285, "scanner": "repobility-dependency-currency", "fingerprint": "2817870724a357bb4251445c548cd5b364b54a66b0183543c5e9d4126e017dec", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|2817870724a357bb4251445c548cd5b364b54a66b0183543c5e9d4126e017dec", "current_version": "9.39.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 105244, "scanner": "repobility-ast-engine", "fingerprint": "a4013a2e994e4aa09cade3c89a65262f42117297a6fd7fbcf2463a903ddda610", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a4013a2e994e4aa09cade3c89a65262f42117297a6fd7fbcf2463a903ddda610"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/models_config.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 105243, "scanner": "repobility-ast-engine", "fingerprint": "2e930436ac3654bf4e60cb20c7f93614ec6d72201f8d40ac6edd7d1c6621e95e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2e930436ac3654bf4e60cb20c7f93614ec6d72201f8d40ac6edd7d1c6621e95e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/events.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 105242, "scanner": "repobility-ast-engine", "fingerprint": "e37143993152b43d72d43c443104049b25ce955fb13947c20384c87b0636405b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e37143993152b43d72d43c443104049b25ce955fb13947c20384c87b0636405b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 105241, "scanner": "repobility-ast-engine", "fingerprint": "52c7fd3f75cc5069e60d20fdb2f2f1e29a314c2e0dc8338e2a6ebbd574bcdbbb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|52c7fd3f75cc5069e60d20fdb2f2f1e29a314c2e0dc8338e2a6ebbd574bcdbbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/github_app/index_handlers.py"}, "region": {"startLine": 333}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 105240, "scanner": "repobility-ast-engine", "fingerprint": "fdbe3e98721c8dcfac0ad84b4782f5d226a9eda9c44b71e17580e8298f87e373", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fdbe3e98721c8dcfac0ad84b4782f5d226a9eda9c44b71e17580e8298f87e373"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/github_app/index_handlers.py"}, "region": {"startLine": 314}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 105239, "scanner": "repobility-ast-engine", "fingerprint": "cf0cf51e15ad0efffa87c1e28644a1800c9a3ebb3e2f8b350a490e7fe81148a5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf0cf51e15ad0efffa87c1e28644a1800c9a3ebb3e2f8b350a490e7fe81148a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/core/passes.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 105238, "scanner": "repobility-ast-engine", "fingerprint": "3c48a46265645893f650f7b3aa56daa1c9c894e96da8e219b812ca810d9b2acd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3c48a46265645893f650f7b3aa56daa1c9c894e96da8e219b812ca810d9b2acd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/core/passes.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "GHSA-hm8q-7f3q-5f36", "level": "note", "message": {"text": "hono: GHSA-hm8q-7f3q-5f36"}, "properties": {"repobilityId": 105343, "scanner": "osv-scanner", "fingerprint": "1d8bcf854400431d8f7b36374e51f8d2d1c89708942dbc3b16c876930b7167ba", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44459"], "package": "hono", "rule_id": "GHSA-hm8q-7f3q-5f36", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44459|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 105332, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `render_speed_bars` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=2, nested_bonus=5, ternary=5."}, "properties": {"repobilityId": 105294, "scanner": "repobility-threat-engine", "fingerprint": "8eb07a66cd43382e4f9843d7532b83a11388bf32f36488ca65398cefae20092f", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "render_speed_bars", "breakdown": {"for": 2, "ternary": 5, "nested_bonus": 5}, "complexity": 12, "correlation_key": "fp|8eb07a66cd43382e4f9843d7532b83a11388bf32f36488ca65398cefae20092f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/render_benchmark_charts.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=3, if=4, nested_bonus=2."}, "properties": {"repobilityId": 105292, "scanner": "repobility-threat-engine", "fingerprint": "ceb4cca0c40ec81d241442e8634cbe32c8252d878f1fb24ee25ee6e7d05a4d30", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 4, "for": 3, "nested_bonus": 2}, "complexity": 9, "correlation_key": "fp|ceb4cca0c40ec81d241442e8634cbe32c8252d878f1fb24ee25ee6e7d05a4d30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/play_learning.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `shadcn` is minor version(s) behind (4.7.0 -> 4.10.0)"}, "properties": {"repobilityId": 105284, "scanner": "repobility-dependency-currency", "fingerprint": "c1d58cd19e793dff7fb93663c961b8cdbb3b97a82cca1932b484cc938b7562e2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "shadcn", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.10.0", "correlation_key": "fp|c1d58cd19e793dff7fb93663c961b8cdbb3b97a82cca1932b484cc938b7562e2", "current_version": "4.7.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@xyflow/react` is minor version(s) behind (12.10.2 -> 12.11.0)"}, "properties": {"repobilityId": 105283, "scanner": "repobility-dependency-currency", "fingerprint": "110833d33fdbd4ac683621f43a1b4f5374f2c6eecd764ab27c621075fbfdd13c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@xyflow/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.11.0", "correlation_key": "fp|110833d33fdbd4ac683621f43a1b4f5374f2c6eecd764ab27c621075fbfdd13c", "current_version": "12.10.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105187, "scanner": "repobility-ai-code-hygiene", "fingerprint": "381b82e235fe3f32333a494d16a348596c6054b0cd5e213f3d5217baf1829e93", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ui/mira/src/pages/settings.tsx", "duplicate_line": 281, "correlation_key": "fp|381b82e235fe3f32333a494d16a348596c6054b0cd5e213f3d5217baf1829e93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/pages/setup.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105186, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6319131ff0a862ad927cddd185dc200daf2ad4a59386cbd5c96cd6995dd45b9a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ui/mira/src/pages/rules.tsx", "duplicate_line": 4, "correlation_key": "fp|6319131ff0a862ad927cddd185dc200daf2ad4a59386cbd5c96cd6995dd45b9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/pages/settings.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105185, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac44c869e2121cdfb713f93a68143cb56234e2dff8cdf95a4c9c65b521ba0ee2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ui/mira/src/components/dashboard/blast-graph.tsx", "duplicate_line": 1, "correlation_key": "fp|ac44c869e2121cdfb713f93a68143cb56234e2dff8cdf95a4c9c65b521ba0ee2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/components/dashboard/relationship-graph.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105184, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25b608f05d13122ea21471cd0a020f50a222b3047ad67b9a29fd241e0a1b5b60", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ui/mira/src/components/dashboard/blast-graph.tsx", "duplicate_line": 1, "correlation_key": "fp|25b608f05d13122ea21471cd0a020f50a222b3047ad67b9a29fd241e0a1b5b60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/components/dashboard/dependencies-graph.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105183, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca80a82371b0cc53ffd796f71a23a414b3da2f4e990cb21264e37c11c47ffcf5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/mira/llm/bedrock.py", "duplicate_line": 214, "correlation_key": "fp|ca80a82371b0cc53ffd796f71a23a414b3da2f4e990cb21264e37c11c47ffcf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/llm/provider.py"}, "region": {"startLine": 416}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105182, "scanner": "repobility-ai-code-hygiene", "fingerprint": "436291bfd8d589772da79531f5d2f068aa1245aa21f62b06bdb56c4571f1fe75", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/mira/config.py", "duplicate_line": 31, "correlation_key": "fp|436291bfd8d589772da79531f5d2f068aa1245aa21f62b06bdb56c4571f1fe75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/index/indexer.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 105329, "scanner": "repobility-threat-engine", "fingerprint": "5b1343788049d859ac182b25f32cb9d42769526dd9071e055dd6d92dabe6bd6b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b1343788049d859ac182b25f32cb9d42769526dd9071e055dd6d92dabe6bd6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/components/ui/chart.tsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 105328, "scanner": "repobility-threat-engine", "fingerprint": "5fe2cf04427df05fc0aef7cf138aa979c1fc3f2cedae48cbd068d6e07c3f09f1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5fe2cf04427df05fc0aef7cf138aa979c1fc3f2cedae48cbd068d6e07c3f09f1", "aggregated_count": 2}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 105327, "scanner": "repobility-threat-engine", "fingerprint": "99cc9c8737bb38bef41b8127f2c05b11ca1fcbcc5d2a182d420e4662c2adebb1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|99cc9c8737bb38bef41b8127f2c05b11ca1fcbcc5d2a182d420e4662c2adebb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/pages/relationships.tsx"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 105326, "scanner": "repobility-threat-engine", "fingerprint": "4ce044dfd1c9e2983098453dd748a2e05614e31a3790e7b45723488322f50e5e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ce044dfd1c9e2983098453dd748a2e05614e31a3790e7b45723488322f50e5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/components/ui/chart.tsx"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 105325, "scanner": "repobility-threat-engine", "fingerprint": "4049bb77310b238e01daab4dadc693d204d8772a0b771caec6c2bcb9655f85b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4049bb77310b238e01daab4dadc693d204d8772a0b771caec6c2bcb9655f85b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/components/dashboard/layout.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 105324, "scanner": "repobility-threat-engine", "fingerprint": "b33c6a66cdffe118da050b1630a74d8ae3fa23f5d3114b25662030d65f4ec28e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b33c6a66cdffe118da050b1630a74d8ae3fa23f5d3114b25662030d65f4ec28e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/components/theme-provider.tsx"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 105323, "scanner": "repobility-threat-engine", "fingerprint": "936d90a8908b01b4c3791ca2ecc47498276115138d52d84ae084c23313f95cc7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|936d90a8908b01b4c3791ca2ecc47498276115138d52d84ae084c23313f95cc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/components/dashboard/layout.tsx"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 105322, "scanner": "repobility-threat-engine", "fingerprint": "c066fdac20648ab02e6c78e05ac6d7be6049c4550b793a58bcd25dd5d0594df0", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c066fdac20648ab02e6c78e05ac6d7be6049c4550b793a58bcd25dd5d0594df0"}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 105308, "scanner": "repobility-threat-engine", "fingerprint": "86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "aggregated_count": 1}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 105307, "scanner": "repobility-threat-engine", "fingerprint": "e2b27f33a39ac93cbfa49e15db0c8c0d8c28a421c345b073180b5212e8879be0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e2b27f33a39ac93cbfa49e15db0c8c0d8c28a421c345b073180b5212e8879be0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/llm/response_parser.py"}, "region": {"startLine": 255}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 105306, "scanner": "repobility-threat-engine", "fingerprint": "76f4877f115fd5004c495a1e5de813e8e2eda8294bec84f92797f4c4276469eb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|76f4877f115fd5004c495a1e5de813e8e2eda8294bec84f92797f4c4276469eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/index/context.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 105305, "scanner": "repobility-threat-engine", "fingerprint": "d2d5b7261a89b92c83f4090b602a20c6f0a3ac2006f3772144e6cbc269c0657d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2d5b7261a89b92c83f4090b602a20c6f0a3ac2006f3772144e6cbc269c0657d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/events.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 105303, "scanner": "repobility-threat-engine", "fingerprint": "59b9bcb059511a065c1ca93309ec90494bcd91d0f2ad3f7a74920f89d56d2c6e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59b9bcb059511a065c1ca93309ec90494bcd91d0f2ad3f7a74920f89d56d2c6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/security/osv.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 105302, "scanner": "repobility-threat-engine", "fingerprint": "c937c3ece46eec9761af181aa8eb4c783da1bf831c8bb09219e644b8b9c10500", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c937c3ece46eec9761af181aa8eb4c783da1bf831c8bb09219e644b8b9c10500"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/llm/agentic_tools.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 105301, "scanner": "repobility-threat-engine", "fingerprint": "4360170eec61bd34a6c3d2207bf48b2509dd3496d803697103dee8de21b6efc0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4360170eec61bd34a6c3d2207bf48b2509dd3496d803697103dee8de21b6efc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/core/priority.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "properties": {"repobilityId": 105295, "scanner": "repobility-threat-engine", "fingerprint": "60aadc37f99344f8f56cc5876ea4a2ccdc8f906a0a147b2409400ab5502ba041", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 4, "for": 3, "nested_bonus": 2}, "aggregated": true, "complexity": 9, "correlation_key": "fp|60aadc37f99344f8f56cc5876ea4a2ccdc8f906a0a147b2409400ab5502ba041", "aggregated_count": 35}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 105291, "scanner": "repobility-threat-engine", "fingerprint": "a6ab929835935615181275d862ba7fb810ba0bb9d5212176e1180769ae9d777c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6ab929835935615181275d862ba7fb810ba0bb9d5212176e1180769ae9d777c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/play_learning.py"}, "region": {"startLine": 231}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 105290, "scanner": "repobility-threat-engine", "fingerprint": "3bc867848aec2a3ad6caa6ebdb49806f74e2340ea2b62a88dc68d2bbb57edcad", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.debug(\"Cached installation token for %d\", installation_id)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/mira/github_app/auth.py|7|logger.debug cached installation token for d installation_id"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/github_app/auth.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 105289, "scanner": "repobility-threat-engine", "fingerprint": "1052f0a7903e71c1eec6b07995ba84e41b8b76c73b57b1ba4806197d58192797", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(\"ERROR: set OPENROUTER_API_KEY, OPENAI_API_KEY, or ANTHROPIC_API_KEY.\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|scripts/play_learning.py|23|print error: set openrouter_api_key openai_api_key or anthropic_api_key."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/play_learning.py"}, "region": {"startLine": 231}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 105394, "scanner": "repobility-journey-contract", "fingerprint": "79e836f550b0f6f1901264fb8fcf22c77de3d06975d280b6d286e0cc9b409109", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|ui/mira/src/pages/users.tsx|86|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/pages/users.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 105393, "scanner": "repobility-journey-contract", "fingerprint": "1386b5b3ca0fd2e598c46d67fc27b383fba56b6ef7af251e26e7149dbfbfd108", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|ui/mira/src/pages/login.tsx|65|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/pages/login.tsx"}, "region": {"startLine": 65}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /api/rules/global/{rule_id}/toggle."}, "properties": {"repobilityId": 105369, "scanner": "repobility-access-control", "fingerprint": "5e2fdec840c3aae5a17c40fbff11d51147d5b2761db3e0b0a3a0bec130c31c7c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/rules/global/{rule_id}/toggle", "method": "PATCH", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1576|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1576}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /api/rules/global/{rule_id}."}, "properties": {"repobilityId": 105368, "scanner": "repobility-access-control", "fingerprint": "7139da6a424987919de2e5f9afaa5668a7bc1bb42face03ff509ebc3b59f2bb5", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/rules/global/{rule_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1570|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1570}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /api/rules/global/{rule_id}."}, "properties": {"repobilityId": 105367, "scanner": "repobility-access-control", "fingerprint": "208b4badb00bbaea07271ee78a97596cbad47c9dcd1ef7a3486288a80d008ed2", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/rules/global/{rule_id}", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1554|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1554}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /api/repos/{owner}/{repo}/rules/{rule_id}."}, "properties": {"repobilityId": 105366, "scanner": "repobility-access-control", "fingerprint": "e28f580c09ee2d0ee7a83dc98aa85078762788138e9e07535748306542db313d", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/repos/{owner}/{repo}/rules/{rule_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1515|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1515}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /api/repos/{owner}/{repo}/rules/{rule_id}."}, "properties": {"repobilityId": 105365, "scanner": "repobility-access-control", "fingerprint": "36af8341ab66434f4d6a67d3e6393ef9fcbc85ca8fd4fedae20a08a288b0a879", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/repos/{owner}/{repo}/rules/{rule_id}", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1498|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1498}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /api/repos/{owner}/{repo}/context/{context_id}."}, "properties": {"repobilityId": 105364, "scanner": "repobility-access-control", "fingerprint": "2a3f11dbd2fab838c68cbfc037fcae9120b972385f30978a8eaf834bcba04b49", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/repos/{owner}/{repo}/context/{context_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1380|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1380}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /api/repos/{owner}/{repo}/context/{context_id}."}, "properties": {"repobilityId": 105363, "scanner": "repobility-access-control", "fingerprint": "1bf2a38965ab288596f2a3e4bfd6444a4dece23cc66119d13b678b6e189eb8c3", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/repos/{owner}/{repo}/context/{context_id}", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|1360|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1360}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/uninstalls/{installation_id}/delete."}, "properties": {"repobilityId": 105362, "scanner": "repobility-access-control", "fingerprint": "f14aa55c50c2538320dbdefb3b80f284fcb7169b307a752bcea863e20fdd5d82", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/uninstalls/{installation_id}/delete", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|562|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 562}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/uninstalls/{installation_id}/keep."}, "properties": {"repobilityId": 105361, "scanner": "repobility-access-control", "fingerprint": "168a28485fea3f83d4841399d47ebbd42ac7661fb21a53036258d14453426173", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/uninstalls/{installation_id}/keep", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/api.py|555|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 555}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /users/{user_id}."}, "properties": {"repobilityId": 105360, "scanner": "repobility-access-control", "fingerprint": "99dade662dfd0f96dff1b908615dc2b5f783e5b71857656d0950af93cbc23342", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/users/{user_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/mira/dashboard/auth.py|125|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "PYSEC-2026-142", "level": "error", "message": {"text": "urllib3: PYSEC-2026-142"}, "properties": {"repobilityId": 105357, "scanner": "osv-scanner", "fingerprint": "66e1b1aa9022c519776ddad0df70ff61566d315478a0e1d4db634530c7bec89d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44432", "GHSA-mf9v-mfxr-j63j"], "package": "urllib3", "rule_id": "PYSEC-2026-142", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44432|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-mf9v-mfxr-j63j", "PYSEC-2026-142"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["66e1b1aa9022c519776ddad0df70ff61566d315478a0e1d4db634530c7bec89d", "a381e5d6707c9f75030a22ee814aac9c80fbfaca862e6fa548c90d2b0d78e00f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-141", "level": "error", "message": {"text": "urllib3: PYSEC-2026-141"}, "properties": {"repobilityId": 105356, "scanner": "osv-scanner", "fingerprint": "202e502152aa0eef57a4c3f3a01e648d30977c8aa06b2acc05a839706b0597b4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44431", "GHSA-qccp-gfcp-xxvc"], "package": "urllib3", "rule_id": "PYSEC-2026-141", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44431|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["202e502152aa0eef57a4c3f3a01e648d30977c8aa06b2acc05a839706b0597b4", "b78af741547635e5ed59316b870c20991733a249d6cd722bd682d0d24fc35efa"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": {"repobilityId": 105355, "scanner": "osv-scanner", "fingerprint": "993c965e051ac08384f28c004ed2828303fa08d6e623c80da1211dbce5cea7ce", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["20d0e73bab623b5772bb5ee81b54e26f25bfd7b3f632ca3aec483536eb176c89", "993c965e051ac08384f28c004ed2828303fa08d6e623c80da1211dbce5cea7ce"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-179", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-179"}, "properties": {"repobilityId": 105354, "scanner": "osv-scanner", "fingerprint": "3a8c92a4bc42452ab63c8b780593c12b550761e77665f811c437dd35791069ae", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48526", "GHSA-xgmm-8j9v-c9wx"], "package": "pyjwt", "rule_id": "PYSEC-2026-179", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48526|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-178", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-178"}, "properties": {"repobilityId": 105353, "scanner": "osv-scanner", "fingerprint": "529afc49608a001ef35ca72e2e5bf2ab615fb9fdf39e2d3fc621ae3c7274698b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48525", "GHSA-w7vc-732c-9m39"], "package": "pyjwt", "rule_id": "PYSEC-2026-178", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48525|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-177", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-177"}, "properties": {"repobilityId": 105352, "scanner": "osv-scanner", "fingerprint": "e4a57bf8d7416024fd079256b08e268bcee4f11f05b7eaee044fc1d8b95a1189", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48524", "GHSA-fhv5-28vv-h8m8"], "package": "pyjwt", "rule_id": "PYSEC-2026-177", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48524|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-175", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-175"}, "properties": {"repobilityId": 105351, "scanner": "osv-scanner", "fingerprint": "5008712fe3bda523fafb9d2d087e037a86c42cd2bee1401e12b9c2d636db62f1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48522", "GHSA-993g-76c3-p5m4"], "package": "pyjwt", "rule_id": "PYSEC-2026-175", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48522|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 105336, "scanner": "osv-scanner", "fingerprint": "f5d41a3069714b13d091420a702bc671eb17ce348b5b729105b16618ca2d8e00", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 105335, "scanner": "osv-scanner", "fingerprint": "add9c9de644a8109fab684800cc843f617942ee724526a20c0f9efc1cdc0725e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|ui/mira/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 105321, "scanner": "repobility-threat-engine", "fingerprint": "420d9f8343dbd5355bbc1b2a40f44c21b583c67555c7593202de6f1dacd1a054", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((h) => `${h.owner}/${h.repo}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|420d9f8343dbd5355bbc1b2a40f44c21b583c67555c7593202de6f1dacd1a054"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/pages/packages.tsx"}, "region": {"startLine": 186}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 105320, "scanner": "repobility-threat-engine", "fingerprint": "75153cdeeca63c8ec2e02ac127562f4d96bd16b802f39d5f187e3706b426d8e0", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n            ([theme, prefix]) => `\n${prefix} [data-chart=${id}] {\n${colorConfig\n  .map(([key, i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|75153cdeeca63c8ec2e02ac127562f4d96bd16b802f39d5f187e3706b426d8e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/components/ui/chart.tsx"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 105319, "scanner": "repobility-threat-engine", "fingerprint": "a0827ad025ccb1f124b3e65b8b8231c06966f163e9411ed52a6306242922cebf", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((v) => `${v.cve_id}: ${v.summary}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a0827ad025ccb1f124b3e65b8b8231c06966f163e9411ed52a6306242922cebf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/mira/src/components/dashboard/dependencies-table.tsx"}, "region": {"startLine": 244}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 105315, "scanner": "repobility-threat-engine", "fingerprint": "3b58ac057e5cf40b8ecb0dbe5e848312d00f331a5d50b6927c41472e6f9c7e06", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"(\\d+(?:\\.\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|src/mira/security/osv.py|113|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/security/osv.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 105313, "scanner": "repobility-threat-engine", "fingerprint": "f2528c38c63dc8ac9f1166f643041802b10ebb5904d1b8616bf375f32214d32a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2528c38c63dc8ac9f1166f643041802b10ebb5904d1b8616bf375f32214d32a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/security/osv.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 105312, "scanner": "repobility-threat-engine", "fingerprint": "8704ac530d22d2216dd07c1b67cd7668a461280d570c35c38313f73b8bab6105", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8704ac530d22d2216dd07c1b67cd7668a461280d570c35c38313f73b8bab6105"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/llm/response_parser.py"}, "region": {"startLine": 254}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 105311, "scanner": "repobility-threat-engine", "fingerprint": "c0b391cfc0fba71fe49987d0267f7453a3697a447756ae71ec5876f39637759f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c0b391cfc0fba71fe49987d0267f7453a3697a447756ae71ec5876f39637759f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/index/context.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 105310, "scanner": "repobility-threat-engine", "fingerprint": "521a393d2f6c3e9b7a371ba460643c34966cee2adcd8a489a3d6126f0761aff2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "all_results.update(results)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|521a393d2f6c3e9b7a371ba460643c34966cee2adcd8a489a3d6126f0761aff2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/security/poller.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 105309, "scanner": "repobility-threat-engine", "fingerprint": "22a66f4c70dae44f0152acd8f6a7ee04644e0759f2a8dbc39a06d180aa2dc8d0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "import_paths.update(changed_fs.imports)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|22a66f4c70dae44f0152acd8f6a7ee04644e0759f2a8dbc39a06d180aa2dc8d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/index/context.py"}, "region": {"startLine": 219}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 105299, "scanner": "repobility-threat-engine", "fingerprint": "e27c2a50ea97e6feb9c8b5fc198d6adee64588e5811122d7ac1e16fd3ffd395d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e27c2a50ea97e6feb9c8b5fc198d6adee64588e5811122d7ac1e16fd3ffd395d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/security/osv.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 105298, "scanner": "repobility-threat-engine", "fingerprint": "59fb0cd86d1a1a388f4b36d2f34aa52cc673f259b1a0a988f76bc89a5eb2e504", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (g", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|59fb0cd86d1a1a388f4b36d2f34aa52cc673f259b1a0a988f76bc89a5eb2e504"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/cli.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 105282, "scanner": "repobility-supply-chain", "fingerprint": "185c7f7f4103d437748dc7596cef49c99dc9837a8057e529804f2986f49f5641", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|185c7f7f4103d437748dc7596cef49c99dc9837a8057e529804f2986f49f5641"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 105281, "scanner": "repobility-supply-chain", "fingerprint": "dc257e1c42a78d7a22957be95f7868992f2fdb819e8f1684d59505d346a0f3bd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc257e1c42a78d7a22957be95f7868992f2fdb819e8f1684d59505d346a0f3bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 105280, "scanner": "repobility-supply-chain", "fingerprint": "b4c4bb287d372c7decf65a44fc7fd60083288ac26855b8842e5f25f99fb49e7c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4c4bb287d372c7decf65a44fc7fd60083288ac26855b8842e5f25f99fb49e7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 105279, "scanner": "repobility-supply-chain", "fingerprint": "05834107a5d8fdf6bfe9d77c70f718f20d6062c4afae288805463861efe50053", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05834107a5d8fdf6bfe9d77c70f718f20d6062c4afae288805463861efe50053"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 105278, "scanner": "repobility-supply-chain", "fingerprint": "536c35be8639f670dd616df6aa0ab171fcd70716fd585199648409a93b580919", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|536c35be8639f670dd616df6aa0ab171fcd70716fd585199648409a93b580919"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 105277, "scanner": "repobility-supply-chain", "fingerprint": "3c397ba2befb1ebce30b3d91a72a6fcc39c72e63c46a5920370e4283dd25e684", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c397ba2befb1ebce30b3d91a72a6fcc39c72e63c46a5920370e4283dd25e684"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-publish.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 105276, "scanner": "repobility-supply-chain", "fingerprint": "2876ef327c7fa1e83234bf71a6caf38f730ef1586e9a55760391af780b7c5471", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2876ef327c7fa1e83234bf71a6caf38f730ef1586e9a55760391af780b7c5471"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 105275, "scanner": "repobility-supply-chain", "fingerprint": "ad1245710bc8e0337584495d0c013415bd890a7a667981d2f373c2e51b34aaae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad1245710bc8e0337584495d0c013415bd890a7a667981d2f373c2e51b34aaae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/mirrors-mypy` pinned to mutable rev `v1.13.0`"}, "properties": {"repobilityId": 105274, "scanner": "repobility-supply-chain", "fingerprint": "7d8b539afe343515af32168a5e943cc426835bc874e264229402a12c3e9d4ae2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d8b539afe343515af32168a5e943cc426835bc874e264229402a12c3e9d4ae2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.6.0`"}, "properties": {"repobilityId": 105273, "scanner": "repobility-supply-chain", "fingerprint": "9cbf0345f1a3e95767232d14d3784dbdca3374a550835e62be5090f90238fc9e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9cbf0345f1a3e95767232d14d3784dbdca3374a550835e62be5090f90238fc9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.12-slim` not pinned by digest"}, "properties": {"repobilityId": 105272, "scanner": "repobility-supply-chain", "fingerprint": "9f08284cd970ad32f819a60f140fe053e80ad89c0b060213047d44532ca386f8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f08284cd970ad32f819a60f140fe053e80ad89c0b060213047d44532ca386f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:20-slim` not pinned by digest"}, "properties": {"repobilityId": 105271, "scanner": "repobility-supply-chain", "fingerprint": "fc8e95ac0c5003fa2fc5c0a102778d04a008c8786180acce584b7c6625d5e748", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc8e95ac0c5003fa2fc5c0a102778d04a008c8786180acce584b7c6625d5e748"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/repos/{owner}/{repo}/index has no auth"}, "properties": {"repobilityId": 105270, "scanner": "repobility-route-auth", "fingerprint": "d585fa5df9f5a785a433f961980e710247da0eb86bbea1d68289208c3f68aad6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|d585fa5df9f5a785a433f961980e710247da0eb86bbea1d68289208c3f68aad6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1836}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /api/relationships/custom/{edge_id} has no auth"}, "properties": {"repobilityId": 105269, "scanner": "repobility-route-auth", "fingerprint": "1729fbe3d796c57cb25affd5f62fdea27bdd31deda66c9e582a5b9d7da2de01e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|1729fbe3d796c57cb25affd5f62fdea27bdd31deda66c9e582a5b9d7da2de01e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1661}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/relationships/custom has no auth"}, "properties": {"repobilityId": 105268, "scanner": "repobility-route-auth", "fingerprint": "7f6a8529336145b0ea3e7a1d6810527e89ebe359ad5653e67322309418873058", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|7f6a8529336145b0ea3e7a1d6810527e89ebe359ad5653e67322309418873058"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1648}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /api/relationships/overrides has no auth"}, "properties": {"repobilityId": 105267, "scanner": "repobility-route-auth", "fingerprint": "5b366d2be14ac87e217a0df0cf8bf85a9f8759df90b33303ee3baa3e2b56a6ab", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|5b366d2be14ac87e217a0df0cf8bf85a9f8759df90b33303ee3baa3e2b56a6ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1623}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/relationships/overrides has no auth"}, "properties": {"repobilityId": 105266, "scanner": "repobility-route-auth", "fingerprint": "d2c060bd96331359795e7b15eedade00fba533ea7d2767686870f8617f68cd75", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|d2c060bd96331359795e7b15eedade00fba533ea7d2767686870f8617f68cd75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1609}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PATCH /api/rules/global/{rule_id}/toggle has no auth"}, "properties": {"repobilityId": 105265, "scanner": "repobility-route-auth", "fingerprint": "11b5dce0ef0f51b14a18a69439985c3516c1a9fc201a146e015bd3c314f3d8fd", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|11b5dce0ef0f51b14a18a69439985c3516c1a9fc201a146e015bd3c314f3d8fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1577}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /api/rules/global/{rule_id} has no auth"}, "properties": {"repobilityId": 105264, "scanner": "repobility-route-auth", "fingerprint": "ca50856711587a65237f3629c4bacfb3196095a50b5dd2ea4d9f681e8aeabe87", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ca50856711587a65237f3629c4bacfb3196095a50b5dd2ea4d9f681e8aeabe87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1571}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PUT /api/rules/global/{rule_id} has no auth"}, "properties": {"repobilityId": 105263, "scanner": "repobility-route-auth", "fingerprint": "e74cbbc1958d47495a999487480226f6ace73571d7e6ad526c4ef39ccbaebdfb", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|e74cbbc1958d47495a999487480226f6ace73571d7e6ad526c4ef39ccbaebdfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1555}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/rules/global has no auth"}, "properties": {"repobilityId": 105262, "scanner": "repobility-route-auth", "fingerprint": "644b16264c788bd5eb92161e589eca7fb7d1a80324651aa16b47d2b46a146e75", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|644b16264c788bd5eb92161e589eca7fb7d1a80324651aa16b47d2b46a146e75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1542}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /api/repos/{owner}/{repo}/rules/{rule_id} has no auth"}, "properties": {"repobilityId": 105261, "scanner": "repobility-route-auth", "fingerprint": "85f56d11079f87e134b4e05546849dceabf72dcccbbf063241e9d09191ba0c06", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|85f56d11079f87e134b4e05546849dceabf72dcccbbf063241e9d09191ba0c06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1516}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PUT /api/repos/{owner}/{repo}/rules/{rule_id} has no auth"}, "properties": {"repobilityId": 105260, "scanner": "repobility-route-auth", "fingerprint": "a74064a668a18ef642f8798cebec1672ac170a6145049c017a0192ec6850509c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|a74064a668a18ef642f8798cebec1672ac170a6145049c017a0192ec6850509c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1499}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/repos/{owner}/{repo}/rules has no auth"}, "properties": {"repobilityId": 105259, "scanner": "repobility-route-auth", "fingerprint": "a63dc7b791eda0b246561c361ce3f8f226483c5c093a167b3983a812bd531719", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|a63dc7b791eda0b246561c361ce3f8f226483c5c093a167b3983a812bd531719"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1485}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /api/repos/{owner}/{repo}/context/{context_id} has no auth"}, "properties": {"repobilityId": 105258, "scanner": "repobility-route-auth", "fingerprint": "806dd0d2abb871fe952421eb3e1eb66162d224514474de8156bfcab0ec497290", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|806dd0d2abb871fe952421eb3e1eb66162d224514474de8156bfcab0ec497290"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1381}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PUT /api/repos/{owner}/{repo}/context/{context_id} has no auth"}, "properties": {"repobilityId": 105257, "scanner": "repobility-route-auth", "fingerprint": "f157edc785ca7d09d7ec59180a0d5645b810abd8c89b01662f1866a4ce28471d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|f157edc785ca7d09d7ec59180a0d5645b810abd8c89b01662f1866a4ce28471d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1361}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/repos/{owner}/{repo}/context has no auth"}, "properties": {"repobilityId": 105256, "scanner": "repobility-route-auth", "fingerprint": "88953246b1d9e3a90b685db0f1710db348793b5e7fc9f3ad0319e2d07b5eef39", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|88953246b1d9e3a90b685db0f1710db348793b5e7fc9f3ad0319e2d07b5eef39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 1348}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/setup/complete has no auth"}, "properties": {"repobilityId": 105255, "scanner": "repobility-route-auth", "fingerprint": "a19ac90d7a771c7778103a37d1762041003e5aca6b75651b00c6deb1af63da9a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|a19ac90d7a771c7778103a37d1762041003e5aca6b75651b00c6deb1af63da9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 680}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/repos/sync has no auth"}, "properties": {"repobilityId": 105254, "scanner": "repobility-route-auth", "fingerprint": "5023116a588c099f19706de25bfd6cef7eafa610071662ee39c631649837b20d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|5023116a588c099f19706de25bfd6cef7eafa610071662ee39c631649837b20d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 571}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/uninstalls/{installation_id}/delete has no auth"}, "properties": {"repobilityId": 105253, "scanner": "repobility-route-auth", "fingerprint": "8285a63ba8597632cd6de862bea4ce6f3e159eeceb8e96c7cfbc5e3419ea3466", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|8285a63ba8597632cd6de862bea4ce6f3e159eeceb8e96c7cfbc5e3419ea3466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 563}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/uninstalls/{installation_id}/keep has no auth"}, "properties": {"repobilityId": 105252, "scanner": "repobility-route-auth", "fingerprint": "1f55ecd2804922582731fee3275126f6af3d96566ca76d096317d013451c7ef3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|1f55ecd2804922582731fee3275126f6af3d96566ca76d096317d013451c7ef3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 556}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PUT /api/settings/models has no auth"}, "properties": {"repobilityId": 105251, "scanner": "repobility-route-auth", "fingerprint": "912ef6a33505b6f36db6d2c0f13dcd327cca73e4283f636574a5a901a019c8a3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|912ef6a33505b6f36db6d2c0f13dcd327cca73e4283f636574a5a901a019c8a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 487}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /users/{user_id} has no auth"}, "properties": {"repobilityId": 105249, "scanner": "repobility-route-auth", "fingerprint": "00699430a11e4b93d9086d57407f230a24707f05aebb865919a76f1c44434fd8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|00699430a11e4b93d9086d57407f230a24707f05aebb865919a76f1c44434fd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /users has no auth"}, "properties": {"repobilityId": 105248, "scanner": "repobility-route-auth", "fingerprint": "12fd07a7d4cb3bc665e25907f92ff4977e21579efec1aba2e669e183c30cf12a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|12fd07a7d4cb3bc665e25907f92ff4977e21579efec1aba2e669e183c30cf12a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PUT /theme has no auth"}, "properties": {"repobilityId": 105247, "scanner": "repobility-route-auth", "fingerprint": "491cdb3ff63deca8e8bef7d26ff669a70f78f287dd2de74e1429d126d1db8fe5", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|491cdb3ff63deca8e8bef7d26ff669a70f78f287dd2de74e1429d126d1db8fe5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /logout has no auth"}, "properties": {"repobilityId": 105246, "scanner": "repobility-route-auth", "fingerprint": "7106f5a890e0655576a265e87877a4542b941cc8a561ab96b44ff1863d73d46a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|7106f5a890e0655576a265e87877a4542b941cc8a561ab96b44ff1863d73d46a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/auth.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /github/webhook has no auth"}, "properties": {"repobilityId": 105245, "scanner": "repobility-route-auth", "fingerprint": "5eb79108d2bad775e1667ae0d8fa55333e1e3776d31485fe2306f98063624cc6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|5eb79108d2bad775e1667ae0d8fa55333e1e3776d31485fe2306f98063624cc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/github_app/webhooks.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_invalid_bot_name_rejected"}, "properties": {"repobilityId": 105237, "scanner": "repobility-ast-engine", "fingerprint": "6272c57f66e0c297074ba9077da2cf07aa11c8f49d0950a4a1136b0131f1fe93", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6272c57f66e0c297074ba9077da2cf07aa11c8f49d0950a4a1136b0131f1fe93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_webhooks.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_handle_thread_reject_thread_not_found"}, "properties": {"repobilityId": 105236, "scanner": "repobility-ast-engine", "fingerprint": "c4f043dbbd8b5076ad94821fc176f8bc13fb47b7bf2a6acc9ba8742ce8a8cf9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c4f043dbbd8b5076ad94821fc176f8bc13fb47b7bf2a6acc9ba8742ce8a8cf9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_handlers.py"}, "region": {"startLine": 288}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_handle_thread_reject_exits_early_for_non_reject_command"}, "properties": {"repobilityId": 105235, "scanner": "repobility-ast-engine", "fingerprint": "5bc97f8e5d9230fefda06763e3d6c95d9ac3a9033cea50a970af90bbf08b71ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5bc97f8e5d9230fefda06763e3d6c95d9ac3a9033cea50a970af90bbf08b71ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_handlers.py"}, "region": {"startLine": 273}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_handle_comment_review_keyword"}, "properties": {"repobilityId": 105234, "scanner": "repobility-ast-engine", "fingerprint": "f926111aab4b0dd3969ac6ee1bcb7baeb2626c0358539710f3b4a31369641ce9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f926111aab4b0dd3969ac6ee1bcb7baeb2626c0358539710f3b4a31369641ce9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_handlers.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_handle_pr_event"}, "properties": {"repobilityId": 105233, "scanner": "repobility-ast-engine", "fingerprint": "db153ab155965ef085454943e5c1d149fdd4ce95bdb664193b8408995e84f310", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|db153ab155965ef085454943e5c1d149fdd4ce95bdb664193b8408995e84f310"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_handlers.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_non_object_json"}, "properties": {"repobilityId": 105232, "scanner": "repobility-ast-engine", "fingerprint": "7eb4970cd46686b5bd6fa58d248da5f52d9e87f6ba9c064fbd0886824240b8e9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7eb4970cd46686b5bd6fa58d248da5f52d9e87f6ba9c064fbd0886824240b8e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_response_parser.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_invalid_json"}, "properties": {"repobilityId": 105231, "scanner": "repobility-ast-engine", "fingerprint": "163a6b7cb0a67a67513fb190ff1f354f928ce81fa2456392e6082ec7074b9c92", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|163a6b7cb0a67a67513fb190ff1f354f928ce81fa2456392e6082ec7074b9c92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_response_parser.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_resource_not_found_error"}, "properties": {"repobilityId": 105230, "scanner": "repobility-ast-engine", "fingerprint": "a86ba8f7ebde7bdce22af5aee2bb6f5aefe6f60e8952fbf51c15ddca27302a5e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a86ba8f7ebde7bdce22af5aee2bb6f5aefe6f60e8952fbf51c15ddca27302a5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_bedrock_provider.py"}, "region": {"startLine": 222}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_access_denied_error"}, "properties": {"repobilityId": 105229, "scanner": "repobility-ast-engine", "fingerprint": "c9bf3bf73c2f1b7b407c230df8ed5295e28fdb5919a1b9b1c67b005a245ec9d3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c9bf3bf73c2f1b7b407c230df8ed5295e28fdb5919a1b9b1c67b005a245ec9d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_bedrock_provider.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_no_fallback_raises"}, "properties": {"repobilityId": 105228, "scanner": "repobility-ast-engine", "fingerprint": "fd0878367d849fafe12edf26b5e52fa8145356f466bfb494f96dfc3d383877f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fd0878367d849fafe12edf26b5e52fa8145356f466bfb494f96dfc3d383877f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_bedrock_provider.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_missing_boto3_raises"}, "properties": {"repobilityId": 105227, "scanner": "repobility-ast-engine", "fingerprint": "0c69b381d94b6cf2ec6a869037e11583120fb1a967170ef45e6215d9f9417d2a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c69b381d94b6cf2ec6a869037e11583120fb1a967170ef45e6215d9f9417d2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_bedrock_provider.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_creates_client_with_profile"}, "properties": {"repobilityId": 105226, "scanner": "repobility-ast-engine", "fingerprint": "9002bcd322a08fc3553d8415bca21a825ed70467eb7990a22c34ba4949a939ef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9002bcd322a08fc3553d8415bca21a825ed70467eb7990a22c34ba4949a939ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_bedrock_provider.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_creates_client_with_region"}, "properties": {"repobilityId": 105225, "scanner": "repobility-ast-engine", "fingerprint": "5caf2c2d4fba4cc98a00f700d844a287ae4ec144d4d587990dff0e1b6b7fc133", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5caf2c2d4fba4cc98a00f700d844a287ae4ec144d4d587990dff0e1b6b7fc133"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_bedrock_provider.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105224, "scanner": "repobility-ast-engine", "fingerprint": "1fd95015b3963f88c9c61717389c38769e7feab786cc635845612a6d135dbad0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1fd95015b3963f88c9c61717389c38769e7feab786cc635845612a6d135dbad0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 479}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105223, "scanner": "repobility-ast-engine", "fingerprint": "33ea8eb0583c06ce52508b59e865e05c57fb9d20e98a3d2e69e5b1b90d2cf243", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|33ea8eb0583c06ce52508b59e865e05c57fb9d20e98a3d2e69e5b1b90d2cf243"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 473}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105222, "scanner": "repobility-ast-engine", "fingerprint": "204e5fa41cf120ca39dabdfd57ac079adcac62ea33ce8f81fbdf22b6f728b4a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|204e5fa41cf120ca39dabdfd57ac079adcac62ea33ce8f81fbdf22b6f728b4a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 465}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105221, "scanner": "repobility-ast-engine", "fingerprint": "026287a7fc243308fb1b38b61606df9587ff4373ed75785b7138ccc41ed1e697", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|026287a7fc243308fb1b38b61606df9587ff4373ed75785b7138ccc41ed1e697"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 440}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105220, "scanner": "repobility-ast-engine", "fingerprint": "a46c055e48169c573f6338d83dc5993aeeced89ee5379b18cfee4038db21770b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a46c055e48169c573f6338d83dc5993aeeced89ee5379b18cfee4038db21770b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 435}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105219, "scanner": "repobility-ast-engine", "fingerprint": "7b9d5993165838f1ea61bef8ad3e1b191f69a79947356f810ccec8c6cd3df242", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7b9d5993165838f1ea61bef8ad3e1b191f69a79947356f810ccec8c6cd3df242"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 431}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105218, "scanner": "repobility-ast-engine", "fingerprint": "0caa67af6ca1824b85773713a5f0c8984bdaf6bf27b6d1976d7910608ead4453", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0caa67af6ca1824b85773713a5f0c8984bdaf6bf27b6d1976d7910608ead4453"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 425}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105217, "scanner": "repobility-ast-engine", "fingerprint": "870d66124d6fdb569d34fa907db8796fe448f57bb8f1d643b1a3c9999ff184a0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|870d66124d6fdb569d34fa907db8796fe448f57bb8f1d643b1a3c9999ff184a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 418}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_remove_label_silently_handles_404"}, "properties": {"repobilityId": 105216, "scanner": "repobility-ast-engine", "fingerprint": "4432cdea9ae028859ba0786dd00e3769805e0824384bf78e860b6bfdf4e1f4e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4432cdea9ae028859ba0786dd00e3769805e0824384bf78e860b6bfdf4e1f4e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 1281}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_remove_label_calls_issue_remove_from_labels"}, "properties": {"repobilityId": 105215, "scanner": "repobility-ast-engine", "fingerprint": "d404bdc000eb91736a00acbafafee55a564d03cb1cedcb8ed031ae17abfd3d0c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d404bdc000eb91736a00acbafafee55a564d03cb1cedcb8ed031ae17abfd3d0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 1261}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_add_label_calls_issue_add_to_labels"}, "properties": {"repobilityId": 105214, "scanner": "repobility-ast-engine", "fingerprint": "a5b0a516c1276cfa908d1319a011d83c8d1775ca886c31b13791db4c0ad1685c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a5b0a516c1276cfa908d1319a011d83c8d1775ca886c31b13791db4c0ad1685c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 1239}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_graphql_error_raises_provider_error"}, "properties": {"repobilityId": 105213, "scanner": "repobility-ast-engine", "fingerprint": "047c2d9e7e1c9b5d4b023119e9af19604d022a4cf66db6bac7b58bb5dc629fdf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|047c2d9e7e1c9b5d4b023119e9af19604d022a4cf66db6bac7b58bb5dc629fdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 859}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_update_comment_calls_edit"}, "properties": {"repobilityId": 105212, "scanner": "repobility-ast-engine", "fingerprint": "bb5c2bb859be7f87f40a7a629dcc0a0ecdf58dad487620dd14ff87dc2dccd2b3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bb5c2bb859be7f87f40a7a629dcc0a0ecdf58dad487620dd14ff87dc2dccd2b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 638}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_post_comment_calls_create_comment"}, "properties": {"repobilityId": 105211, "scanner": "repobility-ast-engine", "fingerprint": "b4eee036c6b47a8e902501672627cfabe5d7c95a315ba373c79c69e34805f579", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b4eee036c6b47a8e902501672627cfabe5d7c95a315ba373c79c69e34805f579"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 517}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_post_review_no_commits_not_retried"}, "properties": {"repobilityId": 105210, "scanner": "repobility-ast-engine", "fingerprint": "6e7b1ac1a343094c882ad9558882d0794a2e42998c81ef2ae5d62552800de993", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6e7b1ac1a343094c882ad9558882d0794a2e42998c81ef2ae5d62552800de993"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_requires_token"}, "properties": {"repobilityId": 105209, "scanner": "repobility-ast-engine", "fingerprint": "764ff0caf278d194715c246755ff205505fb2e8099095dd524d7596aae544af7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|764ff0caf278d194715c246755ff205505fb2e8099095dd524d7596aae544af7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_empty_string"}, "properties": {"repobilityId": 105208, "scanner": "repobility-ast-engine", "fingerprint": "9312b845e09bb71e001e2cbb7cd9219e04af5ccf04bf360402c3cf0396304cf2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9312b845e09bb71e001e2cbb7cd9219e04af5ccf04bf360402c3cf0396304cf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_invalid_url"}, "properties": {"repobilityId": 105207, "scanner": "repobility-ast-engine", "fingerprint": "374506e361abc82058aa126d9439aee613be6c83ea115851d450bd0b01c3040c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|374506e361abc82058aa126d9439aee613be6c83ea115851d450bd0b01c3040c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_github_provider.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_review_response` used but never assigned in __init__"}, "properties": {"repobilityId": 105206, "scanner": "repobility-ast-engine", "fingerprint": "d2f0de35e81d04ac82b0eb1d2e8057c4dd2bfbd4e45fb9c3b644ba811c7a3546", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d2f0de35e81d04ac82b0eb1d2e8057c4dd2bfbd4e45fb9c3b644ba811c7a3546"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_integration.py"}, "region": {"startLine": 629}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_walkthrough_response` used but never assigned in __init__"}, "properties": {"repobilityId": 105205, "scanner": "repobility-ast-engine", "fingerprint": "7a16d38b9e3c567b12c90834c557bb9d9f1b57be74597f33e1696a4f9fcdafb3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a16d38b9e3c567b12c90834c557bb9d9f1b57be74597f33e1696a4f9fcdafb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_integration.py"}, "region": {"startLine": 613}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_review_response` used but never assigned in __init__"}, "properties": {"repobilityId": 105204, "scanner": "repobility-ast-engine", "fingerprint": "cb5a7bb564210573a2c2ba78ae8145410bf9a2821d6035a0760cea083fda326c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cb5a7bb564210573a2c2ba78ae8145410bf9a2821d6035a0760cea083fda326c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_integration.py"}, "region": {"startLine": 612}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_review_response` used but never assigned in __init__"}, "properties": {"repobilityId": 105203, "scanner": "repobility-ast-engine", "fingerprint": "22fc6a814fb75efc0e3685d4000573bde3ad2107280138b3fff3abb5a8a5d126", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22fc6a814fb75efc0e3685d4000573bde3ad2107280138b3fff3abb5a8a5d126"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_integration.py"}, "region": {"startLine": 597}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_review_response` used but never assigned in __init__"}, "properties": {"repobilityId": 105202, "scanner": "repobility-ast-engine", "fingerprint": "78e96b7a42175936a141f0b554b55790bb527f817d63530235e7b7ef052a6240", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|78e96b7a42175936a141f0b554b55790bb527f817d63530235e7b7ef052a6240"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_integration.py"}, "region": {"startLine": 562}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_walkthrough_response` used but never assigned in __init__"}, "properties": {"repobilityId": 105201, "scanner": "repobility-ast-engine", "fingerprint": "2ad8c758ee382597c33fd49e6de9e7c177bba8ca1171fd61cb644ca15e390081", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2ad8c758ee382597c33fd49e6de9e7c177bba8ca1171fd61cb644ca15e390081"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_integration.py"}, "region": {"startLine": 561}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_review_response` used but never assigned in __init__"}, "properties": {"repobilityId": 105200, "scanner": "repobility-ast-engine", "fingerprint": "11e1758623a8db84afb157a16f3a192227defde8c1525510598a297c4d3f6c67", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|11e1758623a8db84afb157a16f3a192227defde8c1525510598a297c4d3f6c67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_integration.py"}, "region": {"startLine": 560}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105199, "scanner": "repobility-ast-engine", "fingerprint": "1f10369f78778da7f68d83748e1f29421f6229f7ae134dc27ffa21e809e21565", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1f10369f78778da7f68d83748e1f29421f6229f7ae134dc27ffa21e809e21565"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_walkthrough.py"}, "region": {"startLine": 372}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105198, "scanner": "repobility-ast-engine", "fingerprint": "37ad624023d3c76ea30b93f0c4b6ccec94e287ee0463acbd8d09b04ba5b05b26", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|37ad624023d3c76ea30b93f0c4b6ccec94e287ee0463acbd8d09b04ba5b05b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_walkthrough.py"}, "region": {"startLine": 363}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105197, "scanner": "repobility-ast-engine", "fingerprint": "d1de1069f608f672a2588cf2205d64be486762e0fe7c8969ffa7e2b407cb6fae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d1de1069f608f672a2588cf2205d64be486762e0fe7c8969ffa7e2b407cb6fae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_walkthrough.py"}, "region": {"startLine": 362}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105196, "scanner": "repobility-ast-engine", "fingerprint": "fcd77b3aaa3e1b3c6b26326ac53443ae8089412c0c8d09f7be71661f725423c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fcd77b3aaa3e1b3c6b26326ac53443ae8089412c0c8d09f7be71661f725423c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_walkthrough.py"}, "region": {"startLine": 361}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_comment` used but never assigned in __init__"}, "properties": {"repobilityId": 105195, "scanner": "repobility-ast-engine", "fingerprint": "d383bd539e5039ae6305acd499743af0c2640bb7ec83169135b7d97239004fe3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d383bd539e5039ae6305acd499743af0c2640bb7ec83169135b7d97239004fe3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_walkthrough.py"}, "region": {"startLine": 360}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_files` used but never assigned in __init__"}, "properties": {"repobilityId": 105194, "scanner": "repobility-ast-engine", "fingerprint": "e1efcc3f9b98940ce6f801efd6c7087c399f508ec44cc8b1c76e1b2a8ec577db", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e1efcc3f9b98940ce6f801efd6c7087c399f508ec44cc8b1c76e1b2a8ec577db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_walkthrough.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_files` used but never assigned in __init__"}, "properties": {"repobilityId": 105193, "scanner": "repobility-ast-engine", "fingerprint": "cb6d737b798aa3b0b4c84e1c326e2116a43706b9fa8e5b3948770c90bfe5325c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cb6d737b798aa3b0b4c84e1c326e2116a43706b9fa8e5b3948770c90bfe5325c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_walkthrough.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_files` used but never assigned in __init__"}, "properties": {"repobilityId": 105192, "scanner": "repobility-ast-engine", "fingerprint": "75e68095ef91f3bf00d3a48b66d79e600f761ebbb19d7c59632fec00bf1247d0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75e68095ef91f3bf00d3a48b66d79e600f761ebbb19d7c59632fec00bf1247d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_walkthrough.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_files` used but never assigned in __init__"}, "properties": {"repobilityId": 105191, "scanner": "repobility-ast-engine", "fingerprint": "cae9e5ae4f6ea87aabc3d5c71b3cb28d4b2c63a4eff1a782162ebc64ba5c559c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cae9e5ae4f6ea87aabc3d5c71b3cb28d4b2c63a4eff1a782162ebc64ba5c559c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_walkthrough.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_files` used but never assigned in __init__"}, "properties": {"repobilityId": 105190, "scanner": "repobility-ast-engine", "fingerprint": "0c55af1de7ec892d8e13785417c3710608ee95ab465ec507181b5da963dd122e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c55af1de7ec892d8e13785417c3710608ee95ab465ec507181b5da963dd122e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_walkthrough.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_non_object_raises"}, "properties": {"repobilityId": 105189, "scanner": "repobility-ast-engine", "fingerprint": "a1ce13eed2730ba06df737b23001ec3ee1a0d909209a7b31eb60edb884f21fab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a1ce13eed2730ba06df737b23001ec3ee1a0d909209a7b31eb60edb884f21fab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_walkthrough.py"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_invalid_json_raises"}, "properties": {"repobilityId": 105188, "scanner": "repobility-ast-engine", "fingerprint": "89d47bed154b089599673053c73ef6b5b7cc7f329e2c6fdde0cd989356ea55f2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89d47bed154b089599673053c73ef6b5b7cc7f329e2c6fdde0cd989356ea55f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_walkthrough.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 105333, "scanner": "gitleaks", "fingerprint": "d9a801ebbd1cf1d21b66856a6cc7f032901553522a8c9c980cb3e57b570d55bf", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "API_KEY\", \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|tests/fixtures/sample.diff|2|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/sample.diff"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 105300, "scanner": "repobility-threat-engine", "fingerprint": "3632f4c35efc43b9a6c93b6a2869537bd77123aad21ae0c26d8ace1a21f229df", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://user:pass@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|src/mira/config.py|14|postgresql://user:pass"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/config.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 105296, "scanner": "repobility-threat-engine", "fingerprint": "108a2914f5bf0ea17b10925946f7734d675b09fc52d1d3ca7877ece7c15a9988", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.3 bits) \u2014 likely real secret", "evidence": {"match": "PASSWORD=\"<redacted>}\"", "reason": "High entropy value (4.3 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|scripts/start_local.sh|3|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/start_local.sh"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: PUT /api/admin/settings"}, "properties": {"repobilityId": 105250, "scanner": "repobility-route-auth", "fingerprint": "5bdd2dfd5a9446bab17e531b6597b7f019d5b3298a4346a91bcd5c022e379efc", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|5bdd2dfd5a9446bab17e531b6597b7f019d5b3298a4346a91bcd5c022e379efc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mira/dashboard/api.py"}, "region": {"startLine": 441}}}]}]}]}