{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. 
Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `ensure_jdk` has cognitive complexity 8 (SonarSource scale). Cognitive com", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `ensure_jdk` has cognitive complexity 8 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED022] C Strcpy (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-120 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 24 more): Same pattern found in 24 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED080", "name": "[MINED080] Cpp Using Namespace Std (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED080] Cpp Using Namespace Std (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also block loopback (127/8) and the IPv6 loopback, link-local and unique-local ranges, and check the IP address the hostname actually resolves to, not only the hostname string."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2023-0071", "name": "rsa: RUSTSEC-2023-0071", "shortDescription": {"text": "rsa: RUSTSEC-2023-0071"}, "fullDescription": {"text": "Marvin Attack: potential key recovery through timing sidechannels"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Compare whole path components (for example with os.path.commonpath()) rather than a raw string prefix, so a sibling directory that merely shares the prefix is not accepted. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `app/gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `app/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`app/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,764 bytes) committed to a repo that otherwise has 344 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. A Gradle wrapper JAR is normally committed by design, so triage this finding by comparing the file's SHA-256 with the checksum Gradle publishes for the wrapper version in use."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/upload-artifact` pinned to mutable ref `@v7`", "shortDescription": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "fullDescription": {"text": "`uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.ret` used but never assigned in __init__", "shortDescription": {"text": "`self.ret` used but never assigned in __init__"}, "fullDescription": {"text": "Method `body` of class `ForkApp` reads `self.ret`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/881"}, "properties": {"repository": "topjohnwu/Magisk", "repoUrl": "https://github.com/topjohnwu/Magisk", "branch": "master"}, "results": [{"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 81131, "scanner": "repobility-threat-engine", "fingerprint": "c05b1222d97bd14c8bf3cdb39718ff43c409a6a1b184541d2da138e6f801e7a8", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.run(\n            \"javac -version\",\n            stdout=subprocess.PIPE,\n            stderr", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|scripts/env.py|120|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/env.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 81127, "scanner": "repobility-threat-engine", "fingerprint": "5b87b69d6beb3cce4ecac817a3f4dda3d46519bb0e4911549495b7e5b0be1457", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|131|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/core/src/main/java/com/topjohnwu/magisk/core/signing/JarMap.java"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 81119, "scanner": "repobility-threat-engine", "fingerprint": "6364399cd735bda9a16c5d3a834965ff3a7f4f7a93c9496338e7ae903e2f18a9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL = \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6364399cd735bda9a16c5d3a834965ff3a7f4f7a93c9496338e7ae903e2f18a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/core/src/main/java/com/topjohnwu/magisk/core/Const.kt"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a 
lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 81105, "scanner": "repobility-threat-engine", "fingerprint": "6acd9efe20750a2845aac2ddb77bc9b740c5f011442e6e81cf55b18c67979bf6", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|90|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/flash/FlashViewModel.kt"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 81104, "scanner": "repobility-threat-engine", "fingerprint": "c8beca681b0651e98303c1bb3370f22408a9afb1e84dcdf28e2d0f4f31f1ba21", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|96|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/deny/DenyListViewModel.kt"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 81103, "scanner": "repobility-threat-engine", "fingerprint": "97e93666f61e735b4231e3ac6c37a464c4274bb4c87f1338375e7e1023fe6a61", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|9|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk-ng/src/main/java/com/topjohnwu/magisk/terminal/TerminalProcess.kt"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 81078, "scanner": "repobility-ast-engine", "fingerprint": "8613473c323773d4dd648bcaacec68f0f1cbf3ea118e05719bc9c94a86352588", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8613473c323773d4dd648bcaacec68f0f1cbf3ea118e05719bc9c94a86352588"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/env.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `ensure_jdk` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: and=1, except=1, if=4, nested_bonus=2."}, "properties": {"repobilityId": 81154, "scanner": "repobility-threat-engine", "fingerprint": "b456bfa9d3f9ab965599c4cf881067294539dcab63827816b06d7f107c69b257", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "ensure_jdk", "breakdown": {"if": 4, "and": 1, "except": 1, "nested_bonus": 2}, "complexity": 8, "correlation_key": "fp|b456bfa9d3f9ab965599c4cf881067294539dcab63827816b06d7f107c69b257"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/env.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81077, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a663a98ec0e3d7ce0885b261f8f29ba1306404ca869965b18a6338395f1bc776", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/surequest/SuRequestActivity.kt", "duplicate_line": 91, "correlation_key": "fp|a663a98ec0e3d7ce0885b261f8f29ba1306404ca869965b18a6338395f1bc776"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/ui/surequest/SuRequestViewModel.kt"}, "region": {"startLine": 151}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81076, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "7198a21914ce01a005cf165cf9e7d54c71742eafa40ba13d5d0e96230d5dee6d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/surequest/SuRequestActivity.kt", "duplicate_line": 57, "correlation_key": "fp|7198a21914ce01a005cf165cf9e7d54c71742eafa40ba13d5d0e96230d5dee6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/ui/surequest/SuRequestActivity.kt"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81075, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3b538c52bada3c8213bcafff16d1618a3dd2ff9c8686e91655b512c3c7005b30", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/superuser/SuperuserViewModel.kt", "duplicate_line": 72, "correlation_key": "fp|3b538c52bada3c8213bcafff16d1618a3dd2ff9c8686e91655b512c3c7005b30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/ui/superuser/SuperuserViewModel.kt"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 81074, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fae910eece3f9821c211810c1e04cfe846f3eefe43276c30511988135774bc5b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/apk/src/main/java/com/topjohnwu/magisk/ui/flash/FlashViewModel.kt", "duplicate_line": 87, "correlation_key": "fp|fae910eece3f9821c211810c1e04cfe846f3eefe43276c30511988135774bc5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/ui/module/ActionViewModel.kt"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81073, "scanner": "repobility-ai-code-hygiene", "fingerprint": "799fbc6f048b34b57f15ddb95ebfcd9b3e48d9ece54cc3c9c454843e348f00e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/apk/src/main/java/com/topjohnwu/magisk/ui/flash/FlashFragment.kt", "duplicate_line": 52, "correlation_key": "fp|799fbc6f048b34b57f15ddb95ebfcd9b3e48d9ece54cc3c9c454843e348f00e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/ui/module/ActionFragment.kt"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 81072, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d23b69ec379866e859f4c4ed97cc7d7fbe3c0f8bd6361e62353d828c8badbdf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/log/LogViewModel.kt", "duplicate_line": 57, "correlation_key": "fp|9d23b69ec379866e859f4c4ed97cc7d7fbe3c0f8bd6361e62353d828c8badbdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/ui/log/LogViewModel.kt"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81071, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a1385fb37f505f33579dc62f142871fac437d6a212405f98b0fec9d8ce8146a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/install/InstallViewModel.kt", "duplicate_line": 40, "correlation_key": "fp|8a1385fb37f505f33579dc62f142871fac437d6a212405f98b0fec9d8ce8146a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/ui/install/InstallViewModel.kt"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 81070, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99ddf90ba7b02b0d07e8332233b0b1d40abe00f8f45d6a193550e374a714b919", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/deny/AppProcessInfo.kt", "duplicate_line": 14, "correlation_key": "fp|99ddf90ba7b02b0d07e8332233b0b1d40abe00f8f45d6a193550e374a714b919"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/ui/deny/AppProcessInfo.kt"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81069, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d858a49fc1505553ca369affa2e248379a5a81833e11f9b9de7f9d1548e46dd8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/apk-ng/src/main/java/com/topjohnwu/magisk/arch/AsyncLoadViewModel.kt", "duplicate_line": 1, "correlation_key": "fp|d858a49fc1505553ca369affa2e248379a5a81833e11f9b9de7f9d1548e46dd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/arch/AsyncLoadViewModel.kt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 81068, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c32e68e45dce551d81e48ca547beb85d1bb3a37e74a3f37ec61fc760db32760", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/module/ModuleScreen.kt", "duplicate_line": 148, "correlation_key": "fp|5c32e68e45dce551d81e48ca547beb85d1bb3a37e74a3f37ec61fc760db32760"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/superuser/SuperuserScreen.kt"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81067, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e51646d398b96880a91893736af45dae734a98b8e6f0b9a64f32a8011f7f33e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/deny/DenyListScreen.kt", "duplicate_line": 70, "correlation_key": "fp|e51646d398b96880a91893736af45dae734a98b8e6f0b9a64f32a8011f7f33e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/module/ActionScreen.kt"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED022", "level": "none", "message": {"text": "[MINED022] C Strcpy (and 1 more): Same pattern found in 1 
additional files. Review if needed."}, "properties": {"repobilityId": 81152, "scanner": "repobility-threat-engine", "fingerprint": "58fe92dfe6e97b6adfe63db871e448034175d2b56584210bf8112c2ee07eac96", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|58fe92dfe6e97b6adfe63db871e448034175d2b56584210bf8112c2ee07eac96", "aggregated_count": 1}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 81148, "scanner": "repobility-threat-engine", "fingerprint": "a51fc5b757daa107ff993d54388f809af87b26cac35292629b20c635c24267fc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a51fc5b757daa107ff993d54388f809af87b26cac35292629b20c635c24267fc", "aggregated_count": 1}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 81141, "scanner": "repobility-threat-engine", "fingerprint": "28dcae1cdb164214a17e92a09f13fc7424a3faacb0c3f4f6a9e585e397359b39", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|28dcae1cdb164214a17e92a09f13fc7424a3faacb0c3f4f6a9e585e397359b39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/base/include/base.hpp"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 24 more): Same pattern found in 24 additional files. 
Review if needed."}, "properties": {"repobilityId": 81139, "scanner": "repobility-threat-engine", "fingerprint": "3d38988be61ce5cff0a703d423d82bbf3ba7d12a84dfd4fe29c6dfa306ed8b47", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3d38988be61ce5cff0a703d423d82bbf3ba7d12a84dfd4fe29c6dfa306ed8b47", "aggregated_count": 24}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 81138, "scanner": "repobility-threat-engine", "fingerprint": "5c78672507ef6431b024fbc941a03137fc1bee5abdc90a71bf1ca7c3dd2381ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5c78672507ef6431b024fbc941a03137fc1bee5abdc90a71bf1ca7c3dd2381ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/base/misc.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 81137, "scanner": "repobility-threat-engine", "fingerprint": "84c03cb7bf2b90dafaaae24d601bef7c0ef10741c2a689ecbfee4d02483b27dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|84c03cb7bf2b90dafaaae24d601bef7c0ef10741c2a689ecbfee4d02483b27dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/base/logging.rs"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 81136, "scanner": "repobility-threat-engine", "fingerprint": "3ab66af351435b0b401606768fa8eebf9ca43cfd10400025374ab642e57f8da5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3ab66af351435b0b401606768fa8eebf9ca43cfd10400025374ab642e57f8da5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/base/cxx_extern.rs"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 81135, "scanner": "repobility-threat-engine", "fingerprint": "6ecc3b1262b5fcff8b003d78cb0eb41ecf1b47c68504899d3d2be3beef672853", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6ecc3b1262b5fcff8b003d78cb0eb41ecf1b47c68504899d3d2be3beef672853", "aggregated_count": 8}}}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 81134, "scanner": "repobility-threat-engine", "fingerprint": "d7994bccbfda1ed2566890c1151040656615f5b39becb18207817935817b76b4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7994bccbfda1ed2566890c1151040656615f5b39becb18207817935817b76b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/deny/cli.cpp"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 81133, "scanner": "repobility-threat-engine", "fingerprint": "1bd46f449b0bef36323fe0aa1aa1e8ce8687ef2b3555d8db4ad2897629dbfd6d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1bd46f449b0bef36323fe0aa1aa1e8ce8687ef2b3555d8db4ad2897629dbfd6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/applets.cpp"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 81132, "scanner": "repobility-threat-engine", "fingerprint": "7dc39dc3bcb23560ce891c29bd1c0d68b2b07a7902578e443ea4b887fb316d0d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7dc39dc3bcb23560ce891c29bd1c0d68b2b07a7902578e443ea4b887fb316d0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/base/base.cpp"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 81126, "scanner": "repobility-threat-engine", "fingerprint": "c947c105985232aecf52eda99815e76fa5f6fa320a54c4c387fd1dddc6e633cf", "category": 
"quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c947c105985232aecf52eda99815e76fa5f6fa320a54c4c387fd1dddc6e633cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/core/src/main/java/com/topjohnwu/magisk/core/signing/ByteArrayStream.java"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 81125, "scanner": "repobility-threat-engine", "fingerprint": "55f7323b41385f8a91f94d6a76772f9fb595759a32490154a959e71c87261517", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|81|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/shared/src/main/java/com/topjohnwu/magisk/utils/APKInstall.java"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 81124, "scanner": "repobility-threat-engine", "fingerprint": "b39e4406e740e8681e8ab932a3ab2cba349696083f8eb8c987920cdf7307da66", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|60|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/core/src/main/java/com/topjohnwu/magisk/core/download/Subject.kt"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 81123, "scanner": "repobility-threat-engine", "fingerprint": "f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 additional files. 
Review if needed."}, "properties": {"repobilityId": 81118, "scanner": "repobility-threat-engine", "fingerprint": "fe63a0c3db36cbf73bb9f04d5837f9f34863a99ac7da05df7321980a56d87019", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|fe63a0c3db36cbf73bb9f04d5837f9f34863a99ac7da05df7321980a56d87019"}}}, {"ruleId": "MINED029", "level": "none", "message": {"text": "[MINED029] Kotlin Null Bang (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 81114, "scanner": "repobility-threat-engine", "fingerprint": "a1139df92c26317a81189695e3cf45f3399f0afccb1e896c15e11dcda4f4d069", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a1139df92c26317a81189695e3cf45f3399f0afccb1e896c15e11dcda4f4d069", "aggregated_count": 2}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 81110, "scanner": "repobility-threat-engine", "fingerprint": "821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 17 more): Same pattern found in 17 additional files. 
Review if needed."}, "properties": {"repobilityId": 81106, "scanner": "repobility-threat-engine", "fingerprint": "d9ef2f050a73df664371aa08f284ac8b9640fcbea8eb92ac9591f1de127d5f77", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d9ef2f050a73df664371aa08f284ac8b9640fcbea8eb92ac9591f1de127d5f77"}}}, {"ruleId": "RUSTSEC-2023-0071", "level": "error", "message": {"text": "rsa: RUSTSEC-2023-0071"}, "properties": {"repobilityId": 81155, "scanner": "osv-scanner", "fingerprint": "d0fd20a2c7d66bab9302a84d9af2e03a48fc38a1735060ef1fdba9d51212fc37", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-49092", "GHSA-4grx-2x9w-596c", "GHSA-c38w-74pg-36hr"], "package": "rsa", "rule_id": "RUSTSEC-2023-0071", "scanner": "osv-scanner", "correlation_key": "vuln|rsa|CVE-2023-49092|native/src/cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 81153, "scanner": "repobility-threat-engine", "fingerprint": "ffb116a2894d46f2b5762facf9c8898baabe818984d00b3cf922d530f2ecec90", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern 
matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ffb116a2894d46f2b5762facf9c8898baabe818984d00b3cf922d530f2ecec90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/env.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 81147, "scanner": "repobility-threat-engine", "fingerprint": "436c74a631e9ff5d99fd04328266c61556ce37f8267068dc6d9577b23be57f73", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|436c74a631e9ff5d99fd04328266c61556ce37f8267068dc6d9577b23be57f73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/boot_patch.sh"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 81146, "scanner": "repobility-threat-engine", "fingerprint": "b9b03742e64bd0315d6c31ebbfc9c97ea980a3095ac2418752520e0bcca4ac4e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b9b03742e64bd0315d6c31ebbfc9c97ea980a3095ac2418752520e0bcca4ac4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/app_functions.sh"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 81145, "scanner": "repobility-threat-engine", "fingerprint": "7ac848f0fc9a8aa30a19127caa085c07166704fa7bd86c2f7250f1f4687c0e71", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ac848f0fc9a8aa30a19127caa085c07166704fa7bd86c2f7250f1f4687c0e71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/boot/sign.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 81144, "scanner": "repobility-threat-engine", "fingerprint": "dca65a38c0b7fd276b2c09ede4bc88440d083cec36263ab07485e44e3a636faf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dca65a38c0b7fd276b2c09ede4bc88440d083cec36263ab07485e44e3a636faf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/rustup-wrapper/src/main.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 81143, "scanner": "repobility-threat-engine", "fingerprint": "0ac9cdf63b6eee0bf8f1c23ad8f376b02a1edec03304e3135abbc2ca0c63c3f2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0ac9cdf63b6eee0bf8f1c23ad8f376b02a1edec03304e3135abbc2ca0c63c3f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/build.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 81142, "scanner": "repobility-threat-engine", "fingerprint": "121341843baaaee6eb15f4ce213ea13d33bd43b115003a3a651d1bba45044fc4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|121341843baaaee6eb15f4ce213ea13d33bd43b115003a3a651d1bba45044fc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/boot/build.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 81140, "scanner": "repobility-threat-engine", "fingerprint": "e4fc1dfbb0faf2d36e9a7dc7f395a209f30665382ca75061276dc0a1300c0b47", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4fc1dfbb0faf2d36e9a7dc7f395a209f30665382ca75061276dc0a1300c0b47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/base/derive/decodable.rs"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC005", "level": "error", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 81130, "scanner": "repobility-threat-engine", "fingerprint": "8175b419498e7c7aa8f66bcdb6b274059a32edf461bdfc7d70880c1322d17224", "category": "injection", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Command source appears controllable (config/plugin/argv/user input)", "evidence": {"match": "exec(Request", "reason": "Command source appears controllable (config/plugin/argv/user input)", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|injection|token|138|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/stub/src/main/java/com/topjohnwu/magisk/net/Request.java"}, "region": {"startLine": 138}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input 
in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 81128, "scanner": "repobility-threat-engine", "fingerprint": "0c4d923853524cc8a02d2bdd2b664104183b2ecc61149898d8c97bad646fc359", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(Input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|26|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/core/src/main/java/com/topjohnwu/magisk/core/signing/JarMap.java"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 81122, "scanner": "repobility-threat-engine", "fingerprint": "27f9e566eae1e3139048177feded7b38f39353b6431ea612d5b553c3fa0b8e5a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(query", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|27f9e566eae1e3139048177feded7b38f39353b6431ea612d5b553c3fa0b8e5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/core/src/main/java/com/topjohnwu/magisk/core/data/magiskdb/SettingsDao.kt"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 81121, "scanner": "repobility-threat-engine", "fingerprint": "a08d06f105eb819cc1dec32eb5b0d29907b03d06a58bd314f49ebcf72e3f86c5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(query", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a08d06f105eb819cc1dec32eb5b0d29907b03d06a58bd314f49ebcf72e3f86c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/core/src/main/java/com/topjohnwu/magisk/core/data/magiskdb/PolicyDao.kt"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 81120, "scanner": "repobility-threat-engine", "fingerprint": "8aa0759f5ca68910f3e1a68d711ed1af121e998491cc7e41e7486f9e44be9ec4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(\n        query", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8aa0759f5ca68910f3e1a68d711ed1af121e998491cc7e41e7486f9e44be9ec4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/core/src/main/java/com/topjohnwu/magisk/core/data/magiskdb/MagiskDB.kt"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 81117, "scanner": "repobility-threat-engine", "fingerprint": "10668ea9ac2e30df1f2c58844a3971927f54b15620b54e9c9bf236948f868a68", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "itemsInstalled.update(installed)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|10668ea9ac2e30df1f2c58844a3971927f54b15620b54e9c9bf236948f868a68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/ui/module/ModuleViewModel.kt"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 81116, "scanner": "repobility-threat-engine", "fingerprint": "da4b2650648a4f37a43f0a8a0d74adfc7e60a44dce17b81cc6575912dddf22f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logs.update(newLogs)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da4b2650648a4f37a43f0a8a0d74adfc7e60a44dce17b81cc6575912dddf22f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/ui/log/LogViewModel.kt"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 81115, "scanner": "repobility-threat-engine", "fingerprint": "7590924466d60e78007ab971e603e563eb172f0a4546b2ef588a57705b263bbe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "db.delete(AppContext.applicationInfo.uid)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7590924466d60e78007ab971e603e563eb172f0a4546b2ef588a57705b263bbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/superuser/SuperuserViewModel.kt"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 81113, "scanner": "repobility-threat-engine", "fingerprint": "83e26c135fa91c329ccfaf703a842c07ce512a1c1ff8f98d10c8b6e21f8cc958", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|83e26c135fa91c329ccfaf703a842c07ce512a1c1ff8f98d10c8b6e21f8cc958"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/build-logic/src/main/java/Plugin.kt"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 81112, "scanner": "repobility-threat-engine", "fingerprint": "d2255e3f32c6d7e33f9cae66b9c2191ebcbeba2991d78efd616362d75703dac7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2255e3f32c6d7e33f9cae66b9c2191ebcbeba2991d78efd616362d75703dac7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/arch/BaseFragment.kt"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 81111, "scanner": "repobility-threat-engine", "fingerprint": "9d190f046f3a1c82f101037b663173b011287c3c5db2f0377c26b173a7eb61ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d190f046f3a1c82f101037b663173b011287c3c5db2f0377c26b173a7eb61ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/install/InstallViewModel.kt"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 81109, "scanner": "repobility-threat-engine", "fingerprint": "950e0908c9a51305c30a698b1a3f0f7d6e999042443cd78209770f748e6ac780", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|950e0908c9a51305c30a698b1a3f0f7d6e999042443cd78209770f748e6ac780"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/core/src/main/java/com/topjohnwu/magisk/core/di/Networking.kt"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 81108, "scanner": "repobility-threat-engine", "fingerprint": "33edb8a06e4ab537d577e4e8747258085a838fee31b725af8bd2741aff7c7463", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|33edb8a06e4ab537d577e4e8747258085a838fee31b725af8bd2741aff7c7463"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk/src/main/java/com/topjohnwu/magisk/dialog/DownloadDialog.kt"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 81107, "scanner": "repobility-threat-engine", "fingerprint": "80d0ad9fad2dfe2161fbb992b505f94b99f07df08b289503edf48881208e9f1f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|80d0ad9fad2dfe2161fbb992b505f94b99f07df08b289503edf48881208e9f1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/apk-ng/src/main/java/com/topjohnwu/magisk/ui/install/InstallBottomSheet.kt"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `app/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 81102, "scanner": "repobility-supply-chain", "fingerprint": "055e929b0752273fc45438d593d0da1f2ab2776372523036ff1d5c1ae8323fb7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|055e929b0752273fc45438d593d0da1f2ab2776372523036ff1d5c1ae8323fb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 81101, "scanner": "repobility-supply-chain", "fingerprint": 
"e19b139218e8d22a6892b65876ae33b9f29daadbb8a588a6dd1eb6a261a6afb0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e19b139218e8d22a6892b65876ae33b9f29daadbb8a588a6dd1eb6a261a6afb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 81100, "scanner": "repobility-supply-chain", "fingerprint": "239439ca106e975196cda0b86700b82a8b23954f7dcbe168e1c1586d55b4f3b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|239439ca106e975196cda0b86700b82a8b23954f7dcbe168e1c1586d55b4f3b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81099, "scanner": "repobility-supply-chain", "fingerprint": "41d820ba5aad783b0129cbaeab2c954612f6fd6c7461d9260051b9f8600cc1d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], 
"languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41d820ba5aad783b0129cbaeab2c954612f6fd6c7461d9260051b9f8600cc1d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 81098, "scanner": "repobility-supply-chain", "fingerprint": "79b653b0c70c89a8a64705b81495751e54a4ae02660257ed5e743670a6655579", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79b653b0c70c89a8a64705b81495751e54a4ae02660257ed5e743670a6655579"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 81097, "scanner": "repobility-supply-chain", "fingerprint": "51ebe839d9427b12a1e074c17d862c389f6bdb32c00176b0ecc6dc886f4daf29", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51ebe839d9427b12a1e074c17d862c389f6bdb32c00176b0ecc6dc886f4daf29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 132}}}]}, 
{"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81096, "scanner": "repobility-supply-chain", "fingerprint": "73da961f7f73634872993914b1c0e0802c488b8eff554e9dcef5553b5f447966", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73da961f7f73634872993914b1c0e0802c488b8eff554e9dcef5553b5f447966"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 81095, "scanner": "repobility-supply-chain", "fingerprint": "d55dd09a154b134ebe29a93c5cd81ddbec3b56ffb8269f508e112a091303a297", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d55dd09a154b134ebe29a93c5cd81ddbec3b56ffb8269f508e112a091303a297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 81094, "scanner": "repobility-supply-chain", "fingerprint": "ab8138f487cf1ac96b243c1329aab0ec5fff49de61d35f49800f650573b20bc1", "category": "dependency", 
"severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab8138f487cf1ac96b243c1329aab0ec5fff49de61d35f49800f650573b20bc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81093, "scanner": "repobility-supply-chain", "fingerprint": "c21dfaecf6e75272d3e75ce2bdf6e23206134a2477e3207e5360eadfd7100775", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c21dfaecf6e75272d3e75ce2bdf6e23206134a2477e3207e5360eadfd7100775"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81092, "scanner": "repobility-supply-chain", "fingerprint": "852b259c9a6665c9d36921af2bd6f028670b8ce11227abfa3aa04d960a2ee129", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|852b259c9a6665c9d36921af2bd6f028670b8ce11227abfa3aa04d960a2ee129"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 81091, "scanner": "repobility-supply-chain", "fingerprint": "72aace0a7b514e8aac62ee957c654208e347df7afd893bb9cbfddd44798aec5f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72aace0a7b514e8aac62ee957c654208e347df7afd893bb9cbfddd44798aec5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 81090, "scanner": "repobility-supply-chain", "fingerprint": "381edcf832aa7f6c276a98a65648975de7ea577a27cf986c751fbcd22aad67a5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|381edcf832aa7f6c276a98a65648975de7ea577a27cf986c751fbcd22aad67a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref 
`@v6`"}, "properties": {"repobilityId": 81089, "scanner": "repobility-supply-chain", "fingerprint": "ed5f541548740cc45ed754e2b84bad34f6c3825d4f8aa98a249b1d1c9c73e710", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed5f541548740cc45ed754e2b84bad34f6c3825d4f8aa98a249b1d1c9c73e710"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.ret` used but never assigned in __init__"}, "properties": {"repobilityId": 81088, "scanner": "repobility-ast-engine", "fingerprint": "ce53bff63dd23cb32db0e70e60b9e350e64646b23f97a58433691ab0cdbc0975", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce53bff63dd23cb32db0e70e60b9e350e64646b23f97a58433691ab0cdbc0975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/zygisk/gen_jni_hooks.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.hook_target` used but never assigned in __init__"}, "properties": {"repobilityId": 81087, "scanner": "repobility-ast-engine", "fingerprint": "52ce1e9298973e63bdd0a0604eec1ec55ac3ce9b3f44b4ed1d5612398a35a1b3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": 
true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|52ce1e9298973e63bdd0a0604eec1ec55ac3ce9b3f44b4ed1d5612398a35a1b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/zygisk/gen_jni_hooks.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cpp_fn_type` used but never assigned in __init__"}, "properties": {"repobilityId": 81086, "scanner": "repobility-ast-engine", "fingerprint": "7394d7b3bd91e6b4f706dbd7a997abe9e72a5c65ac81f37da218646038633272", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7394d7b3bd91e6b4f706dbd7a997abe9e72a5c65ac81f37da218646038633272"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/zygisk/gen_jni_hooks.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.hook_target` used but never assigned in __init__"}, "properties": {"repobilityId": 81085, "scanner": "repobility-ast-engine", "fingerprint": "b83d27f34955ec28f6eb548699e95fd900ebd70ad7c1d99b703ac4f4103882c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b83d27f34955ec28f6eb548699e95fd900ebd70ad7c1d99b703ac4f4103882c1"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "native/src/core/zygisk/gen_jni_hooks.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.arg_list_name` used but never assigned in __init__"}, "properties": {"repobilityId": 81084, "scanner": "repobility-ast-engine", "fingerprint": "0c908fc2d07868c1159949c62e920ca09c8dcaddd532d7b8e5a3c9bdbd877443", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c908fc2d07868c1159949c62e920ca09c8dcaddd532d7b8e5a3c9bdbd877443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/zygisk/gen_jni_hooks.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.init_args` used but never assigned in __init__"}, "properties": {"repobilityId": 81083, "scanner": "repobility-ast-engine", "fingerprint": "db792b284f4ef5309eb68496d94a425ade207bcbd2de6a3eae57958824143d0a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|db792b284f4ef5309eb68496d94a425ade207bcbd2de6a3eae57958824143d0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/zygisk/gen_jni_hooks.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.ret` used but never assigned in __init__"}, "properties": {"repobilityId": 81082, "scanner": "repobility-ast-engine", "fingerprint": 
"3d63a7234a978cf4764642490af9877791ec1cf9aa0b751282905137264fb2bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3d63a7234a978cf4764642490af9877791ec1cf9aa0b751282905137264fb2bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/zygisk/gen_jni_hooks.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.args` used but never assigned in __init__"}, "properties": {"repobilityId": 81081, "scanner": "repobility-ast-engine", "fingerprint": "410d0715d7a6899d2deb8a027bd4444a6e12258893880ed049b1d3cf54ee2139", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|410d0715d7a6899d2deb8a027bd4444a6e12258893880ed049b1d3cf54ee2139"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/zygisk/gen_jni_hooks.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.arg_list_cpp` used but never assigned in __init__"}, "properties": {"repobilityId": 81080, "scanner": "repobility-ast-engine", "fingerprint": "2dbd1167f6438d7708a680bbe2cf9707347955b1164d51faa042f3c0ce51a117", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], 
"languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2dbd1167f6438d7708a680bbe2cf9707347955b1164d51faa042f3c0ce51a117"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/zygisk/gen_jni_hooks.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.arg_list_cpp` used but never assigned in __init__"}, "properties": {"repobilityId": 81079, "scanner": "repobility-ast-engine", "fingerprint": "8b120f102ea32a5878626826ccc270f21d271690aa27686b0fbe3670d79de5b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8b120f102ea32a5878626826ccc270f21d271690aa27686b0fbe3670d79de5b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/zygisk/gen_jni_hooks.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 81151, "scanner": "repobility-threat-engine", "fingerprint": "12af16fc67bcf0f044b45e9082dcf1fb9ce400e68168851ab105af343eccd408", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", 
"correlation_key": "fp|12af16fc67bcf0f044b45e9082dcf1fb9ce400e68168851ab105af343eccd408"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/init/mount.cpp"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 81150, "scanner": "repobility-threat-engine", "fingerprint": "38dbdb415aa4e88b1b8a020156ab0ff77d0449d5410617c80afcc079279f65a7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|38dbdb415aa4e88b1b8a020156ab0ff77d0449d5410617c80afcc079279f65a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/scripting.cpp"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 81149, "scanner": "repobility-threat-engine", "fingerprint": "edcc1037cc0ed6b6086bfe7bdf68276d81a08d2924f063a1ee1262a07331e761", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 
39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|edcc1037cc0ed6b6086bfe7bdf68276d81a08d2924f063a1ee1262a07331e761"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/src/core/deny/logcat.cpp"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 81129, "scanner": "repobility-threat-engine", "fingerprint": "3bbd5a16eb0b80e8de61c63d969120ca8b73365e7fa12a40be794e51599be9e7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(scheme", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3bbd5a16eb0b80e8de61c63d969120ca8b73365e7fa12a40be794e51599be9e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/core/src/main/java/com/topjohnwu/magisk/core/utils/MediaStoreUtils.kt"}, "region": {"startLine": 108}}}]}]}]}