{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR003", "name": "Compose service `grafana_dashboard_init` image uses the latest tag", "shortDescription": {"text": "Compose service `grafana_dashboard_init` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR013", "name": "Dockerfile ADD downloads remote content", "shortDescription": {"text": "Dockerfile ADD downloads remote content"}, "fullDescription": {"text": "Use curl/wget with a pinned URL, verify checksum or signature, and prefer COPY for local files."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR015", "name": "Docker build context is very large", "shortDescription": {"text": "Docker build context is very large"}, "fullDescription": {"text": "Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC003", "name": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.", "shortDescription": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "fullDescription": {"text": "Never commit secrets. Use .env files with .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `kibana` image is selected through a build variable", "shortDescription": {"text": "Compose service `kibana` image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED048] Php Error Suppress (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED092", "name": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection.", "shortDescription": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED085] Java Systemexit (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1075 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED083] Java Thread Start (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED011", "name": "[MINED011] Scala Get On Option (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED011] Scala Get On Option (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 17 more): Same pattern found in 17 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 7 more): Same pattern found in 7 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `plugins/examples/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `plugins/examples/", "shortDescription": {"text": "[MINED134] Binary file `plugins/examples/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `plugins/examples/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,583 bytes) committed to a repo that otherwise has 29202 source f"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `debian:trixie-slim` not pinned by digest: `FROM debian:trixie-slim` resolves the tag at buil", "shortDescription": {"text": "[MINED118] Dockerfile FROM `debian:trixie-slim` not pinned by digest: `FROM debian:trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production"}, "fullDescription": {"text": "Replace with: `FROM debian:trixie-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED119", "name": "[MINED119] Dockerfile `ADD https://archive.apache.org/dist/tomcat/jakartaee-migration/v${MIGRATION_TOOL_VERSION}/binarie", "shortDescription": {"text": "[MINED119] Dockerfile `ADD https://archive.apache.org/dist/tomcat/jakartaee-migration/v${MIGRATION_TOOL_VERSION}/binaries/jakartaee-migration-${MIGRATION_TOOL_VERSION}-shaded.jar`: Dockerfile `ADD <url>` downloads a remote artifact into the"}, "fullDescription": {"text": "Download the file in CI with a known checksum, vendor it into the repo, and COPY it during the build. Or use `RUN curl -sSL URL | sha256sum -c <(echo '<expected> -')` to verify."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED026", "name": "[MINED026] Fake Verification: assert True, expect(1).toBe(1), or other tautology used to fake passing tests.", "shortDescription": {"text": "[MINED026] Fake Verification: assert True, expect(1).toBe(1), or other tautology used to fake passing tests."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1126 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default.", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of servic"}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED104", "name": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local pr", "shortDescription": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks."}, "fullDescription": {"text": "Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). For directories that genuinely need shared write access, use a group with chmod g+w and chown the right group."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "DKC008", "name": "Compose service mounts the Docker socket", "shortDescription": {"text": "Compose service mounts the Docker socket"}, "fullDescription": {"text": "Avoid mounting docker.sock. Use a narrow proxy, rootless build service, or provider-native deployment credentials."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}, {"id": "DKR005", "name": "Docker image bakes a secret-like ENV value", "shortDescription": {"text": "Docker image bakes a secret-like ENV value"}, "fullDescription": {"text": "Remove the secret from the Dockerfile, rotate the value if real, and inject runtime secrets through your platform secret manager."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "MINED005", "name": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection.", "shortDescription": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/812"}, "properties": {"repository": "elastic/elasticsearch", "repoUrl": "https://github.com/elastic/elasticsearch", "branch": "main"}, "results": [{"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `grafana_dashboard_init` image uses the latest tag"}, "properties": {"repobilityId": 70813, "scanner": "repobility-docker", "fingerprint": "aa3d64d9fc15342468107261d59b96eed3f0d36c9a770fe60598be69c20814ce", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|aa3d64d9fc15342468107261d59b96eed3f0d36c9a770fe60598be69c20814ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-tools/prometheus-local/docker-compose.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `grafana` image uses the latest tag"}, "properties": {"repobilityId": 70811, "scanner": "repobility-docker", "fingerprint": "ea6011231b14b5d5cf8445e1504a6a8e27632d153403ab9b5803d3fa9c8d4b63", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "grafana/grafana:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ea6011231b14b5d5cf8445e1504a6a8e27632d153403ab9b5803d3fa9c8d4b63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-tools/prometheus-local/docker-compose.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `kibana_settings` image uses the latest tag"}, "properties": {"repobilityId": 70809, "scanner": "repobility-docker", "fingerprint": "caa4a867c035b5c3eec5cfd95dca4bdfde6720090a385f87eb04bfcfb178cb30", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "curlimages/curl:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|caa4a867c035b5c3eec5cfd95dca4bdfde6720090a385f87eb04bfcfb178cb30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-tools/prometheus-local/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `prometheus` image uses the latest tag"}, "properties": {"repobilityId": 70808, "scanner": "repobility-docker", "fingerprint": "df48a578fd6e01ed3f67ca72999d96172bc8f5fd57ecb00ba5b064b60eec85bf", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "prom/prometheus:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|df48a578fd6e01ed3f67ca72999d96172bc8f5fd57ecb00ba5b064b60eec85bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-tools/prometheus-local/docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 70806, "scanner": "repobility-docker", "fingerprint": "43f06f7943f1d9da048f8baa139dd5e687278fa097cac1235157603a64ee039e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:24.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|43f06f7943f1d9da048f8baa139dd5e687278fa097cac1235157603a64ee039e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/smb-fixture/src/main/resources/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 70803, "scanner": "repobility-docker", "fingerprint": "128a477cadde61824afc1eaa3a3986ed1c0036afb605e3556666ea73dd9a8a82", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "osixia/openldap:1.4.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|128a477cadde61824afc1eaa3a3986ed1c0036afb605e3556666ea73dd9a8a82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/openldap/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 70801, "scanner": "repobility-docker", "fingerprint": "fc2f025d602f1160408488e73b0419be525020e4cda35e941b94875f964dbbf9", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:17-jre", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fc2f025d602f1160408488e73b0419be525020e4cda35e941b94875f964dbbf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/oidc/Dockerfile"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 70800, "scanner": "repobility-docker", "fingerprint": "095d9d52d68ad4bc68ba37962fef22ef569c2ff8773c36b36100c94028e309f0", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|095d9d52d68ad4bc68ba37962fef22ef569c2ff8773c36b36100c94028e309f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/oidc/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 70799, "scanner": "repobility-docker", "fingerprint": "fea601dd4504883b627fbe6edeaa3d3a201416ab56c358e928634e5c6a12ab30", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:1.27-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fea601dd4504883b627fbe6edeaa3d3a201416ab56c358e928634e5c6a12ab30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/nginx/Dockerfile"}, "region": {"startLine": 44}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 70798, "scanner": "repobility-docker", "fingerprint": "f6cb5090f581f3af3064c3bb0c4ffb0a2651e668a89a39b3fc44bd9706eddaeb", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:11-jre", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f6cb5090f581f3af3064c3bb0c4ffb0a2651e668a89a39b3fc44bd9706eddaeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/idp/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 70796, "scanner": "repobility-docker", "fingerprint": "e8d6c4471e8ffcd4b98bf8adb58a32889bf2452b1faf5107bf9c3640c7514d08", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "docker.elastic.co/elasticsearch-dev/es-rust-cross-toolchain:1.95", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e8d6c4471e8ffcd4b98bf8adb58a32889bf2452b1faf5107bf9c3640c7514d08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/plugin/esql-datasource-parquet-rs/native/build-tools/Dockerfile.cargo-zigbuild"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 70795, "scanner": "repobility-docker", "fingerprint": "b88f4f372c11ee453b29466a77dd774a88aa31d016dedd58b95ed29bf0077121", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.21.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b88f4f372c11ee453b29466a77dd774a88aa31d016dedd58b95ed29bf0077121"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/fixtures/krb5kdc-fixture/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 70794, "scanner": "repobility-docker", "fingerprint": "4acfff969442178cdc0772110300a7e9a0619bdffa6f0e57bbd4e9e5a264d2fe", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4acfff969442178cdc0772110300a7e9a0619bdffa6f0e57bbd4e9e5a264d2fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/simdvec/native/Dockerfile.cross-toolchain"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 70793, "scanner": "repobility-docker", "fingerprint": "9a8700b6f35659cc11c2c8f6cdec3233a1ef87107fe7d18ba5a88c7079c3a93c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9a8700b6f35659cc11c2c8f6cdec3233a1ef87107fe7d18ba5a88c7079c3a93c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/parquet-rs/native/Dockerfile.rust-toolchain"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 70787, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR015", "level": "warning", "message": {"text": "Docker build context is very large"}, "properties": {"repobilityId": 70784, "scanner": "repobility-docker", "fingerprint": "b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Estimated Docker build context exceeds Repobility's size or file-count threshold.", "evidence": {"capped": false, "rule_id": "DKR015", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "largest_paths": [{"path": ".git/objects/pack/pack-fe5b5ae0968e7026c4eb75dd0ac65f71d6d52b38.pack", "size_mb": 78.2}, {"path": ".git/objects/pack/pack-f72b55b92c593a2b5ba92c6d52aa38794cefdc8e.pack", "size_mb": 43.5}, {"path": "x-pack/plugin/esql/qa/testFixtures/src/main/resources/data/many_numbers.csv", "size_mb": 13.1}, {"path": "x-pack/plugin/inference/qa/inference-service-tests/src/javaRestTest/resources/rerank-v1.pt", "size_mb": 11.8}, {"path": "x-pack/plugin/inference/qa/inference-service-tests/src/javaRestTest/resources/multilingual-e5-small.vocab.json", "size_mb": 10.9}], "included_files": 43102, "context_size_mb": 521.7, "correlation_key": "fp|b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 70783, "scanner": "repobility-agent-runtime", "fingerprint": "b6cf10f1518b5e09ee14ad24721fd5ba6e87dffeef7f4723f7ebb18aeae1c012", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b6cf10f1518b5e09ee14ad24721fd5ba6e87dffeef7f4723f7ebb18aeae1c012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/setup_node.sh"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 70778, "scanner": "repobility-threat-engine", "fingerprint": "4f558b4e67ed2e01f4f29ce95ba3b44170528cb0c4ccfc4fe0a93fb241f46e78", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.2 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (3.2 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|4|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "modules/data-streams/src/javaRestTest/java/org/elasticsearch/datastreams/lifecycle/DataStreamLifecyclePermissionsTestCase.java"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 70777, "scanner": "repobility-threat-engine", "fingerprint": "02a931de489c6968b523a037d31671686fe437c130dc1aa98b2a8e06ea6cad3b", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.2 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (3.2 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "modules/data-streams/src/javaRestTest/java/org/elasticsearch/datastreams/DataStreamWithSecurityIT.java"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 70771, "scanner": "repobility-threat-engine", "fingerprint": "436b15a4b2dd32775aacf686c7f778ea0d214826ae9bb75a561c121cf3056ad3", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.debug(\n                \"request [\"\n                    + request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|436b15a4b2dd32775aacf686c7f778ea0d214826ae9bb75a561c121cf3056ad3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/rest/src/main/java/org/elasticsearch/client/RequestLogger.java"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 70770, "scanner": "repobility-threat-engine", "fingerprint": "ccd0b17f8e7fc016b15f27da0a74f1dc52b0beb4cfec68caa0e36137ad640514", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Pattern.compile(\"(\\\\d+)\\\\.(\\\\d+)\\\\.(\\\\d+)(?:-(alpha\\\\d+|beta\\\\d+|rc\\\\d+|SNAPSHOT))?\");\n\n    private", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ccd0b17f8e7fc016b15f27da0a74f1dc52b0beb4cfec68caa0e36137ad640514"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools/src/main/java/org/elasticsearch/gradle/Version.java"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 70750, "scanner": "repobility-threat-engine", "fingerprint": "9433e4f32df6e2909ad43c291442fc9c32f5075be7cf570d195c2bfc62715c68", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url = 'https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9433e4f32df6e2909ad43c291442fc9c32f5075be7cf570d195c2bfc62715c68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/precommit/PomValidationPrecommitPluginFuncTest.groovy"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 70746, "scanner": "repobility-threat-engine", "fingerprint": "9b32777c1d8edc2439c5dd7c033f895028ffdbd1ad239c0a8efd11f8bcfd5eb1", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|89|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/dependencies/patches/Utils.java"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 70745, "scanner": "repobility-threat-engine", "fingerprint": "0b1f95f0f244f44d8c1c1fd32c23bc2511ea1987e3046bbda39878f118c66ba2", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ZipEntry::getName", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|115|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/JarApiComparisonTask.java"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 70744, "scanner": "repobility-threat-engine", "fingerprint": "90aaebfdbae25801c8c601b87d1878595095ebb75f0aac3b5e9a51c68bdcc6e1", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|138|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/SymbolicLinkPreservingTarFuncTest.groovy"}, "region": {"startLine": 138}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 70716, "scanner": "repobility-threat-engine", "fingerprint": "9a423071f9290bb4fd7376a8a89536dd28081e8cdf5366fceaec1892549a3cd1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|72|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools/reaper/src/main/java/org/elasticsearch/gradle/reaper/Reaper.java"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC003", "level": "warning", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 70710, "scanner": "repobility-threat-engine", "fingerprint": "954e2fe8372b2fd2bdbc040733113a2356560e7a608e86c11881935a39b6bfb8", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "evidence": {"match": "secret_key=\"$AMAZON_S3_SECRET_KEY\"", "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|. token|4|secret_key amazon_s3_secret_key"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/third-party-test-credentials.sh"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 70831, "scanner": "repobility-docker", "fingerprint": "f6e453946d3e38eb459246a91f22b090ed3423c9bf7526e141968fa120c6419e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "haproxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f6e453946d3e38eb459246a91f22b090ed3423c9bf7526e141968fa120c6419e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "qa/remote-clusters/docker-compose.yml"}, "region": {"startLine": 113}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 70830, "scanner": "repobility-docker", "fingerprint": "be307af836e2ee1a86b930ae89b7ecc6fc2c93c1dc6ed8549c6cb73dd1d9e507", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "haproxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|be307af836e2ee1a86b930ae89b7ecc6fc2c93c1dc6ed8549c6cb73dd1d9e507"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "qa/remote-clusters/docker-compose.yml"}, "region": {"startLine": 113}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 70823, "scanner": "repobility-docker", "fingerprint": "8cc96590491267eb6d6d6c67c82631c17c2141683c54c6b0a9dbfa0ef58d5b89", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "kibana", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8cc96590491267eb6d6d6c67c82631c17c2141683c54c6b0a9dbfa0ef58d5b89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/setup/install/docker/docker-compose.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 70822, "scanner": "repobility-docker", "fingerprint": "098bec7bf855e73ace965a1b7d46571e591800d41a10454eaf4a730fb514ddf0", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "kibana", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|098bec7bf855e73ace965a1b7d46571e591800d41a10454eaf4a730fb514ddf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/setup/install/docker/docker-compose.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 70805, "scanner": "repobility-docker", "fingerprint": "c700e4bd6e8be9ad3624d92433674c0a499513862f08e51491a15767e838082e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c700e4bd6e8be9ad3624d92433674c0a499513862f08e51491a15767e838082e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/smb-fixture/src/main/resources/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 70804, "scanner": "repobility-docker", "fingerprint": "b80f91b05aa00645582bfa646396c1685b4d93b7f9573b2fbd87cd290a1379d0", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b80f91b05aa00645582bfa646396c1685b4d93b7f9573b2fbd87cd290a1379d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/smb-fixture/src/main/resources/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70782, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e0edf422a9ca1d7660db0d122aa918ab106e8c4a93689e06236b197f0d7b3490", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "distribution/tools/server-launcher/src/main/java/org/elasticsearch/server/launcher/ServerLauncher.java", "duplicate_line": 200, "correlation_key": "fp|e0edf422a9ca1d7660db0d122aa918ab106e8c4a93689e06236b197f0d7b3490"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distribution/tools/windows-service-cli/src/main/java/org/elasticsearch/windows/service/WindowsServiceDaemon.java"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70781, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2de3d5df7332c3685546bca3ba56a6cbc2456de1ca36ab832acd6013e1cb07e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/transport/AbstractGenerateTransportVersionDefinitionTask.java", "duplicate_line": 103, "correlation_key": "fp|2de3d5df7332c3685546bca3ba56a6cbc2456de1ca36ab832acd6013e1cb07e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/transport/GenerateTransportVersionDefinitionTask.java"}, "region": {"startLine": 109}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70780, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e257be4fc57a811b9943d28191590943899e83bde7c7e7195f07d8ee3ac1ef59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/precommit/ValidateJsonAgainstSchemaTask.java", "duplicate_line": 49, "correlation_key": "fp|e257be4fc57a811b9943d28191590943899e83bde7c7e7195f07d8ee3ac1ef59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/precommit/ValidateJsonNoKeywordsTask.java"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70779, "scanner": "repobility-ai-code-hygiene", "fingerprint": "118bc30accb8dccca4f5c152663dce2e68a172017db37de1d19b6b80e96605f8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/packer/CacheCacheableTestFixtures.java", "duplicate_line": 89, "correlation_key": "fp|118bc30accb8dccca4f5c152663dce2e68a172017db37de1d19b6b80e96605f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/precommit/CheckForbiddenApisTask.java"}, "region": {"startLine": 371}}}]}, {"ruleId": "SEC005", "level": "note", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 70772, "scanner": "repobility-threat-engine", "fingerprint": "e0d5d9931611393864535b152553a8d6a2c0723dd8dda1f308ce873fa73163d2", "category": "injection", "severity": "low", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Command is a hardcoded string literal \u2014 lower risk", "evidence": {"match": "subprocess.check_output('git diff --shortstat', shell=True", "reason": "Command is a hardcoded string literal \u2014 lower risk", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "code|injection|token|33|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-tools/prepare_release_update_documentation.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 70714, "scanner": "repobility-threat-engine", "fingerprint": "7b3973233a11e5a45820200947d1eecfc4d2aeec39e8d39ceb1e2594dfc637c5", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"expected [\" + topCount + \"] but got [\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b3973233a11e5a45820200947d1eecfc4d2aeec39e8d39ceb1e2594dfc637c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/src/main/java/org/elasticsearch/benchmark/_nightly/esql/NumericTopNBenchmark.java"}, "region": {"startLine": 175}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 70713, "scanner": "repobility-threat-engine", "fingerprint": "7053c8f881c4665918e034e756956ec28863bb2dbb75aa1913e101d6f2e33fca", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"NdJsonReadBenchmark[\" + projection + \"] read \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7053c8f881c4665918e034e756956ec28863bb2dbb75aa1913e101d6f2e33fca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/src/main/java/org/elasticsearch/benchmark/_nightly/esql/NdJsonReadBenchmark.java"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 70712, "scanner": "repobility-threat-engine", "fingerprint": "e179db1a5acc8291f464f66316e5f58bdd79cd9ae8f0251a8ba3275b1e1c8415", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"expected [\" + expectedOutput + \"] but got [\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e179db1a5acc8291f464f66316e5f58bdd79cd9ae8f0251a8ba3275b1e1c8415"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/src/main/java/org/elasticsearch/benchmark/_nightly/esql/GroupedTopNBenchmark.java"}, "region": {"startLine": 190}}}]}, {"ruleId": "SEC003", "level": "note", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 70711, "scanner": "repobility-threat-engine", "fingerprint": "15ad769e328c372ab815aabc38fa84bc2c03548937d2b56aff6ca8f4ebc19098", "category": "credential_exposure", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.2 bits) \u2014 likely real secret", "evidence": {"match": "SECRET_KEY = \"RepositoryS3ClientYamlTestSuiteIT-secret-key\"", "reason": "High entropy value (4.2 bits) \u2014 likely real secret", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|3|secret_key token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "modules/repository-s3/src/yamlRestTest/java/org/elasticsearch/repositories/s3/RepositoryS3ClientYamlTestSuiteIT.java"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `kibana` image is selected through a build variable"}, "properties": {"repobilityId": 70821, "scanner": "repobility-docker", "fingerprint": "31065b03b6fe428a54ffb2aeb95224599c08fa9f7d5b8a0898eedcbf79c3adbf", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "docker.elastic.co/kibana/kibana:${STACK_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|31065b03b6fe428a54ffb2aeb95224599c08fa9f7d5b8a0898eedcbf79c3adbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/setup/install/docker/docker-compose.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `es03` image is selected through a build variable"}, "properties": {"repobilityId": 70820, "scanner": "repobility-docker", "fingerprint": "ff66248fe9cb3d82be1902b85c9d8dfc60c37e356822227f95875a7652361bc9", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ff66248fe9cb3d82be1902b85c9d8dfc60c37e356822227f95875a7652361bc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/setup/install/docker/docker-compose.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `es02` image is selected through a build variable"}, "properties": {"repobilityId": 70819, "scanner": "repobility-docker", "fingerprint": "abd1d2ac1a3a5a48e9942db355fb516b668831cbff77e6879f0c11c43fe1f245", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|abd1d2ac1a3a5a48e9942db355fb516b668831cbff77e6879f0c11c43fe1f245"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/setup/install/docker/docker-compose.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `es01` image is selected through a build variable"}, "properties": {"repobilityId": 70817, "scanner": "repobility-docker", "fingerprint": "842f7ed35b5bf48e69d3cf44ace2f0862c41ecf65a9506377fdcea2a06e9abfe", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|842f7ed35b5bf48e69d3cf44ace2f0862c41ecf65a9506377fdcea2a06e9abfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/setup/install/docker/docker-compose.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `setup` image is selected through a build variable"}, "properties": {"repobilityId": 70814, "scanner": "repobility-docker", "fingerprint": "e649c586c5cda4f55f195487f28b7f002ba488549782ae35103d25aa6a420200", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e649c586c5cda4f55f195487f28b7f002ba488549782ae35103d25aa6a420200"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/setup/install/docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 70791, "scanner": "repobility-docker", "fingerprint": "556134ad353fcfe7bb787fd37944c77ddccfa5d9b9652cdba37fe333212013f6", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${base_image}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|556134ad353fcfe7bb787fd37944c77ddccfa5d9b9652cdba37fe333212013f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distribution/docker/src/docker/dockerfiles/ironbank/Dockerfile"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 70790, "scanner": "repobility-docker", "fingerprint": "589ff144eea8dafd4f74c9e6064bd7cdf8dd7baeed8087248e4edd96e0bf61bd", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${base_image}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|589ff144eea8dafd4f74c9e6064bd7cdf8dd7baeed8087248e4edd96e0bf61bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distribution/docker/src/docker/dockerfiles/ironbank/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 70789, "scanner": "repobility-docker", "fingerprint": "f4228e89269334f96fcd6787935de9eb13295b73c4cab9c99382f1201ed4b048", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${base_image}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f4228e89269334f96fcd6787935de9eb13295b73c4cab9c99382f1201ed4b048"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distribution/docker/src/docker/dockerfiles/default/Dockerfile"}, "region": {"startLine": 81}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 70788, "scanner": "repobility-docker", "fingerprint": "0e05d98eae664c7cf9a191d92f8f7201ca1f1730cc471e13e0add633b3914528", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${base_image}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|0e05d98eae664c7cf9a191d92f8f7201ca1f1730cc471e13e0add633b3914528"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distribution/docker/src/docker/dockerfiles/default/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 70786, "scanner": "repobility-docker", "fingerprint": "1ce409f8a29790cd9d520376cd1bbcc6a358e6e2004625ef98b9002baed3cf94", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${base_image}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1ce409f8a29790cd9d520376cd1bbcc6a358e6e2004625ef98b9002baed3cf94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distribution/docker/src/docker/Dockerfile.ess"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 70785, "scanner": "repobility-docker", "fingerprint": "cbd0ff3910357f7f978221419e22904e171b09006cd54c75eb2b7fbd21e028f1", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${base_image}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|cbd0ff3910357f7f978221419e22904e171b09006cd54c75eb2b7fbd21e028f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distribution/docker/src/docker/Dockerfile.ess"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 70767, "scanner": "repobility-threat-engine", "fingerprint": "d71724ef9ebc40c9f37835e9a17943f9474ef3b21970d0351d917057cdfb2b85", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d71724ef9ebc40c9f37835e9a17943f9474ef3b21970d0351d917057cdfb2b85", "aggregated_count": 1}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 70766, "scanner": "repobility-threat-engine", "fingerprint": "ad9fe9c380af69fc693b52994a185d4cb595da3fe4ce91eff6e12501cbf6c256", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ad9fe9c380af69fc693b52994a185d4cb595da3fe4ce91eff6e12501cbf6c256"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools/src/integTest/groovy/org/elasticsearch/gradle/TestClustersPluginFuncTest.groovy"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 70765, "scanner": "repobility-threat-engine", "fingerprint": "fd3436197b63ad57a06a05edd8b3fdf0612b3194bbdcf8b7062f1448b94a495e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd3436197b63ad57a06a05edd8b3fdf0612b3194bbdcf8b7062f1448b94a495e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools/src/integTest/groovy/org/elasticsearch/gradle/LoggedExecFuncTest.groovy"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 70764, "scanner": "repobility-threat-engine", "fingerprint": "25060b63ca9d43292a0a94404d6bddb7a312d058a9cc81f032e42634a8a4d772", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|25060b63ca9d43292a0a94404d6bddb7a312d058a9cc81f032e42634a8a4d772"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools/src/integTest/groovy/org/elasticsearch/gradle/JdkToolchainTestFixtureFuncTest.groovy"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED092", "level": "none", "message": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "properties": {"repobilityId": 70763, "scanner": "repobility-threat-engine", "fingerprint": "089fd712c7bec798f7553333d0e9230f45da5bd109d773dfae089a91858a42e2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-runtime-exec", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348152+00:00", "triaged_in_corpus": 15, "observations_count": 250, "ai_coder_pattern_id": 125}, "scanner": "repobility-threat-engine", "correlation_key": "fp|089fd712c7bec798f7553333d0e9230f45da5bd109d773dfae089a91858a42e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools/reaper/src/main/java/org/elasticsearch/gradle/reaper/Reaper.java"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 70762, "scanner": "repobility-threat-engine", "fingerprint": "6051ea758843b6ed68b455d709042d2268cab1c99d8af234e1c6a7fbf59c516d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6051ea758843b6ed68b455d709042d2268cab1c99d8af234e1c6a7fbf59c516d", "aggregated_count": 3}}}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 70761, "scanner": "repobility-threat-engine", "fingerprint": "f17494e8542c2426c90dd410413b7ee6bee6e963bae234a91e37ce7daba46e8d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f17494e8542c2426c90dd410413b7ee6bee6e963bae234a91e37ce7daba46e8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/benchmark/src/main/java/org/elasticsearch/client/benchmark/BenchmarkMain.java"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 70760, "scanner": "repobility-threat-engine", "fingerprint": "08be3d16d0959f20816d217ce64ed18c30976d43e9dc602aa71a3779785c4e8b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|08be3d16d0959f20816d217ce64ed18c30976d43e9dc602aa71a3779785c4e8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/benchmark/src/main/java/org/elasticsearch/client/benchmark/AbstractBenchmark.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 70759, "scanner": "repobility-threat-engine", "fingerprint": "4c36f1646788fc8feededdef0187e64019d0b9bc26c680e86a59f8ee7a4b8d52", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4c36f1646788fc8feededdef0187e64019d0b9bc26c680e86a59f8ee7a4b8d52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools/reaper/src/main/java/org/elasticsearch/gradle/reaper/Reaper.java"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 70757, "scanner": "repobility-threat-engine", "fingerprint": "e80148be319b700ae4a24816eb381b9679fe3335acea1d8a13fee0334fe0fdb3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e80148be319b700ae4a24816eb381b9679fe3335acea1d8a13fee0334fe0fdb3", "aggregated_count": 6}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 70756, "scanner": "repobility-threat-engine", "fingerprint": "0f4a0b1d907f8b9ba685971a5481d01ffa9a697129e7ca9895caa1584e3f5156", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0f4a0b1d907f8b9ba685971a5481d01ffa9a697129e7ca9895caa1584e3f5156"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distribution/tools/cli-launcher/src/main/java/org/elasticsearch/launcher/CliToolLauncher.java"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 70755, "scanner": "repobility-threat-engine", "fingerprint": "e5e230f0c14d9cbfdc26f4609e26c10f69adecc0cde8bc5cd32d979b02302348", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e5e230f0c14d9cbfdc26f4609e26c10f69adecc0cde8bc5cd32d979b02302348"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/benchmark/src/main/java/org/elasticsearch/client/benchmark/ops/bulk/BulkBenchmarkTask.java"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 70754, "scanner": "repobility-threat-engine", "fingerprint": "442501d95939af207e9beea99d27a0bb0bd74789038f691063f836eb5d181be4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|442501d95939af207e9beea99d27a0bb0bd74789038f691063f836eb5d181be4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/ci/GcpPreemptionWatchdog.java"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 70753, "scanner": "repobility-threat-engine", "fingerprint": "546d20e574ffd3332be1e74ffe173a419dd2cea1b5657b6eee17e28829a4be0a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|546d20e574ffd3332be1e74ffe173a419dd2cea1b5657b6eee17e28829a4be0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools/src/main/java/org/elasticsearch/gradle/testclusters/MockApmServer.java"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 70752, "scanner": "repobility-threat-engine", "fingerprint": "84a1da5db45f1e0d9b4c5543378514f6f9a398fb071f81b07015a816f7839a53", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|84a1da5db45f1e0d9b4c5543378514f6f9a398fb071f81b07015a816f7839a53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/packer/CacheCacheableTestFixtures.java"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 70751, "scanner": "repobility-threat-engine", "fingerprint": "e0c5407a97c42add75d546517bb41ad498bb2dda54c00f15f4476f901a7e4178", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0c5407a97c42add75d546517bb41ad498bb2dda54c00f15f4476f901a7e4178"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/InternalDistributionArchiveCheckPlugin.java"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 70749, "scanner": "repobility-threat-engine", "fingerprint": "208a99484733fa827229b4e8dce25a592167519226c92eacc9b2fc7364ec462d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|208a99484733fa827229b4e8dce25a592167519226c92eacc9b2fc7364ec462d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/info/GlobalBuildInfoPluginFuncTest.groovy"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC012", "level": "none", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 70747, "scanner": "repobility-threat-engine", "fingerprint": "46342cffd7a82af62db17b3faa912d30719a9d57eaf7cd87c128c00c0a6d8d49", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|46342cffd7a82af62db17b3faa912d30719a9d57eaf7cd87c128c00c0a6d8d49"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 70743, "scanner": "repobility-threat-engine", "fingerprint": "9c8c139140f617f7bb042c395d886fc52cd10c560e4a83e89baca87eb4c11777", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9c8c139140f617f7bb042c395d886fc52cd10c560e4a83e89baca87eb4c11777", "aggregated_count": 12}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 70742, "scanner": "repobility-threat-engine", "fingerprint": "67e610082283dd6066cf725daff273b0a8ebf49eeac797983c7376670eea2989", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|67e610082283dd6066cf725daff273b0a8ebf49eeac797983c7376670eea2989"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/ci/GcpPreemptionWatchdog.java"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 70741, "scanner": "repobility-threat-engine", "fingerprint": "039d1cdd7e7959187c4c9ec77d8d2270d51f0acc2278d29b014fe969993cb6c2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|039d1cdd7e7959187c4c9ec77d8d2270d51f0acc2278d29b014fe969993cb6c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/snyk/SnykDependencyMonitoringGradlePluginFuncTest.groovy"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 70740, "scanner": "repobility-threat-engine", "fingerprint": "fd7fb22b3e7c44c00f073a2c6828a4ef93d09aadf87c4510344f61aa1f1369c5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd7fb22b3e7c44c00f073a2c6828a4ef93d09aadf87c4510344f61aa1f1369c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/InternalDistributionArchiveCheckPluginFuncTest.groovy"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED011", "level": "none", "message": {"text": "[MINED011] Scala Get On Option (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 70739, "scanner": "repobility-threat-engine", "fingerprint": "8e59bb7c8bf2f101e8a261ecab0f74ec0a26fc641020d7a93b1a7754a2b46300", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8e59bb7c8bf2f101e8a261ecab0f74ec0a26fc641020d7a93b1a7754a2b46300", "aggregated_count": 2}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 70735, "scanner": "repobility-threat-engine", "fingerprint": "969998b1ac27485493ea7a596385db1b5bda1cbf37ce6998118fa3af65ae0083", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|969998b1ac27485493ea7a596385db1b5bda1cbf37ce6998118fa3af65ae0083", "aggregated_count": 15}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 70734, "scanner": "repobility-threat-engine", "fingerprint": "0105637aafa3b1e5b35010908a7988c9db0dcbd63266d2b8792128b2f98c77d0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0105637aafa3b1e5b35010908a7988c9db0dcbd63266d2b8792128b2f98c77d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/ExportElasticsearchBuildResourcesTaskFuncTest.groovy"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 70733, "scanner": "repobility-threat-engine", "fingerprint": "4dcee3a4946137473de7e9f7d0e5ac95bded5a3fc758e0876735f92f8f4f5c06", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4dcee3a4946137473de7e9f7d0e5ac95bded5a3fc758e0876735f92f8f4f5c06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/ElasticsearchJavadocPluginFuncTest.groovy"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 70732, "scanner": "repobility-threat-engine", "fingerprint": "b22ddc60e1e81f2a6c530d680e23140c2140ce759a97cd663846880d2d6af57b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b22ddc60e1e81f2a6c530d680e23140c2140ce759a97cd663846880d2d6af57b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/ElasticsearchJavaModulePathPluginFuncTest.groovy"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 70731, "scanner": "repobility-threat-engine", "fingerprint": "c99e84751a1f49acb2a05f8e16365a1ec0085c51b7a83f3c71cbd43d21478817", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c99e84751a1f49acb2a05f8e16365a1ec0085c51b7a83f3c71cbd43d21478817", "aggregated_count": 4}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 70727, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 70723, "scanner": "repobility-threat-engine", "fingerprint": "82c6b69256192cc53f3e97906f4b7b1953127ff4369eaf5cc476c6a6e6d7a62f", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|82c6b69256192cc53f3e97906f4b7b1953127ff4369eaf5cc476c6a6e6d7a62f"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 70719, "scanner": "repobility-threat-engine", "fingerprint": "59f8fe45fc5615482b4e48d4864d7b6d9fcdf063056f99acf47e7fe5acde521f", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|59f8fe45fc5615482b4e48d4864d7b6d9fcdf063056f99acf47e7fe5acde521f"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 70718, "scanner": "repobility-threat-engine", "fingerprint": "b74b88ea87b41f698ba38eb56555f7dbfdfdc8f7537b3b10a19bfa056fc8376c", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'spec\\b' detected on same line", "evidence": {"match": ".exec(", "reason": "Safe pattern 'spec\\b' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|77|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-conventions/src/main/java/org/elasticsearch/gradle/internal/conventions/info/ParallelDetector.java"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 70717, "scanner": "repobility-threat-engine", "fingerprint": "d362b576467f52d34dbe217a7eb03d947a7a82049378fe60762e1c684540aded", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|211|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/src/main/java/org/elasticsearch/benchmark/esql/JsonExtractBenchmark.java"}, "region": {"startLine": 211}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 178 more): Same pattern found in 178 additional files. Review if needed."}, "properties": {"repobilityId": 70715, "scanner": "repobility-threat-engine", "fingerprint": "14112972011c64381f803c153e6019b08c51172b086e4ca44d8e0bf7991e8e64", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 178 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 178 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|14112972011c64381f803c153e6019b08c51172b086e4ca44d8e0bf7991e8e64"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 70709, "scanner": "repobility-threat-engine", "fingerprint": "501876d43fbaf15c6d4055194dcce53c187c4dbbef78a664b67e46162788cb51", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|501876d43fbaf15c6d4055194dcce53c187c4dbbef78a664b67e46162788cb51"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 70708, "scanner": "repobility-threat-engine", "fingerprint": "742de4bfcd0cf5796870fe09f5d1520bb3a0ffa7a28fbbb7bf0801d2e96b4e64", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "LOGGER.debug(\"Using basic key/secret credentials\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|11|logger.debug using basic key/secret credentials"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/discovery-ec2/src/main/java/org/elasticsearch/discovery/ec2/AwsEc2ServiceImpl.java"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 70707, "scanner": "repobility-threat-engine", "fingerprint": "b0ec454c3040f86975d924b94488116fd0fcb7393a896d033783d5a62a13a109", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "Logger.getLogger(EdgeNGramTokenFilterFactory.class)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|logger.getlogger token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "modules/analysis-common/src/main/java/org/elasticsearch/analysis/common/EdgeNGramTokenFilterFactory.java"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 70706, "scanner": "repobility-threat-engine", "fingerprint": "a6bfa83873ba37b3813f446ffec7688ace9dd66c8f1c4c4ccc1f941d4c2111c9", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "LOGGER.lifecycle(\"[gcp-preemption-watchdog] cancelling Gradle build via BuildCancellationToken\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|logger.lifecycle gcp-preemption-watchdog cancelling gradle build via buildcancellationtoken"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/ci/PreemptionBuildCanceller.java"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 70704, "scanner": "repobility-threat-engine", "fingerprint": "7bb3cbe558e477d943a8a958fb7e91637ca2fa1d84088147d765262ff2baf188", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7bb3cbe558e477d943a8a958fb7e91637ca2fa1d84088147d765262ff2baf188"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/pull-request/bwc-versions.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 70703, "scanner": "repobility-threat-engine", "fingerprint": "f920b5fefe97d9caa6c2487e2acd4a23976d0d58cc8a1e846cfd6c3d6935d30c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f920b5fefe97d9caa6c2487e2acd4a23976d0d58cc8a1e846cfd6c3d6935d30c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/flakiness-detection/entrypoints/pr.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 70702, "scanner": "repobility-threat-engine", "fingerprint": "340cf559e06ea61cbe96799fd51e5806ca4df347745b855166a663bead061461", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|340cf559e06ea61cbe96799fd51e5806ca4df347745b855166a663bead061461"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 70698, "scanner": "repobility-threat-engine", "fingerprint": "c17c3c334a0c891d86f3db6af749774e09bf68bbf397b5eac82d842bd1fc7f0c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c17c3c334a0c891d86f3db6af749774e09bf68bbf397b5eac82d842bd1fc7f0c", "aggregated_count": 9}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 70697, "scanner": "repobility-threat-engine", "fingerprint": "51d9c0603d947884906ce651502ebdc70268e5d6ada1b2324ce4cab55ca6ce36", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|51d9c0603d947884906ce651502ebdc70268e5d6ada1b2324ce4cab55ca6ce36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/flakiness-detection/entrypoints/manual.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 70696, "scanner": "repobility-threat-engine", "fingerprint": "ceab160204712a415128b995dd4d896be910300e444726c4304b100fa9abceae", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ceab160204712a415128b995dd4d896be910300e444726c4304b100fa9abceae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/flakiness-detection/entrypoints/local.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 70695, "scanner": "repobility-threat-engine", "fingerprint": "53df04ea53723ab4d393b080388c7271f447dead05887ea3f113bbd2e5eae2c0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53df04ea53723ab4d393b080388c7271f447dead05887ea3f113bbd2e5eae2c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/flakiness-detection/entrypoints/analyze.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 70694, "scanner": "repobility-threat-engine", "fingerprint": "53e4fe4535b21b867c8404d778b99a5570a2cad163573058c3b6e6ef18fea32a", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53e4fe4535b21b867c8404d778b99a5570a2cad163573058c3b6e6ef18fea32a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/flakiness-detection/commands.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `plugins/examples/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `plugins/examples/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,583 bytes) committed to a repo that otherwise has 29202 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 70858, "scanner": "repobility-supply-chain", "fingerprint": "286235928899721c916561dff5a995ebcfa1f66815af15eabd542c477cda248d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|286235928899721c916561dff5a995ebcfa1f66815af15eabd542c477cda248d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/examples/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `distribution/src/bin/elasticsearch-service-mgr.exe` committed in source repo: `distribution/src/bin/elasticsearch-service-mgr.exe` is a .exe binary (126,600 bytes) committed to a repo that otherwise has 29202 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 70857, "scanner": "repobility-supply-chain", "fingerprint": "e428d3616e40493c218db57a599fa2e87c6923bce75acc53ea4e868555dadbea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e428d3616e40493c218db57a599fa2e87c6923bce75acc53ea4e868555dadbea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distribution/src/bin/elasticsearch-service-mgr.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `distribution/src/bin/elasticsearch-service-x64.exe` committed in source repo: `distribution/src/bin/elasticsearch-service-x64.exe` is a .exe binary (142,984 bytes) committed to a repo that otherwise has 29202 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 70856, "scanner": "repobility-supply-chain", "fingerprint": "cfe26347e05c4a3255c7c2353a2b7d7e1aa0b46d61cb35bc772b6850615c7a5e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cfe26347e05c4a3255c7c2353a2b7d7e1aa0b46d61cb35bc772b6850615c7a5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distribution/src/bin/elasticsearch-service-x64.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `server/src/test/resources/org/elasticsearch/plugins/non-extensible-plugin.jar` committed in source repo: `server/src/test/resources/org/elasticsearch/plugins/non-extensible-plugin.jar` is a .jar binary (711 bytes) committed to a repo that otherwise has 29202 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 70855, "scanner": "repobility-supply-chain", "fingerprint": "007a6840061327e91e7aa277c54fe4dbfb5b55292e59a84413fed19a474e95df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|007a6840061327e91e7aa277c54fe4dbfb5b55292e59a84413fed19a474e95df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/test/resources/org/elasticsearch/plugins/non-extensible-plugin.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `server/src/test/resources/org/elasticsearch/plugins/dummy-plugin.jar` committed in source repo: `server/src/test/resources/org/elasticsearch/plugins/dummy-plugin.jar` is a .jar binary (689 bytes) committed to a repo that otherwise has 29202 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 70854, "scanner": "repobility-supply-chain", "fingerprint": "0852dace4fd657a5673336f0e097322eb946ee984e53ff9ecec2fce2e84a277c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0852dace4fd657a5673336f0e097322eb946ee984e53ff9ecec2fce2e84a277c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/test/resources/org/elasticsearch/plugins/dummy-plugin.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 29202 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 70853, "scanner": "repobility-supply-chain", "fingerprint": "511144b6149752359e7ab797533b5a068c0ac7434a0ac76a06036e13ac8b16e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|511144b6149752359e7ab797533b5a068c0ac7434a0ac76a06036e13ac8b16e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70852, "scanner": "repobility-supply-chain", "fingerprint": "8e3304774ca64a89b95c6e825b2d20a7847504dab91a7d04c8c878844499e67c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e3304774ca64a89b95c6e825b2d20a7847504dab91a7d04c8c878844499e67c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-esql-generated-headers.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `elastic/docs-actions/.github/workflows/docs-preview-cleanup.yml` pinned to mutable ref `@v1`: `uses: elastic/docs-actions/.github/workflows/docs-preview-cleanup.yml@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70851, "scanner": "repobility-supply-chain", "fingerprint": "02c4a30b3e82203d464c65ccc380d7d771dd0f6fe76e938d1cd28c3a188e3398", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|02c4a30b3e82203d464c65ccc380d7d771dd0f6fe76e938d1cd28c3a188e3398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-preview-cleanup.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `elastic/oblt-actions/updatecli/run` pinned to mutable ref `@v1`: `uses: elastic/oblt-actions/updatecli/run@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70850, "scanner": "repobility-supply-chain", "fingerprint": "8fceac60b987eef4689db7c6a60068cfeb02b0f3baf723a72ef08cded7a18485", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fceac60b987eef4689db7c6a60068cfeb02b0f3baf723a72ef08cded7a18485"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/updatecli-compose.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70849, "scanner": "repobility-supply-chain", "fingerprint": "d0064257e8fff851a17d908804890444c9a47518f3e7c69112f9bf7a9fb21b18", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0064257e8fff851a17d908804890444c9a47518f3e7c69112f9bf7a9fb21b18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/updatecli-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70848, "scanner": "repobility-supply-chain", "fingerprint": "9d9b70a048d3680161b9f43fc09e9f39b340cf325d5d289758a96094e9cda7a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d9b70a048d3680161b9f43fc09e9f39b340cf325d5d289758a96094e9cda7a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/updatecli-compose.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `elastic/docs-actions/.github/workflows/docs-deploy.yml` pinned to mutable ref `@v1`: `uses: elastic/docs-actions/.github/workflows/docs-deploy.yml@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70847, "scanner": "repobility-supply-chain", "fingerprint": "cb821fe34205aeb2080ef9f0070a112bccb495ec6297bf975e7cec7ed5302943", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb821fe34205aeb2080ef9f0070a112bccb495ec6297bf975e7cec7ed5302943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-deploy.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70846, "scanner": "repobility-supply-chain", "fingerprint": "582e4e3d3b35d94979336ac966e0acb49ddbfcc116b71a843cf4d07142c0c979", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|582e4e3d3b35d94979336ac966e0acb49ddbfcc116b71a843cf4d07142c0c979"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-wrapper-validation.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `elastic/docs-actions/.github/workflows/docs-build.yml` pinned to mutable ref `@v1`: `uses: elastic/docs-actions/.github/workflows/docs-build.yml@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70845, "scanner": "repobility-supply-chain", "fingerprint": "962c836804ec11aae9047bf0f053c39a9f7e697906cf38c132967763386fdd7d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|962c836804ec11aae9047bf0f053c39a9f7e697906cf38c132967763386fdd7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-build.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:trixie-slim` not pinned by digest: `FROM debian:trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70844, "scanner": "repobility-supply-chain", "fingerprint": "da52320ef2bbb988225df3fbcc560a7a4b931d3c507b37c9292c46d368239c17", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da52320ef2bbb988225df3fbcc560a7a4b931d3c507b37c9292c46d368239c17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/simdvec/native/Dockerfile.cross-toolchain"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:trixie-slim` not pinned by digest: `FROM debian:trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70843, "scanner": "repobility-supply-chain", "fingerprint": "fe5eaa0d61d06134920cd4282762875f86f32de8f3a3b172399d86ccbb2fad9c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe5eaa0d61d06134920cd4282762875f86f32de8f3a3b172399d86ccbb2fad9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/parquet-rs/native/Dockerfile.rust-toolchain"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `osixia/openldap:1.4.0` not pinned by digest: `FROM osixia/openldap:1.4.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70842, "scanner": "repobility-supply-chain", "fingerprint": "282226747281bcffe7ff64b5d842ce71795a72f42b94584ec387dbf57944fd41", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|282226747281bcffe7ff64b5d842ce71795a72f42b94584ec387dbf57944fd41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/openldap/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://archive.apache.org/dist/tomcat/jakartaee-migration/v${MIGRATION_TOOL_VERSION}/binaries/jakartaee-migration-${MIGRATION_TOOL_VERSION}-shaded.jar`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 70841, "scanner": "repobility-supply-chain", "fingerprint": "b91252b4b5a30b85b7564135e2c20bfe6843aab385431e1e08e153c615629410", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b91252b4b5a30b85b7564135e2c20bfe6843aab385431e1e08e153c615629410"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/oidc/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `eclipse-temurin:17-jre` not pinned by digest: `FROM eclipse-temurin:17-jre` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70840, "scanner": "repobility-supply-chain", "fingerprint": "6cf7134cbb81f125b92aa0bf93dea498067712e9293d3380a5a8892b82bdb6c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6cf7134cbb81f125b92aa0bf93dea498067712e9293d3380a5a8892b82bdb6c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/oidc/Dockerfile"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `eclipse-temurin:17-jdk` not pinned by digest: `FROM eclipse-temurin:17-jdk` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70839, "scanner": "repobility-supply-chain", "fingerprint": "09e0920e0ca582cbd068720fcb1dd9798e1347feced2cdf3589431727db47971", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09e0920e0ca582cbd068720fcb1dd9798e1347feced2cdf3589431727db47971"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/oidc/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `eclipse-temurin:11-jre` not pinned by digest: `FROM eclipse-temurin:11-jre` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70838, "scanner": "repobility-supply-chain", "fingerprint": "512d7ff297cb648d812699d01e2f6881d65eedc93e6c6b118c176a50baacd372", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|512d7ff297cb648d812699d01e2f6881d65eedc93e6c6b118c176a50baacd372"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/idp/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `nginx:1.27-alpine` not pinned by digest: `FROM nginx:1.27-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70837, "scanner": "repobility-supply-chain", "fingerprint": "49634b0fc905327c88022f180bb1c879759894533c246924d4a75a980f616c39", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|49634b0fc905327c88022f180bb1c879759894533c246924d4a75a980f616c39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/nginx/Dockerfile"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `nginx:1.27-alpine` not pinned by digest: `FROM nginx:1.27-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70836, "scanner": "repobility-supply-chain", "fingerprint": "4930eef9022f51beda787e62e45c575ecddb4e7124e07664574b798dfc6903d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4930eef9022f51beda787e62e45c575ecddb4e7124e07664574b798dfc6903d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/nginx/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70835, "scanner": "repobility-supply-chain", "fingerprint": "d1ecb0ededd13602db89b55149f8ed5500178cba57786ca6cc886435ecebf65c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1ecb0ededd13602db89b55149f8ed5500178cba57786ca6cc886435ecebf65c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/smb-fixture/src/main/resources/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker.elastic.co/elasticsearch-dev/es-rust-cross-toolchain:1.95` not pinned by digest: `FROM docker.elastic.co/elasticsearch-dev/es-rust-cross-toolchain:1.95` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70834, "scanner": "repobility-supply-chain", "fingerprint": "d239a354f97340a3e75bc79988594442e90c19691338eb2295d3ea54250bbe0c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d239a354f97340a3e75bc79988594442e90c19691338eb2295d3ea54250bbe0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/plugin/esql-datasource-parquet-rs/native/build-tools/Dockerfile.cargo-zigbuild"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.21.0` not pinned by digest: `FROM alpine:3.21.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70833, "scanner": "repobility-supply-chain", "fingerprint": "40a0ebeb88afc231f75a7f79730f766d0609589060f8eccbb486920623079382", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40a0ebeb88afc231f75a7f79730f766d0609589060f8eccbb486920623079382"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/fixtures/krb5kdc-fixture/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `redhat/ubi8 (no tag)` not pinned by digest: `FROM redhat/ubi8 (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70832, "scanner": "repobility-supply-chain", "fingerprint": "42d213c40c45555fe78288d7727e49c9f2527cce1c11e8d7b4871c9c4476d67b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42d213c40c45555fe78288d7727e49c9f2527cce1c11e8d7b4871c9c4476d67b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-tools/zstd.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 70829, "scanner": "repobility-docker", "fingerprint": "8645979123c07b305032d360f3365cb58962d8026fb7d48c33f2f061a7f37495", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "elasticsearch-default-2", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|8645979123c07b305032d360f3365cb58962d8026fb7d48c33f2f061a7f37495", "expected_targets": ["/usr/share/elasticsearch/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "qa/remote-clusters/docker-compose.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 70828, "scanner": "repobility-docker", "fingerprint": "60cb486fb9b57201e2b29b152be14e1195ea4f1d150b57c96516317445da2c41", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9200", "target": "9200", "host_ip": "", "published": ""}, {"raw": "9300", "target": "9300", "host_ip": "", "published": ""}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "elasticsearch-default-2", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|60cb486fb9b57201e2b29b152be14e1195ea4f1d150b57c96516317445da2c41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "qa/remote-clusters/docker-compose.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 70826, "scanner": "repobility-docker", "fingerprint": "fc30034b8250367d0c0c748b536de8c55defe1474e9533b75e1da2d20796f2be", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "elasticsearch-default-1", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|fc30034b8250367d0c0c748b536de8c55defe1474e9533b75e1da2d20796f2be", "expected_targets": ["/usr/share/elasticsearch/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "qa/remote-clusters/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 70825, "scanner": "repobility-docker", "fingerprint": "4bdf86b812c56483e63606f1bb02e1cdd6057a878631bb17cfbd0874db278599", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9200", "target": "9200", "host_ip": "", "published": ""}, {"raw": "9300", "target": "9300", "host_ip": "", "published": ""}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "elasticsearch-default-1", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|4bdf86b812c56483e63606f1bb02e1cdd6057a878631bb17cfbd0874db278599"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "qa/remote-clusters/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 70818, "scanner": "repobility-docker", "fingerprint": "1f40be522af6144bdab51e53d353bc417240eaeebd6392d03ffd4a3774b5658e", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${ES_PORT}:9200", "target": "9200", "host_ip": "", "published": "${ES_PORT}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "es01", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|1f40be522af6144bdab51e53d353bc417240eaeebd6392d03ffd4a3774b5658e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/setup/install/docker/docker-compose.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 70816, "scanner": "repobility-docker", "fingerprint": "56ad9ca57262fee87acfcfdf01c5e29d43db08d2b36bc0c53375b0a3b5eed95a", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "setup", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|56ad9ca57262fee87acfcfdf01c5e29d43db08d2b36bc0c53375b0a3b5eed95a", "expected_targets": ["/usr/share/elasticsearch/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/setup/install/docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 70815, "scanner": "repobility-docker", "fingerprint": "7004f0a3643f1c0b48819bab66ad975880dcddbaff546798d27ba027623ee02b", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "setup", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7004f0a3643f1c0b48819bab66ad975880dcddbaff546798d27ba027623ee02b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/setup/install/docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 70792, "scanner": "repobility-docker", "fingerprint": "ca661035ca803d52bb526b043c4bf31de3e4b1819f24791f18d845dd02be5a0d", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ca661035ca803d52bb526b043c4bf31de3e4b1819f24791f18d845dd02be5a0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/parquet-rs/native/Dockerfile.rust-toolchain"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED026", "level": "error", "message": {"text": "[MINED026] Fake Verification: assert True, expect(1).toBe(1), or other tautology used to fake passing tests."}, "properties": {"repobilityId": 70776, "scanner": "repobility-threat-engine", "fingerprint": "a08eb5fe039c1701cd539975cd1e0705e4816d4ee8d8597aa0a3b6fe02925112", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "fake-verification", "owasp": null, "cwe_ids": ["CWE-1126"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347959+00:00", "triaged_in_corpus": 15, "observations_count": 29905, "ai_coder_pattern_id": 5}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a08eb5fe039c1701cd539975cd1e0705e4816d4ee8d8597aa0a3b6fe02925112"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "modules/apm/src/main/java/org/elasticsearch/telemetry/apm/AbstractAsyncInstrument.java"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 70775, "scanner": "repobility-threat-engine", "fingerprint": "5f63ed8ebe6bd01e7c2366a79dac19f4b0940a516a30f2079a77ebb6dc07636b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5f63ed8ebe6bd01e7c2366a79dac19f4b0940a516a30f2079a77ebb6dc07636b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-tools/prepare_release_update_documentation.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 70774, "scanner": "repobility-threat-engine", "fingerprint": "0586f65a7880dd6c50c5727a7d0d67dd6ea578bae14ed831c656e4e6230c5d01", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0586f65a7880dd6c50c5727a7d0d67dd6ea578bae14ed831c656e4e6230c5d01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-tools/prepare_release_update_documentation.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 70773, "scanner": "repobility-threat-engine", "fingerprint": "abccbdcc7f12ce85911acd9d6037fa9750b18be95c8eb0e5c7b68a14383135ba", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'<version>(.+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|82|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-tools/prepare_release_update_documentation.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 70758, "scanner": "repobility-threat-engine", "fingerprint": "ad8ba69df3795b613ad0d70374fef43e6d984b13ff4210139916d9120078493d", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad8ba69df3795b613ad0d70374fef43e6d984b13ff4210139916d9120078493d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/shadow/XmlClassRelocationTransformer.java"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 70748, "scanner": "repobility-threat-engine", "fingerprint": "0557777f8eef60022330a72dff9ccfb6df850a0a91001165bb54a03e54a6c0f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0557777f8eef60022330a72dff9ccfb6df850a0a91001165bb54a03e54a6c0f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/info/GlobalBuildInfoPluginFuncTest.groovy"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 70738, "scanner": "repobility-threat-engine", "fingerprint": "2af8578547df983953f3554ce97353b959d7bab1593b18408a7f171ca9412d2f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2af8578547df983953f3554ce97353b959d7bab1593b18408a7f171ca9412d2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/info/GlobalBuildInfoPluginFuncTest.groovy"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 70737, "scanner": "repobility-threat-engine", "fingerprint": "f31009ebd57e0be654d5e4e518d9268eb9c669ad568d24d7dfb6ea680f8c6289", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f31009ebd57e0be654d5e4e518d9268eb9c669ad568d24d7dfb6ea680f8c6289"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/ExportElasticsearchBuildResourcesTaskFuncTest.groovy"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 70736, "scanner": "repobility-threat-engine", "fingerprint": "f10af984c4f17e40af7c0f9fa5284826123a4163708279fe72ed05249cb9edd3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f10af984c4f17e40af7c0f9fa5284826123a4163708279fe72ed05249cb9edd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/ElasticsearchJavaPluginFuncTest.groovy"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 70730, "scanner": "repobility-threat-engine", "fingerprint": "8c081ff7248e6e1e162e0a3e56b767797efc2bb93d186b4fd2b764fb9d9013ba", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c081ff7248e6e1e162e0a3e56b767797efc2bb93d186b4fd2b764fb9d9013ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "modules/ip-location/qa/multi-project/src/javaRestTest/java/org/elasticsearch/ingest/geoip/GeoIpMultiProjectIT.java"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 70729, "scanner": "repobility-threat-engine", "fingerprint": "e2d2e3ce4d90e0ee5b1593de1845d0a02f2a92342fccb34323758b6030ae0e50", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e2d2e3ce4d90e0ee5b1593de1845d0a02f2a92342fccb34323758b6030ae0e50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distribution/tools/geoip-cli/src/main/java/org/elasticsearch/geoip/GeoIpCli.java"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 70728, "scanner": "repobility-threat-engine", "fingerprint": "d2297f4418779f2b4af662a914517d440da632fd9038670666aad373f87e4bf9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2297f4418779f2b4af662a914517d440da632fd9038670666aad373f87e4bf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/BuildPluginFuncTest.groovy"}, "region": {"startLine": 135}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 70726, "scanner": "repobility-threat-engine", "fingerprint": "df7bc1a0ea893e9e4d882da6b06d9651448fd9714c3eaf4994740940729b0897", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "it.delete(pidFile)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df7bc1a0ea893e9e4d882da6b06d9651448fd9714c3eaf4994740940729b0897"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/main/groovy/org/elasticsearch/gradle/internal/AntFixtureStop.groovy"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 70725, "scanner": "repobility-threat-engine", "fingerprint": "c15968cb8c382e2f38d96ed8f73005507a11a7c8b0cadca31cd8a9a5521d0e35", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "configurations.create(\"${testArchiveProjectName}\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c15968cb8c382e2f38d96ed8f73005507a11a7c8b0cadca31cd8a9a5521d0e35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/InternalDistributionDownloadPluginFuncTest.groovy"}, "region": {"startLine": 153}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 70724, "scanner": "repobility-threat-engine", "fingerprint": "cb4e6f069781387116ac95c8bc500067bd39ebd7bdec4851506064a5f4d7cdf5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "delete.delete(\".settings\");", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cb4e6f069781387116ac95c8bc500067bd39ebd7bdec4851506064a5f4d7cdf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-conventions/src/main/java/org/elasticsearch/gradle/internal/conventions/EclipseConventionPlugin.java"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 70722, "scanner": "repobility-threat-engine", "fingerprint": "7f4130e43a641367447d6a253bba7670f2c9a70e73601ffe6af481e5d9143501", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7f4130e43a641367447d6a253bba7670f2c9a70e73601ffe6af481e5d9143501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/info/GlobalBuildInfoPluginFuncTest.groovy"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 70721, "scanner": "repobility-threat-engine", "fingerprint": "728cac1cb487ab35a123364850042cae3a2d1da8190faeaf3927eda455dcce1c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(g", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|728cac1cb487ab35a123364850042cae3a2d1da8190faeaf3927eda455dcce1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-conventions/src/main/java/org/elasticsearch/gradle/internal/conventions/info/GitInfo.java"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 70720, "scanner": "repobility-threat-engine", "fingerprint": "6d78c6dc831a3ad9820686457825b96fa10aa5ceeac8bbe8e45174e5f3a536b1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6d78c6dc831a3ad9820686457825b96fa10aa5ceeac8bbe8e45174e5f3a536b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/src/main/java/org/elasticsearch/benchmark/esql/datasources/pushdown/WildcardLikeMatcherBenchmark.java"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 70705, "scanner": "repobility-threat-engine", "fingerprint": "68b61be07da36dd2f0f24c59842ad19fdfe4302abc61329cdd2c5d53ae0c2a92", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|68b61be07da36dd2f0f24c59842ad19fdfe4302abc61329cdd2c5d53ae0c2a92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/setup_node.sh"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 70701, "scanner": "repobility-threat-engine", "fingerprint": "85953d02138ab97e400b59dbe7dc5a1b1796a890352567b949443a6c3f419f8d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(execSpec", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|85953d02138ab97e400b59dbe7dc5a1b1796a890352567b949443a6c3f419f8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-conventions/src/main/java/org/elasticsearch/gradle/internal/conventions/info/ParallelDetector.java"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 70700, "scanner": "repobility-threat-engine", "fingerprint": "dc3072bd7179091f24f6992411827be5170adb9e109792477a343d5f2ef809ac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dc3072bd7179091f24f6992411827be5170adb9e109792477a343d5f2ef809ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/flakiness-detection/runners/local.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 70699, "scanner": "repobility-threat-engine", "fingerprint": "f016c2167d799248513cff38274766f95dbd45cf23be829d31610d467372521f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f016c2167d799248513cff38274766f95dbd45cf23be829d31610d467372521f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/flakiness-detection/entrypoints/pr.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 70693, "scanner": "repobility-threat-engine", "fingerprint": "849e98b3b0979e270521967d098b564be6267f6363197f95775224665dbbe219", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((t) => `${t.taskPath}\\0${t.className}\\0${t.methodName}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|849e98b3b0979e270521967d098b564be6267f6363197f95775224665dbbe219"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/smart-retry/summarize-task-status.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 70692, "scanner": "repobility-threat-engine", "fingerprint": "8944170432f98eefde84a70a22e8d7f3b8690fec0ad60b72bf86eede7f720003", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((task) => `${task}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8944170432f98eefde84a70a22e8d7f3b8690fec0ad60b72bf86eede7f720003"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/flakiness-detection/commands.ts"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED104", "level": "error", "message": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks."}, "properties": {"repobilityId": 70691, "scanner": "repobility-threat-engine", "fingerprint": "089917d218ffaa213cc5a543b8cf4fc2e48218ec0b391170941637fe42c7d8d7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "chmod-777", "owasp": "A05:2021", "cwe_ids": ["CWE-732", "CWE-276"], "languages": ["shell", "bash", "dockerfile"], "precision": 1.0, "promoted_at": "2026-05-19T13:00:00.000000+00:00", "triaged_in_corpus": 0, "observations_count": 0, "ai_coder_pattern_id": 47}, "scanner": "repobility-threat-engine", "correlation_key": "fp|089917d218ffaa213cc5a543b8cf4fc2e48218ec0b391170941637fe42c7d8d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/cuvs-snapshot/configure.sh"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 70827, "scanner": "repobility-docker", "fingerprint": "23c3d1862d15798efd4f0079ffdbd00441ce149659eca6e06b6b7ad4365cc57e", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "elasticsearch-default-2", "variable": "xpack.security.authc.token.enabled", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|23c3d1862d15798efd4f0079ffdbd00441ce149659eca6e06b6b7ad4365cc57e", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "qa/remote-clusters/docker-compose.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 70824, "scanner": "repobility-docker", "fingerprint": "36cdfd6cb031330346f7855edf3dba76e11bb99847e3f4b72091337505e6359e", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "elasticsearch-default-1", "variable": "xpack.security.authc.token.enabled", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|36cdfd6cb031330346f7855edf3dba76e11bb99847e3f4b72091337505e6359e", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "qa/remote-clusters/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 70812, "scanner": "repobility-docker", "fingerprint": "a339f148cf160381a86b86dd0724a613ef5394b96a08788c39a3800c4f694cf4", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "grafana", "variable": "GF_SECURITY_ADMIN_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|a339f148cf160381a86b86dd0724a613ef5394b96a08788c39a3800c4f694cf4", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-tools/prometheus-local/docker-compose.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 70810, "scanner": "repobility-docker", "fingerprint": "9842bb015de4472421ffff58ce6985a6ad535d19c6860c6cb3f89ec74157acc1", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "kibana", "variable": "ELASTICSEARCH_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|9842bb015de4472421ffff58ce6985a6ad535d19c6860c6cb3f89ec74157acc1", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-tools/prometheus-local/docker-compose.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 70807, "scanner": "repobility-docker", "fingerprint": "cbb70c648bd6fde0a9e0deddcf912e5be05f05a29c5ed79bb799f8389514ae7f", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "traefik", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cbb70c648bd6fde0a9e0deddcf912e5be05f05a29c5ed79bb799f8389514ae7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev-tools/prometheus-local/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR005", "level": "error", "message": {"text": "Docker image bakes a secret-like ENV value"}, "properties": {"repobilityId": 70802, "scanner": "repobility-docker", "fingerprint": "986580959fa66c3efe82a3ede699283c8dff38c33d76dc6ffa3330aaadacd663", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ENV assigns a literal value to a secret-like variable name.", "evidence": {"rule_id": "DKR005", "scanner": "repobility-docker", "variable": "LDAP_ADMIN_PASSWORD", "references": ["https://docs.docker.com/build/building/secrets/", "https://docs.docker.com/compose/how-tos/environment-variables/best-practices/"], "correlation_key": "fp|986580959fa66c3efe82a3ede699283c8dff38c33d76dc6ffa3330aaadacd663"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/openldap/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR005", "level": "error", "message": {"text": "Docker image bakes a secret-like ENV value"}, "properties": {"repobilityId": 70797, "scanner": "repobility-docker", "fingerprint": "3fa78e0cb06faaa3ce2df22a3575d2b26fb5975b9ab818a53fdfd572138ae1d3", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ENV assigns a literal value to a secret-like variable name.", "evidence": {"rule_id": "DKR005", "scanner": "repobility-docker", "variable": "JETTY_BROWSER_SSL_KEYSTORE_PASSWORD", "references": ["https://docs.docker.com/build/building/secrets/", "https://docs.docker.com/compose/how-tos/environment-variables/best-practices/"], "correlation_key": "fp|3fa78e0cb06faaa3ce2df22a3575d2b26fb5975b9ab818a53fdfd572138ae1d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/test/idp-fixture/src/main/resources/idp/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "properties": {"repobilityId": 70769, "scanner": "repobility-threat-engine", "fingerprint": "0eb9d7c5826f63b608e6341dc42c6f1d46dbb600475de4acb22849c8f7119fe0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0eb9d7c5826f63b608e6341dc42c6f1d46dbb600475de4acb22849c8f7119fe0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools/src/integTest/groovy/org/elasticsearch/gradle/plugin/StablePluginBuildPluginFuncTest.groovy"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "properties": {"repobilityId": 70768, "scanner": "repobility-threat-engine", "fingerprint": "ca807a56d67193edd51ec8396731c58f7f56815d1c46845280c1709e7406c617", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca807a56d67193edd51ec8396731c58f7f56815d1c46845280c1709e7406c617"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-tools/src/integTest/groovy/org/elasticsearch/gradle/plugin/PluginBuildPluginFuncTest.groovy"}, "region": {"startLine": 165}}}]}]}]}