{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_README", "name": "No README file found", "shortDescription": {"text": "No README file found"}, "fullDescription": {"text": "Create a README.md with: project name and description, installation instructions, usage examples, configuration options, and contribution guidelines."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default.", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of servic"}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/435"}, "properties": {"repository": "clojure/clojure", "repoUrl": "https://github.com/clojure/clojure.git", "branch": "master"}, "results": [{"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 23032, "scanner": "repobility-threat-engine", "fingerprint": "67bf3a913b62636cf6b49fd1a7fa6aad0b654634188ff24aa220535c02a3340d", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "eval(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|1675|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/LispReader.java"}, "region": {"startLine": 1675}}}]}, {"ruleId": "CORE_NO_README", "level": "warning", "message": {"text": "No README file found"}, "properties": {"repobilityId": 17447, "scanner": "repobility-core", "fingerprint": 
"b55c73163757fe6b2364bb829fcd26e87b9d9e7b367dd2a3307a814b02b29cbd", "category": "documentation", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_README", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_readme"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23030, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45e3d8dae360082f80fdaa59e403cd181269e72f383485a27d86cfafa576ce33", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/MultiFn.java", "duplicate_line": 270, "correlation_key": "fp|45e3d8dae360082f80fdaa59e403cd181269e72f383485a27d86cfafa576ce33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/Var.java"}, "region": {"startLine": 359}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23029, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0351c864dd0b215a95b3e8d172d8e07f1e026f77d31bf1c5e0542fa9c0d0ad58", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/Ref.java", "duplicate_line": 145, "correlation_key": 
"fp|0351c864dd0b215a95b3e8d172d8e07f1e026f77d31bf1c5e0542fa9c0d0ad58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/Var.java"}, "region": {"startLine": 277}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23028, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0f5b7ac2dc0eb633818c3ddd2d46b38947185420f974199557fba8ea3af72417", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/APersistentVector.java", "duplicate_line": 228, "correlation_key": "fp|0f5b7ac2dc0eb633818c3ddd2d46b38947185420f974199557fba8ea3af72417"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/PersistentVector.java"}, "region": {"startLine": 261}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23027, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2dada56ec533214ab198c0d7f71c7d213694cf711b121992511dd01c538aee82", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/PersistentTreeMap.java", "duplicate_line": 63, "correlation_key": "fp|2dada56ec533214ab198c0d7f71c7d213694cf711b121992511dd01c538aee82"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "src/jvm/clojure/lang/PersistentTreeSet.java"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23026, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5250f5038ebb508180a8c1ee60747f9146090e0653ce2fd070c3fe5a6655f95", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/APersistentVector.java", "duplicate_line": 377, "correlation_key": "fp|c5250f5038ebb508180a8c1ee60747f9146090e0653ce2fd070c3fe5a6655f95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/PersistentQueue.java"}, "region": {"startLine": 163}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23025, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fcdac2523a979239f4a839e11c5159e8a7bb864103f2296d2bb7598b3666ce67", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/APersistentMap.java", "duplicate_line": 321, "correlation_key": "fp|fcdac2523a979239f4a839e11c5159e8a7bb864103f2296d2bb7598b3666ce67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/PersistentQueue.java"}, "region": {"startLine": 134}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23024, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cea6c23af9836514323449feb7a841ab72338da656a32791b3bf7efa9823c7be", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/ASeq.java", "duplicate_line": 131, "correlation_key": "fp|cea6c23af9836514323449feb7a841ab72338da656a32791b3bf7efa9823c7be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/PersistentList.java"}, "region": {"startLine": 218}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23023, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4931e0371bc51f107e274c6319970071df54ce2e8a42cfd19078626b7e5075a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/ASeq.java", "duplicate_line": 108, "correlation_key": "fp|4931e0371bc51f107e274c6319970071df54ce2e8a42cfd19078626b7e5075a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/LazySeq.java"}, "region": {"startLine": 157}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
23022, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f2db3f04b556a9dfcc7115d3bc5156e5d8843341a4759481d8fe0e843ab8de3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/APersistentSet.java", "duplicate_line": 101, "correlation_key": "fp|6f2db3f04b556a9dfcc7115d3bc5156e5d8843341a4759481d8fe0e843ab8de3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/LazySeq.java"}, "region": {"startLine": 151}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23021, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1da16f998bf998e5cceea953b6a3e6a90787b755d92fb2e0dca5c0906f5f7334", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/APersistentMap.java", "duplicate_line": 321, "correlation_key": "fp|1da16f998bf998e5cceea953b6a3e6a90787b755d92fb2e0dca5c0906f5f7334"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/LazySeq.java"}, "region": {"startLine": 131}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23020, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c1d027b750b93c7a732d5746ec16d4d9a6382eaef5530225aedc32a31658d86", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/AFn.java", "duplicate_line": 17, "correlation_key": "fp|6c1d027b750b93c7a732d5746ec16d4d9a6382eaef5530225aedc32a31658d86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/Keyword.java"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23019, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8cc77815a5ad54e6f7722498bc1ce731e723b830b978665e62352d96ff0f3e4a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/APersistentMap.java", "duplicate_line": 12, "correlation_key": "fp|8cc77815a5ad54e6f7722498bc1ce731e723b830b978665e62352d96ff0f3e4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/ATransientMap.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23018, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0418c141f74a8ea97f802db88cc28793a73891f2a44c5ce88299141c8a631e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/APersistentSet.java", "duplicate_line": 101, "correlation_key": "fp|b0418c141f74a8ea97f802db88cc28793a73891f2a44c5ce88299141c8a631e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/ASeq.java"}, "region": {"startLine": 102}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23017, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2f6444d933e550d3d059595b6e2113dc0688c5757110704f0960de010dad4c09", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/APersistentMap.java", "duplicate_line": 321, "correlation_key": "fp|2f6444d933e550d3d059595b6e2113dc0688c5757110704f0960de010dad4c09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/ASeq.java"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23016, "scanner": "repobility-ai-code-hygiene", "fingerprint": "80a07159988a62636382ea0a1aaa2206df629443418087a84ec763d029fd77b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/APersistentSet.java", "duplicate_line": 101, "correlation_key": "fp|80a07159988a62636382ea0a1aaa2206df629443418087a84ec763d029fd77b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/APersistentVector.java"}, "region": {"startLine": 368}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23015, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f67cba7b48ecb6dd946ff610b0953bfbc60fb694f7103d8d706d60869a6d4e6c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/lang/APersistentMap.java", "duplicate_line": 324, "correlation_key": "fp|f67cba7b48ecb6dd946ff610b0953bfbc60fb694f7103d8d706d60869a6d4e6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/APersistentVector.java"}, "region": {"startLine": 351}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23014, "scanner": "repobility-ai-code-hygiene", "fingerprint": "372fa729a67402f4112d4dd5ce328fa38976bc1c03e3ae362949a7304e6f3a51", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"src/jvm/clojure/lang/APersistentMap.java", "duplicate_line": 321, "correlation_key": "fp|372fa729a67402f4112d4dd5ce328fa38976bc1c03e3ae362949a7304e6f3a51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/APersistentSet.java"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23013, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9620b4c3434d1a31d937702c06113d4a1509ead01c34daa3d61a3038e322a5ad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/jvm/clojure/asm/ClassWriter.java", "duplicate_line": 118, "correlation_key": "fp|9620b4c3434d1a31d937702c06113d4a1509ead01c34daa3d61a3038e322a5ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/asm/FieldWriter.java"}, "region": {"startLine": 47}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 17448, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 23036, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23035, "scanner": "repobility-threat-engine", "fingerprint": "aaeb26e1562c274186d887e840936c1a834a10040c3d5a26be9605a1cba8a6c4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url\n        (p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aaeb26e1562c274186d887e840936c1a834a10040c3d5a26be9605a1cba8a6c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/clj/clojure/repl.clj"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23034, "scanner": "repobility-threat-engine", "fingerprint": "25828b77dc02a0b5cde291ab7e4ba1a865fbad55db03f2b1b2c1cdfdb27e32ca", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(U", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|25828b77dc02a0b5cde291ab7e4ba1a865fbad55db03f2b1b2c1cdfdb27e32ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/DynamicClassLoader.java"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23033, "scanner": "repobility-threat-engine", "fingerprint": "6aeadff9b37da0573981a419dd76864f12659ec2484db9aa609910bb61674a5a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6aeadff9b37da0573981a419dd76864f12659ec2484db9aa609910bb61674a5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/RT.java"}, "region": {"startLine": 299}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 23031, "scanner": "repobility-threat-engine", "fingerprint": "3d303a4a1657d48f6531285ad1e14c8eb059e38332a103e91a3a6a31cb2ff822", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SAXParserFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3d303a4a1657d48f6531285ad1e14c8eb059e38332a103e91a3a6a31cb2ff822"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/jvm/clojure/lang/XMLHandler.java"}, "region": {"startLine": 78}}}]}]}]}