{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", 
"shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v3rj-xjv7-4jmq", "name": "smol-toml: GHSA-v3rj-xjv7-4jmq", "shortDescription": {"text": "smol-toml: GHSA-v3rj-xjv7-4jmq"}, "fullDescription": {"text": "smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": 
{"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `scan_agent` has cognitive complexity 24 (SonarSource scale). Cognitive co", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `scan_agent` has cognitive complexity 24 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion al"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 24."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@opennextjs/aws` is 1 major version(s) behind (3.0.0 -> 4.0.3)", "shortDescription": {"text": "npm package `@opennextjs/aws` is 1 major version(s) behind (3.0.0 -> 4.0.3)"}, "fullDescription": {"text": "`@opennextjs/aws` is pinned/resolved at 3.0.0 but the latest stable release on the npm registry is 4.0.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "GHSA-73rr-hh4g-fpgx", "name": "diff: GHSA-73rr-hh4g-fpgx", "shortDescription": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "fullDescription": {"text": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.", "shortDescription": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 24 more): Same pattern found in 24 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0104", "name": "rustls-webpki: RUSTSEC-2026-0104", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0104"}, "fullDescription": {"text": "Reachable panic in certificate revocation list parsing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0099", "name": "rustls-webpki: RUSTSEC-2026-0099", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0099"}, "fullDescription": {"text": "Name constraints were accepted for certificates asserting a wildcard name"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0098", "name": "rustls-webpki: RUSTSEC-2026-0098", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0098"}, "fullDescription": {"text": "Name constraints for URI names were incorrectly accepted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized 
prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0097", "name": "rand: RUSTSEC-2026-0097", "shortDescription": {"text": "rand: RUSTSEC-2026-0097"}, "fullDescription": {"text": "Rand is unsound with a custom logger using `rand::rng()`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": 
"high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `rust:1.95-bullseye` unpinned", "shortDescription": {"text": "Workflow container/services image `rust:1.95-bullseye` unpinned"}, "fullDescription": {"text": "`container/services image: rust:1.95-bullseye` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.recall` used but never assigned in __init__", "shortDescription": {"text": "`self.recall` used but never assigned in __init__"}, "fullDescription": {"text": "Method `f1` of class `EvalMetrics` reads `self.recall`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/999"}, "properties": {"repository": "fallow-rs/fallow", "repoUrl": "https://github.com/fallow-rs/fallow", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 93686, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 93685, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": 
"repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 93677, "scanner": "osv-scanner", "fingerprint": "04ec746a4913e242e217551eb95acba416737e4e0f6c7bac8df234ae717d296f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 93675, "scanner": "osv-scanner", "fingerprint": "6d05c42dab288f1a6c216d173976bb6e3cf8a71a728257b76dbd1ce749dbe2ab", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 93673, "scanner": "osv-scanner", "fingerprint": 
"a4d6a1e93148d53df04eb8cb213466093f9b35dc1b84002fd48bba5e9bd1b0c1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 93669, "scanner": "osv-scanner", "fingerprint": "4cd63ad2879a87c6691c389f59a796354259828fe915c663291a98b8043152d1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v3rj-xjv7-4jmq", "level": "warning", "message": {"text": "smol-toml: GHSA-v3rj-xjv7-4jmq"}, "properties": {"repobilityId": 93668, "scanner": "osv-scanner", "fingerprint": "98f0e3c30de1c766e161222a196e7e5ff00a2e01b45b1d1d598bc6c0d84f64d5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "smol-toml", "rule_id": "GHSA-v3rj-xjv7-4jmq", "scanner": "osv-scanner", "correlation_key": "vuln|smol-toml|GHSA-V3RJ-XJV7-4JMQ|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", 
"message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 93667, "scanner": "osv-scanner", "fingerprint": "b770cc9bed1cc9676e6e5bb5efa94e8dc7a0c2b9ae532bc335f2a97fb881cbb0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 93665, "scanner": "osv-scanner", "fingerprint": "98dca8f191e5307d47759e34aad31a85b14c825679cfb5df89859cf3a3d3da06", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 93664, "scanner": "osv-scanner", "fingerprint": "1321ce3e1a7db07767eec483b2288d1417b9a55887607bca05032d7c033f8bb9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": 
"vuln|brace-expansion|CVE-2026-45149|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 93663, "scanner": "osv-scanner", "fingerprint": "4e5862d3d335a0a33a3f2e7c108f4a932a655e9a934a84a492113d66e7661f0e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 93656, "scanner": "repobility-threat-engine", "fingerprint": "68f5f0f012e8f3a863d43ecb373bb54b3060ad5a1f30f9eacb1e0d4db631bdcf", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|188|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/src/analysis-utils.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `scan_agent` has cognitive complexity 24 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=2, for=5, if=5, nested_bonus=11, ternary=1."}, "properties": {"repobilityId": 93629, "scanner": "repobility-threat-engine", "fingerprint": "fc41456e10c21f70bab31812e73c52ce2010a5aff619112df2e83f2a9825fb22", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 24 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "scan_agent", "breakdown": {"if": 5, "for": 5, "ternary": 1, "continue": 2, "nested_bonus": 11}, "complexity": 24, "correlation_key": "fp|fc41456e10c21f70bab31812e73c52ce2010a5aff619112df2e83f2a9825fb22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/scan-hidden-unicode.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 93626, "scanner": "repobility-agent-runtime", "fingerprint": "79c71247403a105b7174e79ad24ff917b3c9a24e77aa2ab1fc0a705e01289dbc", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|79c71247403a105b7174e79ad24ff917b3c9a24e77aa2ab1fc0a705e01289dbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/test-scan-hidden-unicode.sh"}, "region": {"startLine": 54}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 93625, "scanner": "repobility-agent-runtime", "fingerprint": 
"90109d48e1b13e84036f39826c85ef0dc5125da0e7e3fbc4d6fb744ca8257e06", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|90109d48e1b13e84036f39826c85ef0dc5125da0e7e3fbc4d6fb744ca8257e06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/scan-hidden-unicode.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@opennextjs/aws` is 1 major version(s) behind (3.0.0 -> 4.0.3)"}, "properties": {"repobilityId": 93624, "scanner": "repobility-dependency-currency", "fingerprint": "c94324ba7a4424e06bf8c575c79fc49fb0c5d104b71bbdd79dfdbfbb431f7f77", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@opennextjs/aws", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.3", "correlation_key": "fp|c94324ba7a4424e06bf8c575c79fc49fb0c5d104b71bbdd79dfdbfbb431f7f77", "current_version": "3.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/issue-613-opennext-cloudflare-script/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `ionicons` is 1 major version(s) behind (7.4.0 -> 8.0.13)"}, "properties": {"repobilityId": 93621, "scanner": "repobility-dependency-currency", "fingerprint": "6961389fd8a3e3abea8232a2cac16621b9ebd163d6b1df23a89345a673d0fbbc", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ionicons", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.0.13", "correlation_key": "fp|6961389fd8a3e3abea8232a2cac16621b9ebd163d6b1df23a89345a673d0fbbc", "current_version": "7.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/issue-868-ionic-lifecycle/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@sveltejs/adapter-auto` is 4 major version(s) behind (^3.0.0 -> 7.0.1)"}, "properties": {"repobilityId": 93616, "scanner": "repobility-dependency-currency", "fingerprint": "094e04085fd429b883c0eab2e55b158928103b3f42b0dbbd6ff825a2ea5850e4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "4 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@sveltejs/adapter-auto", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.0.1", "correlation_key": "fp|094e04085fd429b883c0eab2e55b158928103b3f42b0dbbd6ff825a2ea5850e4", "current_version": "^3.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/sveltekit-alias-project/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `undici` is 8 major version(s) behind (0.0.0 -> 8.3.0)"}, "properties": {"repobilityId": 93613, "scanner": "repobility-dependency-currency", "fingerprint": "569d76a4b937cabf22ab82e798aa790db88e8b755043e68861c06376c5628137", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"gap": "8 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "undici", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.3.0", "correlation_key": "fp|569d76a4b937cabf22ab82e798aa790db88e8b755043e68861c06376c5628137", "current_version": "0.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/security-catalogue-sinks-882/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `got` is 15 major version(s) behind (0.0.0 -> 15.0.5)"}, "properties": {"repobilityId": 93612, "scanner": "repobility-dependency-currency", "fingerprint": "edbd1bd9b8abbb9a37c13454a74489d42d34a895a664bce12ea185df56218b6a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "15 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "got", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "15.0.5", "correlation_key": "fp|edbd1bd9b8abbb9a37c13454a74489d42d34a895a664bce12ea185df56218b6a", "current_version": "0.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/security-catalogue-sinks-882/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `ovsx` is 1 major version(s) behind (0.10.12 -> 1.0.0)"}, "properties": {"repobilityId": 93611, "scanner": "repobility-dependency-currency", "fingerprint": "b1ffaaf600771dae64f675085d0376e03e96479157e9d22f8be4ca687ec573b5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ovsx", "scanner": 
"repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.0.0", "correlation_key": "fp|b1ffaaf600771dae64f675085d0376e03e96479157e9d22f8be4ca687ec573b5", "current_version": "0.10.12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `vscode-languageclient` is 1 major version(s) behind (9.0.1 -> 10.0.0)"}, "properties": {"repobilityId": 93607, "scanner": "repobility-dependency-currency", "fingerprint": "6480d011fb89e562ebf60a6bd5acfebd0e706cd838c7b1ece7927e24f70b8767", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "vscode-languageclient", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.0", "correlation_key": "fp|6480d011fb89e562ebf60a6bd5acfebd0e706cd838c7b1ece7927e24f70b8767", "current_version": "9.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `tinybench` is 3 major version(s) behind (3.1.1 -> 6.0.2)"}, "properties": {"repobilityId": 93606, "scanner": "repobility-dependency-currency", "fingerprint": "ebf780fef132f40261b7ef27ee0c6e1b0707bb093602d605eca5a8e3f4490e90", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tinybench", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.2", 
"correlation_key": "fp|ebf780fef132f40261b7ef27ee0c6e1b0707bb093602d605eca5a8e3f4490e90", "current_version": "3.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 93684, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 93683, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 93682, 
"scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 93681, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 93670, "scanner": "osv-scanner", "fingerprint": "449fb8c39315127f783b4a23d5d09f7c70ab23216104e14597224c8b31487ddf", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 93640, "scanner": "repobility-threat-engine", "fingerprint": "14cd5f22248941e3c3fd7a775b1587bbc056b2fba257411e2d61c98b87093564", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'expected ' + newVersion + ' but got'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|14cd5f22248941e3c3fd7a775b1587bbc056b2fba257411e2d61c98b87093564"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/sync-npm-versions.sh"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 93639, "scanner": "repobility-threat-engine", "fingerprint": "00eebfa993a65bfdcbe0dad2622123d1c3b99bd2ec2d41b2cf24db4ed25f0f41", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'::warning::Binary verification skipped because ' + SKIP_ENV + ' is set. Only use this when delibera", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00eebfa993a65bfdcbe0dad2622123d1c3b99bd2ec2d41b2cf24db4ed25f0f41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "action/scripts/install.sh"}, "region": {"startLine": 131}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, else=1, for=1, if=4, nested_bonus=2."}, "properties": {"repobilityId": 93628, "scanner": "repobility-threat-engine", "fingerprint": "22692e5c12cacc6bdb2075469528a34f9fe31dc8984999b8dcbf5d5d51e71f2b", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 4, "for": 1, "else": 1, "continue": 1, "nested_bonus": 2}, "complexity": 9, "correlation_key": "fp|22692e5c12cacc6bdb2075469528a34f9fe31dc8984999b8dcbf5d5d51e71f2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_telemetry_doc_sync.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@ionic/angular-toolkit` is minor version(s) behind (12.1.1 -> 12.3.0)"}, "properties": {"repobilityId": 93622, "scanner": "repobility-dependency-currency", "fingerprint": "0483ede615fe273bed3ddee8577dcb781fb79587201b4d34a0841ea459382710", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@ionic/angular-toolkit", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.3.0", "correlation_key": "fp|0483ede615fe273bed3ddee8577dcb781fb79587201b4d34a0841ea459382710", "current_version": "12.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/issue-868-ionic-lifecycle/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `nuxt` is minor version(s) behind (^4.0.0 -> 4.4.7)"}, "properties": {"repobilityId": 93619, "scanner": 
"repobility-dependency-currency", "fingerprint": "256fd3b751be49e2929fa0beb23ca397f0bbea7002b24e0fe32ad5b56fa2b748", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "nuxt", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.4.7", "correlation_key": "fp|256fd3b751be49e2929fa0beb23ca397f0bbea7002b24e0fe32ad5b56fa2b748", "current_version": "^4.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/nuxt-pinia-store-auto-imports-disabled/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tsx` is minor version(s) behind (^4.19.0 -> 4.22.4)"}, "properties": {"repobilityId": 93618, "scanner": "repobility-dependency-currency", "fingerprint": "c120604d9c26367f0a3d6da56065a6350d13a53f1c98a71c698ea810c46e64ff", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.22.4", "correlation_key": "fp|c120604d9c26367f0a3d6da56065a6350d13a53f1c98a71c698ea810c46e64ff", "current_version": "^4.19.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/issue-621-playwright-webserver-command/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `srvx` is minor version(s) behind (^0.1.0 -> 0.11.16)"}, "properties": {"repobilityId": 93617, "scanner": "repobility-dependency-currency", "fingerprint": 
"206f190e2989a3532f50c6af62f06add58b2a5ca87eed5720bdc6a7ade3a2a45", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "srvx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.11.16", "correlation_key": "fp|206f190e2989a3532f50c6af62f06add58b2a5ca87eed5720bdc6a7ade3a2a45", "current_version": "^0.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/issue-621-playwright-webserver-command/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `nuxt` is minor version(s) behind (4.0.0 -> 4.4.7)"}, "properties": {"repobilityId": 93615, "scanner": "repobility-dependency-currency", "fingerprint": "2ba448fa102a92e42669d8adebc71ea2c71d8ae8cbc4a500ee8d236e3b4a1543", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "nuxt", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.4.7", "correlation_key": "fp|2ba448fa102a92e42669d8adebc71ea2c71d8ae8cbc4a500ee8d236e3b4a1543", "current_version": "4.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/nuxt-default-scan/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `shadcn` is minor version(s) behind (4.6.0 -> 4.10.0)"}, "properties": {"repobilityId": 93614, "scanner": "repobility-dependency-currency", "fingerprint": "1f342cfc0f4f6c1aec90fd3582e4e72b47185f9e0060adcf4d52abccbd543510", "category": "dependency", "severity": "low", "confidence": 
0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "shadcn", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.10.0", "correlation_key": "fp|1f342cfc0f4f6c1aec90fd3582e4e72b47185f9e0060adcf4d52abccbd543510", "current_version": "4.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/css-package-subpath-import/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/vscode` is minor version(s) behind (1.96.0 -> 1.120.0)"}, "properties": {"repobilityId": 93609, "scanner": "repobility-dependency-currency", "fingerprint": "19df8ee0c7ae9c2ca07d96891b20b1671592e33f35377a173894f68aabffb3c3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/vscode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.120.0", "correlation_key": "fp|19df8ee0c7ae9c2ca07d96891b20b1671592e33f35377a173894f68aabffb3c3", "current_version": "1.96.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `vscode-languageserver-protocol` is minor version(s) behind (3.17.5 -> 3.18.0)"}, "properties": {"repobilityId": 93608, "scanner": "repobility-dependency-currency", "fingerprint": "7631fec96e682699450d95ca19aea668006dceb7fd8e71b02fab8eb5a4c273c0", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor 
version(s) behind", "signal": "currency", "cwe_ids": [], "package": "vscode-languageserver-protocol", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.18.0", "correlation_key": "fp|7631fec96e682699450d95ca19aea668006dceb7fd8e71b02fab8eb5a4c273c0", "current_version": "3.17.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `jscpd` is minor version(s) behind (4.0.8 -> 4.2.4)"}, "properties": {"repobilityId": 93605, "scanner": "repobility-dependency-currency", "fingerprint": "0f986ed212f1cbe3e18bbbe8fcc7aaaf31a6bcaa674176042a0afee6fedc5fc3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jscpd", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.2.4", "correlation_key": "fp|0f986ed212f1cbe3e18bbbe8fcc7aaaf31a6bcaa674176042a0afee6fedc5fc3", "current_version": "4.0.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `dpdm` is minor version(s) behind (4.0.1 -> 4.2.0)"}, "properties": {"repobilityId": 93604, "scanner": "repobility-dependency-currency", "fingerprint": "1ed205b1e640979f53e165ac16cb297ed636b22f8429d6e84e749fb6adccb038", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dpdm", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": 
["javascript"], "latest_version": "4.2.0", "correlation_key": "fp|1ed205b1e640979f53e165ac16cb297ed636b22f8429d6e84e749fb6adccb038", "current_version": "4.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `oxlint` is minor version(s) behind (1.67.0 -> 1.68.0)"}, "properties": {"repobilityId": 93603, "scanner": "repobility-dependency-currency", "fingerprint": "20e521e0adfa90a812137645c85f0a7a77bf70f09b4ccca96cd377c69014137e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "oxlint", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.68.0", "correlation_key": "fp|20e521e0adfa90a812137645c85f0a7a77bf70f09b4ccca96cd377c69014137e", "current_version": "1.67.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `oxfmt` is minor version(s) behind (0.52.0 -> 0.53.0)"}, "properties": {"repobilityId": 93602, "scanner": "repobility-dependency-currency", "fingerprint": "ea6d2bb6fdf0e711689447d739f3d6d4b2ee8e3bb8df4b7d2d3c7f3f057538e3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "oxfmt", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.53.0", "correlation_key": "fp|ea6d2bb6fdf0e711689447d739f3d6d4b2ee8e3bb8df4b7d2d3c7f3f057538e3", "current_version": "0.52.0"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 93661, "scanner": "repobility-threat-engine", "fingerprint": "4ea54633a742229c99b5d82fa652bc971987691437e0a463bdfe897b348e8a3e", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ea54633a742229c99b5d82fa652bc971987691437e0a463bdfe897b348e8a3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/test-scan-hidden-unicode.sh"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED012", "level": "none", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 93660, "scanner": "repobility-threat-engine", "fingerprint": "3f3148d7d2e4a5ef23a3e8786b4369e0ef0602e1d918b8dbeb0067e92b58ab21", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f3148d7d2e4a5ef23a3e8786b4369e0ef0602e1d918b8dbeb0067e92b58ab21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/test-scan-hidden-unicode.sh"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack (or aborts the process when built with panic=abort); either way the caller cannot recover. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 93655, "scanner": "repobility-threat-engine", "fingerprint": "698556ad50c8192fdf540edbca0f1367a345e2d20f293ba8c094435c1d1cd465", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|698556ad50c8192fdf540edbca0f1367a345e2d20f293ba8c094435c1d1cd465"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/types/src/discover.rs"}, "region": {"startLine": 249}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 93654, "scanner": "repobility-threat-engine", "fingerprint": "8497c3046589a6a4f9f995a29ce29bf73ef57296d9dabaca7585aeb7596fd0ab", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8497c3046589a6a4f9f995a29ce29bf73ef57296d9dabaca7585aeb7596fd0ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/plugins/obsidian.rs"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 93653, "scanner": "repobility-threat-engine", "fingerprint": "450a1f248a24a8e996d4ec7aef87e715a0e71e65c5f2638a7463c9a95f53378d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|450a1f248a24a8e996d4ec7aef87e715a0e71e65c5f2638a7463c9a95f53378d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/core/src/plugins/lexical.rs"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 93652, "scanner": "repobility-threat-engine", "fingerprint": "335c1bbb2e953945f89fd7b811ddf73df92cb519472b1124d7810e8ee4f4de48", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|335c1bbb2e953945f89fd7b811ddf73df92cb519472b1124d7810e8ee4f4de48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/cli/src/signal/windows.rs"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 93651, "scanner": "repobility-threat-engine", "fingerprint": "2e850651030aff073bad0b074c38184797b0981c3ffeef84e5b6d754967b29ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2e850651030aff073bad0b074c38184797b0981c3ffeef84e5b6d754967b29ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/cli/src/signal/registry.rs"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 93650, "scanner": "repobility-threat-engine", "fingerprint": "ea781359b4905b27c20d54722d4f1e40ed92b94465ffaa0a37f4ed17be85ad95", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ea781359b4905b27c20d54722d4f1e40ed92b94465ffaa0a37f4ed17be85ad95", "aggregated_count": 13}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 93646, "scanner": "repobility-threat-engine", "fingerprint": "b7fc581a145a09e3bc76dd8590fb91ae56e17dc53c7cde741116b1f512a69e18", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b7fc581a145a09e3bc76dd8590fb91ae56e17dc53c7cde741116b1f512a69e18", "aggregated_count": 24}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 93645, "scanner": "repobility-threat-engine", "fingerprint": "2ed881b5d1506bf6bf22e360ca4ec4f3eb28a8dfbdded3701a9959c704458509", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ed881b5d1506bf6bf22e360ca4ec4f3eb28a8dfbdded3701a9959c704458509"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/cli/src/migrate/jsonc.rs"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 93644, "scanner": "repobility-threat-engine", "fingerprint": "cefccc4edd4a8948bb183b4ad1e7f88edd4b6c16ac6b0bd100f0b8fb29003488", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cefccc4edd4a8948bb183b4ad1e7f88edd4b6c16ac6b0bd100f0b8fb29003488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/cli/src/ci_template.rs"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 93643, "scanner": "repobility-threat-engine", "fingerprint": "e7ab1797634915b1fc4a162e0871060078d3a438835142c8556d44bb8a118ccb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7ab1797634915b1fc4a162e0871060078d3a438835142c8556d44bb8a118ccb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/cli/src/check/output.rs"}, "region": {"startLine": 230}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 93641, "scanner": "repobility-threat-engine", "fingerprint": "69c7e65215d9db68f423db7c7bfc12b8c2600e36fd3d33ff7f51cf36f9072f33", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|69c7e65215d9db68f423db7c7bfc12b8c2600e36fd3d33ff7f51cf36f9072f33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "action/scripts/install.sh"}, "region": 
{"startLine": 100}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 93634, "scanner": "repobility-threat-engine", "fingerprint": "c17c3c334a0c891d86f3db6af749774e09bf68bbf397b5eac82d842bd1fc7f0c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c17c3c334a0c891d86f3db6af749774e09bf68bbf397b5eac82d842bd1fc7f0c", "aggregated_count": 9}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 93633, "scanner": "repobility-threat-engine", "fingerprint": "6990905f85b03becd8cfc0c646359a0d38528b5e79b822aacb6163f60b18d082", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6990905f85b03becd8cfc0c646359a0d38528b5e79b822aacb6163f60b18d082"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/verify-pack-contents.mjs"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 93632, "scanner": "repobility-threat-engine", "fingerprint": "924107cda6495287c294eb02604e0e7cdeba1463d58e9a5ea56a13246b1a0338", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|924107cda6495287c294eb02604e0e7cdeba1463d58e9a5ea56a13246b1a0338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/verify-binary.mjs"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 93631, "scanner": "repobility-threat-engine", "fingerprint": "a4c1b71457a29236d863973ecbb9bf84be386df4753262637e20792b5775ec01", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a4c1b71457a29236d863973ecbb9bf84be386df4753262637e20792b5775ec01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/sign-binary.mjs"}, "region": {"startLine": 15}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 93630, "scanner": "repobility-threat-engine", "fingerprint": "1546edbd1ec206d3e853833bc9ae84deffffaaaf9c166b9e72e02b6701c5c4de", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 5, "and": 5, "for": 5, "ternary": 10, "nested_bonus": 8}, "aggregated": true, "complexity": 33, "correlation_key": "fp|1546edbd1ec206d3e853833bc9ae84deffffaaaf9c166b9e72e02b6701c5c4de", "aggregated_count": 4}}}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@ionic/cli` is patch version(s) behind (7.2.0 -> 7.2.1)"}, "properties": {"repobilityId": 93623, "scanner": "repobility-dependency-currency", "fingerprint": "5d7a9636bee2ab7d587252823c1a79dceb9ff31a7d3d65aadfee0be2d7a248a5", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@ionic/cli", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.2.1", "correlation_key": "fp|5d7a9636bee2ab7d587252823c1a79dceb9ff31a7d3d65aadfee0be2d7a248a5", "current_version": "7.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/issue-868-ionic-lifecycle/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `pinia` is patch version(s) behind (^3.0.0 -> 3.0.4)"}, "properties": {"repobilityId": 93620, "scanner": "repobility-dependency-currency", "fingerprint": "c2f7587c72abbe322816101ed02ccb7f09568db94c1559ee82d637b817051b86", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pinia", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.4", "correlation_key": 
"fp|c2f7587c72abbe322816101ed02ccb7f09568db94c1559ee82d637b817051b86", "current_version": "^3.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/nuxt-pinia-store-auto-imports-disabled/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vscode/vsce` is patch version(s) behind (3.9.1 -> 3.9.2)"}, "properties": {"repobilityId": 93610, "scanner": "repobility-dependency-currency", "fingerprint": "c2e1faaea666e0b5ad0e81ba0460e254f3618c706d637c1739540421430ae8fd", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vscode/vsce", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.9.2", "correlation_key": "fp|c2e1faaea666e0b5ad0e81ba0460e254f3618c706d637c1739540421430ae8fd", "current_version": "3.9.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@commitlint/config-conventional` is patch version(s) behind (21.0.1 -> 21.0.2)"}, "properties": {"repobilityId": 93601, "scanner": "repobility-dependency-currency", "fingerprint": "f7c6d7424816b44e62d70940846ec590e81459a8316386309a6b81b8e0dc2d03", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@commitlint/config-conventional", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "21.0.2", "correlation_key": "fp|f7c6d7424816b44e62d70940846ec590e81459a8316386309a6b81b8e0dc2d03", 
"current_version": "21.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@commitlint/cli` is patch version(s) behind (21.0.1 -> 21.0.2)"}, "properties": {"repobilityId": 93600, "scanner": "repobility-dependency-currency", "fingerprint": "a0f255cc8317aae51b2a64f0dfa3c9245057c0b71009da13180b38dc1b08d5df", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@commitlint/cli", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "21.0.2", "correlation_key": "fp|a0f255cc8317aae51b2a64f0dfa3c9245057c0b71009da13180b38dc1b08d5df", "current_version": "21.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0104", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0104"}, "properties": {"repobilityId": 93680, "scanner": "osv-scanner", "fingerprint": "40dd4cf0b993f5dca2f8fea5778f6ac0775e7862b74836c19b003f1fe7261434", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-82j2-j2ch-gfr8"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0104", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-82J2-J2CH-GFR8|fuzz/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-82j2-j2ch-gfr8", "RUSTSEC-2026-0104"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["40dd4cf0b993f5dca2f8fea5778f6ac0775e7862b74836c19b003f1fe7261434", 
"c4c61cb795bee83050bd40cda215879b9571e46341d9435982ae485b09d18f60"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fuzz/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0099", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0099"}, "properties": {"repobilityId": 93679, "scanner": "osv-scanner", "fingerprint": "092b16b4583824a5e1cd22d9dd46adc97472b7e679f4c22f797382af3059572d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-xgp8-3hg3-c2mh"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0099", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-XGP8-3HG3-C2MH|fuzz/cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xgp8-3hg3-c2mh", "RUSTSEC-2026-0099"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["092b16b4583824a5e1cd22d9dd46adc97472b7e679f4c22f797382af3059572d", "c59ad9c0d37d6f3fd31b8e091a95662253518dbfb3dbe84eaca83361cf096ce0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fuzz/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0098", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0098"}, "properties": {"repobilityId": 93678, "scanner": "osv-scanner", "fingerprint": "78dae44e4c6fa8ebb7d83d367d3eb7ee0a301c94eb8b8b19eaff6d75256f139b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-965h-392x-2mh5"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0098", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-965H-392X-2MH5|fuzz/cargo.lock", "duplicate_count": 1, 
"duplicate_rule_ids": ["GHSA-965h-392x-2mh5", "RUSTSEC-2026-0098"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["58c23b6f2dffe691dcba79fc4aede8dba023152bb4dbcc15805b1eb4a22bde2b", "78dae44e4c6fa8ebb7d83d367d3eb7ee0a301c94eb8b8b19eaff6d75256f139b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fuzz/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 93676, "scanner": "osv-scanner", "fingerprint": "5630d8f70cd7ac2303ab16b4463de6a4273da0cd3a7385637d07c5f5337f672d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 93674, "scanner": "osv-scanner", "fingerprint": "483e6656fc1868ca3a670386fab8436b9020ecc2110444126cc70411b4e3cb81", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 93672, "scanner": "osv-scanner", 
"fingerprint": "dce2e6ad6435a5432f64e541e63bc8d8cacf517bf0df4ea44d96250d99963cee", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 93671, "scanner": "osv-scanner", "fingerprint": "893a3cda183dce1050d97bd8e77ddd6af8abdfb945d2db6cfc72cd77e1ae53f0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 93666, "scanner": "osv-scanner", "fingerprint": "3ce2ddd866cfab0c50582e4640f7dba38975ef2bca5b9d44d252e2c47447adc2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/package-lock.json"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "RUSTSEC-2026-0097", "level": "error", "message": {"text": "rand: RUSTSEC-2026-0097"}, "properties": {"repobilityId": 93662, "scanner": "osv-scanner", "fingerprint": "a22e3aa5f0c463335f53b031b0648b51d94f3563915cac37a8666a217ed7a5dc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-cq8v-f236-94qc"], "package": "rand", "rule_id": "RUSTSEC-2026-0097", "scanner": "osv-scanner", "correlation_key": "vuln|rand|GHSA-CQ8V-F236-94QC|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-cq8v-f236-94qc", "RUSTSEC-2026-0097"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["a22e3aa5f0c463335f53b031b0648b51d94f3563915cac37a8666a217ed7a5dc", "ee2ad9157999fcb0c8f925391a5e09946511288ceed3e6c5f5b05828611b879f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 93659, "scanner": "repobility-threat-engine", "fingerprint": "1fda57749609c525335699c66b61ce9ad2e57006b79346dd3791643ba368bd4c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "workspacesCache.delete(binaryPath);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1fda57749609c525335699c66b61ce9ad2e57006b79346dd3791643ba368bd4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/src/workspacePicker.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 93658, "scanner": "repobility-threat-engine", "fingerprint": "8a12c1bcf26cc95ac1c92284b829bafdb00650cf343f378a7617bd030a3ca69e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.persist();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8a12c1bcf26cc95ac1c92284b829bafdb00650cf343f378a7617bd030a3ca69e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/src/diagnosticFilter.ts"}, "region": {"startLine": 204}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 93657, "scanner": "repobility-threat-engine", "fingerprint": "da769e7699a638dd2be3966c9dd46bfbdd418ff74cfe34d85b214623ea566613", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(message", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da769e7699a638dd2be3966c9dd46bfbdd418ff74cfe34d85b214623ea566613"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/src/analysis-utils.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 93649, "scanner": "repobility-threat-engine", "fingerprint": "1ddb0e31adaeab1cc42f67f5f5add496589415c032ca6d86535ea16f8da4575a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1ddb0e31adaeab1cc42f67f5f5add496589415c032ca6d86535ea16f8da4575a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/cli/src/health_types/mod.rs"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 93648, "scanner": "repobility-threat-engine", "fingerprint": "e0dbc26c166027bcc7e13752510f6b25d59f593ca7f75a3d4e8554045b78a5eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0dbc26c166027bcc7e13752510f6b25d59f593ca7f75a3d4e8554045b78a5eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/cli/src/fix/io.rs"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 93647, "scanner": "repobility-threat-engine", "fingerprint": "a3610e70a9a3a2777581d31e499b43b3dfe13c66d6d5dc166071e30757a0b986", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a3610e70a9a3a2777581d31e499b43b3dfe13c66d6d5dc166071e30757a0b986"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/cli/src/config.rs"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from any user-input pipeline (form or profile fields, uploaded or parsed documents). Confirm the sink before triage: a template literal that is never assigned to innerHTML (for example one that only builds file names in a fixture generator) matches the text pattern but is not an XSS sink.
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 93637, "scanner": "repobility-threat-engine", "fingerprint": "e5d71ecfa42124106b9043c3ab6fff02fdd08e631b053323faee62051412dd66", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url (A", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e5d71ecfa42124106b9043c3ab6fff02fdd08e631b053323faee62051412dd66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editors/vscode/src/license-utils.ts"}, "region": {"startLine": 225}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 93636, "scanner": "repobility-threat-engine", "fingerprint": "94f5ff70b64ee062085a24007e73695610aae380a1dfe1ae1a482afec3a021fd", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|94f5ff70b64ee062085a24007e73695610aae380a1dfe1ae1a482afec3a021fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/extract/src/asset_url.rs"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 93635, "scanner": "repobility-threat-engine", "fingerprint": "36f8516a4a37af22cac66e2fc1175b1674deedd9d93df5a00e6b4e25a29dcd6b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|36f8516a4a37af22cac66e2fc1175b1674deedd9d93df5a00e6b4e25a29dcd6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/verify-pack-contents.mjs"}, "region": {"startLine": 202}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 33 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: and=5, for=5, if=5, nested_bonus=8, ternary=10."}, "properties": {"repobilityId": 93627, "scanner": "repobility-threat-engine", "fingerprint": "a9124e4d0a238074429646a4039016640d06edb741bf6171dc113063d7786248", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 33 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 5, "and": 5, "for": 5, "ternary": 10, "nested_bonus": 8}, "complexity": 33, "correlation_key": "fp|a9124e4d0a238074429646a4039016640d06edb741bf6171dc113063d7786248"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/coupling-check.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `rust:1.95-bullseye` unpinned"}, "properties": {"repobilityId": 93599, "scanner": "repobility-supply-chain", "fingerprint": "5f55828dec6f9d3d304ff7d6210a77f975bf05d5826c6e84991abf23e512bebb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f55828dec6f9d3d304ff7d6210a77f975bf05d5826c6e84991abf23e512bebb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `rust:1.95-bullseye` unpinned"}, "properties": {"repobilityId": 93598, "scanner": "repobility-supply-chain", "fingerprint": "d154da10bda0081f4f2273cb1e7db85937b10707bb78e36fa8d30b77965da7d9", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d154da10bda0081f4f2273cb1e7db85937b10707bb78e36fa8d30b77965da7d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 93597, "scanner": "repobility-supply-chain", "fingerprint": "b0f06f4c8da9c127987e59bd67f59eee21a621f19f97747a48eea2972d24da79", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0f06f4c8da9c127987e59bd67f59eee21a621f19f97747a48eea2972d24da79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/issue-195-ci-file-args/.github/workflows/deploy.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.recall` used but never assigned in __init__"}, "properties": {"repobilityId": 93596, "scanner": "repobility-ast-engine", "fingerprint": "1d0eb476b35c2b8e42ace1406d67466da1544785313b25d9943186e5734b87d1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, 
"scanner": "repobility-ast-engine", "correlation_key": "fp|1d0eb476b35c2b8e42ace1406d67466da1544785313b25d9943186e5734b87d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/benchmark-corpus/evaluate-results.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.precision` used but never assigned in __init__"}, "properties": {"repobilityId": 93595, "scanner": "repobility-ast-engine", "fingerprint": "76944165c7b3d1d7d17174635740e3d24c5558b4047c971886fe441ed796c62c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|76944165c7b3d1d7d17174635740e3d24c5558b4047c971886fe441ed796c62c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/benchmark-corpus/evaluate-results.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 93638, "scanner": "repobility-threat-engine", "fingerprint": "9f95a91b743274c1b348b1d5582ceddb45256e38886029f915e8f00512f232c0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(process", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f95a91b743274c1b348b1d5582ceddb45256e38886029f915e8f00512f232c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "action/scripts/install.sh"}, "region": {"startLine": 128}}}]}]}]}