{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-79cf-xcqc-c78w", "name": "webpack-dev-server: GHSA-79cf-xcqc-c78w", "shortDescription": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "fullDescription": {"text": "webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-8fgc-7cc6-rx7x", "name": "webpack: GHSA-8fgc-7cc6-rx7x", "shortDescription": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "fullDescription": {"text": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38r7-794h-5758", "name": "webpack: GHSA-38r7-794h-5758", "shortDescription": {"text": "webpack: GHSA-38r7-794h-5758"}, "fullDescription": {"text": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects \u2192 SSRF + cache persistence"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-73rr-hh4g-fpgx", "name": "diff: GHSA-73rr-hh4g-fpgx", "shortDescription": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "fullDescription": {"text": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED086", "name": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info.", "shortDescription": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED021", "name": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape.", "shortDescription": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `samples/gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `samples/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`samples/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 1343 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. For a Gradle wrapper JAR, verify the file against the checksums Gradle publishes for its wrapper releases before trusting it."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `mikepenz/action-junit-report` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `mikepenz/action-junit-report` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: mikepenz/action-junit-report@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a full 40-character commit SHA and keep the pin updated with Dependabot or Renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.GRADLE_ENCRYPTION_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.) whenever the secret is actually passed to that run; GitHub withholds repository secrets from fork-triggered `pull_request` runs by default, so confirm which runs receive it. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1135"}, "properties": {"repository": "ZacSweers/metro", "repoUrl": "https://github.com/ZacSweers/metro", "branch": "main"}, "results": [{"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 112972, "scanner": "osv-scanner", "fingerprint": "1e269f0078a5e3cc1c509dee74263ab34aa75868fa4a3aa31101875e9eb8615b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-58qx-3vcg-4xpx"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1e269f0078a5e3cc1c509dee74263ab34aa75868fa4a3aa31101875e9eb8615b", "73280fbfb3128fef0e740b68145dcbf82372713a4c2e3c6485753956e15e3d3b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-79cf-xcqc-c78w", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "properties": {"repobilityId": 112971, "scanner": "osv-scanner", "fingerprint": "32d315e502018fd58470c7040ad332ff6dc1d8fc52ab77ddfc333cffdfb48d3b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6402"], "package": "webpack-dev-server", "rule_id": 
"GHSA-79cf-xcqc-c78w", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2026-6402|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 112968, "scanner": "osv-scanner", "fingerprint": "752e17eede96341276e02eac354e5fa2a81ca7d73f60b469a2077ef8e549af45", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 112966, "scanner": "osv-scanner", "fingerprint": "49325c92b45b499db08f2dffb8a54c9bd111cfe60071a7933b9802f966956e40", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qj8w-gfj5-8c6v"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["49325c92b45b499db08f2dffb8a54c9bd111cfe60071a7933b9802f966956e40", "a239afd79a4b40f8763cd16ea117d9fc4eb9faa8b5dd7a0274398c431c266119"]}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "kotlin-js-store/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 112964, "scanner": "osv-scanner", "fingerprint": "f013c1112638ae4a48e16b5078e53b7f0cb897ea1c1d41ace89aa997e812e759", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-q8mj-m7cp-5q26"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["6a5d93273ff068f0cb21a339724986c2aa018eae910c0d0155586babbd55a365", "f013c1112638ae4a48e16b5078e53b7f0cb897ea1c1d41ace89aa997e812e759"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 112958, "scanner": "repobility-threat-engine", "fingerprint": "eac9cb8de997142adda595c81dcb29ef9b1c277bb618dcc4339163317a3b3cad", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug=true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": 
"fp|eac9cb8de997142adda595c81dcb29ef9b1c277bb618dcc4339163317a3b3cad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle-plugin/src/functionalTest/kotlin/dev/zacsweers/metro/gradle/incremental/BaseIncrementalCompilationTest.kt"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 112899, "scanner": "repobility-ast-engine", "fingerprint": "bdef32716af9dbeb27e38169c139eb9c1e71dcd91d3c126291f8e376e735a7d3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bdef32716af9dbeb27e38169c139eb9c1e71dcd91d3c126291f8e376e735a7d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-compat/fetch-all-ide-kotlin-versions.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 112898, "scanner": "repobility-ast-engine", "fingerprint": "2bd753ed3b69b16519246ba6b862283a8b2d21858f9f8829d66dd02a1c7297bc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2bd753ed3b69b16519246ba6b862283a8b2d21858f9f8829d66dd02a1c7297bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-compat/fetch-all-ide-kotlin-versions.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "GHSA-8fgc-7cc6-rx7x", "level": 
"note", "message": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "properties": {"repobilityId": 112970, "scanner": "osv-scanner", "fingerprint": "e5f6494bfaf2731408eaaba06438213eaca3e53a536da05482d47025d595a410", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-68458"], "package": "webpack", "rule_id": "GHSA-8fgc-7cc6-rx7x", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68458|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-8fgc-7cc6-rx7x"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["d4b2e8eab0633132cc9b8637e57a38a6fe122325499b347dd4cb3686a4707d1b", "e5f6494bfaf2731408eaaba06438213eaca3e53a536da05482d47025d595a410"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38r7-794h-5758", "level": "note", "message": {"text": "webpack: GHSA-38r7-794h-5758"}, "properties": {"repobilityId": 112969, "scanner": "osv-scanner", "fingerprint": "fdd548ee4637d17b2ba4d71e3c6af0eea1f7d1a9a81c0b44c8ea13bc7c805627", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-68157"], "package": "webpack", "rule_id": "GHSA-38r7-794h-5758", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68157|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-38r7-794h-5758"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["83a3c420dc7d63ef7cc11af7063fb13cc58ea03c923bcc3218031e359762d5c5", "fdd548ee4637d17b2ba4d71e3c6af0eea1f7d1a9a81c0b44c8ea13bc7c805627"]}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "kotlin-js-store/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 112963, "scanner": "osv-scanner", "fingerprint": "1ea3dad2f35f7516c4c56aea0f75f2cf0e5ae359e7c887956a1897342be36098", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-73rr-hh4g-fpgx"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1ea3dad2f35f7516c4c56aea0f75f2cf0e5ae359e7c887956a1897342be36098", "9ffd32c880b5c0f7f79486e276d76c14af0a5c688ccadee931ce0b1073fce5aa"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112897, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e105afecd8824a89d8a9f74a0e8b4eba8505e8e6b603a939930180983ce278c4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-compat/src/main/kotlin/dev/zacsweers/metro/compiler/compat/KotlinToolingVersion.kt", "duplicate_line": 5, "correlation_key": "fp|e105afecd8824a89d8a9f74a0e8b4eba8505e8e6b603a939930180983ce278c4"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle-plugin/src/functionalTest/kotlin/dev/zacsweers/metro/gradle/KotlinToolingVersion.kt"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112896, "scanner": "repobility-ai-code-hygiene", "fingerprint": "706671f2a23f2bd6e9fe62af6acabfe083ed48ae90a3b04be98be098d8ba4693", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-tests/src/generator220/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt", "duplicate_line": 4, "correlation_key": "fp|706671f2a23f2bd6e9fe62af6acabfe083ed48ae90a3b04be98be098d8ba4693"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-tests/src/generator2420/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112895, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d060d9f0136ed9e3643ea346162cbd4f856331f71fdc44e14535df5fef18bc55", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-tests/src/generator230/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt", "duplicate_line": 1, "correlation_key": 
"fp|d060d9f0136ed9e3643ea346162cbd4f856331f71fdc44e14535df5fef18bc55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-tests/src/generator2420/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112894, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4841fb70da569f2a8539fb0e91035a8a0c8e49365fed620eae16637a1b1917eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-tests/src/generator220/kotlin/dev/zacsweers/metro/compiler/MetroJvmPipeline.kt", "duplicate_line": 4, "correlation_key": "fp|4841fb70da569f2a8539fb0e91035a8a0c8e49365fed620eae16637a1b1917eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-tests/src/generator240/kotlin/dev/zacsweers/metro/compiler/MetroJvmPipeline.kt"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112893, "scanner": "repobility-ai-code-hygiene", "fingerprint": "651b2e91fa3e893affff0d305b14ae1a997d6e0e1778b5bbf1be24061ebb4dca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"compiler-tests/src/generator2320/kotlin/dev/zacsweers/metro/compiler/MetroDiagnosticsCompat.kt", "duplicate_line": 13, "correlation_key": "fp|651b2e91fa3e893affff0d305b14ae1a997d6e0e1778b5bbf1be24061ebb4dca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-tests/src/generator240/kotlin/dev/zacsweers/metro/compiler/MetroDiagnosticsCompat.kt"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112892, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1e5e9dd8c3df94157d8a55a55a9eb34ebfe3e738337f03e6683e4e063b36caf8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-tests/src/generator220/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt", "duplicate_line": 4, "correlation_key": "fp|1e5e9dd8c3df94157d8a55a55a9eb34ebfe3e738337f03e6683e4e063b36caf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-tests/src/generator240/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112891, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aff1487fac4ae0247bb83b4f24b58b05dfe362b07e084abbbcc130166a5b4572", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-tests/src/generator230/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt", "duplicate_line": 1, "correlation_key": "fp|aff1487fac4ae0247bb83b4f24b58b05dfe362b07e084abbbcc130166a5b4572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-tests/src/generator240/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112890, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da817e8499beecb3c3092b8faf18ee2f01a87fb2e386aeea65fed5b09a08bce2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-tests/src/generator220/kotlin/dev/zacsweers/metro/compiler/MetroJvmPipeline.kt", "duplicate_line": 4, "correlation_key": "fp|da817e8499beecb3c3092b8faf18ee2f01a87fb2e386aeea65fed5b09a08bce2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-tests/src/generator2320/kotlin/dev/zacsweers/metro/compiler/MetroJvmPipeline.kt"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112889, "scanner": "repobility-ai-code-hygiene", "fingerprint": "faf5c22efa7643cd4b94161eb453bb96bdadac996cbc39a9273d43baac58ea01", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test 
files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-tests/src/generator220/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt", "duplicate_line": 4, "correlation_key": "fp|faf5c22efa7643cd4b94161eb453bb96bdadac996cbc39a9273d43baac58ea01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-tests/src/generator2320/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112888, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90e08575970cabb380ccc7cb25b33cf7640524515434aa512cb12121cffc7d94", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-tests/src/generator230/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt", "duplicate_line": 1, "correlation_key": "fp|90e08575970cabb380ccc7cb25b33cf7640524515434aa512cb12121cffc7d94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-tests/src/generator2320/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112887, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0fa366db824c36c22938673a26fea2c42636ff8cff0e03b7e08fad2c84cdda39", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-tests/src/generator220/kotlin/dev/zacsweers/metro/compiler/MetroJvmPipeline.kt", "duplicate_line": 4, "correlation_key": "fp|0fa366db824c36c22938673a26fea2c42636ff8cff0e03b7e08fad2c84cdda39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-tests/src/generator230/kotlin/dev/zacsweers/metro/compiler/MetroJvmPipeline.kt"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112886, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0069f4a08b5e0f4effda5e2033720f21ee52f7a828ef6f2f09a145b262bd612", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-tests/src/generator220/kotlin/dev/zacsweers/metro/compiler/MetroDiagnosticsCompat.kt", "duplicate_line": 14, "correlation_key": "fp|b0069f4a08b5e0f4effda5e2033720f21ee52f7a828ef6f2f09a145b262bd612"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-tests/src/generator230/kotlin/dev/zacsweers/metro/compiler/MetroDiagnosticsCompat.kt"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112885, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b7bbf098c4b2901ca0f25b621ab29854bd113b93d81562b172b79e9b6a734c90", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-tests/src/generator220/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt", "duplicate_line": 4, "correlation_key": "fp|b7bbf098c4b2901ca0f25b621ab29854bd113b93d81562b172b79e9b6a734c90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-tests/src/generator230/kotlin/dev/zacsweers/metro/compiler/GenerateTestsImpl.kt"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112884, "scanner": "repobility-ai-code-hygiene", "fingerprint": "719af50986e1a3fe4ac470f961de73f3449d20bbf948f3e7858850fa2d269a68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-compat/k240/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k240/CompatContextImpl.kt", "duplicate_line": 156, "correlation_key": "fp|719af50986e1a3fe4ac470f961de73f3449d20bbf948f3e7858850fa2d269a68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-compat/k240_dev_2124/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k240_dev_2124/IrConstructorCallIrGeneratedDeclarationsRegistrarCompat.kt"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112883, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "9eb6d1ae134b0bcbd9e626552f7848437e116223d94effb1c27c13da1d3b9850", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-compat/k240/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k240/IrConstructorCallIrGeneratedDeclarationsRegistrarCompat.kt", "duplicate_line": 5, "correlation_key": "fp|9eb6d1ae134b0bcbd9e626552f7848437e116223d94effb1c27c13da1d3b9850"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-compat/k240_dev_2124/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k240_dev_2124/IrConstructorCallIrGeneratedDeclarationsRegistrarCompat.kt"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112882, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e1a619d23f87b7438bbd0f3e15de07192b5ad9caab598ad1c350f0dc90d9cc5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-compat/k230/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k230/CompatContextImpl.kt", "duplicate_line": 107, "correlation_key": "fp|3e1a619d23f87b7438bbd0f3e15de07192b5ad9caab598ad1c350f0dc90d9cc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-compat/k240_dev_2124/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k240_dev_2124/CompatContextImpl.kt"}, "region": 
{"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112881, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6dd94bdbd72347bd9bbdf76106c3649011d1ef577af9bfcc094665af5849c780", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-compat/k240/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k240/CompatContextImpl.kt", "duplicate_line": 50, "correlation_key": "fp|6dd94bdbd72347bd9bbdf76106c3649011d1ef577af9bfcc094665af5849c780"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-compat/k240_dev_2124/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k240_dev_2124/CompatContextImpl.kt"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112880, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8773313507673dfd80c766af595e60458f8fd2ff82557d0aa55a961249d3d84", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-compat/k240/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k240/CompatContextImpl.kt", "duplicate_line": 156, "correlation_key": "fp|f8773313507673dfd80c766af595e60458f8fd2ff82557d0aa55a961249d3d84"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "compiler-compat/k240/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k240/IrConstructorCallIrGeneratedDeclarationsRegistrarCompat.kt"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112879, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d720f6156b11c2dcfa86bbca29c77bdbfb94b45d6a69c3b8d4d6c29b07781d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-compat/k230/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k230/CompatContextImpl.kt", "duplicate_line": 107, "correlation_key": "fp|9d720f6156b11c2dcfa86bbca29c77bdbfb94b45d6a69c3b8d4d6c29b07781d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-compat/k240/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k240/CompatContextImpl.kt"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 112878, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6676bbd6afb0ff03141dcb129102c2870f3be9c70c5e5e4c76bf5f9c613a0341", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compiler-compat/k230/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k230/CompatContextImpl.kt", 
"duplicate_line": 118, "correlation_key": "fp|6676bbd6afb0ff03141dcb129102c2870f3be9c70c5e5e4c76bf5f9c613a0341"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler-compat/k2320/src/main/kotlin/dev/zacsweers/metro/compiler/compat/k2320/CompatContextImpl.kt"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED086", "level": "none", "message": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info."}, "properties": {"repobilityId": 112960, "scanner": "repobility-threat-engine", "fingerprint": "ed7375ba154d3de15dbd1ea930751a6e757474c7e8defedc62c274cfaed289d1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-runtime-exception", "owasp": null, "cwe_ids": [], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348138+00:00", "triaged_in_corpus": 12, "observations_count": 751, "ai_coder_pattern_id": 156}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ed7375ba154d3de15dbd1ea930751a6e757474c7e8defedc62c274cfaed289d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "samples/android-app/src/main/kotlin/dev/zacsweers/metro/sample/android/MetroFragmentFactory.kt"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 112959, "scanner": "repobility-threat-engine", "fingerprint": "2352bf159d1904b7827c9056eaea4a6c0fcc5080acd1cc2a306d6da9af6dbed3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", 
"owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2352bf159d1904b7827c9056eaea4a6c0fcc5080acd1cc2a306d6da9af6dbed3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle-plugin/src/functionalTest/kotlin/dev/zacsweers/metro/gradle/incremental/BaseIncrementalCompilationTest.kt"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 112957, "scanner": "repobility-threat-engine", "fingerprint": "8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8"}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 112953, "scanner": "repobility-threat-engine", "fingerprint": "42fc4030f57c04d8ace60c0c7e321d52477b44af5460a2f3247591bde9511d4d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|42fc4030f57c04d8ace60c0c7e321d52477b44af5460a2f3247591bde9511d4d"}}}, {"ruleId": "MINED029", "level": "none", "message": {"text": "[MINED029] Kotlin Null Bang (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 112949, "scanner": "repobility-threat-engine", "fingerprint": "ad842c01ab1aaff8047a8b5ab111c8d9f3a9829618376d58c0beb1e5520ff316", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ad842c01ab1aaff8047a8b5ab111c8d9f3a9829618376d58c0beb1e5520ff316", "aggregated_count": 11}}}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 112967, "scanner": "osv-scanner", "fingerprint": "143304508a3d498935093ceca4d6880821ad913da28fe9d813a14f7848d52f06", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-ph9p-34f9-6g65"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["143304508a3d498935093ceca4d6880821ad913da28fe9d813a14f7848d52f06", "ba06f8f8d804a09e4925e64af9e403ebbb04b081e1d959e1d70a5240d36222f9"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 112965, "scanner": "osv-scanner", "fingerprint": "5ce7c9471a4c54196eb5e08305e61c4c5364695c0aee7eb6bb946f19c4dfd5a2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate 
scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-5c6j-r48x-rmvq"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["374209aad6bff5d4ee8e5ae3d497de05a6833561d73afba10d33dc993652bc6e", "5ce7c9471a4c54196eb5e08305e61c4c5364695c0aee7eb6bb946f19c4dfd5a2"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 112962, "scanner": "repobility-threat-engine", "fingerprint": "bc9ec8ddbe037242a2ab8319294df6b36b0ed02a03e1f41e4a20454f9980b447", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bc9ec8ddbe037242a2ab8319294df6b36b0ed02a03e1f41e4a20454f9980b447"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/trace-project.sh"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 112961, "scanner": "repobility-threat-engine", "fingerprint": 
"00719548e4cc00dceffa94c143bfcfc9e54f9a7636c33a598fa0e033179ef2d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|00719548e4cc00dceffa94c143bfcfc9e54f9a7636c33a598fa0e033179ef2d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/delete_old_version_docs.sh"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 112956, "scanner": "repobility-threat-engine", "fingerprint": "bd0cefd0645948b0a18f31e905e96a9b7303493754b631bae778acc5337fe42d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "factory.create(pluginContext, compatContext, options)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bd0cefd0645948b0a18f31e905e96a9b7303493754b631bae778acc5337fe42d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/src/main/kotlin/dev/zacsweers/metro/compiler/ir/IrDependencyGraph.kt"}, "region": {"startLine": 162}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 112955, "scanner": "repobility-threat-engine", "fingerprint": "7661596ddc931a19f95a3a54fe5cbe083626834a3025adf747dc555bb734a0aa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "factory.create(session, options, compatContext)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7661596ddc931a19f95a3a54fe5cbe083626834a3025adf747dc555bb734a0aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/src/main/kotlin/dev/zacsweers/metro/compiler/fir/MetroFirExtensionRegistrar.kt"}, "region": {"startLine": 265}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 112954, "scanner": "repobility-threat-engine", "fingerprint": "7ab6ccdf6ab77a36b334f2fbda4010bb22bf57d7679eef2a03abe46e34cd82e3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CompatContext.create(version)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7ab6ccdf6ab77a36b334f2fbda4010bb22bf57d7679eef2a03abe46e34cd82e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/src/main/kotlin/dev/zacsweers/metro/compiler/MetroCompilerPluginRegistrar.kt"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 112948, "scanner": "repobility-threat-engine", "fingerprint": "05348f83e2346e271c6ee954820956462b7c7cf4d5df7b817c97a5fdade7fec8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|05348f83e2346e271c6ee954820956462b7c7cf4d5df7b817c97a5fdade7fec8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/src/main/kotlin/dev/zacsweers/metro/compiler/circuit/CircuitSymbols.kt"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 112947, "scanner": "repobility-threat-engine", "fingerprint": "7328d4a261f33b8057d5a0939e0bd58440867b0649a6b4eafeb76a8cde07f943", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7328d4a261f33b8057d5a0939e0bd58440867b0649a6b4eafeb76a8cde07f943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/build.gradle.kts"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 112946, "scanner": "repobility-threat-engine", "fingerprint": "ca5ebe9421ca8e4123fd8d4539b796e1450406d332a675ff7f72b78d5fe208d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca5ebe9421ca8e4123fd8d4539b796e1450406d332a675ff7f72b78d5fe208d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build.gradle.kts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 112945, "scanner": "repobility-threat-engine", "fingerprint": "62c8863fbdff33a567e177e36392e9a4d03b51808e0f617b4eeac18ab029d9d7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url (i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|62c8863fbdff33a567e177e36392e9a4d03b51808e0f617b4eeac18ab029d9d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ide-integration-tests/download-ides.sh"}, "region": {"startLine": 234}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 112944, "scanner": "repobility-threat-engine", "fingerprint": "70547ca2e63a0a228a303a4f49f5209e5405b1dc26561c016924c479bc99c56c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(\n          p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|70547ca2e63a0a228a303a4f49f5209e5405b1dc26561c016924c479bc99c56c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-logic/src/main/kotlin/metro.base.gradle.kts"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `samples/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 112943, "scanner": "repobility-supply-chain", "fingerprint": "2f1e2b9f62ca853dc9c9a011c9c39878b7dee8ac9149b6340851b08ad58f1f54", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f1e2b9f62ca853dc9c9a011c9c39878b7dee8ac9149b6340851b08ad58f1f54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "samples/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `benchmark/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 112942, "scanner": "repobility-supply-chain", "fingerprint": 
"0321ad8721a9fec54e994c41a9155c1095d6a16c54fc327ecb525ed2dfba3211", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0321ad8721a9fec54e994c41a9155c1095d6a16c54fc327ecb525ed2dfba3211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmark/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 112941, "scanner": "repobility-supply-chain", "fingerprint": "e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `ide-integration-tests/test-project/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 112940, "scanner": "repobility-supply-chain", "fingerprint": "edb8f1043bf99dbfb18d2eaa7c8ac4fd70ceba80053eb1a14e3aa4892cf15d3a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": 
true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|edb8f1043bf99dbfb18d2eaa7c8ac4fd70ceba80053eb1a14e3aa4892cf15d3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ide-integration-tests/test-project/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `ide-integration-tests/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 112939, "scanner": "repobility-supply-chain", "fingerprint": "ca32a12090b474d8b52c764153987ebcf6580c629e42de6a108680c1f3b028c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca32a12090b474d8b52c764153987ebcf6580c629e42de6a108680c1f3b028c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ide-integration-tests/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `mikepenz/action-junit-report` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112926, "scanner": "repobility-supply-chain", "fingerprint": "ce7480dc81fc057cf66010f3ab6bd17e1c90cb7efa199c26e7e2f3d37ce3f36c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|ce7480dc81fc057cf66010f3ab6bd17e1c90cb7efa199c26e7e2f3d37ce3f36c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 112925, "scanner": "repobility-supply-chain", "fingerprint": "0e621027735a80c2f141ca550fe52e48f34336bc3d6fa6331faafe662fad7012", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e621027735a80c2f141ca550fe52e48f34336bc3d6fa6331faafe662fad7012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `mikepenz/action-junit-report` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112924, "scanner": "repobility-supply-chain", "fingerprint": "62cdf509e07d76d7026fd70b21c0d7739083413c0f945a50df0d8a8fa5956795", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62cdf509e07d76d7026fd70b21c0d7739083413c0f945a50df0d8a8fa5956795"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable 
ref `@v7`"}, "properties": {"repobilityId": 112923, "scanner": "repobility-supply-chain", "fingerprint": "781d751ff3c1d0b7f4bdd909d000e000e62bbd75060444db5a58476e73e398fc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|781d751ff3c1d0b7f4bdd909d000e000e62bbd75060444db5a58476e73e398fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `mikepenz/action-junit-report` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112922, "scanner": "repobility-supply-chain", "fingerprint": "42edf6d1cdc2acf7f087aa3b22b69bbb7a22ad0e5d33072d9c9151562cc39496", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42edf6d1cdc2acf7f087aa3b22b69bbb7a22ad0e5d33072d9c9151562cc39496"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 112921, "scanner": "repobility-supply-chain", "fingerprint": "441016ffc8b8fca6eb4b88ffac8f19c8bc34652943e1f13f0bcb7d291146caa0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|441016ffc8b8fca6eb4b88ffac8f19c8bc34652943e1f13f0bcb7d291146caa0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 112920, "scanner": "repobility-supply-chain", "fingerprint": "f87c006e519b763888647ce320db3b727b5a4f45abfd167025116a4c0f05e850", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f87c006e519b763888647ce320db3b727b5a4f45abfd167025116a4c0f05e850"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 112919, "scanner": "repobility-supply-chain", "fingerprint": "1cb275b87fd694fbb06ade92223c48cd35e00e4d283ff3be53f2e08c52ece262", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1cb275b87fd694fbb06ade92223c48cd35e00e4d283ff3be53f2e08c52ece262"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 112918, "scanner": "repobility-supply-chain", "fingerprint": "f884679faf5db51a361a3080acca7b645e28e46a96c17a73e56c6f065b446ddf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f884679faf5db51a361a3080acca7b645e28e46a96c17a73e56c6f065b446ddf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": {"startLine": 645}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112917, "scanner": "repobility-supply-chain", "fingerprint": "cdc59ec4142b31645be593ece9acb563a803a346971bea7b283c00e83444c2f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cdc59ec4142b31645be593ece9acb563a803a346971bea7b283c00e83444c2f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": {"startLine": 604}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112916, "scanner": "repobility-supply-chain", "fingerprint": 
"825223c58d200e5e31bcc2dac756195de7820b52d6af275c2a7f133b7f65cab3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|825223c58d200e5e31bcc2dac756195de7820b52d6af275c2a7f133b7f65cab3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": {"startLine": 591}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 112915, "scanner": "repobility-supply-chain", "fingerprint": "242ca1bc33a68968053a69160a873466d542a962b81f88db384f974ccbdd5b76", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|242ca1bc33a68968053a69160a873466d542a962b81f88db384f974ccbdd5b76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": {"startLine": 553}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 112914, "scanner": "repobility-supply-chain", "fingerprint": "6ce91f0eb1fc35ac22813911694f35f85f00fbaab647c7704636eade661d8f4b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ce91f0eb1fc35ac22813911694f35f85f00fbaab647c7704636eade661d8f4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": {"startLine": 508}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112913, "scanner": "repobility-supply-chain", "fingerprint": "93bbcc4fbfc37af1ea0c0c83d2524005f909fcc12883651178d88d50192e398d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93bbcc4fbfc37af1ea0c0c83d2524005f909fcc12883651178d88d50192e398d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": {"startLine": 460}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 112912, "scanner": "repobility-supply-chain", "fingerprint": "c1759a091b33ca78b2efeec739b1dd55b8b70c6c89a83e55dd05e49433ce6d9b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c1759a091b33ca78b2efeec739b1dd55b8b70c6c89a83e55dd05e49433ce6d9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": 
{"startLine": 421}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 112911, "scanner": "repobility-supply-chain", "fingerprint": "598fcfd363fe2c1c568c432990d460c183d7658d0f143df24fe6be93dc17cc2c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|598fcfd363fe2c1c568c432990d460c183d7658d0f143df24fe6be93dc17cc2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": {"startLine": 414}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112910, "scanner": "repobility-supply-chain", "fingerprint": "3e2d0e678666eea9114f01cb35b683d6036ac32b917e61e71776aeb09a49dbe5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e2d0e678666eea9114f01cb35b683d6036ac32b917e61e71776aeb09a49dbe5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": {"startLine": 330}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 112909, "scanner": "repobility-supply-chain", "fingerprint": 
"c7dab4bee953acac77e63b60f49a9c4712a0374b2295acffd87dba5ac42b9138", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c7dab4bee953acac77e63b60f49a9c4712a0374b2295acffd87dba5ac42b9138"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": {"startLine": 293}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112908, "scanner": "repobility-supply-chain", "fingerprint": "c6df2565c39fc8673b0a394e46c78712787047f516870c25f8dfe0f4a0cfdf4f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c6df2565c39fc8673b0a394e46c78712787047f516870c25f8dfe0f4a0cfdf4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112907, "scanner": "repobility-supply-chain", "fingerprint": "a2040f255a163f04306a36ac8f573ea667bf876e637d0409b3c21e678d9c46d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2040f255a163f04306a36ac8f573ea667bf876e637d0409b3c21e678d9c46d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmarks.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112904, "scanner": "repobility-supply-chain", "fingerprint": "67e7d7695aa206c3f951470d877ef9a6ea1d413c6130857bb6ce4b6030d3174e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67e7d7695aa206c3f951470d877ef9a6ea1d413c6130857bb6ce4b6030d3174e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-site.yml"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112903, "scanner": "repobility-supply-chain", "fingerprint": "e5ce13d34e8ef21bc471dc827c103d6e64280f7ef335ec29b5fd9efb05aeb2de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5ce13d34e8ef21bc471dc827c103d6e64280f7ef335ec29b5fd9efb05aeb2de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-site.yml"}, "region": 
{"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 112902, "scanner": "repobility-supply-chain", "fingerprint": "7a518934c071acc33a0b89445130b2631cf6314998a002964de56cf3acc04cb1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a518934c071acc33a0b89445130b2631cf6314998a002964de56cf3acc04cb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-ide-mappings.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112901, "scanner": "repobility-supply-chain", "fingerprint": "9a18ded0a82d6ced8f1a0a8acd5965b6be6347f7910654975341584010782c73", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a18ded0a82d6ced8f1a0a8acd5965b6be6347f7910654975341584010782c73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-ide-mappings.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 112900, "scanner": "repobility-supply-chain", "fingerprint": 
"6447654358ea165fab9bd949b2b44b1de8af4da0300029df1b4cc34a96334737", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6447654358ea165fab9bd949b2b44b1de8af4da0300029df1b4cc34a96334737"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-ide-mappings.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0). Triage note: the flagged file is Kotlin, where require(...) is the standard-library precondition check and not a module loader, so this JavaScript rule likely does not apply here; confirm against the source before treating the finding as confirmed."}, "properties": {"repobilityId": 112952, "scanner": "repobility-threat-engine", "fingerprint": "933510576ef5caba6e6a7af5a524bf363edd59ee9124d50bf99c4f6cdec0747d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(existing", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|933510576ef5caba6e6a7af5a524bf363edd59ee9124d50bf99c4f6cdec0747d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/src/main/kotlin/dev/zacsweers/metro/compiler/NameAllocator.kt"}, "region": {"startLine": 244}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0). Triage note: the flagged file is Kotlin, where require(...) is the standard-library precondition check and not a module loader, so this JavaScript rule likely does not apply here; confirm against the source before treating the finding as confirmed."}, "properties": {"repobilityId": 112951, "scanner": "repobility-threat-engine", "fingerprint": "ebd3a7a097b88443f61acb4bc5106e3b6b2a95fae5cf95bdc7ebec78f9d194a3", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(len", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ebd3a7a097b88443f61acb4bc5106e3b6b2a95fae5cf95bdc7ebec78f9d194a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/src/main/kotlin/dev/zacsweers/metro/compiler/ClassIdUtils.kt"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0). Triage note: the flagged file is Kotlin, where require(...) is the standard-library precondition check and not a module loader, so this JavaScript rule likely does not apply here; confirm against the source before treating the finding as confirmed."}, "properties": {"repobilityId": 112950, "scanner": "repobility-threat-engine", "fingerprint": "48aa8e1b64f32485329476f7f5c064df386d4b58bd5c674f5037af461f608984", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(index", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|48aa8e1b64f32485329476f7f5c064df386d4b58bd5c674f5037af461f608984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compiler/src/main/kotlin/dev/zacsweers/metro/compiler/BitField.kt"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 112938, "scanner": "repobility-supply-chain", "fingerprint": "fb2ca05e0aeacff4c30ddb523c6e151fac55fe9531b8ab9b012b52037e1e73ed", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fb2ca05e0aeacff4c30ddb523c6e151fac55fe9531b8ab9b012b52037e1e73ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-regression.yml"}, "region": {"startLine": 367}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 112937, "scanner": "repobility-supply-chain", "fingerprint": 
"f9840f7a7ed7188eda0cf3daa1b2573e5c1586285d51c0d9594ad1286e055eb7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f9840f7a7ed7188eda0cf3daa1b2573e5c1586285d51c0d9594ad1286e055eb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-regression.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 112936, "scanner": "repobility-supply-chain", "fingerprint": "957da0905ce28f6758bc5216a94398d104db41dee1ba4bb1e561916ff235b1f5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|957da0905ce28f6758bc5216a94398d104db41dee1ba4bb1e561916ff235b1f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ide-integration.yml"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 112935, "scanner": "repobility-supply-chain", "fingerprint": "9c90af3837ec4d22e5abdd3dcd33c1d6d05a1c4eacdd938bdde70d5f026dad70", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": 
true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c90af3837ec4d22e5abdd3dcd33c1d6d05a1c4eacdd938bdde70d5f026dad70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ide-integration.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.S` on a `pull_request` trigger"}, "properties": {"repobilityId": 112934, "scanner": "repobility-supply-chain", "fingerprint": "38df9848868ca98eb8cf1679db51a1f975dc8a5e6b075d9aff8dc4bd317623f1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38df9848868ca98eb8cf1679db51a1f975dc8a5e6b075d9aff8dc4bd317623f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 335}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.S` on a `pull_request` trigger"}, "properties": {"repobilityId": 112933, "scanner": "repobility-supply-chain", "fingerprint": "09c43c45aeb4d64e06523d3cf6a57c8ab62b78bf379b3c223b291c4acdfa9a2f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09c43c45aeb4d64e06523d3cf6a57c8ab62b78bf379b3c223b291c4acdfa9a2f"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 334}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 112932, "scanner": "repobility-supply-chain", "fingerprint": "eaa3d092947842b146556ce4f0cf36d702ee93e225a35ebb3890326bf28d5b6e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eaa3d092947842b146556ce4f0cf36d702ee93e225a35ebb3890326bf28d5b6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 112931, "scanner": "repobility-supply-chain", "fingerprint": "604e616a2bdac3d78d044ae3c28317b3bcafa80a0cb79dc9d830fac04ae292ba", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|604e616a2bdac3d78d044ae3c28317b3bcafa80a0cb79dc9d830fac04ae292ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 276}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, 
"properties": {"repobilityId": 112930, "scanner": "repobility-supply-chain", "fingerprint": "9fd1713227338aced50b49f39b90420b7348a8707a8df994ebaa0ee3d8d4d875", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fd1713227338aced50b49f39b90420b7348a8707a8df994ebaa0ee3d8d4d875"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 235}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 112929, "scanner": "repobility-supply-chain", "fingerprint": "15c70b69bca1f8faed5928800d70ccfd1382aaf062280d0083ff079f1063e8a3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15c70b69bca1f8faed5928800d70ccfd1382aaf062280d0083ff079f1063e8a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 112928, "scanner": "repobility-supply-chain", "fingerprint": "d7fcb76f7e5b1d61565bb76346182664c352972a756f09917813bb65c1478871", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d7fcb76f7e5b1d61565bb76346182664c352972a756f09917813bb65c1478871"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 112927, "scanner": "repobility-supply-chain", "fingerprint": "f69050f86d7b7d98bff9f4beed263441ae9bd85a236b3d59df554fad2a2c1518", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f69050f86d7b7d98bff9f4beed263441ae9bd85a236b3d59df554fad2a2c1518"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 112906, "scanner": "repobility-supply-chain", "fingerprint": "e26d89558f3fd347e1fac000a546b9dd79ba16e7d75086b457e21b00b86b9c18", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|e26d89558f3fd347e1fac000a546b9dd79ba16e7d75086b457e21b00b86b9c18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-site.yml"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.GRADLE_ENCRYPTION_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 112905, "scanner": "repobility-supply-chain", "fingerprint": "9feb89c22585605ca21b07a69e60322d75b4eaa154b9c1769ca9916c93ed2bdd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9feb89c22585605ca21b07a69e60322d75b4eaa154b9c1769ca9916c93ed2bdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs-site.yml"}, "region": {"startLine": 45}}}]}]}]}