{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `deepdiff` has no version pin: Unpinned pip requirement means every fresh install may resol", "shortDescription": {"text": "[MINED124] requirements.txt: `deepdiff` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible inst"}, "fullDescription": {"text": "Replace `deepdiff` with `deepdiff==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 15 (SonarSource scale). Cognitive complexi", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weig"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 15."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC119", "name": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbo", "shortDescription": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets."}, "fullDescription": {"text": "Use 0600 (owner rw only) for secrets, 0644 for general files, 0700 for directories with secrets. Java: `setReadable(true, true)` (owner-only)."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `lang/java/ipc/abcoder-java-analyzer-1.0-SNAPSHOT.jar` committed in source repo: `lang/java/ipc/a", "shortDescription": {"text": "[MINED134] Binary file `lang/java/ipc/abcoder-java-analyzer-1.0-SNAPSHOT.jar` committed in source repo: `lang/java/ipc/abcoder-java-analyzer-1.0-SNAPSHOT.jar` is a .jar binary (18,763,322 bytes) committed to a repo that otherwise has 226 so"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED130", "name": "[MINED130] Lockfile pulls package from off-canonical host `bnpm.byted.org`: `package-lock.json` resolved URL for `node_m", "shortDescription": {"text": "[MINED130] Lockfile pulls package from off-canonical host `bnpm.byted.org`: `package-lock.json` resolved URL for `node_modules/@ampproject/remapping` is `https://bnpm.byted.org/@ampproject/remapping/-/remapping-2.3.0.tgz...` \u2014 host `bnpm.by"}, "fullDescription": {"text": "Verify the host is intentional. If your org uses a private registry, add it to your scanner's allowlist (CANONICAL_NPM_HOSTS). Otherwise, regenerate the lockfile against the canonical registry."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED128", "name": "[MINED128] go.mod replaces `a.b/c` \u2014 points to a LOCAL path: `replace a.b/c => ../.` overrides the canonical dependency ", "shortDescription": {"text": "[MINED128] go.mod replaces `a.b/c` \u2014 points to a LOCAL path: `replace a.b/c => ../.` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules th"}, "fullDescription": {"text": "If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. Remove the replace once upstream merges."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /refresh-token has no auth: Express route POST /refresh-token declared without an auth middlewar", "shortDescription": {"text": "[MINED113] Express POST /refresh-token has no auth: Express route POST /refresh-token declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken "}, "fullDescription": {"text": "Add an auth middleware: app.post('/refresh-token', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/224"}, "properties": {"repository": "cloudwego/abcoder", "repoUrl": "https://github.com/cloudwego/abcoder", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `deepdiff` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 46872, "scanner": "repobility-supply-chain", "fingerprint": "cc28e2646f70df50396f0abb9333500cf2475271eb1e66b916b4521a411b828e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc28e2646f70df50396f0abb9333500cf2475271eb1e66b916b4521a411b828e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, else=3, if=5, nested_bonus=4, ternary=2."}, "properties": {"repobilityId": 46844, "scanner": "repobility-threat-engine", "fingerprint": "e97a6058d89a854d05e73d4682e8128c16acf6534410f5ba94d0440c37dd1065", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 15 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 5, "elif": 1, "else": 3, "ternary": 2, "nested_bonus": 4}, "complexity": 15, "correlation_key": "fp|e97a6058d89a854d05e73d4682e8128c16acf6534410f5ba94d0440c37dd1065"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/diffjson.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `format_diff_custom` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=5, if=6, nested_bonus=5."}, "properties": {"repobilityId": 46843, "scanner": "repobility-threat-engine", "fingerprint": "8b16132ac22991246c3bcc5c5d066aa336d17a40b9dd60906fea95c0b7a648aa", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 16 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "format_diff_custom", "breakdown": {"if": 6, "for": 5, "nested_bonus": 5}, "complexity": 16, "correlation_key": "fp|8b16132ac22991246c3bcc5c5d066aa336d17a40b9dd60906fea95c0b7a648aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/diffjson.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC119", "level": "warning", "message": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets."}, "properties": {"repobilityId": 46826, "scanner": "repobility-threat-engine", "fingerprint": "ef22582e4522ab47391cfb2467de02cd394824ab1b2fd36fc7c4730052cfa949", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.Chmod(destPath, 0755)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC119", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|internal/cmd/init_spec.go|151|sec119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cmd/init_spec.go"}, "region": {"startLine": 151}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `process_directory_comparison` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=7, if=2, nested_bonus=3, or=1, ternary=1."}, "properties": {"repobilityId": 46845, "scanner": "repobility-threat-engine", "fingerprint": "b0e697e9e3c17dcfd17e7cf5153263aef04b7290ad3f252367158b47bfe6621f", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "process_directory_comparison", "breakdown": {"if": 2, "or": 1, "for": 7, "ternary": 1, "nested_bonus": 3}, "complexity": 14, "correlation_key": "fp|b0e697e9e3c17dcfd17e7cf5153263aef04b7290ad3f252367158b47bfe6621f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/diffjson.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 46841, "scanner": "repobility-threat-engine", "fingerprint": "a667949681c3ccc9f1ec404e8fa31b20fda80e90f401530e09495d5a4edba50f", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = filepath.Abs(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a667949681c3ccc9f1ec404e8fa31b20fda80e90f401530e09495d5a4edba50f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/utils/files.go"}, "region": {"startLine": 28}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 46840, "scanner": "repobility-threat-engine", "fingerprint": "de20c206168756626edfd08cbcb9e0a143933586900594bcc4474d16fb10dfdd", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = filepath.Abs(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de20c206168756626edfd08cbcb9e0a143933586900594bcc4474d16fb10dfdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/lsp/lsp.go"}, "region": {"startLine": 168}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 46835, "scanner": "repobility-threat-engine", "fingerprint": "6f2f91422fd81b6b67dd05a6e53a33630b35848f657298e267e58bfde4025b45", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"jdt-language-server-\" + jdtlsVersion + \".tar.gz\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6f2f91422fd81b6b67dd05a6e53a33630b35848f657298e267e58bfde4025b45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/java/pb/lib.go"}, "region": {"startLine": 140}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 7043, "scanner": "repobility-threat-engine", "fingerprint": "597715303fd2acacf30b368b372a7b233a2c044a351b8a5313e5a72791d08a2c", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = eg.Wait(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|597715303fd2acacf30b368b372a7b233a2c044a351b8a5313e5a72791d08a2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/collect/collect.go"}, "region": {"startLine": 1301}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 7042, "scanner": "repobility-threat-engine", "fingerprint": "72ccc765ea15affb21098cf6becb650836beb95ca5ae46b540efdb351aac39d0", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = filepath.Rel(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|72ccc765ea15affb21098cf6becb650836beb95ca5ae46b540efdb351aac39d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/collect/export.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 7041, "scanner": "repobility-threat-engine", "fingerprint": "263e21054cc55fac48cf0c330004586dd71bb0c047bea20524a21ed87c610821", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = filepath.Abs(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|263e21054cc55fac48cf0c330004586dd71bb0c047bea20524a21ed87c610821"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/parse.go"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7040, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6beecbf83bc7a3a130a84b2ff5d18fd2c4ac5425a932c3e3936f31a0de30800d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ts-parser/src/parser/TypeParser.ts", "duplicate_line": 371, "correlation_key": "fp|6beecbf83bc7a3a130a84b2ff5d18fd2c4ac5425a932c3e3936f31a0de30800d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/parser/VarParser.ts"}, "region": {"startLine": 384}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7039, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ceca6fda876bb003d006870c322ea01b8e30e9efbde6dc8172b0dbc01c256f25", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "testdata/python/0_simple/test.py", "duplicate_line": 35, "correlation_key": "fp|ceca6fda876bb003d006870c322ea01b8e30e9efbde6dc8172b0dbc01c256f25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "testdata/python/1_single/main.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7038, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b93fc8f03d36d947ab846a6426924edc9bcf0cda57ec86803d5c19a4772b40e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "testdata/python/0_simple/test3.py", "duplicate_line": 1, "correlation_key": "fp|4b93fc8f03d36d947ab846a6426924edc9bcf0cda57ec86803d5c19a4772b40e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "testdata/python/1_single/main.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7037, "scanner": "repobility-ai-code-hygiene", "fingerprint": "66248c7b71cd936601f177141754f583abf8bf32fc418e751b91b8710a1a2862", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/utils/slice.go", "duplicate_line": 2, "correlation_key": "fp|66248c7b71cd936601f177141754f583abf8bf32fc418e751b91b8710a1a2862"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/utils/strings.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7036, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a38fc23beccc669664536687f65c65357b3dad7117a0679cc0dd7d633f8ca49", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/utils/err.go", "duplicate_line": 14, "correlation_key": "fp|3a38fc23beccc669664536687f65c65357b3dad7117a0679cc0dd7d633f8ca49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/utils/err.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7035, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b852ee11b0e93d2199b494b05d285f0de1402fd25e2fbdd7c30d729dfe7bd9d2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "lang/collect/export.go", "duplicate_line": 626, "correlation_key": "fp|b852ee11b0e93d2199b494b05d285f0de1402fd25e2fbdd7c30d729dfe7bd9d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/cpp/spec.go"}, "region": {"startLine": 255}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 46865, "scanner": "repobility-threat-engine", "fingerprint": "46a53925a5b1bd8fa710e6ef660280b4a5e98d8d9134501792fc24a770fbd5c2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46a53925a5b1bd8fa710e6ef660280b4a5e98d8d9134501792fc24a770fbd5c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/services/api.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 46864, "scanner": "repobility-threat-engine", "fingerprint": "93c37ad39389befde0cf1e4909ef78c5fff553457499462edb6a6e46a4620199", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|93c37ad39389befde0cf1e4909ef78c5fff553457499462edb6a6e46a4620199"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/services/ExportDefault.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 46861, "scanner": "repobility-threat-engine", "fingerprint": "58e1b0cf4fe8cd3493703eda27a59de9030203abece4fa86b750f1e30e7e0296", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|58e1b0cf4fe8cd3493703eda27a59de9030203abece4fa86b750f1e30e7e0296"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/config/app.config.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 46860, "scanner": "repobility-threat-engine", "fingerprint": "a9d0060e26c2e64e45dbfa0debe9056912222ec4942f1073bac29ea38ff519b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a9d0060e26c2e64e45dbfa0debe9056912222ec4942f1073bac29ea38ff519b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/utils/typescript-structure.ts"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 46859, "scanner": "repobility-threat-engine", "fingerprint": "80eb45aca3cd3afda48389737a56f778d0cc3145d2a78147a49d5f3aa5c76a81", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|80eb45aca3cd3afda48389737a56f778d0cc3145d2a78147a49d5f3aa5c76a81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/utils/parsing-strategy.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 46858, "scanner": "repobility-threat-engine", "fingerprint": "9211e629afaf047dd99ae9d6452cd646977ae554f2fee587893f4e2881cd6732", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9211e629afaf047dd99ae9d6452cd646977ae554f2fee587893f4e2881cd6732"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/utils/graph-builder.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 46856, "scanner": "repobility-threat-engine", "fingerprint": "57cb4c05469177af97dc487413e302e0fa0c3b9adf41658e7a99dda368f8aef6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|57cb4c05469177af97dc487413e302e0fa0c3b9adf41658e7a99dda368f8aef6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/routes/AuthRoutes.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 46855, "scanner": "repobility-threat-engine", "fingerprint": "185bcabe4ea4f802663cf0a3c40cd1fb4ed476713e481ee4a412199bdd8ec9b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|185bcabe4ea4f802663cf0a3c40cd1fb4ed476713e481ee4a412199bdd8ec9b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/utils/cluster-processor.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 46854, "scanner": "repobility-threat-engine", "fingerprint": "59e16626edcc40c31d2a974a989623eff166c65ea1308e447f0660a13d01e93b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59e16626edcc40c31d2a974a989623eff166c65ea1308e447f0660a13d01e93b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/parser/RepositoryParser.ts"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 46853, "scanner": "repobility-threat-engine", "fingerprint": "dc495931fe10ccd594ead31c7c77f06bc2fd305548c052c38b6f9feadb646876", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|dc495931fe10ccd594ead31c7c77f06bc2fd305548c052c38b6f9feadb646876", "aggregated_count": 4}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 46852, "scanner": "repobility-threat-engine", "fingerprint": "aac774843d5c672c240506993127128e7148dbc04148cdbddce7ae55d8034097", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aac774843d5c672c240506993127128e7148dbc04148cdbddce7ae55d8034097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/utils/tsconfig-cache.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 46851, "scanner": "repobility-threat-engine", "fingerprint": "45a2fa2c8ed9fb5c16a07582bbe5c32388137cdae3943b07b57bfc65d4634dab", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|45a2fa2c8ed9fb5c16a07582bbe5c32388137cdae3943b07b57bfc65d4634dab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/parser/RepositoryParser.ts"}, "region": {"startLine": 221}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 46850, "scanner": "repobility-threat-engine", "fingerprint": "979124fed0ea62a985a74e8994b638d4c879fd4ccbb6b8ea9bc064422b7b478d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|979124fed0ea62a985a74e8994b638d4c879fd4ccbb6b8ea9bc064422b7b478d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/parser/ModuleParser.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 46849, "scanner": "repobility-threat-engine", "fingerprint": "0190d4d3317f3451b6ed1e876fd6829280a4bb59402f9117c5f5c5de7b266624", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0190d4d3317f3451b6ed1e876fd6829280a4bb59402f9117c5f5c5de7b266624", "aggregated_count": 12}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 46848, "scanner": "repobility-threat-engine", "fingerprint": "2a428f08ab70459dd48b43e64c709b4e964ceff78a1a71a1c09fdd952c7a94ba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a428f08ab70459dd48b43e64c709b4e964ceff78a1a71a1c09fdd952c7a94ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/parser/RepositoryParser.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 46847, "scanner": "repobility-threat-engine", "fingerprint": "a665bad6cefb70b40db9ca12116d371205db146e5a4447fa34dae25464854377", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a665bad6cefb70b40db9ca12116d371205db146e5a4447fa34dae25464854377"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/parser/ModuleParser.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 46846, "scanner": "repobility-threat-engine", "fingerprint": "e379f14ddf948c9328eec71cc52acd29d813b6678beffa3de46ff1e33e0045fe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e379f14ddf948c9328eec71cc52acd29d813b6678beffa3de46ff1e33e0045fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/index.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 46842, "scanner": "repobility-threat-engine", "fingerprint": "8fbbcc86b403f6a8ddd23b71548b3b2366fee29296b9a88b47c8c953add097b4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8fbbcc86b403f6a8ddd23b71548b3b2366fee29296b9a88b47c8c953add097b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/diffjson.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 46839, "scanner": "repobility-threat-engine", "fingerprint": "6d6974cd6ae9b88d7a4ba4a238be693376a2b20e873bc3a10c887ce9243cae5b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6d6974cd6ae9b88d7a4ba4a238be693376a2b20e873bc3a10c887ce9243cae5b", "aggregated_count": 2}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 46838, "scanner": "repobility-threat-engine", "fingerprint": "079cf2c4f903d60171c61afb8fa16732de039b61c774fd8bf430db46f7663e54", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|079cf2c4f903d60171c61afb8fa16732de039b61c774fd8bf430db46f7663e54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llm/agent/cmd.go"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 46837, "scanner": "repobility-threat-engine", "fingerprint": "d1dbdd6c498137574852a16bcecf1c2cf427df0ddfa265808299b64f1a7cce84", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1dbdd6c498137574852a16bcecf1c2cf427df0ddfa265808299b64f1a7cce84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/rust/utils/lsp.go"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 46836, "scanner": "repobility-threat-engine", "fingerprint": "361ab5e8f2a92a7e2d5d3a7aed1b01f37884fabe8efcd5fac5c7d33a8374b79a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|361ab5e8f2a92a7e2d5d3a7aed1b01f37884fabe8efcd5fac5c7d33a8374b79a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/lsp/client.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 46830, "scanner": "repobility-threat-engine", "fingerprint": "9c7786c6bc1d3f5f0f9e3cc9679a260e14e258a213e1a9b201242f190a523951", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9c7786c6bc1d3f5f0f9e3cc9679a260e14e258a213e1a9b201242f190a523951", "aggregated_count": 13}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 46829, "scanner": "repobility-threat-engine", "fingerprint": "7f991fd297517e2ef10d019be0503b1e53d0b8ae98ec1e18671f8eb81d4f7333", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7f991fd297517e2ef10d019be0503b1e53d0b8ae98ec1e18671f8eb81d4f7333"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/java/lib_ipc.go"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 46828, "scanner": "repobility-threat-engine", "fingerprint": "400b7cd48cf8beab3ed1ef51095deea86e9d12e21b5d910a5b38fd797fa2daa1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|400b7cd48cf8beab3ed1ef51095deea86e9d12e21b5d910a5b38fd797fa2daa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/cxx/spec.go"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 46827, "scanner": "repobility-threat-engine", "fingerprint": "1cbc35bb6a05c276df7e11c9b048aca55826ffaddd07c11287f7d2aaa0018233", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1cbc35bb6a05c276df7e11c9b048aca55826ffaddd07c11287f7d2aaa0018233"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/cpp/spec.go"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 7049, "scanner": "repobility-threat-engine", "fingerprint": "0c9e84d0f8054c82cd2a40b6c554f5b6f3d2cf0635bb403401a202accc98fc86", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|5|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/utils/Validation.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 7048, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7047, "scanner": "repobility-threat-engine", "fingerprint": "5adc9cbc6322cc19cb968f1724fd8ad1ec2b8fb2c1bbab38693297298210f626", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`No tsconfig.json found for package ${pkg.name || pkg.path}, skipping.`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|30|console.log no tsconfig.json found for package pkg.name pkg.path skipping."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/parser/RepositoryParser.ts"}, "region": {"startLine": 309}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7046, "scanner": "repobility-threat-engine", "fingerprint": "2abc79b48323908e81601ee13b5d4e126b6476ee734f7870a18d602b4d32d854", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "Logger.error('Token verification failed:', error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|logger.error token verification failed: error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/middleware/AuthMiddleware.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7045, "scanner": "repobility-threat-engine", "fingerprint": "8ade66ce27988f788d250e01cea6eca3759d077de7f957b49fa83adab2932dbd", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "Logger.error('Token refresh error:', error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|12|logger.error token refresh error: error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/routes/AuthRoutes.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 7044, "scanner": "repobility-threat-engine", "fingerprint": "ffe4d81a7489f28099dfb64f1d43f221c7bd1f8d79fc0a1d608b942842e235c6", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ffe4d81a7489f28099dfb64f1d43f221c7bd1f8d79fc0a1d608b942842e235c6"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `lang/java/ipc/abcoder-java-analyzer-1.0-SNAPSHOT.jar` committed in source repo: `lang/java/ipc/abcoder-java-analyzer-1.0-SNAPSHOT.jar` is a .jar binary (18,763,322 bytes) committed to a repo that otherwise has 226 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 46889, "scanner": "repobility-supply-chain", "fingerprint": "ae98fbb1ab8f6e990c18e3a95992b872f73fde46f6dc0a417d3ee8e7e62c1bd0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae98fbb1ab8f6e990c18e3a95992b872f73fde46f6dc0a417d3ee8e7e62c1bd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/java/ipc/abcoder-java-analyzer-1.0-SNAPSHOT.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46888, "scanner": "repobility-supply-chain", "fingerprint": "3d02c7d294e59496144b52b805dc16bc4fa0c6ce06a15c17f562cdfee909b672", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d02c7d294e59496144b52b805dc16bc4fa0c6ce06a15c17f562cdfee909b672"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/regression.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46887, "scanner": "repobility-supply-chain", "fingerprint": "e0ceb3a4d1795d2e4f7fb25e5040d9642f12c0d3f7a5fb86b65882815525db85", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e0ceb3a4d1795d2e4f7fb25e5040d9642f12c0d3f7a5fb86b65882815525db85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/regression.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46886, "scanner": "repobility-supply-chain", "fingerprint": "0ccfb3739ed3ce41259e236cefcad8a0b77fac3bda5139308868df419c7ff7aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ccfb3739ed3ce41259e236cefcad8a0b77fac3bda5139308868df419c7ff7aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/regression.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46885, "scanner": "repobility-supply-chain", "fingerprint": "cd48f424336bf60f21401aae1661641a69fd8db8a34657a8026e3ebebcb5e86f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd48f424336bf60f21401aae1661641a69fd8db8a34657a8026e3ebebcb5e86f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/regression.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46884, "scanner": "repobility-supply-chain", "fingerprint": "00058f1b01af098d3727e93071f45c1a7ac7a09a370be8081a43d7db7556ac7d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|00058f1b01af098d3727e93071f45c1a7ac7a09a370be8081a43d7db7556ac7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/regression.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46883, "scanner": "repobility-supply-chain", "fingerprint": "f86857615448cd887ce27dd63e2915c8d6c353adb8b7aaa1f37169437b5ff097", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f86857615448cd887ce27dd63e2915c8d6c353adb8b7aaa1f37169437b5ff097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/regression.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46882, "scanner": "repobility-supply-chain", "fingerprint": "0ea48ff89951adf68e210d7e3206bc21247c1e763989af02bc17a14d7d79e1df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ea48ff89951adf68e210d7e3206bc21247c1e763989af02bc17a14d7d79e1df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/regression.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46881, "scanner": "repobility-supply-chain", "fingerprint": "dd291aa8b51ba00c4bc1b762a249d99e0def085a36a5e527897eada60f1af66b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd291aa8b51ba00c4bc1b762a249d99e0def085a36a5e527897eada60f1af66b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/regression.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46880, "scanner": "repobility-supply-chain", "fingerprint": "6c53a8eb5ef02a3756b98e76c10150e42cef33fdd0b3c516f5c6dba1adbbf15b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c53a8eb5ef02a3756b98e76c10150e42cef33fdd0b3c516f5c6dba1adbbf15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go-test.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46879, "scanner": "repobility-supply-chain", "fingerprint": "0e84d82bb33cdb441a90d4f083364b441c8eb172002245bd712f7751ab7d2821", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e84d82bb33cdb441a90d4f083364b441c8eb172002245bd712f7751ab7d2821"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go-test.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46878, "scanner": "repobility-supply-chain", "fingerprint": "5daeac32cf7810e4e74dc3458eadac576386b22c46d1fca67e2fbe4080f081c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5daeac32cf7810e4e74dc3458eadac576386b22c46d1fca67e2fbe4080f081c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go-test.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `apache/skywalking-eyes/header` pinned to mutable ref `@v0.4.0`: `uses: apache/skywalking-eyes/header@v0.4.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46877, "scanner": "repobility-supply-chain", "fingerprint": "412a54fd8bb45225fff19424fce099f76150787786c1d0460feab9783695fa9a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|412a54fd8bb45225fff19424fce099f76150787786c1d0460feab9783695fa9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-check.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46876, "scanner": "repobility-supply-chain", "fingerprint": "7a6af9991ae661d1c337e0ba596f6b6c91697b9cd134342d642a7120fa0a5407", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a6af9991ae661d1c337e0ba596f6b6c91697b9cd134342d642a7120fa0a5407"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-check.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `bnpm.byted.org`: `package-lock.json` resolved URL for `node_modules/@ampproject/remapping` is `https://bnpm.byted.org/@ampproject/remapping/-/remapping-2.3.0.tgz...` \u2014 host `bnpm.byted.org` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 46875, "scanner": "repobility-supply-chain", "fingerprint": "8ee3538c9a45e1c0c89a59f6e228528f46a5af8ace1a422cc2c1b45d725746a3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ee3538c9a45e1c0c89a59f6e228528f46a5af8ace1a422cc2c1b45d725746a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/parser/test/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `bnpm.byted.org`: `package-lock.json` resolved URL for `node_modules/@ampproject/remapping` is `https://bnpm.byted.org/@ampproject/remapping/-/remapping-2.3.0.tgz...` \u2014 host `bnpm.byted.org` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 46874, "scanner": "repobility-supply-chain", "fingerprint": "0c0a089f996316394f327df4570fa2e0ee716adde0674f779213db9de598023e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c0a089f996316394f327df4570fa2e0ee716adde0674f779213db9de598023e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/utils/test/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `a.b/c` \u2014 points to a LOCAL path: `replace a.b/c => ../.` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 46873, "scanner": "repobility-supply-chain", "fingerprint": "3222e311960b9f90a9f1830bebab7a7c12661e35e5dc3a7a676591c0c65dd9ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3222e311960b9f90a9f1830bebab7a7c12661e35e5dc3a7a676591c0c65dd9ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "testdata/go/0_golang/cmd/go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /refresh-token has no auth: Express route POST /refresh-token declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 46871, "scanner": "repobility-route-auth", "fingerprint": "ec5e525415412d23cd2507faab3f5ddbae27f3067bb5fa207fdc9257cdbe4076", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ec5e525415412d23cd2507faab3f5ddbae27f3067bb5fa207fdc9257cdbe4076"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/routes/AuthRoutes.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /login has no auth: Express route POST /login declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 46870, "scanner": "repobility-route-auth", "fingerprint": "7fc09ccc314c85fe1c7221c866f0e47fb693c0b4a80f532645107f98e6b811d9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7fc09ccc314c85fe1c7221c866f0e47fb693c0b4a80f532645107f98e6b811d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/routes/AuthRoutes.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /register has no auth: Express route POST /register declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 46869, "scanner": "repobility-route-auth", "fingerprint": "308f431e87fddec66a14b86a536b2a6dd6749a55669986fe2716a961f985ff1c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|308f431e87fddec66a14b86a536b2a6dd6749a55669986fe2716a961f985ff1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/routes/AuthRoutes.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 46868, "scanner": "repobility-route-auth", "fingerprint": "c60e9f9ad3be242c9d48499b0658980fee203a2bd62fb0014c4b776aba8afe6b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c60e9f9ad3be242c9d48499b0658980fee203a2bd62fb0014c4b776aba8afe6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/routes/UserRoutes.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/hash-password has no auth: Express route POST /api/hash-password declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 46867, "scanner": "repobility-route-auth", "fingerprint": "9b3d7900aa5e0c8727ceaedcd9173b8296cafc4d3890ca6fe00e94848d9a3460", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9b3d7900aa5e0c8727ceaedcd9173b8296cafc4d3890ca6fe00e94848d9a3460"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/index.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/token has no auth: Express route POST /api/token declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 46866, "scanner": "repobility-route-auth", "fingerprint": "320bf5181bc0e3c1b4a37f73fabfaf31c71ac112c451760f9892da38bb908d58", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|320bf5181bc0e3c1b4a37f73fabfaf31c71ac112c451760f9892da38bb908d58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/index.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 46863, "scanner": "repobility-threat-engine", "fingerprint": "9998d9446da72d1594bec70533b0cbcd4b2573d9f40331a29d611913f264b090", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('/refresh-token', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9998d9446da72d1594bec70533b0cbcd4b2573d9f40331a29d611913f264b090"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/routes/AuthRoutes.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 46862, "scanner": "repobility-threat-engine", "fingerprint": "b1e39d4c9221dfe8b1e30715ca2a59a3b4fdfaf1eba32503d3bbc50fa57206e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/api/token', (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b1e39d4c9221dfe8b1e30715ca2a59a3b4fdfaf1eba32503d3bbc50fa57206e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/test-repo/src/index.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 46857, "scanner": "repobility-threat-engine", "fingerprint": "ab5a32156de5ca07c94938f2e21966314f8975d569cecaf4e219dfcfb0c1eb36", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "activeWorkers.delete(workerId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ab5a32156de5ca07c94938f2e21966314f8975d569cecaf4e219dfcfb0c1eb36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ts-parser/src/utils/cluster-processor.ts"}, "region": {"startLine": 217}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 46834, "scanner": "repobility-threat-engine", "fingerprint": "763107a8ca618970de08d1bcdc299f62e298b04f31159a8c44ed2af612ebbb99", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Get(j", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|763107a8ca618970de08d1bcdc299f62e298b04f31159a8c44ed2af612ebbb99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/java/pb/lib.go"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 46833, "scanner": "repobility-threat-engine", "fingerprint": "607264c6e08c65b247f54793284d43d477a1e322fc0d689cab3c336ed2bc788a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(cmd,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|607264c6e08c65b247f54793284d43d477a1e322fc0d689cab3c336ed2bc788a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/rust/repo.go"}, "region": {"startLine": 157}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 46832, "scanner": "repobility-threat-engine", "fingerprint": "20cbf6572916d6df17df92d21e6568e39aa51a3000b0c33905c35a9fc21df996", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(path)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|20cbf6572916d6df17df92d21e6568e39aa51a3000b0c33905c35a9fc21df996"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/lsp/client.go"}, "region": {"startLine": 247}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 46831, "scanner": "repobility-threat-engine", "fingerprint": "751fb20a2280d723f5e8a961da5ad79fc5a60399353a8086127a16fe0706d4d7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|751fb20a2280d723f5e8a961da5ad79fc5a60399353a8086127a16fe0706d4d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lang/java/ipc/server.go"}, "region": {"startLine": 180}}}]}]}]}