{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool.", "shortDescription": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM.", "shortDescription": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1075 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `github/lock` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `github/lock` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: github/lock@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "private-key", "name": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.", "shortDescription": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "pkcs12-file", "name": "Found a PKCS #12 file, which commonly contain bundled private keys.", "shortDescription": {"text": "Found a PKCS #12 file, which commonly contain bundled private keys."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1421"}, "properties": {"repository": "airlift/airlift", "repoUrl": "https://github.com/airlift/airlift", "branch": "master"}, "results": [{"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 145719, "scanner": "repobility-threat-engine", "fingerprint": "28abe3155b36ecacc94a31cca7374a02f01ca3995e19d859bef982840f757558", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"-----BEGIN \" + type + \"-----\\n\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|28abe3155b36ecacc94a31cca7374a02f01ca3995e19d859bef982840f757558"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "security/src/main/java/io/airlift/security/pem/PemWriter.java"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 145718, "scanner": "repobility-threat-engine", "fingerprint": "774137771e28bd4975347b3de8eb3e155050638eb311fa03142203ce331fd18a", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Failed to read \" + description + \" file: \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|774137771e28bd4975347b3de8eb3e155050638eb311fa03142203ce331fd18a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "opentelemetry/src/main/java/io/airlift/opentelemetry/OpenTelemetryExporterModule.java"}, "region": {"startLine": 177}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145687, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3243388b95c938e0355aab5b34844eebd61e0dbeb1cc107c4fa976e773ef0fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "log-manager/src/main/java/io/airlift/log/RollingFileMessageOutput.java", "duplicate_line": 126, "correlation_key": "fp|b3243388b95c938e0355aab5b34844eebd61e0dbeb1cc107c4fa976e773ef0fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "log-manager/src/main/java/io/airlift/log/SocketMessageOutput.java"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145686, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0f264258dfc02f88925a4a6a8759e85ef705fb3f99105cf03d0c8bed6f5d74e8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "http-server/src/main/java/io/airlift/http/server/BinderUtils.java", "duplicate_line": 2, "correlation_key": "fp|0f264258dfc02f88925a4a6a8759e85ef705fb3f99105cf03d0c8bed6f5d74e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "jaxrs/src/main/java/io/airlift/jaxrs/BinderUtils.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145685, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d9b9eec19feb7337e72187b114db45954a10536400197e52d0458f7abad414c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "http-client/src/main/java/io/airlift/http/client/jetty/MonitoredQueuedThreadPoolMBean.java", "duplicate_line": 2, "correlation_key": "fp|8d9b9eec19feb7337e72187b114db45954a10536400197e52d0458f7abad414c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "http-server/src/main/java/io/airlift/http/server/jetty/MonitoredQueuedThreadPoolMBean.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "29b35d7a94bb22012519a74eb7cc746b39cd6a66267dc9fb50511ff2e09944c4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "http-client/src/main/java/io/airlift/http/client/jetty/DefaultHttpClientLogger.java", "duplicate_line": 80, "correlation_key": "fp|29b35d7a94bb22012519a74eb7cc746b39cd6a66267dc9fb50511ff2e09944c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "http-server/src/main/java/io/airlift/http/server/JettyRequestLog.java"}, "region": {"startLine": 127}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145683, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6acb93dffcd0ed3447b07d286809fb9e3bf084e5af01a34995c6ddf65cfeba3c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "http-client/src/main/java/io/airlift/http/client/HttpClientConfig.java", "duplicate_line": 381, "correlation_key": "fp|6acb93dffcd0ed3447b07d286809fb9e3bf084e5af01a34995c6ddf65cfeba3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "http-server/src/main/java/io/airlift/http/server/HttpsConfig.java"}, "region": {"startLine": 137}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145682, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ba1a90e9dc5799824bfd2a3cd8af80526a0d816ddda3b415560a18a0c1a582f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "http-client/src/main/java/io/airlift/http/client/jetty/ConnectionStats.java", "duplicate_line": 2, "correlation_key": "fp|ba1a90e9dc5799824bfd2a3cd8af80526a0d816ddda3b415560a18a0c1a582f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "http-server/src/main/java/io/airlift/http/server/ConnectionStats.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145681, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f85d58322526c22ebe20a9b17d89d9a9d814dd3d124fe64c66eca16a3d63b80", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "http-client/src/main/java/io/airlift/http/client/jetty/JettyResponse.java", "duplicate_line": 51, "correlation_key": "fp|1f85d58322526c22ebe20a9b17d89d9a9d814dd3d124fe64c66eca16a3d63b80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "http-client/src/main/java/io/airlift/http/client/testing/TestingResponse.java"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145680, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cca0c05719bcbf4c07de08b88a2079ce230d879245f58113638107b42918122a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/src/main/java/io/airlift/discovery/client/CachingServiceSelector.java", "duplicate_line": 62, "correlation_key": "fp|cca0c05719bcbf4c07de08b88a2079ce230d879245f58113638107b42918122a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/src/main/java/io/airlift/discovery/client/testing/StaticServiceSelector.java"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145679, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4aafe0acc5266e641353ba6d2d7e0f23e21351926642666afceb56ef79642b75", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/src/main/java/io/airlift/discovery/client/CachingServiceSelector.java", "duplicate_line": 62, "correlation_key": "fp|4aafe0acc5266e641353ba6d2d7e0f23e21351926642666afceb56ef79642b75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/src/main/java/io/airlift/discovery/client/testing/SimpleServiceSelector.java"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145678, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b7ad60c94718b13dbc16d739e9579b411ff870af9673c958b5bc243d90152a64", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/src/main/java/io/airlift/discovery/client/ServiceAnnouncement.java", "duplicate_line": 32, "correlation_key": "fp|b7ad60c94718b13dbc16d739e9579b411ff870af9673c958b5bc243d90152a64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/src/main/java/io/airlift/discovery/client/ServiceDescriptor.java"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145677, "scanner": "repobility-ai-code-hygiene", "fingerprint": "229564e34852836d04228220ae03713100cd1976940b7b932e49e9cbd5a454fd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/src/main/java/io/airlift/discovery/client/HttpDiscoveryAnnouncementClient.java", "duplicate_line": 161, "correlation_key": "fp|229564e34852836d04228220ae03713100cd1976940b7b932e49e9cbd5a454fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/src/main/java/io/airlift/discovery/client/HttpDiscoveryLookupClient.java"}, "region": {"startLine": 146}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145676, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c1b893e6038b94ef80c85fc7ea721851e485b4efb4ccab8e8588582e616702a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bootstrap/src/main/java/io/airlift/bootstrap/LifeCycleManager.java", "duplicate_line": 184, "correlation_key": "fp|8c1b893e6038b94ef80c85fc7ea721851e485b4efb4ccab8e8588582e616702a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration/src/main/java/io/airlift/configuration/secrets/ThreadContextClassLoader.java"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145675, "scanner": "repobility-ai-code-hygiene", "fingerprint": "175f7c43aa65cd9548cc51a836914e08ef82406c34860c5b338410fcc5967f22", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bootstrap/src/main/java/io/airlift/bootstrap/LifeCycleManager.java", "duplicate_line": 182, "correlation_key": "fp|175f7c43aa65cd9548cc51a836914e08ef82406c34860c5b338410fcc5967f22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration/src/main/java/io/airlift/configuration/ConfigurationFactory.java"}, "region": {"startLine": 641}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145674, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8113c0b9d5a9761d9506b7babf712d031b7bed90081fd333acd5d79db5ec3f6e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/io/airlift/api/builders/DeprecationBuilder.java", "duplicate_line": 69, "correlation_key": "fp|8113c0b9d5a9761d9506b7babf712d031b7bed90081fd333acd5d79db5ec3f6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/io/airlift/api/validation/DeprecationValidator.java"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145673, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e077e710a496df751cfec4682066d53f763b70a7d92d923c0c43c2990f00b74", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/main/java/io/airlift/api/builders/ServiceMetadataBuilder.java", "duplicate_line": 27, "correlation_key": "fp|7e077e710a496df751cfec4682066d53f763b70a7d92d923c0c43c2990f00b74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/io/airlift/api/model/ModelServiceMetadata.java"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 145717, "scanner": "repobility-threat-engine", "fingerprint": "9f0f85696ad5aea3971ff60e72a196c0de367cbba32b647844d1f691e8e88cea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f0f85696ad5aea3971ff60e72a196c0de367cbba32b647844d1f691e8e88cea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "opentelemetry/src/main/java/io/airlift/opentelemetry/OpenTelemetryExporterConfig.java"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 145712, "scanner": "repobility-threat-engine", "fingerprint": "b33b9fa30193bee8937fded79de0a89e3cbc0227353c6d1fa8988e662e74e331", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b33b9fa30193bee8937fded79de0a89e3cbc0227353c6d1fa8988e662e74e331"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 145711, "scanner": "repobility-threat-engine", "fingerprint": "9baa1438545c6baf38f3f3b02d2e47b42f0ccaca11a371ed452fe2769126ea14", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|129|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/main/java/io/airlift/mcp/messages/MessageWriterImpl.java"}, "region": {"startLine": 129}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 145710, "scanner": "repobility-threat-engine", "fingerprint": "47581ece40ef11ae16cc8d16928f6f880f0cf763c43a1b9f2ee78a32ac64aee8", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|223|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/src/main/java/io/airlift/discovery/client/ServiceDescriptor.java"}, "region": {"startLine": 223}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 145709, "scanner": "repobility-threat-engine", "fingerprint": "4e19bc51fa8bdca773c520fa38699f989f5ba612212f4efce003288e39cc9d0d", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|31|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/src/main/java/io/airlift/discovery/client/ServiceAnnouncement.java"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 145708, "scanner": "repobility-threat-engine", "fingerprint": "a2a3690bbab8863115fb94478a552b122ae1900caa365473d2963ab60f65a640", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "Logger.get(SecretsPluginManager.class)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|5|logger.get secretspluginmanager.class"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "configuration/src/main/java/io/airlift/configuration/secrets/SecretsPluginManager.java"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 145707, "scanner": "repobility-threat-engine", "fingerprint": "91f7c64f6ce2fa3e2e9d55c0a2979c6dd4086a5fdb24891e12d7c1a5838be1c2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|91f7c64f6ce2fa3e2e9d55c0a2979c6dd4086a5fdb24891e12d7c1a5838be1c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "stats/src/main/java/io/airlift/stats/PauseMeter.java"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 145706, "scanner": "repobility-threat-engine", "fingerprint": "763718d722193467bdd782107a3bd2736eda00ea15270d95525d7fd1f98d3b70", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|763718d722193467bdd782107a3bd2736eda00ea15270d95525d7fd1f98d3b70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bootstrap/src/main/java/io/airlift/bootstrap/LifeCycleManager.java"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 145705, "scanner": "repobility-threat-engine", "fingerprint": "29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc"}}}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 145700, "scanner": "repobility-threat-engine", "fingerprint": "d9c0b920ad236c79dfadd5af03a0f7d96df975058b831c82c6440aaccc0e0bf3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d9c0b920ad236c79dfadd5af03a0f7d96df975058b831c82c6440aaccc0e0bf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skeleton-server/src/main/java/io/airlift/skeleton/Main.java"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 145699, "scanner": "repobility-threat-engine", "fingerprint": "cfca68d437388cf8fa21efb36f7e28608df045b3bb340904edccb32f33402916", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cfca68d437388cf8fa21efb36f7e28608df045b3bb340904edccb32f33402916"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sample-server/src/main/java/io/airlift/sample/Main.java"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 145698, "scanner": "repobility-threat-engine", "fingerprint": "d92cf3722c57d0c5e297871617c95e1893a7bd1f77f646d4184671fbceee1f48", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d92cf3722c57d0c5e297871617c95e1893a7bd1f77f646d4184671fbceee1f48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/io/airlift/api/compatability/ApiCompatibilityTester.java"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 145715, "scanner": "repobility-threat-engine", "fingerprint": "1b6c4bca2609434b5e16bb8ce88493c5e12193a51b3859fb339d474576db3b15", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "sample.update(value);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1b6c4bca2609434b5e16bb8ce88493c5e12193a51b3859fb339d474576db3b15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "stats/src/main/java/io/airlift/stats/MeterStat.java"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 145714, "scanner": "repobility-threat-engine", "fingerprint": "879905fa34b7ac6f7bb16552d9c6822717d42f2eacde39bc4b0d06cfa17d0ae0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "signature.update(rawCertificate);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|879905fa34b7ac6f7bb16552d9c6822717d42f2eacde39bc4b0d06cfa17d0ae0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "security/src/main/java/io/airlift/security/cert/CertificateBuilder.java"}, "region": {"startLine": 250}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 145713, "scanner": "repobility-threat-engine", "fingerprint": "e900a738565253810234953d8252fa59619288c4538d4249870885b0307ab6ef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "allResponse.update(1);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e900a738565253810234953d8252fa59619288c4538d4249870885b0307ab6ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "http-client/src/main/java/io/airlift/http/client/RequestStats.java"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 145704, "scanner": "repobility-threat-engine", "fingerprint": "a3bc07bb4b88586dcc3e0132b0bbacca659f1833e64bd58d928b16c8999f8e74", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a3bc07bb4b88586dcc3e0132b0bbacca659f1833e64bd58d928b16c8999f8e74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/io/airlift/api/openapi/models/Server.java"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 145703, "scanner": "repobility-threat-engine", "fingerprint": "d80fa26bdcd01eb232369bf30dafcf3fdfdcc80749c9ee7cbaf28c51484f6f28", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d80fa26bdcd01eb232369bf30dafcf3fdfdcc80749c9ee7cbaf28c51484f6f28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/io/airlift/api/openapi/models/SecurityScheme.java"}, "region": {"startLine": 188}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 145702, "scanner": "repobility-threat-engine", "fingerprint": "798072d6fcc8a31c669db87bbb6963be7d947cfe239e88481d292d51fa3dfab2", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|798072d6fcc8a31c669db87bbb6963be7d947cfe239e88481d292d51fa3dfab2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/io/airlift/api/openapi/models/OAuthFlow.java"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 145701, "scanner": "repobility-threat-engine", "fingerprint": "ab12c7b6a82165e62aa4c47f07d9f00647bc8864ebe2f3044e8854d927b57ae1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ab12c7b6a82165e62aa4c47f07d9f00647bc8864ebe2f3044e8854d927b57ae1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/main/java/io/airlift/api/openapi/OpenApiResource.java"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/lock` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 145697, "scanner": "repobility-supply-chain", "fingerprint": "db7a4eee2f1b411d89d8d2f4733cf6ef193b9f75540846bff234c0aec92c95bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db7a4eee2f1b411d89d8d2f4733cf6ef193b9f75540846bff234c0aec92c95bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/lock` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 145696, "scanner": "repobility-supply-chain", "fingerprint": "3abee1c3616e44eb7b563325b43bd85895534a6752f7b9e77e44eb3a77756748", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3abee1c3616e44eb7b563325b43bd85895534a6752f7b9e77e44eb3a77756748"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145695, "scanner": "repobility-supply-chain", "fingerprint": "90e84519167a5d9501ce9d8aab80a7a53aa6246e3766eb874d48c127deeafab9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|90e84519167a5d9501ce9d8aab80a7a53aa6246e3766eb874d48c127deeafab9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145694, "scanner": "repobility-supply-chain", "fingerprint": "b3003124d8879cc424e8f7962a3d559cab83315ec301bf62c02210a0b64b4d64", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b3003124d8879cc424e8f7962a3d559cab83315ec301bf62c02210a0b64b4d64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 145693, "scanner": "repobility-supply-chain", "fingerprint": "3531b726b43537e395b8fc9eacd15fbe66d3fb806b1d1b1ddb2ce7925234fa38", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3531b726b43537e395b8fc9eacd15fbe66d3fb806b1d1b1ddb2ce7925234fa38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 145692, "scanner": "repobility-supply-chain", "fingerprint": "501abd0686be05e36e858afc111cd4f45e72c8703c61e19761210add2a1afacb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|501abd0686be05e36e858afc111cd4f45e72c8703c61e19761210add2a1afacb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 145691, "scanner": "repobility-supply-chain", "fingerprint": "72f68cd2b40507e61c7c93da585b69a0d7deac3ae1d327217721983871feba82", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72f68cd2b40507e61c7c93da585b69a0d7deac3ae1d327217721983871feba82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 145690, "scanner": "repobility-supply-chain", "fingerprint": "6e7f9efaba7293a3732ef1bbae42a0033c6c537660527e1a2fe3729fe32c8b47", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e7f9efaba7293a3732ef1bbae42a0033c6c537660527e1a2fe3729fe32c8b47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145689, "scanner": "repobility-supply-chain", "fingerprint": "7e4233ea1cd21538a716df8ac450f56d24be5a52cda0bee79025c63afd97a932", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e4233ea1cd21538a716df8ac450f56d24be5a52cda0bee79025c63afd97a932"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/snapshot-release.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145688, "scanner": "repobility-supply-chain", "fingerprint": "26fd4c874611f5c1b87177e34694c10920b89c39fce37315c9da81ffd14adfbd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26fd4c874611f5c1b87177e34694c10920b89c39fce37315c9da81ffd14adfbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/snapshot-release.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 145725, "scanner": "gitleaks", "fingerprint": "9be80185c52c0407871c2eee6147dbe0ffce545d2f56bdc47e8f96f7444299db", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|2|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["private-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["34d9e1952c3be0365a43f5051c4d7a77f21ce2affa6428c2e97301273c985bb9", "9be80185c52c0407871c2eee6147dbe0ffce545d2f56bdc47e8f96f7444299db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "security/src/test/resources/ec.client.pkcs1.pem"}, "region": {"startLine": 23}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 145724, "scanner": "gitleaks", "fingerprint": "99acfb6f3c210d906831ed825d0a9b117b89d4bae97aa400bc437d922666320c", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|5|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["private-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["99acfb6f3c210d906831ed825d0a9b117b89d4bae97aa400bc437d922666320c", "eacdbb5881efafb863ae7f9568a0e400db73ba9fabbe923d67b2c9b6bb14775b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "security/src/test/resources/dsa.client.pkcs1.pem"}, "region": {"startLine": 55}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 145723, "scanner": "gitleaks", "fingerprint": "280fedfcedd6458f81b10ef5fd19eb27ec417482ed1d371e98e03aaadf8c642f", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|6|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["private-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["280fedfcedd6458f81b10ef5fd19eb27ec417482ed1d371e98e03aaadf8c642f", "94d5c806020c22490ff324e0af18ea8899ff316f9ddbab87d4a6ffd759c0f8f8"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "security/src/test/resources/rsa.client.pkcs1.pem"}, "region": {"startLine": 61}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 145722, "scanner": "gitleaks", "fingerprint": "ed26d1661c56f7162c142be1d5dd5b9689981e14c4d68d920693b82119ddb0f4", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 13 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|1|redacted", "duplicate_count": 13, "duplicate_rule_ids": ["private-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["2186054b8878a6cb926e164b84273fea07f7a6f6befde73b7b560fc25cd38172", "2410907aa4327319870150e83f194e961bde5004489c9e417819a69c8c2fd468", "3719a523bd6884df7100d7532ada1f7bf12ab987dc84119dcf3c982f39fc9adc", "421ac4937a7a38bdc64fd3c8d0093c9b45d4889a364f62f747b04197abcb358a", "55fd601c35df7c0c29fa9e4d8499af115e128d85f77356b7821e70da430b2d57", "565dce70f7ecab39e39daf4d6b71421ef0f8a446f21753511d4cf649b0b79a4b", "5d8cbbf8274eff9d2403e9c39dc8a553907061577d5c8f3adba2fd2d2add7a48", "658c6b6ef068830683a168a3c7be98d2e4d690d37621f2e8ffcc49292bc85958", "66bf6234f6f592cb70de3738f6e03c210a9c67489d9c93800a09dc9325a9ec77", "682d085b07d383e219e9623342b6142383412f8c61178df8bfa098a732df42b5", "9e330be2acf87b12b3f846f32e25e696887429fc6a1ad04c4c0f5ec0781d5ee8", "b1e19de0b94156a79cdd6ae3db2403a6796830616c5a663487920caceddf5ded"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "security/src/test/resources/ec.client.pkcs1.key"}, "region": {"startLine": 1}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 145721, "scanner": "gitleaks", "fingerprint": "59cb2f31f716ff6300a9a700a3f325ce4d6c7ce40e6b20823e33dbe3bca0a49c", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|3|redacted", "duplicate_count": 2, "duplicate_rule_ids": ["private-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["59cb2f31f716ff6300a9a700a3f325ce4d6c7ce40e6b20823e33dbe3bca0a49c", "e0ee9cfe541e4ecc040b0af1532de43c0239234415d7d5dd117734465b43847c", "f41a81a9209f305ba1952c74757727d54dffa8f8a1703852768958438afabe6e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "http-server/src/test/resources/clientcert-pem/server.pem"}, "region": {"startLine": 31}}}]}, {"ruleId": "pkcs12-file", "level": "error", "message": {"text": "Found a PKCS #12 file, which commonly contain bundled private keys."}, "properties": {"repobilityId": 145720, "scanner": "gitleaks", "fingerprint": "eb8af8a67d89c7615c2d7167fc36ba344b344dc024695c768264fbea19f5223a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTEDfREDACTEDiREDACTEDlREDACTEDeREDACTED REDACTEDdREDACTEDeREDACTEDtREDACTEDeREDACTEDcREDACTEDtREDACTEDeREDACTEDdREDACTED:REDACTED REDACTED/REDACTEDtREDACTEDmREDACTEDpREDACTED/REDACTEDrREDACTEDeREDACTEDpREDACTEDoREDACTEDbREDACTEDiREDACTEDlREDACTEDiREDACTEDtREDACTEDyREDACTED-REDACTEDaREDACTEDnRED", "rule_id": "pkcs12-file", "scanner": "gitleaks", "detector": "pkcs12-file", "correlation_key": "secret|token||token token token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "http-server/src/test/resources/multiple-certs/server.p12"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 145716, "scanner": "repobility-threat-engine", "fingerprint": "8bbcbad17a95246c7cf7d0268a8d21ca479f561f3a8ca230a42e38169003f688", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8bbcbad17a95246c7cf7d0268a8d21ca479f561f3a8ca230a42e38169003f688"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/main/java/io/airlift/mcp/handler/ResourceTemplateHandler.java"}, "region": {"startLine": 13}}}]}]}]}