{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. 
Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found 
in 3 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Apply this check to the IP address the hostname actually resolves to, and again after each redirect; also cover loopback (127/8) and the IPv6 equivalents."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 926 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Caveat: by default GitHub does not pass repository secrets to `pull_request` runs that come from a fork, so the secret is exposed mainly to pull requests from branches of the same repository or to workflows using `pull_request_target`; confirm which case applies before triaging. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1118"}, "properties": {"repository": "open-telemetry/opentelemetry-kotlin", "repoUrl": "https://github.com/open-telemetry/opentelemetry-kotlin", "branch": "main"}, "results": [{"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 110735, "scanner": "osv-scanner", "fingerprint": "03a832fab91f2798f7faa8de15038cc744bd8e4001d3d2c9ba3502d42905624d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC134", "level": "warning", "message": 
{"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 110722, "scanner": "repobility-threat-engine", "fingerprint": "27c0b398009e0caae904f9d7f35b56860f697468289d7eb62130a7c917b1843a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url = \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|27c0b398009e0caae904f9d7f35b56860f697468289d7eb62130a7c917b1843a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/logging/LogExportTest.kt"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 110721, "scanner": "repobility-threat-engine", "fingerprint": "ea11943e9cb442bc35ea78dc2c50146a81abdd26c3dde8ed3c4b2bd0ff8fea11", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url = \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea11943e9cb442bc35ea78dc2c50146a81abdd26c3dde8ed3c4b2bd0ff8fea11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/init/CompatMeterProviderConfigTest.kt"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 110720, "scanner": "repobility-threat-engine", "fingerprint": "2e00f12434a8d75de88e7bea2342bf0a1b1e4f2fea9e9200d0d143092f2cea5b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url = \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e00f12434a8d75de88e7bea2342bf0a1b1e4f2fea9e9200d0d143092f2cea5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/factory/ResourceFactoryTest.kt"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110713, "scanner": "repobility-ai-code-hygiene", "fingerprint": "13e4342d45932df17fdeb655c529ab2d52c19e425433bd7f55b3bb289ee3687c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/TracerSamplerTest.kt", "duplicate_line": 30, "correlation_key": "fp|13e4342d45932df17fdeb655c529ab2d52c19e425433bd7f55b3bb289ee3687c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/TracerSpanContextTest.kt"}, "region": 
{"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110712, "scanner": "repobility-ai-code-hygiene", "fingerprint": "acd851316c0804752b2634d98533aea220ddc54db3e7f275f269d5e55931a310", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/logging/LoggerProviderImplTest.kt", "duplicate_line": 82, "correlation_key": "fp|acd851316c0804752b2634d98533aea220ddc54db3e7f275f269d5e55931a310"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/TracerProviderImplTest.kt"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1889d264c6a43b9c84046a4e42b645b038e8f23d8caace9e0dfc86330ae2a776", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/SpanEndTest.kt", "duplicate_line": 18, "correlation_key": "fp|1889d264c6a43b9c84046a4e42b645b038e8f23d8caace9e0dfc86330ae2a776"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/SpanMetaPropertiesTest.kt"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e6152840a50bd331b3b1581c60c06061288939999d5c2d8334cc66353c901104", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/SpanEventTest.kt", "duplicate_line": 18, "correlation_key": "fp|e6152840a50bd331b3b1581c60c06061288939999d5c2d8334cc66353c901104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/SpanLinkTest.kt"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8be982271a5b339d110538b0d9d9c75305f1cf830103a86251699bebd8e09820", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/attributes/AttributesMutatorImplTest.kt", "duplicate_line": 259, "correlation_key": 
"fp|8be982271a5b339d110538b0d9d9c75305f1cf830103a86251699bebd8e09820"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/SpanAttributesTest.kt"}, "region": {"startLine": 170}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dbf68513740da0a4b36e71cc0dd7b6df8d58f5b1027f3076a653f2b3bcc11bde", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/propagation/W3CTraceContextPropagatorFuzzTest.kt", "duplicate_line": 22, "correlation_key": "fp|dbf68513740da0a4b36e71cc0dd7b6df8d58f5b1027f3076a653f2b3bcc11bde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/propagation/W3CTraceContextPropagatorTest.kt"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "87dcfc4b9448b5bd8ee6b26240221982a9a15cd3c7ed33fb0ed9749b713cf45f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/propagation/CompatPropagatorApiTest.kt", "duplicate_line": 44, "correlation_key": "fp|87dcfc4b9448b5bd8ee6b26240221982a9a15cd3c7ed33fb0ed9749b713cf45f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/propagation/CorePropagatorApiTest.kt"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "de46a4e25a505e0d66e0c99d81486cc7f704db22f986cea764545c095b61079c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/logging/LogMetaPropertiesTest.kt", "duplicate_line": 16, "correlation_key": "fp|de46a4e25a505e0d66e0c99d81486cc7f704db22f986cea764545c095b61079c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/logging/LogSimplePropertiesTest.kt"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9329b9538dc2801cc970ae07933341330e15b00f6a21d0c91e726a9adbce7dc7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/factory/TraceFlagsFactoryTest.kt", "duplicate_line": 39, "correlation_key": "fp|9329b9538dc2801cc970ae07933341330e15b00f6a21d0c91e726a9adbce7dc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/factory/TraceFlagsFactoryImplTest.kt"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d1e0a6f94d1ac87883965e42d0088f34f90e1edc6505300184babd8ef0df46a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/factory/CompatBaggageFactoryTest.kt", "duplicate_line": 26, "correlation_key": "fp|8d1e0a6f94d1ac87883965e42d0088f34f90e1edc6505300184babd8ef0df46a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonTest/kotlin/io/opentelemetry/kotlin/factory/BaggageFactoryImplTest.kt"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36ba1ed82507a42c90e717e035a178ee0cdb16d6c62620880a9c00cae8b97f91", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/logging/LoggerAdapter.kt", "duplicate_line": 22, "correlation_key": "fp|36ba1ed82507a42c90e717e035a178ee0cdb16d6c62620880a9c00cae8b97f91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonMain/kotlin/io/opentelemetry/kotlin/logging/LoggerImpl.kt"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd9bfd645ce957bfd4d5d0656b55ad3a9dbae8447bca1716f1ea35b3ac2b328e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/factory/CompatSpanContextFactory.kt", "duplicate_line": 47, "correlation_key": "fp|bd9bfd645ce957bfd4d5d0656b55ad3a9dbae8447bca1716f1ea35b3ac2b328e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonMain/kotlin/io/opentelemetry/kotlin/factory/SpanContextFactoryImpl.kt"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fdde9bae63e6aa58a2ce16164a15bc522098ab9c2e3f8d441dccf1c96b52218c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/CompatOpenTelemetryImpl.kt", "duplicate_line": 15, "correlation_key": "fp|fdde9bae63e6aa58a2ce16164a15bc522098ab9c2e3f8d441dccf1c96b52218c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonMain/kotlin/io/opentelemetry/kotlin/OpenTelemetryImpl.kt"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8247316e009e093bd3c1a469cf0304e363926d837e48b7f36dc8adfa2020dab8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters-persistence/src/appleTest/kotlin/io/opentelemetry/kotlin/export/TelemetryFileSystemImplGzipTest.kt", "duplicate_line": 13, "correlation_key": "fp|8247316e009e093bd3c1a469cf0304e363926d837e48b7f36dc8adfa2020dab8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters-persistence/src/jvmTest/kotlin/io/opentelemetry/kotlin/export/TelemetryFileSystemImplGzipTest.kt"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8ee3bc5d0bfad0c7ceb237aeb0f5accde29e13cd229d3c023885e34004c1cce", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters-persistence/src/appleMain/kotlin/io/opentelemetry/kotlin/export/GzipCompression.apple.kt", "duplicate_line": 3, "correlation_key": "fp|f8ee3bc5d0bfad0c7ceb237aeb0f5accde29e13cd229d3c023885e34004c1cce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters-persistence/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/export/GzipCompression.jvm.kt"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cb67f0249d60c10a270933df85de8066ecc9d7bd5d44bfcff4c8485b9022119b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters-persistence/src/commonTest/kotlin/io/opentelemetry/kotlin/logging/export/PersistingLogRecordProcessorTest.kt", "duplicate_line": 240, "correlation_key": "fp|cb67f0249d60c10a270933df85de8066ecc9d7bd5d44bfcff4c8485b9022119b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters-persistence/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/export/PersistingSpanProcessorTest.kt"}, "region": {"startLine": 233}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 110697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2fe3720057c3f65447049d445083c0dd5c1807c3d86c56a63c27444137ec0825", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters-persistence/src/appleTest/kotlin/io/opentelemetry/kotlin/export/TelemetryFileSystemImplGzipTest.kt", "duplicate_line": 14, "correlation_key": "fp|2fe3720057c3f65447049d445083c0dd5c1807c3d86c56a63c27444137ec0825"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters-persistence/src/commonTest/kotlin/io/opentelemetry/kotlin/export/TelemetryFileSystemImplTest.kt"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dd91c4ad222bd8f7c96878f87e714c2ad651fb87cff94dba459d84449ca37ec9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters-persistence/src/commonMain/kotlin/io/opentelemetry/kotlin/logging/export/PersistingLogRecordProcessor.kt", "duplicate_line": 94, "correlation_key": "fp|dd91c4ad222bd8f7c96878f87e714c2ad651fb87cff94dba459d84449ca37ec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters-persistence/src/commonMain/kotlin/io/opentelemetry/kotlin/tracing/export/PersistingSpanProcessor.kt"}, "region": 
{"startLine": 109}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110695, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e3dfb5041ec316d92df409e1cc96cdcd8caf697cf4a2737a3b5906fd29b8f5e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters-otlp/src/commonTest/kotlin/io/opentelemetry/kotlin/logging/export/OtlpHttpLogRecordExporterTest.kt", "duplicate_line": 35, "correlation_key": "fp|e3dfb5041ec316d92df409e1cc96cdcd8caf697cf4a2737a3b5906fd29b8f5e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters-otlp/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/export/OtlpHttpSpanExporterTest.kt"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110694, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ef73671f3740b6b3eba4fdeb2bd5834e680774eb719d1d28db0cb5a17475cd6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters-in-memory/src/commonTest/kotlin/io/opentelemetry/kotlin/logging/export/InMemoryLogRecordExporterTest.kt", "duplicate_line": 15, "correlation_key": "fp|9ef73671f3740b6b3eba4fdeb2bd5834e680774eb719d1d28db0cb5a17475cd6"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "exporters-in-memory/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/export/InMemorySpanExporterTest.kt"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110693, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd47157a7dbe33bbe69d6c001ac2428d6117a242ec5f27e1c033593d2bdb7aa5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters-core/src/commonTest/kotlin/io/opentelemetry/kotlin/logging/export/CompositeLogRecordProcessorTest.kt", "duplicate_line": 120, "correlation_key": "fp|bd47157a7dbe33bbe69d6c001ac2428d6117a242ec5f27e1c033593d2bdb7aa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters-core/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/export/CompositeSpanProcessorTest.kt"}, "region": {"startLine": 197}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110692, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e113f47956a4b442b303623a1771c19e0c704d6449847072e8d0a344c9e200c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters-core/src/commonTest/kotlin/io/opentelemetry/kotlin/logging/export/CompositeLogRecordExporterTest.kt", 
"duplicate_line": 25, "correlation_key": "fp|5e113f47956a4b442b303623a1771c19e0c704d6449847072e8d0a344c9e200c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters-core/src/commonTest/kotlin/io/opentelemetry/kotlin/tracing/export/CompositeSpanExporterTest.kt"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110691, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58cec08f929127941b60a6d7538490046ed665c9ee5fb6fa1d0b97b9cbdd886c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "exporters-core/src/commonMain/kotlin/io/opentelemetry/kotlin/logging/export/BatchLogRecordProcessorImpl.kt", "duplicate_line": 21, "correlation_key": "fp|58cec08f929127941b60a6d7538490046ed665c9ee5fb6fa1d0b97b9cbdd886c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters-core/src/commonMain/kotlin/io/opentelemetry/kotlin/tracing/export/BatchSpanProcessorImpl.kt"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110690, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df20ee633b590e1dacd3be9c01b8a3cb7087f9043b8fd5ef46274dcc6a08de6b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/tracing/model/ReadWriteSpanAdapterTest.kt", "duplicate_line": 53, "correlation_key": "fp|df20ee633b590e1dacd3be9c01b8a3cb7087f9043b8fd5ef46274dcc6a08de6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/tracing/model/ReadableSpanAdapterTest.kt"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110689, "scanner": "repobility-ai-code-hygiene", "fingerprint": "97130f8ca9eb8f1557c45f91cce90dbe9cb453dd936317968d5d8245d03741db", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/logging/export/LogRecordExporterAdapterTest.kt", "duplicate_line": 55, "correlation_key": "fp|97130f8ca9eb8f1557c45f91cce90dbe9cb453dd936317968d5d8245d03741db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/tracing/export/SpanProcessorAdapterTest.kt"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110688, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b38ba7cda59d8529ca04fd9949aecef10eaf0f288f35d63acbc0d04a4fe66257", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/logging/export/LogRecordExporterAdapterTest.kt", "duplicate_line": 18, "correlation_key": "fp|b38ba7cda59d8529ca04fd9949aecef10eaf0f288f35d63acbc0d04a4fe66257"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/tracing/export/SpanExporterAdapterTest.kt"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110687, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b429bc5d0918be3b33fabc65b27678cf39d783a555ec0a61b5edf400f13edb80", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/tracing/OtelJavaSpanExportTest.kt", "duplicate_line": 96, "correlation_key": "fp|b429bc5d0918be3b33fabc65b27678cf39d783a555ec0a61b5edf400f13edb80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/tracing/SpanExportTest.kt"}, "region": {"startLine": 100}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110686, "scanner": "repobility-ai-code-hygiene", "fingerprint": "53a7c7e2d99133067f51d950975cf6c4bdabbb18ab7a22f4ba5fb53d67d66526", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/fakes/otel/java/FakeOtelJavaLogRecordExporter.kt", "duplicate_line": 10, "correlation_key": "fp|53a7c7e2d99133067f51d950975cf6c4bdabbb18ab7a22f4ba5fb53d67d66526"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/fakes/otel/java/FakeOtelJavaSpanExporter.kt"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110685, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e3303899d822f00183b37f25afa9332ee94616db589fc016cbc7b264ad5686b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/tracing/model/ReadWriteSpanAdapter.kt", "duplicate_line": 26, "correlation_key": "fp|e3303899d822f00183b37f25afa9332ee94616db589fc016cbc7b264ad5686b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/tracing/model/SpanAdapter.kt"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "753248e42775480ac088e3425aeca543a6c7dba7f19d69643f45d727690ac681", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/logging/export/ReadWriteLogRecordAdapter.kt", "duplicate_line": 54, "correlation_key": "fp|753248e42775480ac088e3425aeca543a6c7dba7f19d69643f45d727690ac681"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/tracing/model/ReadWriteSpanAdapter.kt"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 110733, "scanner": "repobility-threat-engine", "fingerprint": "42fc4030f57c04d8ace60c0c7e321d52477b44af5460a2f3247591bde9511d4d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|42fc4030f57c04d8ace60c0c7e321d52477b44af5460a2f3247591bde9511d4d"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "properties": {"repobilityId": 110729, "scanner": "repobility-threat-engine", "fingerprint": "384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af"}}}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 110725, "scanner": "repobility-threat-engine", "fingerprint": "46ff68ff7db83cf00f6ffbe7599b4e89bcb5b035260aaef0cd3674555248b181", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46ff68ff7db83cf00f6ffbe7599b4e89bcb5b035260aaef0cd3674555248b181"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test-fakes/src/commonMain/kotlin/io/opentelemetry/kotlin/tracing/FakeSpan.kt"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates 
correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 110724, "scanner": "repobility-threat-engine", "fingerprint": "163bc4d7edce0ea9033d05f5e1fa38f55ad83b52b958cb815ae986e89ca66623", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|163bc4d7edce0ea9033d05f5e1fa38f55ad83b52b958cb815ae986e89ca66623"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/fakes/otel/java/FakeOtelJavaReadWriteSpan.kt"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 110723, "scanner": "repobility-threat-engine", "fingerprint": "943db4f1688a94baa0438c393039e40582f1cf55d3dc9e61da8acb662837143f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|943db4f1688a94baa0438c393039e40582f1cf55d3dc9e61da8acb662837143f"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 110719, "scanner": "repobility-threat-engine", "fingerprint": "29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc"}}}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 110734, "scanner": "repobility-threat-engine", "fingerprint": "38f5efa5c8fa84ee649068747d7a467df576d99fa45ab133bfa6d9bcf0e59b20", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", 
"correlation_key": "fp|38f5efa5c8fa84ee649068747d7a467df576d99fa45ab133bfa6d9bcf0e59b20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "semconv/src/commonMain/kotlin/io/opentelemetry/kotlin/semconv/TlsAttributes.kt"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 110728, "scanner": "repobility-threat-engine", "fingerprint": "5b47e7d544752b88beb88f9f25861a9d78371c50132c52ec8f700c9ea48a7619", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fileSystem.delete(record.filename)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5b47e7d544752b88beb88f9f25861a9d78371c50132c52ec8f700c9ea48a7619"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters-persistence/src/commonMain/kotlin/io/opentelemetry/kotlin/export/TelemetryRepositoryImpl.kt"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. 
This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 110727, "scanner": "repobility-threat-engine", "fingerprint": "9c9d6766ac1eb1789ffad50850d2a9bf073ee44355f376b455e3a6493f94ab74", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fileSystem.delete(path)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9c9d6766ac1eb1789ffad50850d2a9bf073ee44355f376b455e3a6493f94ab74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters-persistence/src/commonMain/kotlin/io/opentelemetry/kotlin/export/TelemetryFileSystemImpl.kt"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 110726, "scanner": "repobility-threat-engine", "fingerprint": "bb5ff857335e6856a415ea71f9e341ba64a1aca436006b1db99ab7acbafa4cc4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "repository.delete(record)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bb5ff857335e6856a415ea71f9e341ba64a1aca436006b1db99ab7acbafa4cc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "exporters-persistence/src/commonMain/kotlin/io/opentelemetry/kotlin/export/PersistingExporter.kt"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 110718, "scanner": "repobility-threat-engine", "fingerprint": "b22ccf3d6532d20a2fcb80f813917109e77436155774f13228d661faf3db3600", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b22ccf3d6532d20a2fcb80f813917109e77436155774f13228d661faf3db3600"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/logging/OtelJavaLoggerBuilderAdapter.kt"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 110717, "scanner": "repobility-threat-engine", "fingerprint": "ce776fe45c8e1cb4ae23d0be54f750e7c3c99310d77b235f029e7e04b9fcfa70", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ce776fe45c8e1cb4ae23d0be54f750e7c3c99310d77b235f029e7e04b9fcfa70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/logging/LoggerProviderAdapter.kt"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 110716, "scanner": "repobility-threat-engine", "fingerprint": "55119e430af1c278da153a3fa1c3acc2fb54bb5a3ef3b01341688c06991442bc", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55119e430af1c278da153a3fa1c3acc2fb54bb5a3ef3b01341688c06991442bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/factory/CompatResourceFactory.kt"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 110715, "scanner": "repobility-supply-chain", "fingerprint": "e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 110732, "scanner": "repobility-threat-engine", "fingerprint": "6bacf84cbf32cf5eac59e8cbeeb4ab6392ac13879bdb895c0c8499af404f5ae9", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(ratio", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6bacf84cbf32cf5eac59e8cbeeb4ab6392ac13879bdb895c0c8499af404f5ae9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonMain/kotlin/io/opentelemetry/kotlin/tracing/sampling/ProbabilitySampler.kt"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 110731, "scanner": "repobility-threat-engine", "fingerprint": "b90fef3d5850b63748627d14d6b803561d77c43ca87d5e074017bf8abaeecfa1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(threshold", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b90fef3d5850b63748627d14d6b803561d77c43ca87d5e074017bf8abaeecfa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonMain/kotlin/io/opentelemetry/kotlin/tracing/sampling/OtelTraceState.kt"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 110730, "scanner": "repobility-threat-engine", "fingerprint": "172c1f01e14745b98acd6f70475f739f31d52fb3e035613e8315a666fdecd042", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(value", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|172c1f01e14745b98acd6f70475f739f31d52fb3e035613e8315a666fdecd042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "implementation/src/commonMain/kotlin/io/opentelemetry/kotlin/config/envar/model/EnvVarName.kt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 110714, "scanner": "repobility-supply-chain", "fingerprint": "21e1e03236248bc5065edee1fe5cde6bb223b15d103bd8abdd9a0b6689470536", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21e1e03236248bc5065edee1fe5cde6bb223b15d103bd8abdd9a0b6689470536"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-build.yml"}, "region": {"startLine": 50}}}]}]}]}