{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v3`: `uses: codecov/codecov-action@v3` resolves at wo", "shortDescription": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v3`: `uses: codecov/codecov-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromi"}, "fullDescription": {"text": "Replace with: `uses: codecov/codecov-action@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.distribution` used but never assigned in __init__: Method `run` of class `Sdist` reads `self.distributi", "shortDescription": {"text": "[MINED108] `self.distribution` used but never assigned in __init__: Method `run` of class `Sdist` reads `self.distribution`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time"}, "fullDescription": {"text": "Initialize `self.distribution = ` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n ALLOWED = {'images.example.com', 'cdn.example.com'}\n host = urlparse(url).hostname\n if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_re", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_SECRET_ACCESS_KEY }` lets a PR from any fork exfil"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require() loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require() loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1167"}, "properties": {"repository": "bokeh/bokeh", "repoUrl": "https://github.com/bokeh/bokeh", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 116955, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 116944, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 116943, "scanner": "repobility-threat-engine", "fingerprint": "2aa32495efd45d26d7a3681d62c9a2294b67336b93ebbfe2696381433f0459a6", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2aa32495efd45d26d7a3681d62c9a2294b67336b93ebbfe2696381433f0459a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/compiler/prelude.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 116954, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c5bc0a631f56d5b17a226c406a853003157697796c890b11cb572b4944149e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bokehjs/src/lib/models/glyphs/block.ts", "duplicate_line": 19, "correlation_key": "fp|7c5bc0a631f56d5b17a226c406a853003157697796c890b11cb572b4944149e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/lib/models/glyphs/quad.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 116953, "scanner": "repobility-ai-code-hygiene", "fingerprint": "943d01845bcf6e26ae97a494b1304cda94e1ac63bcf95ec6ac27ab8fd1336276", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bokehjs/src/lib/models/glyphs/multi_polygons.ts", "duplicate_line": 129, "correlation_key": "fp|943d01845bcf6e26ae97a494b1304cda94e1ac63bcf95ec6ac27ab8fd1336276"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/lib/models/glyphs/patches.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 116952, "scanner": "repobility-ai-code-hygiene", "fingerprint": "398de538d1ac3c235fba07a930baef6b6506a32dda574cedcdb784aba85c991b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bokehjs/src/lib/models/glyphs/multi_line.ts", "duplicate_line": 25, "correlation_key": "fp|398de538d1ac3c235fba07a930baef6b6506a32dda574cedcdb784aba85c991b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/lib/models/glyphs/patches.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 116951, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2ff95b9dc6f4bcfb46a4c342b7cd30724fd5c88adb24b86e9ef09530812d06e4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bokehjs/src/lib/models/glyphs/circle.ts", "duplicate_line": 203, "correlation_key": "fp|2ff95b9dc6f4bcfb46a4c342b7cd30724fd5c88adb24b86e9ef09530812d06e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/lib/models/glyphs/marker.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 116950, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bae54d84c23d54d5f0dabc8a90085d0ea931769a1c62c3ab8a6f35de22703c69", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bokehjs/src/lib/models/glyphs/hex_tile.ts", "duplicate_line": 145, "correlation_key": "fp|bae54d84c23d54d5f0dabc8a90085d0ea931769a1c62c3ab8a6f35de22703c69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/lib/models/glyphs/lrtb.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 116949, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f350d48b4e175caecaffcd794ca5511cf6141d1a573b057cf8ae0cc56f884096", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bokehjs/src/lib/models/callbacks/customjs.ts", "duplicate_line": 20, "correlation_key": "fp|f350d48b4e175caecaffcd794ca5511cf6141d1a573b057cf8ae0cc56f884096"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/lib/models/filters/customjs_filter.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 116948, "scanner": "repobility-ai-code-hygiene", "fingerprint": "087e49012b735f701e401111128678eacfc74d9f0c7fab600b376c0568be28e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bokehjs/src/lib/models/annotations/html/text_annotation.ts", "duplicate_line": 88, "correlation_key": "fp|087e49012b735f701e401111128678eacfc74d9f0c7fab600b376c0568be28e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/lib/models/annotations/text_annotation.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 116947, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc6e878cf74c9c1ac27a72a34ffb1e0f6cb8326707ed28065ffb82584c67ebdd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bokehjs/src/lib/models/annotations/html/label_set.ts", "duplicate_line": 41, "correlation_key": "fp|bc6e878cf74c9c1ac27a72a34ffb1e0f6cb8326707ed28065ffb82584c67ebdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/lib/models/annotations/label_set.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 116946, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ac9850cd56c719279cf9cd4c93f0f7d97964d5a9949a40ca514543797421fed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bokehjs/src/lib/models/annotations/html/label.ts", "duplicate_line": 22, "correlation_key": "fp|5ac9850cd56c719279cf9cd4c93f0f7d97964d5a9949a40ca514543797421fed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/lib/models/annotations/label.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 116945, "scanner": "repobility-ai-code-hygiene", "fingerprint": "524510d744eb4aec41f6a1fe6394b9d58c43eb0df881ea2b0f67dce7de9df315", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bokehjs/src/lib/models/annotations/html/label_set.ts", "duplicate_line": 101, "correlation_key": "fp|524510d744eb4aec41f6a1fe6394b9d58c43eb0df881ea2b0f67dce7de9df315"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/lib/models/annotations/html/text_annotation.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 116942, "scanner": "repobility-threat-engine", "fingerprint": "10f3474a1fa03398661061c547bcc72762dfca3fe5dfc046af5ad5f88285a8ae", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Cannot find Bokeh \" + version + \". You have to load it prior to loading plugins.\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|10f3474a1fa03398661061c547bcc72762dfca3fe5dfc046af5ad5f88285a8ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/compiler/prelude.ts"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 116940, "scanner": "repobility-threat-engine", "fingerprint": "9dd9473179bb3aabdbf7402a4ec2f1dff9b7aa892052548d70b0cc49b550c64f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9dd9473179bb3aabdbf7402a4ec2f1dff9b7aa892052548d70b0cc49b550c64f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/compiler/compiler.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 116939, "scanner": "repobility-threat-engine", "fingerprint": "04c02806f0bff74a217d9086be918d29630580e28e497a5f382f9b66a41dd198", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|04c02806f0bff74a217d9086be918d29630580e28e497a5f382f9b66a41dd198"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/compiler/build.ts"}, "region": {"startLine": 236}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 116938, "scanner": "repobility-threat-engine", "fingerprint": "07e5b641a16d0459fe1d5f0facd1de1592936eeb7d08b58b037b57b08f9e65e3", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "print(report_diagnostics(tsconfig.diagnostics)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|28|print report_diagnostics tsconfig.diagnostics"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/src/compiler/build.ts"}, "region": {"startLine": 289}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 116936, "scanner": "repobility-threat-engine", "fingerprint": "7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "aggregated_count": 3}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 116935, "scanner": "repobility-threat-engine", "fingerprint": "fa2d1e847e4a609060bc9a15a81e839134dc473a3892be08d4904d97eabde40c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fa2d1e847e4a609060bc9a15a81e839134dc473a3892be08d4904d97eabde40c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/examples/tap/tap.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 116934, "scanner": "repobility-threat-engine", "fingerprint": "3036c644e733d3024a7868d31137ee7119492923aa056d6d34cb0048ca688697", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3036c644e733d3024a7868d31137ee7119492923aa056d6d34cb0048ca688697"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/examples/hover/hover.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 116933, "scanner": "repobility-threat-engine", "fingerprint": "2af675f19d31f61e338956ac6024d3edbf6a2d7def336d409d415d243dcee196", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2af675f19d31f61e338956ac6024d3edbf6a2d7def336d409d415d243dcee196"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/examples/donut/donut.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 116931, "scanner": "repobility-threat-engine", "fingerprint": "3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 116927, "scanner": "repobility-threat-engine", "fingerprint": "f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "aggregated_count": 8}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 116926, "scanner": "repobility-threat-engine", "fingerprint": "37852f64a5fe14066ed025209f7473c3e19b460e088d65033701a45176245e9f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37852f64a5fe14066ed025209f7473c3e19b460e088d65033701a45176245e9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/examples/legends/legends.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 116925, "scanner": "repobility-threat-engine", "fingerprint": "313157f8e798862be72280cd3e68cee2d3c9bc01b00a98a182129a993a5e18e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|313157f8e798862be72280cd3e68cee2d3c9bc01b00a98a182129a993a5e18e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/examples/burtin/burtin.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 116924, "scanner": "repobility-threat-engine", "fingerprint": "2a1dba7ff66838e22f1af8ffc5a843254975c62255e5a495ec52d761948db4ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a1dba7ff66838e22f1af8ffc5a843254975c62255e5a495ec52d761948db4ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/examples/anscombe/anscombe.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v3`: `uses: codecov/codecov-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116983, "scanner": "repobility-supply-chain", "fingerprint": "3426f63c5762f8454adb92ca6918bfa600a2962bdb50ed4fd5438c1a316b87d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3426f63c5762f8454adb92ca6918bfa600a2962bdb50ed4fd5438c1a316b87d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-ci.yml"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116982, "scanner": "repobility-supply-chain", "fingerprint": "77aed9e2b2a8b44b662c87da0a80cd585e7d90a605292cfbe30a3c4b091bfada", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|77aed9e2b2a8b44b662c87da0a80cd585e7d90a605292cfbe30a3c4b091bfada"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-ci.yml"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v3`: `uses: codecov/codecov-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116981, "scanner": "repobility-supply-chain", "fingerprint": "71cf31a9b2495d5b5e971f0ea8f8edc6921ee61a3335060f2abbbedbb9945fe2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71cf31a9b2495d5b5e971f0ea8f8edc6921ee61a3335060f2abbbedbb9945fe2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-ci.yml"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116980, "scanner": "repobility-supply-chain", "fingerprint": "adfc674c3069e92e9d2d366f5f02b3e0871e96ac38f239526b6d9a80565281eb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|adfc674c3069e92e9d2d366f5f02b3e0871e96ac38f239526b6d9a80565281eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-ci.yml"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v3`: `uses: codecov/codecov-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116979, "scanner": "repobility-supply-chain", "fingerprint": "2f4865dcc2b4355accec9244bb8b6ae7dfe19e96b46b2880e58ed8abff3cca23", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f4865dcc2b4355accec9244bb8b6ae7dfe19e96b46b2880e58ed8abff3cca23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-ci.yml"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116978, "scanner": "repobility-supply-chain", "fingerprint": "1c79c575ea661a037483e378f394fd3ec14cd7e2dbfa519e992ed4b69135d9a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c79c575ea661a037483e378f394fd3ec14cd7e2dbfa519e992ed4b69135d9a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-ci.yml"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v3`: `uses: actions/upload-artifact@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116977, "scanner": "repobility-supply-chain", "fingerprint": "547f73d5cfcc1f901bfeb72ca2d208647f2efad9a024706f017133a10f676937", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|547f73d5cfcc1f901bfeb72ca2d208647f2efad9a024706f017133a10f676937"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-ci.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116976, "scanner": "repobility-supply-chain", "fingerprint": "c0de7e8c08035f6602b41bf523dfbc6b67aa912bc7db4573df7ac7f0edd1ddd4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c0de7e8c08035f6602b41bf523dfbc6b67aa912bc7db4573df7ac7f0edd1ddd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-ci.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116975, "scanner": "repobility-supply-chain", "fingerprint": "fe91ed8bb8672b76d1223e9f29ca7eac7bc348b6d2409ba476199eb1bdf4a942", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe91ed8bb8672b76d1223e9f29ca7eac7bc348b6d2409ba476199eb1bdf4a942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-ci.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v3`: `uses: actions/upload-artifact@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116974, "scanner": "repobility-supply-chain", "fingerprint": "7a2fa33f544f8ed4a6cc7f587698adcc505bb7b31267cc4c3648a4102a0ac984", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a2fa33f544f8ed4a6cc7f587698adcc505bb7b31267cc4c3648a4102a0ac984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-ci.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `conda-incubator/setup-miniconda` pinned to mutable ref `@v2`: `uses: conda-incubator/setup-miniconda@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116973, "scanner": "repobility-supply-chain", "fingerprint": "b0fa88450eb2836260e501f546e8624ef26394adfcb5c453a8c1102096769d1e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0fa88450eb2836260e501f546e8624ef26394adfcb5c453a8c1102096769d1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-ci.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116972, "scanner": "repobility-supply-chain", "fingerprint": "06e6bb64415deb7fe8955bb55ab5cc6bf004c4fef87da1c4a130b8795f283a62", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06e6bb64415deb7fe8955bb55ab5cc6bf004c4fef87da1c4a130b8795f283a62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-ci.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `conda-incubator/setup-miniconda` pinned to mutable ref `@v2`: `uses: conda-incubator/setup-miniconda@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116971, "scanner": "repobility-supply-chain", "fingerprint": "45fbe80aaa02aa722155ab6c2ef3ab78b9563877bd1c8532e450c231ba537d49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45fbe80aaa02aa722155ab6c2ef3ab78b9563877bd1c8532e450c231ba537d49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-release-build.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116970, "scanner": "repobility-supply-chain", "fingerprint": "251bd94354e3d911034a8c015acff4f6466fafb5ccfd199e865449fa942c0d2d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|251bd94354e3d911034a8c015acff4f6466fafb5ccfd199e865449fa942c0d2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-release-build.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v1`: `uses: actions/upload-artifact@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116969, "scanner": "repobility-supply-chain", "fingerprint": "73a0687c0f372e1fe9f1316ab44983fc837812b8d5a8196e0e05cb9e38cd52a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73a0687c0f372e1fe9f1316ab44983fc837812b8d5a8196e0e05cb9e38cd52a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokehjs-ci.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116968, "scanner": "repobility-supply-chain", "fingerprint": "948c8253596843b9ca14a6d43017a4fc9bfb8b1ba5eebb32105b92b0a68fee66", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|948c8253596843b9ca14a6d43017a4fc9bfb8b1ba5eebb32105b92b0a68fee66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokehjs-ci.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116967, "scanner": "repobility-supply-chain", "fingerprint": "8bdd583e3a5139afa83787d56180223f3bbd9b9dc46073e3c238188ec956df64", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8bdd583e3a5139afa83787d56180223f3bbd9b9dc46073e3c238188ec956df64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokehjs-ci.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `conda-incubator/setup-miniconda` pinned to mutable ref `@v2`: `uses: conda-incubator/setup-miniconda@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116966, "scanner": "repobility-supply-chain", "fingerprint": "a441ee181428f60de37bf7e7f65b3ed89f985cd94b7892ec22f4fbfaef86434d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a441ee181428f60de37bf7e7f65b3ed89f985cd94b7892ec22f4fbfaef86434d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-release-deploy.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116965, "scanner": "repobility-supply-chain", "fingerprint": "cc071a494c47b21ab2c163005c570b493397d7167d2e32b0e4197dcd093a11b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc071a494c47b21ab2c163005c570b493397d7167d2e32b0e4197dcd093a11b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-release-deploy.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v2`: `uses: github/codeql-action/analyze@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116964, "scanner": "repobility-supply-chain", "fingerprint": "5b4e2fda5f857d7edc8a62bf75c2f143a35377d85d9dfc4259396de1831db0fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b4e2fda5f857d7edc8a62bf75c2f143a35377d85d9dfc4259396de1831db0fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v2`: `uses: github/codeql-action/init@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116963, "scanner": "repobility-supply-chain", "fingerprint": "58385216628b14f0ecbc1aeaaa468904e0aba0946ee51822b36017f1b82307a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58385216628b14f0ecbc1aeaaa468904e0aba0946ee51822b36017f1b82307a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116962, "scanner": "repobility-supply-chain", "fingerprint": "5b90d49293d4882c9e96edfd70a9772309f6f7745c6b55527344e92092e8182a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b90d49293d4882c9e96edfd70a9772309f6f7745c6b55527344e92092e8182a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v1`: `uses: actions/upload-artifact@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116961, "scanner": "repobility-supply-chain", "fingerprint": "3ff7686cacee718c4e9777191af196d739274db8148823fc3f024422ad701109", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ff7686cacee718c4e9777191af196d739274db8148823fc3f024422ad701109"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-docker-build.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v2`: `uses: actions/upload-artifact@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116960, "scanner": "repobility-supply-chain", "fingerprint": "e3827414ce1eb45ae210fbdf5142c3570cbafdf6842305c6048147522a1ca1f8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e3827414ce1eb45ae210fbdf5142c3570cbafdf6842305c6048147522a1ca1f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-docker-build.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 116959, "scanner": "repobility-supply-chain", "fingerprint": "0e3009cee7c0177f15efe1b830d327fee9c45ce42e23162e4d3e91031b854a3f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e3009cee7c0177f15efe1b830d327fee9c45ce42e23162e4d3e91031b854a3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bokeh-docker-build.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.distribution` used but never assigned in __init__: Method `run` of class `Sdist` reads `self.distribution`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 116958, "scanner": "repobility-ast-engine", "fingerprint": "1d04c91f2b381f585b24b080dd5217a17b707ec529e934329a95f7ade85fa60d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1d04c91f2b381f585b24b080dd5217a17b707ec529e934329a95f7ade85fa60d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.distribution` used but never assigned in __init__: Method `run` of class `EditableWheel` reads `self.distribution`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 116957, "scanner": "repobility-ast-engine", "fingerprint": "aa162293320df80daa60aef0b4d592757308627113ddb69b5a66a3ed9bd5970c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aa162293320df80daa60aef0b4d592757308627113ddb69b5a66a3ed9bd5970c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.distribution` used but never assigned in __init__: Method `run` of class `Build` reads `self.distribution`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 116956, "scanner": "repobility-ast-engine", "fingerprint": "4d5b21eadead101b42b4520e5323f8eb976ecc655c07ca98e5000a89e8189097", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4d5b21eadead101b42b4520e5323f8eb976ecc655c07ca98e5000a89e8189097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 116937, "scanner": "repobility-threat-engine", "fingerprint": "6e3c1c0384b44bd6213f37d4bf93dd31c6c648ee3a81cd7d41c1ccfa1e028d98", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "socket.destroy()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6e3c1c0384b44bd6213f37d4bf93dd31c6c648ee3a81cd7d41c1ccfa1e028d98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/make/tasks/_util.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 116932, "scanner": "repobility-threat-engine", "fingerprint": "422637a3e9d1a4c4e381ad2f14c5ab74d74757aa471a0ad15e21c11fd1583cab", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|422637a3e9d1a4c4e381ad2f14c5ab74d74757aa471a0ad15e21c11fd1583cab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bokehjs/examples/donut/donut.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any