{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 14 more): Same pattern found in 14 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `V2rayNG/gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `V2rayNG/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`V2rayNG/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (59,203 bytes) committed to a repo that otherwise has 142 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `svenstaro/upload-release-action` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `svenstaro/upload-release-action` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: svenstaro/upload-release-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/903"}, "properties": {"repository": "2dust/v2rayNG", "repoUrl": "https://github.com/2dust/v2rayNG", "branch": "master"}, "results": [{"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 84284, "scanner": "repobility-threat-engine", "fingerprint": "2090912c6051db5150e72c585f345d4b884204e9e17175c46b4415a34af6535d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|25|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/viewmodel/LogcatViewModel.kt"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84261, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ba76317698b97436a3e71a9db67cbc21e1349255a977e4650ae5d7fcf5040ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/RoutingEditActivity.kt", "duplicate_line": 140, "correlation_key": "fp|1ba76317698b97436a3e71a9db67cbc21e1349255a977e4650ae5d7fcf5040ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/UserAssetUrlActivity.kt"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84260, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74137077c5d977ac294c9de45f19cd9fd912e76563da8bd1baa53e86102aadf0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/RoutingSettingRecyclerAdapter.kt", "duplicate_line": 48, "correlation_key": "fp|74137077c5d977ac294c9de45f19cd9fd912e76563da8bd1baa53e86102aadf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/SubSettingRecyclerAdapter.kt"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84259, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ab831d4d96a01c1db8fdd0c4f12f23b903b915ccc67cbad375578add933d7c5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/MainActivity.kt", "duplicate_line": 379, "correlation_key": "fp|0ab831d4d96a01c1db8fdd0c4f12f23b903b915ccc67cbad375578add933d7c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/SubSettingActivity.kt"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84258, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e15d008976dcc2f3476afebb044dba762be8196f10ba689a77f5b6e375e16a06", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/RoutingEditActivity.kt", "duplicate_line": 141, "correlation_key": "fp|e15d008976dcc2f3476afebb044dba762be8196f10ba689a77f5b6e375e16a06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/SubEditActivity.kt"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84257, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74f846dc03c0525bf9534e643fd2730215d8ff3b2a17b1ff436077076c68ae26", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/RoutingEditActivity.kt", "duplicate_line": 141, "correlation_key": "fp|74f846dc03c0525bf9534e643fd2730215d8ff3b2a17b1ff436077076c68ae26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/ServerProxyChainActivity.kt"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84256, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0859ac5e807f47a31a4a186da6f9069fa7e0161f9d5c93a0f34f2a01875aa834", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/ServerActivity.kt", "duplicate_line": 595, "correlation_key": "fp|0859ac5e807f47a31a4a186da6f9069fa7e0161f9d5c93a0f34f2a01875aa834"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/ServerProxyChainActivity.kt"}, "region": {"startLine": 120}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84255, "scanner": "repobility-ai-code-hygiene", "fingerprint": "936c970b3aeb6c45f67a658f49e4cb3a02ae995a93fe2115294d1d3d63a9768f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/RoutingEditActivity.kt", "duplicate_line": 141, "correlation_key": "fp|936c970b3aeb6c45f67a658f49e4cb3a02ae995a93fe2115294d1d3d63a9768f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/ServerGroupActivity.kt"}, "region": {"startLine": 116}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84254, "scanner": "repobility-ai-code-hygiene", "fingerprint": "04b18fdb06136bf8b604fade756ab2a419287f8fa5188444f9b19ddc1c259002", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/ServerActivity.kt", "duplicate_line": 617, "correlation_key": "fp|04b18fdb06136bf8b604fade756ab2a419287f8fa5188444f9b19ddc1c259002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/ServerGroupActivity.kt"}, "region": {"startLine": 111}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84253, "scanner": "repobility-ai-code-hygiene", "fingerprint": "59e4cc15e14d0df240a9a6d0987d92c586939d8f322ad328b45844195182c9e8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/ServerCustomConfigActivity.kt", "duplicate_line": 76, "correlation_key": "fp|59e4cc15e14d0df240a9a6d0987d92c586939d8f322ad328b45844195182c9e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/ServerGroupActivity.kt"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84252, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0dddd770c5692f853e21ca8a999ee34bf379282178f3e3eeebea107a5ac1c144", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/RoutingEditActivity.kt", "duplicate_line": 141, "correlation_key": "fp|0dddd770c5692f853e21ca8a999ee34bf379282178f3e3eeebea107a5ac1c144"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/ServerCustomConfigActivity.kt"}, "region": {"startLine": 100}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84251, "scanner": "repobility-ai-code-hygiene", "fingerprint": "adbfc623a501bcd721e09c797d5bdfc6bfcdf5d45beb41b187794acc0ebfc15a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/ServerActivity.kt", "duplicate_line": 615, "correlation_key": "fp|adbfc623a501bcd721e09c797d5bdfc6bfcdf5d45beb41b187794acc0ebfc15a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/ServerCustomConfigActivity.kt"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84250, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d8e3a9632897d42f347e94787a02a5c76e322467f0ad2ebebb7afac72fa49610", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/RoutingEditActivity.kt", "duplicate_line": 141, "correlation_key": "fp|d8e3a9632897d42f347e94787a02a5c76e322467f0ad2ebebb7afac72fa49610"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/ServerActivity.kt"}, "region": {"startLine": 622}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 84280, "scanner": "repobility-threat-engine", "fingerprint": "da46a28bd5a0793d1138b7d1905c6c281042b8ad55c10271a27e49aa8d6bca83", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da46a28bd5a0793d1138b7d1905c6c281042b8ad55c10271a27e49aa8d6bca83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/service/DialerWebviewService.kt"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 84279, "scanner": "repobility-threat-engine", "fingerprint": "14ce4ae7a22d633b8fe645d2ab2c7e5422f6d980891ae5a572bf746a645a7bfd", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|14ce4ae7a22d633b8fe645d2ab2c7e5422f6d980891ae5a572bf746a645a7bfd"}}}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 84285, "scanner": "repobility-threat-engine", "fingerprint": "c913be3ff2de30f157d59519212ca4439ab5be97b735fc749500a7b32541192c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(lst", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c913be3ff2de30f157d59519212ca4439ab5be97b735fc749500a7b32541192c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/viewmodel/LogcatViewModel.kt"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 84283, "scanner": "repobility-threat-engine", "fingerprint": "67a03c589d1b4f920cc1df679783e925ed2de1f6e2446925eee05174be37714a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "file.delete()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|67a03c589d1b4f920cc1df679783e925ed2de1f6e2446925eee05174be37714a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/UserAssetUrlActivity.kt"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 84282, "scanner": "repobility-threat-engine", "fingerprint": "b0ac15f6fc484fdf6e90b6802699e6e7b16edb8493d83cfb4abdbac95cc3529e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "viewModel.update(subId, subItem)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b0ac15f6fc484fdf6e90b6802699e6e7b16edb8493d83cfb4abdbac95cc3529e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/SubSettingRecyclerAdapter.kt"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 84281, "scanner": "repobility-threat-engine", "fingerprint": "0788e0b60346639bbcdb87d534b3cf39a7ff812958196a6d8272a4e5b98c5b66", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "viewModel.update(position, ruleset)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0788e0b60346639bbcdb87d534b3cf39a7ff812958196a6d8272a4e5b98c5b66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/ui/RoutingSettingRecyclerAdapter.kt"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84278, "scanner": "repobility-threat-engine", "fingerprint": "5920606d44b2566324bbd2fafa12e04ec170ff68f9b5e839ee0b33f37af9f561", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5920606d44b2566324bbd2fafa12e04ec170ff68f9b5e839ee0b33f37af9f561"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/fmt/Hysteria2Fmt.kt"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84277, "scanner": "repobility-threat-engine", "fingerprint": "8be2576fc54ea9dbf6bfd00eca40e3951dc5d27bd910fd97a547503de82997b6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8be2576fc54ea9dbf6bfd00eca40e3951dc5d27bd910fd97a547503de82997b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/extension/_Ext.kt"}, "region": {"startLine": 182}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84276, "scanner": "repobility-threat-engine", "fingerprint": "3b4c2d72c971866c97c9a5a37a0ba6da234b75af666abb3d5bc90716ec1f61d5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3b4c2d72c971866c97c9a5a37a0ba6da234b75af666abb3d5bc90716ec1f61d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/java/com/v2ray/ang/core/CoreConfigContextBuilder.kt"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `V2rayNG/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 84275, "scanner": "repobility-supply-chain", "fingerprint": "12befa06b036d9fbd7aeaad6349b937c37d74b3fadb1af36527cc4ddad836c6d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12befa06b036d9fbd7aeaad6349b937c37d74b3fadb1af36527cc4ddad836c6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `svenstaro/upload-release-action` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 84274, "scanner": "repobility-supply-chain", "fingerprint": "776e3cf9e324d2941ac9721d057ebcea36f72a0fa79642341806889c05e7bc17", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|776e3cf9e324d2941ac9721d057ebcea36f72a0fa79642341806889c05e7bc17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 84273, "scanner": "repobility-supply-chain", "fingerprint": "a02eef6afb28d05122a0bb6eab135ab58994734d546ddaf7cbb1a0147aa2e03b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a02eef6afb28d05122a0bb6eab135ab58994734d546ddaf7cbb1a0147aa2e03b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 84272, "scanner": "repobility-supply-chain", "fingerprint": "5da8f44304cd22824cf6fb2da1a691233f3850afdf72cebeaddf567f7b27d4aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5da8f44304cd22824cf6fb2da1a691233f3850afdf72cebeaddf567f7b27d4aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 84271, "scanner": "repobility-supply-chain", "fingerprint": "bbc64a7172a650cdd1833ff8a953112302f89a0e4445f586c844f8972b62b267", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bbc64a7172a650cdd1833ff8a953112302f89a0e4445f586c844f8972b62b267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `timheuer/base64-to-file` pinned to mutable ref `@v2.0.0`"}, "properties": {"repobilityId": 84270, "scanner": "repobility-supply-chain", "fingerprint": "af4c167c62e66ea05fe1ecc4d86b44e5ea816d3c39ae449ed4a06123a0237bbb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af4c167c62e66ea05fe1ecc4d86b44e5ea816d3c39ae449ed4a06123a0237bbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 84269, "scanner": "repobility-supply-chain", "fingerprint": "7084ab304c3c06fa7030cf86b5b4ffc7f774048d7a7ae00bfece984bf5a1d7cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7084ab304c3c06fa7030cf86b5b4ffc7f774048d7a7ae00bfece984bf5a1d7cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `robinraju/release-downloader` pinned to mutable ref `@v1.13`"}, "properties": {"repobilityId": 84268, "scanner": "repobility-supply-chain", "fingerprint": "4d8c863f598ab95b9e15b5f67d327222fb1cd5bb967f8b6da991478d72818030", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d8c863f598ab95b9e15b5f67d327222fb1cd5bb967f8b6da991478d72818030"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache/save` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 84267, "scanner": "repobility-supply-chain", "fingerprint": "e4a8b70fa1d14828b5b9f6aced1d368fc02d2fd30daea1abc926a246fe7f44f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4a8b70fa1d14828b5b9f6aced1d368fc02d2fd30daea1abc926a246fe7f44f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache/restore` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 84266, "scanner": "repobility-supply-chain", "fingerprint": "141744941bc949ad89549b578f48af5c5cf6ee9bfaac3825e80ac66ce0b764cb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|141744941bc949ad89549b578f48af5c5cf6ee9bfaac3825e80ac66ce0b764cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `android-actions/setup-android` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 84265, "scanner": "repobility-supply-chain", "fingerprint": "4dc922ec8a6f4760ff6a7b47638d891445eb00df043791c7a32d2880f58ab04d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4dc922ec8a6f4760ff6a7b47638d891445eb00df043791c7a32d2880f58ab04d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 84264, "scanner": "repobility-supply-chain", "fingerprint": "c277ed4a816028e08c7ef9d63d6f72bfb22226f8e295a6f0f22d9d5e3f8df70c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c277ed4a816028e08c7ef9d63d6f72bfb22226f8e295a6f0f22d9d5e3f8df70c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ashutoshgngwr/validate-fastlane-supply-metadata` pinned to mutable ref `@v2.1.0`"}, "properties": {"repobilityId": 84263, "scanner": "repobility-supply-chain", "fingerprint": "3698aa54b15310bc29450a04bf6a670e3061398e6b1c6fdecf168de7f8e3f5e1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3698aa54b15310bc29450a04bf6a670e3061398e6b1c6fdecf168de7f8e3f5e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fastlane.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 84262, "scanner": "repobility-supply-chain", "fingerprint": "4993ea59c49941fbafb8534040a1be93401f6534762e087bba80600e02e73cae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4993ea59c49941fbafb8534040a1be93401f6534762e087bba80600e02e73cae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fastlane.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 84286, "scanner": "gitleaks", "fingerprint": "95301ce0aaa2fdb150da91801bf726f50ea00dc6b4fa8919e7fe5fd45d36c464", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key=\"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|5|key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "V2rayNG/app/src/main/res/xml/pref_settings.xml"}, "region": {"startLine": 51}}}]}]}]}