{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/292"}, "properties": {"repository": "jackwener/OpenCLI", "repoUrl": "https://github.com/jackwener/OpenCLI", "branch": "main"}, "results": [{"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9191, "scanner": "repobility-journey-contract", "fingerprint": "5c5282adbc840f49892fc3ab9cb714b23927234c33711ba602fefe41e7918566", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clis/slock/_utils.js|4|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/slock/_utils.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9190, "scanner": "repobility-journey-contract", "fingerprint": "b669d9e4061538f39527cd8706fd29139b665464819d2f1043b1ad51c505dcad", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clis/mubu/utils.js|23|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/mubu/utils.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 9186, "scanner": "repobility-threat-engine", "fingerprint": "bb11489027c62ee91fa6330146f37bd4388c87f5792e144ee901c647e8e90afa", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|src/electron-apps.ts|69|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/electron-apps.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 9185, "scanner": "repobility-threat-engine", "fingerprint": "2e601b6b6a89185a7e77ca60a45304c75e4825fd340d86736d4ff7cec0f53606", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|src/external.ts|52|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/external.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 9183, "scanner": "repobility-threat-engine", "fingerprint": "f23e29ab54d4da348b82d62ff1b53f3a08cacce8a56614434abf392258fe83a3", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f23e29ab54d4da348b82d62ff1b53f3a08cacce8a56614434abf392258fe83a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/execution.ts"}, "region": {"startLine": 320}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 9182, "scanner": "repobility-threat-engine", "fingerprint": "cf7d3d29360e054d72f15ccb1e9762a5edaee4486c0bbfdf3ae6f532a6cf45ab", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(e){}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cf7d3d29360e054d72f15ccb1e9762a5edaee4486c0bbfdf3ae6f532a6cf45ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli.ts"}, "region": {"startLine": 963}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 9181, "scanner": "repobility-threat-engine", "fingerprint": "948b0825b8248a797a23f682fbe260dd7bb2b7cd3f0822a37944cebc910cbba5", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|948b0825b8248a797a23f682fbe260dd7bb2b7cd3f0822a37944cebc910cbba5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/runtime.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9178, "scanner": "repobility-threat-engine", "fingerprint": "685fd1ca72d50b31204d32475bd4c9006cf83cba319bc8322bf3ca7cf397c846", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "Math.random()", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|clis/instagram/post.js|499|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/instagram/post.js"}, "region": {"startLine": 499}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9177, "scanner": "repobility-threat-engine", "fingerprint": "dae3271a54db2d57dd2227063b39fa35e405ae88cb55a80076f7c06472bcbbb7", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "Math.random()", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|57|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/maimai/search-talents.js"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9176, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a5605e703036cc60a1827ef313fcb923202ded4a026da42d0cf13439b4885f62", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "clis/codex/model.js", "duplicate_line": 24, "correlation_key": "fp|a5605e703036cc60a1827ef313fcb923202ded4a026da42d0cf13439b4885f62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/cursor/model.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9175, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be11c07570044cb84052d94c707be7db37628b50eb1b3c7dd293229d0444cad6", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "clis/ctrip/hotel-suggest.js", "duplicate_line": 13, "correlation_key": "fp|be11c07570044cb84052d94c707be7db37628b50eb1b3c7dd293229d0444cad6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/ctrip/search.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9174, "scanner": "repobility-ai-code-hygiene", "fingerprint": "af3df07ed88b0c945fe68e44f5b36b2d813d08cbbb42a8bdf76c22ab184c8618", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "clis/codex/history.js", "duplicate_line": 9, "correlation_key": "fp|af3df07ed88b0c945fe68e44f5b36b2d813d08cbbb42a8bdf76c22ab184c8618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/codex/projects.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9173, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38c5e830ba18b7a85cf950182a265795855a95edc56bc0f0cf6170f37fd958c4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "clis/chatgpt/utils.js", "duplicate_line": 71, "correlation_key": "fp|38c5e830ba18b7a85cf950182a265795855a95edc56bc0f0cf6170f37fd958c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/claude/utils.js"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9172, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1b5e075b3b1d90774263f03dff645451d03699e947c96571fa63bbb40c698a2", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "clis/1688/shared.js", "duplicate_line": 103, "correlation_key": "fp|a1b5e075b3b1d90774263f03dff645451d03699e947c96571fa63bbb40c698a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/amazon/shared.js"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9171, "scanner": "repobility-ai-code-hygiene", "fingerprint": "511bd1fcbec2591b8b790a2e0cb558fd53b479e1408d10d30737c8fc0065a25f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "clis/1point3acres/latest.js", "duplicate_line": 19, "correlation_key": "fp|511bd1fcbec2591b8b790a2e0cb558fd53b479e1408d10d30737c8fc0065a25f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/1point3acres/search.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9170, "scanner": "repobility-ai-code-hygiene", "fingerprint": "404b9f0e4a4e032e6bc137ce8ab3cdc8f0186f67efc1ea3c34f6f687316bff22", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "clis/1point3acres/digest.js", "duplicate_line": 18, "correlation_key": "fp|404b9f0e4a4e032e6bc137ce8ab3cdc8f0186f67efc1ea3c34f6f687316bff22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/1point3acres/hot.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9169, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0cd800b5a1b8f98cf99fb584682bfb387225c27c3fd68f86c741491305d9afdd", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "autoresearch/eval-browse.ts", "duplicate_line": 27, "correlation_key": "fp|0cd800b5a1b8f98cf99fb584682bfb387225c27c3fd68f86c741491305d9afdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "autoresearch/eval-zhihu.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9168, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ffc2d3e2bbc7bcaf2bfb65415c6dcff047da7ad1d11ba85da1d4f1ddec53880", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "autoresearch/eval-v2ex.ts", "duplicate_line": 7, "correlation_key": "fp|0ffc2d3e2bbc7bcaf2bfb65415c6dcff047da7ad1d11ba85da1d4f1ddec53880"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "autoresearch/eval-zhihu.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9167, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ddacffa797360e8345d0c188651b52f101545379352dda16f1c9b3e1144e2c46", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "autoresearch/eval-browse.ts", "duplicate_line": 27, "correlation_key": "fp|ddacffa797360e8345d0c188651b52f101545379352dda16f1c9b3e1144e2c46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "autoresearch/eval-v2ex.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9166, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d08769503e1ef8a0bba59e1c52bb13c6a1005514b8d50f4ef6f2ad3f2e45fdb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "autoresearch/eval-publish.ts", "duplicate_line": 56, "correlation_key": "fp|2d08769503e1ef8a0bba59e1c52bb13c6a1005514b8d50f4ef6f2ad3f2e45fdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "autoresearch/eval-save.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9165, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da681b9902a5b8a1ebf24db7a1f2b2ccd00b27d63ecacf3a57ce05d396c4f6a3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "autoresearch/eval-browse.ts", "duplicate_line": 23, "correlation_key": "fp|da681b9902a5b8a1ebf24db7a1f2b2ccd00b27d63ecacf3a57ce05d396c4f6a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "autoresearch/eval-save.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 9164, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9918813075ab8fbae086a52b46a54038679363d865a7b93ee2cd880272e7b73", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|d9918813075ab8fbae086a52b46a54038679363d865a7b93ee2cd880272e7b73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/weixin/create-draft.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9188, "scanner": "repobility-threat-engine", "fingerprint": "fcc1ac72b99a0f2849991a4bc03abcc0f9016943cff7825850f61282439142c8", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(`  Edit the file and add your Client ID and Secret, then run: opencli spotify auth`)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|scripts/postinstall.js|15|console.log edit the file and add your client id and secret then run: opencli spotify auth"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/postinstall.js"}, "region": {"startLine": 159}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9187, "scanner": "repobility-threat-engine", "fingerprint": "79f992a9c67a85d85cfdfaf59a8a215d84458c9786a239708fcc79637f90a565", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`  ${config.defaultContextId} \u2014 default, not connected`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|src/cli.ts|315|console.log config.defaultcontextid default not connected"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli.ts"}, "region": {"startLine": 3151}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 9184, "scanner": "repobility-threat-engine", "fingerprint": "75f18ac8b864166e25602abf2173bf612fdf43d808a54fd30a961602a93d8693", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|75f18ac8b864166e25602abf2173bf612fdf43d808a54fd30a961602a93d8693"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 9180, "scanner": "repobility-threat-engine", "fingerprint": "a0d26ba9b4df32e50ac3a2172c7bcb910780192e3d92aeb18151489dc0cd5980", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0d26ba9b4df32e50ac3a2172c7bcb910780192e3d92aeb18151489dc0cd5980"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9179, "scanner": "repobility-threat-engine", "fingerprint": "05cdbf4c017b7862a15c32d6f1e4783fe737e79f10d984aa5a00ebdce4adc9b1", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|src/plugin.ts|223|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/plugin.ts"}, "region": {"startLine": 223}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 9189, "scanner": "repobility-threat-engine", "fingerprint": "dbd9cc9c581f3c941df7670db02de7878d89e99cb81bfbffde6e082dd5ab83fc", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|clis/instagram/post.js|180|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clis/instagram/post.js"}, "region": {"startLine": 180}}}]}]}]}