{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "When dependency installation comes after COPY ., any source change invalidates the dependency layer and makes Docker rebuild much more slowly."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_match_values_copy_tensors` has cognitive complexity 17 (SonarSource scal", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_match_values_copy_tensors` has cognitive complexity 17 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 17."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "Mutable default argument in `__init__` (list)", "shortDescription": {"text": "Mutable default argument in `__init__` (list)"}, "fullDescription": {"text": "`def __init__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "QA001", "name": "[QA001] No Tests Found: No test files or test directories found.", "shortDescription": {"text": "[QA001] No Tests Found: No test files or test directories found."}, "fullDescription": {"text": "Add unit tests. Start with critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility", "category": "testing", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CFG001", "name": "[CFG001] Docker Runs as Root: Container runs as root user. Consider adding a non-root USER directive.", "shortDescription": {"text": "[CFG001] Docker Runs as Root: Container runs as root user. 
Consider adding a non-root USER directive."}, "fullDescription": {"text": "Add 'USER nonroot' after installing dependencies."}, "properties": {"scanner": "repobility", "category": "docker", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC011", "name": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted", "shortDescription": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "fullDescription": {"text": "Use torch.load(..., weights_only=True) or use safetensors format."}, "properties": {"scanner": "repobility", "category": "deserialization", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility", "category": "path_traversal", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, 
"fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "Package indexes increase image size and can expose stale metadata in the final image layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "QA002", "name": "[QA002] No CI/CD Configuration: No CI/CD pipeline found. 
Note: some CI systems (Gitea Actions, Drone) may be configured ", "shortDescription": {"text": "[QA002] No CI/CD Configuration: No CI/CD pipeline found. Note: some CI systems (Gitea Actions, Drone) may be configured externally."}, "fullDescription": {"text": "Add GitHub Actions, GitLab CI, or similar."}, "properties": {"scanner": "repobility", "category": "practices", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CFG003", "name": "[CFG003] Docker COPY Everything: Copying entire directory may include secrets and build artifacts.", "shortDescription": {"text": "[CFG003] Docker COPY Everything: Copying entire directory may include secrets and build artifacts."}, "fullDescription": {"text": "Use .dockerignore and COPY specific files/directories."}, "properties": {"scanner": "repobility", "category": "docker", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Apply the CIDR check to the address the hostname resolves to, not to the hostname string."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:20` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:20` not pinned by digest"}, "fullDescription": {"text": "`FROM node:20` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self._streaming_state` used but never assigned in __init__", "shortDescription": {"text": "`self._streaming_state` used but never assigned in __init__"}, "fullDescription": {"text": "Method `forward` of class `RawStreamingConv1d` reads `self._streaming_state`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/3"}, "properties": {"repository": "NVIDIA/personaplex", "repoUrl": "https://github.com/NVIDIA/personaplex", "branch": "main"}, "results": [{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 42378, "scanner": "repobility-docker", "fingerprint": "919728730da353233e1b18b2dd9f368d894d05072568a54a2a393a05266cab2d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|919728730da353233e1b18b2dd9f368d894d05072568a54a2a393a05266cab2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 42377, "scanner": "repobility-docker", "fingerprint": "74638e0158fdb1807ad1bb847cb7a1eb757d1809a8465518d052672c20e3344b", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 5 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 5, "correlation_key": "fp|74638e0158fdb1807ad1bb847cb7a1eb757d1809a8465518d052672c20e3344b", "dependency_install_line": 7}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 42374, "scanner": "repobility-docker", "fingerprint": "b5f2b07fd15bceb2a91913967fede1203400f989095192c2f95892cd80d561ab", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], 
"correlation_key": "fp|b5f2b07fd15bceb2a91913967fede1203400f989095192c2f95892cd80d561ab", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 42372, "scanner": "repobility-docker", "fingerprint": "d81054a6ece0a0dc1917f7ea8736be67dc15361d92288b06a29377b3b3ea5a93", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${BASE_IMAGE}:${BASE_IMAGE_TAG}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d81054a6ece0a0dc1917f7ea8736be67dc15361d92288b06a29377b3b3ea5a93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `_match_values_copy_tensors` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, for=1, if=6, nested_bonus=9."}, "properties": {"repobilityId": 42365, "scanner": "repobility-threat-engine", "fingerprint": "ff062ca0cf7dbf21ae11d61fb00e3a264f3f1b4ec0e4443368b9c73d3179c8e4", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 17 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_match_values_copy_tensors", "breakdown": {"if": 6, "for": 1, "else": 1, "nested_bonus": 9}, "complexity": 17, "correlation_key": "fp|ff062ca0cf7dbf21ae11d61fb00e3a264f3f1b4ec0e4443368b9c73d3179c8e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/utils/compile.py"}, "region": {"startLine": 255}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 42355, "scanner": "repobility-threat-engine", "fingerprint": "9a844cf9758274b7a55ea28ee8dcb4bc194e80078a68d528419dd8ab02404c42", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ivElement>(null);\n  const textSeed = useMemo(() => Math.round(1000000 * Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a844cf9758274b7a55ea28ee8dcb4bc194e80078a68d528419dd8ab02404c42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/Conversation/Conversation.tsx"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 42348, "scanner": "repobility-ast-engine", "fingerprint": "c1194a9de2bf0297a419a8ba3d5cf0b18a869c7a1eaa7bd49046fa0f05d008f4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c1194a9de2bf0297a419a8ba3d5cf0b18a869c7a1eaa7bd49046fa0f05d008f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/models/lm.py"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (dict)"}, "properties": {"repobilityId": 42347, "scanner": "repobility-ast-engine", "fingerprint": 
"7c29aa7069682ab92e3dc21638905c23fc9d9f0686b6a528a4d44bf57bafb3f7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7c29aa7069682ab92e3dc21638905c23fc9d9f0686b6a528a4d44bf57bafb3f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/seanet.py"}, "region": {"startLine": 295}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 42346, "scanner": "repobility-ast-engine", "fingerprint": "b8b1fa1210fa7127111ce7bdc7a574b5e6356eec831d5d0ea027bdb6599106f5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b8b1fa1210fa7127111ce7bdc7a574b5e6356eec831d5d0ea027bdb6599106f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/seanet.py"}, "region": {"startLine": 295}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (dict)"}, "properties": {"repobilityId": 42345, "scanner": "repobility-ast-engine", "fingerprint": "98f71b78be3f87fefd6a45dbd7cdca15e4c00125ec6a5fb00800b8a54cdddee2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": 
["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|98f71b78be3f87fefd6a45dbd7cdca15e4c00125ec6a5fb00800b8a54cdddee2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/seanet.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 42344, "scanner": "repobility-ast-engine", "fingerprint": "0594bafe3281cd67e3eea2f1e9741cf491afee99af46467472dbb5c095d6e1e4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0594bafe3281cd67e3eea2f1e9741cf491afee99af46467472dbb5c095d6e1e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/seanet.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (dict)"}, "properties": {"repobilityId": 42343, "scanner": "repobility-ast-engine", "fingerprint": "52b7633a5820eee1821632a02f435bc0ccc706b60446356cd6374fcb8a35eaad", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|52b7633a5820eee1821632a02f435bc0ccc706b60446356cd6374fcb8a35eaad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/seanet.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED109", "level": 
"warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 42342, "scanner": "repobility-ast-engine", "fingerprint": "32b3a52e78ef4c517b1f2786dae2d224e789654c068b99185452cbecb834c1c9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32b3a52e78ef4c517b1f2786dae2d224e789654c068b99185452cbecb834c1c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/seanet.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (dict)"}, "properties": {"repobilityId": 42341, "scanner": "repobility-ast-engine", "fingerprint": "5430620d122f5843b9d684415010af87231bbfe428ef95cbd6c8e998d2dd5a27", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5430620d122f5843b9d684415010af87231bbfe428ef95cbd6c8e998d2dd5a27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/conv.py"}, "region": {"startLine": 291}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (dict)"}, "properties": {"repobilityId": 42340, "scanner": "repobility-ast-engine", "fingerprint": "e9158d81e70fb760d22fdae6f10d73182cb65eef626e2a718aaae20ba1755871", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e9158d81e70fb760d22fdae6f10d73182cb65eef626e2a718aaae20ba1755871"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/conv.py"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (dict)"}, "properties": {"repobilityId": 42339, "scanner": "repobility-ast-engine", "fingerprint": "b2770f592d43cbee5d4361c92814337cb90a92023c28a94906e8d9b5c8655697", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b2770f592d43cbee5d4361c92814337cb90a92023c28a94906e8d9b5c8655697"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/conv.py"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (dict)"}, "properties": {"repobilityId": 42338, "scanner": "repobility-ast-engine", "fingerprint": "e713ec5757113e46f9e593f39903c93ba5a94bdb88774411e5c22b766f40ccd6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e713ec5757113e46f9e593f39903c93ba5a94bdb88774411e5c22b766f40ccd6"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/conv.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 2058, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "QA001", "level": "warning", "message": {"text": "[QA001] No Tests Found: No test files or test directories found."}, "properties": {"repobilityId": 1172, "scanner": "repobility", "fingerprint": "be028542411e0ec312e12d2f50c11c24019b2976e2d4ab2f349dbb0805b2af21", "category": "testing", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "No test files or standard test directories detected", "evidence": {}}}, {"ruleId": "CFG001", "level": "warning", "message": {"text": "[CFG001] Docker Runs as Root: Container runs as root user. 
Consider adding a non-root USER directive."}, "properties": {"repobilityId": 1171, "scanner": "repobility", "fingerprint": "125ed293f4fff0b11eea6b392f84581995109d5901d427ac89c52cd70be6b21e", "category": "docker", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "No USER directive found in Dockerfile", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC011", "level": "warning", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files unless unpickling is restricted (for example with weights_only=True)."}, "properties": {"repobilityId": 1170, "scanner": "repobility", "fingerprint": "3aac7a677fef173c2091671d71e02447734bfe7ee4e3a0a9cdd34090388018b4", "category": "deserialization", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/models/loaders.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "SEC011", "level": "warning", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files unless unpickling is restricted (for example with weights_only=True)."}, "properties": {"repobilityId": 1169, "scanner": "repobility", "fingerprint": "1e34e19b24bb1effb6561ab23d4c0b8d93180ca8db97d461051db33154af72a9", "category": "deserialization", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/models/lm.py"}, "region": {"startLine": 979}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: 
Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 1168, "scanner": "repobility", "fingerprint": "8f277b663425717e715551eec05840170fa1febf4706496020e974f03a146dc2", "category": "path_traversal", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/offline.py"}, "region": {"startLine": 145}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 1167, "scanner": "repobility", "fingerprint": "0cfabe5e2d6b5eb1136a4dbde010cf116a0a69de62ebd9f27d2ecc3e79f63012", "category": "path_traversal", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/server.py"}, "region": {"startLine": 333}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 1164, "scanner": "repobility", "fingerprint": "a32c1a70db101787faa12d0b464c454fac4eda94d9635330c0aafab94ad0025f", "category": "practices", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 42380, "scanner": "repobility-docker", "fingerprint": "58561b99200697341e4a7f6a3e219ae5672abf213557f9648d84008b8cbfd7c2", "category": "docker", "severity": "low", 
"confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "personaplex", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|58561b99200697341e4a7f6a3e219ae5672abf213557f9648d84008b8cbfd7c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 42379, "scanner": "repobility-docker", "fingerprint": "25fda68d8d2ea5001df034d8d53e0fc8b35dead7fa19fb119cfff82c99d5fca2", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "personaplex", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|25fda68d8d2ea5001df034d8d53e0fc8b35dead7fa19fb119cfff82c99d5fca2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 42376, "scanner": "repobility-docker", "fingerprint": "e0e392b88bd92666fc410a57e577b0d494f21d4a4f2d5847f4c605252d5d06c1", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e0e392b88bd92666fc410a57e577b0d494f21d4a4f2d5847f4c605252d5d06c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 42375, "scanner": "repobility-docker", "fingerprint": "ed2ba03e31b941d93e4acf05bf6cdc1cb53389c47682bafe230d679033d79db6", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ed2ba03e31b941d93e4acf05bf6cdc1cb53389c47682bafe230d679033d79db6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 42373, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `backward` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=2, for=3, if=3, nested_bonus=2, recursion=1."}, "properties": {"repobilityId": 42366, "scanner": "repobility-threat-engine", "fingerprint": "66515403607caf51beb59626e420018a5f35b0983001e94072460f92be471cd3", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "backward", "breakdown": {"if": 3, "for": 3, "else": 2, "recursion": 1, "nested_bonus": 2}, "complexity": 11, "correlation_key": "fp|66515403607caf51beb59626e420018a5f35b0983001e94072460f92be471cd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/utils/compile.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "QA002", "level": "note", "message": {"text": "[QA002] No CI/CD Configuration: No CI/CD pipeline found. Note: some CI systems (Gitea Actions, Drone) may be configured externally."}, "properties": {"repobilityId": 1173, "scanner": "repobility", "fingerprint": "40585ee1ee112f949b34e55e68a3e84102f978dc6172e8e31dd501bbf93145a9", "category": "practices", "severity": "low", "confidence": null, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "No standard CI config files found \u2014 CI may be configured externally", "evidence": {}}}, {"ruleId": "SEC015", "level": "note", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 1166, "scanner": "repobility", "fingerprint": "57934b7ed1c85236e972ed1b5c7d57c4846d2fb58c4e66a8c0e6f903faccef41", "category": "crypto", "severity": "low", "confidence": null, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "No security-sensitive keywords nearby \u2014 may be non-security use (UI, shuffling, etc.)", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/Conversation/Conversation.tsx"}, "region": {"startLine": 113}}}]}, {"ruleId": "CFG003", "level": "note", "message": {"text": "[CFG003] Docker COPY Everything: Copying entire directory may include secrets and build artifacts."}, "properties": {"repobilityId": 1165, "scanner": "repobility", "fingerprint": "4faca82776bae8ff556bb27f0051847e9113a71686448ecfcb9546e5ca51b88e", "category": "docker", "severity": "low", "confidence": null, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 42371, "scanner": "repobility-docker", "fingerprint": "3d5114dccd29cff75883e418b3f13e42df10ee33eef795c33f27d73d19bbb355", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASE_IMAGE}:${BASE_IMAGE_TAG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": 
"fp|3d5114dccd29cff75883e418b3f13e42df10ee33eef795c33f27d73d19bbb355"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 42370, "scanner": "repobility-threat-engine", "fingerprint": "0e713c4425506f10f74eb83a6f030fc8b02cfdebabfb0b502de24ec8accd91b8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0e713c4425506f10f74eb83a6f030fc8b02cfdebabfb0b502de24ec8accd91b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/utils/sampling.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 42369, "scanner": "repobility-threat-engine", "fingerprint": "6f1b1663d9e21edb44b0360f071f435ef16720134e20fca5a6c3a22d838344f8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, 
"ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f1b1663d9e21edb44b0360f071f435ef16720134e20fca5a6c3a22d838344f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/conv.py"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 42368, "scanner": "repobility-threat-engine", "fingerprint": "60cd94a02f603494c52ba6552a6ba986dec3f3560ffd0ee1d1de8b6cdca30e6a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|60cd94a02f603494c52ba6552a6ba986dec3f3560ffd0ee1d1de8b6cdca30e6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/conv.py"}, "region": {"startLine": 278}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 42367, "scanner": "repobility-threat-engine", "fingerprint": "374b2f9ca97c941ea8799534a3f6a7246c4a413e5ec69c34d7f4988e5034f739", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "print_token", "breakdown": {"if": 6, "for": 1, "else": 3, "break": 2, "nested_bonus": 14}, "aggregated": true, "complexity": 26, "correlation_key": "fp|374b2f9ca97c941ea8799534a3f6a7246c4a413e5ec69c34d7f4988e5034f739", "aggregated_count": 2}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 42363, "scanner": "repobility-threat-engine", "fingerprint": "751d9cc2532490e02c4ef5d4fe71bcc60b00788ea1134d7e8622e4fd83f73db3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|751d9cc2532490e02c4ef5d4fe71bcc60b00788ea1134d7e8622e4fd83f73db3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/quantization/base.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 42362, "scanner": "repobility-threat-engine", "fingerprint": "bf4742d3732a3d3981ab30e0dd8037de782e12186de1ce2ad5635c34384304c1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating 
context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bf4742d3732a3d3981ab30e0dd8037de782e12186de1ce2ad5635c34384304c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/conv.py"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 42361, "scanner": "repobility-threat-engine", "fingerprint": "641dc833052c0254eaf042b3c75eb5f124c692a2b91d52cfbae64472fde543ce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|641dc833052c0254eaf042b3c75eb5f124c692a2b91d52cfbae64472fde543ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/client_utils.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 42359, "scanner": "repobility-threat-engine", "fingerprint": "f1465cf3e248ac64846e9803103f168ebc933d14f6bf708274aad1a99a9b39cf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f1465cf3e248ac64846e9803103f168ebc933d14f6bf708274aad1a99a9b39cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/Conversation/hooks/useUserAudio.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 42358, "scanner": "repobility-threat-engine", "fingerprint": "a523eb495e93be8d07b680e21e925d4a04e52b30e907273ddbbffee1d30c86b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a523eb495e93be8d07b680e21e925d4a04e52b30e907273ddbbffee1d30c86b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/Conversation/hooks/useServerInfo.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 42357, "scanner": "repobility-threat-engine", "fingerprint": "fdcd75f806f44e8c2652cff9390f1a6dce6595c299738c58a5a4ff1acfbc7fd8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fdcd75f806f44e8c2652cff9390f1a6dce6595c299738c58a5a4ff1acfbc7fd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"client/src/pages/Conversation/components/TextDisplay/TextDisplay.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 42356, "scanner": "repobility-threat-engine", "fingerprint": "1660c0e9a58fc0a1ce6c9984d5f694f7abe6c87feb553eb423342d4fca600509", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1660c0e9a58fc0a1ce6c9984d5f694f7abe6c87feb553eb423342d4fca600509"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/Conversation/Conversation.tsx"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 42353, "scanner": "repobility-threat-engine", "fingerprint": "af04b44cf3259ba75a7bf35ce6dc48f15354180dfaf6bd2ee3818f3a3be6c827", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|af04b44cf3259ba75a7bf35ce6dc48f15354180dfaf6bd2ee3818f3a3be6c827", "aggregated_count": 14}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 42352, "scanner": "repobility-threat-engine", "fingerprint": "ef7b009eeede54c78317250716bfffb77161c96e03508ac8489dbf6faf598f91", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef7b009eeede54c78317250716bfffb77161c96e03508ac8489dbf6faf598f91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/Conversation/Conversation.tsx"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 42351, "scanner": "repobility-threat-engine", "fingerprint": "2b01e9d710932c61996f45fab030d444ef274daad189b1be1631d9408cc68af7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b01e9d710932c61996f45fab030d444ef274daad189b1be1631d9408cc68af7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/decoder/decoderWorker.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 42350, "scanner": "repobility-threat-engine", "fingerprint": "2bebabe49ce87b8d36fe9b665e81e39fecc58aa1fb4e1fd667e7becd8b49def5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2bebabe49ce87b8d36fe9b665e81e39fecc58aa1fb4e1fd667e7becd8b49def5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/audio-processor.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `print_token` has cognitive complexity 26 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=2, else=3, for=1, if=6, nested_bonus=14."}, "properties": {"repobilityId": 42364, "scanner": "repobility-threat-engine", "fingerprint": "c59bb6605628fa191964892e454e539af6b40b22c1f9e07f682ae1cca360fe13", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 26 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "print_token", "breakdown": {"if": 6, "for": 1, "else": 3, "break": 2, "nested_bonus": 14}, "complexity": 26, "correlation_key": "fp|c59bb6605628fa191964892e454e539af6b40b22c1f9e07f682ae1cca360fe13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/client_utils.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 42360, "scanner": "repobility-threat-engine", "fingerprint": "edc1eb8633e7eb16cf8198835f365059bd48bb8855e9aabee0d28d3ecb3eddcb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eruda.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|edc1eb8633e7eb16cf8198835f365059bd48bb8855e9aabee0d28d3ecb3eddcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/Queue/Queue.tsx"}, "region": {"startLine": 146}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 42354, "scanner": "repobility-threat-engine", "fingerprint": "abcd5fc7de2b1585497b5f169903e35c455f9ba4f2ad6f5e7d21f585eaed727a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(U", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|abcd5fc7de2b1585497b5f169903e35c455f9ba4f2ad6f5e7d21f585eaed727a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/Conversation/Conversation.tsx"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:20` not pinned by digest"}, "properties": {"repobilityId": 42349, "scanner": "repobility-supply-chain", "fingerprint": "8dc3ff8821832ead3a5a038926c4b8bcc4f23309c0b438ff66e7ed9eac00a8c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8dc3ff8821832ead3a5a038926c4b8bcc4f23309c0b438ff66e7ed9eac00a8c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._streaming_state` used but never assigned in __init__"}, "properties": {"repobilityId": 42337, "scanner": "repobility-ast-engine", "fingerprint": "0b54a5d4732f3c244a905d88cfc8fe89de2e845ae424de64f65081db245ac038", "category": "quality", "severity": "high", "confidence": 
1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b54a5d4732f3c244a905d88cfc8fe89de2e845ae424de64f65081db245ac038"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 487}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.stride` used but never assigned in __init__"}, "properties": {"repobilityId": 42336, "scanner": "repobility-ast-engine", "fingerprint": "6c317c305dc24121808a3f0e1c4ca40beb71d80e2de9bd9bd2835920938ccf8a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6c317c305dc24121808a3f0e1c4ca40beb71d80e2de9bd9bd2835920938ccf8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 484}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._streaming_state` used but never assigned in __init__"}, "properties": {"repobilityId": 42335, "scanner": "repobility-ast-engine", "fingerprint": "953d8b8ad9f2795e89a97d78b4400fd23df62d85a657b460417678c2ef2266ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|953d8b8ad9f2795e89a97d78b4400fd23df62d85a657b460417678c2ef2266ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 460}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._streaming_state` used but never assigned in __init__"}, "properties": {"repobilityId": 42334, "scanner": "repobility-ast-engine", "fingerprint": "f5efd48771e954d89650251c0761ce783fca428abac0df2613443496fd1ff9f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f5efd48771e954d89650251c0761ce783fca428abac0df2613443496fd1ff9f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 459}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._streaming_state` used but never assigned in __init__"}, "properties": {"repobilityId": 42333, "scanner": "repobility-ast-engine", "fingerprint": "4b8efe7d84a8561a3fc865c3e9ff8e1e6c5d224c65dd88dc2a5d01a48a64b095", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4b8efe7d84a8561a3fc865c3e9ff8e1e6c5d224c65dd88dc2a5d01a48a64b095"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 453}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._streaming_state` used but never 
assigned in __init__"}, "properties": {"repobilityId": 42332, "scanner": "repobility-ast-engine", "fingerprint": "328acbb177365780452afbf1d682d3f96c6bacfabc66135825a28773339602d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|328acbb177365780452afbf1d682d3f96c6bacfabc66135825a28773339602d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 452}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._streaming_state` used but never assigned in __init__"}, "properties": {"repobilityId": 42331, "scanner": "repobility-ast-engine", "fingerprint": "3550368c1721e3659cf832c8653b4bee128d072488b59575ec411d620898d676", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3550368c1721e3659cf832c8653b4bee128d072488b59575ec411d620898d676"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 449}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._apply_named_streaming` used but never assigned in __init__"}, "properties": {"repobilityId": 42330, "scanner": "repobility-ast-engine", "fingerprint": "042cd2335453343b3c6fcdd7b87d049b377ee1475bf570e35ba1f449e1c352d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|042cd2335453343b3c6fcdd7b87d049b377ee1475bf570e35ba1f449e1c352d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 416}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.parameters` used but never assigned in __init__"}, "properties": {"repobilityId": 42329, "scanner": "repobility-ast-engine", "fingerprint": "39fe7c51f3aad6353b35972a7f3f1bf5821eb21dd5df19bb770c478bf4f2dae3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|39fe7c51f3aad6353b35972a7f3f1bf5821eb21dd5df19bb770c478bf4f2dae3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 398}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._apply_named_streaming` used but never assigned in __init__"}, "properties": {"repobilityId": 42328, "scanner": "repobility-ast-engine", "fingerprint": "8e0d930d8b4214323068d2128054299dacd259e3d0f89927277d2fce235ffe71", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8e0d930d8b4214323068d2128054299dacd259e3d0f89927277d2fce235ffe71"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 401}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_streaming_state` used but never assigned in __init__"}, "properties": {"repobilityId": 42327, "scanner": "repobility-ast-engine", "fingerprint": "13f576fb152409caacb2f1125ae00a6052041c2fdf27c1b88fa6774c7996db6b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|13f576fb152409caacb2f1125ae00a6052041c2fdf27c1b88fa6774c7996db6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 387}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._apply_named_streaming` used but never assigned in __init__"}, "properties": {"repobilityId": 42326, "scanner": "repobility-ast-engine", "fingerprint": "54d92d7da710f109ee3c3e3cde28ea2f78de5da8beab4e79ef0c4f30c4c4463b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|54d92d7da710f109ee3c3e3cde28ea2f78de5da8beab4e79ef0c4f30c4c4463b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 364}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._apply_named_streaming` used but never assigned in __init__"}, "properties": {"repobilityId": 
42325, "scanner": "repobility-ast-engine", "fingerprint": "89913bf3a75e813c946d2b6548f75f94ba67990d694775c0dc5f952b25f4d922", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89913bf3a75e813c946d2b6548f75f94ba67990d694775c0dc5f952b25f4d922"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 355}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._stop_streaming` used but never assigned in __init__"}, "properties": {"repobilityId": 42324, "scanner": "repobility-ast-engine", "fingerprint": "a06330abdd4bb058a6adf532d43fcdab30db8dbf37d2875dd9f52706525df6f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a06330abdd4bb058a6adf532d43fcdab30db8dbf37d2875dd9f52706525df6f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 342}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._start_streaming` used but never assigned in __init__"}, "properties": {"repobilityId": 42323, "scanner": "repobility-ast-engine", "fingerprint": "1cdd39a6d428401f874e97a4af14956a131f0ccd87dc3f893dfa948a42b18b6c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1cdd39a6d428401f874e97a4af14956a131f0ccd87dc3f893dfa948a42b18b6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 338}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._start_streaming` used but never assigned in __init__"}, "properties": {"repobilityId": 42322, "scanner": "repobility-ast-engine", "fingerprint": "c44bc36ba35cefe7aeed777e223346b1f473a14c0bd445388f8332abce77d9c0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c44bc36ba35cefe7aeed777e223346b1f473a14c0bd445388f8332abce77d9c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 332}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._apply_named_streaming` used but never assigned in __init__"}, "properties": {"repobilityId": 42321, "scanner": "repobility-ast-engine", "fingerprint": "f315d51e73282097490e58631eb7e4d200b8d7fe69ae1b0729ae9936c67176b1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f315d51e73282097490e58631eb7e4d200b8d7fe69ae1b0729ae9936c67176b1"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._apply_named_streaming` used but never assigned in __init__"}, "properties": {"repobilityId": 42320, "scanner": "repobility-ast-engine", "fingerprint": "868a3f0c229efae5fc10b324641030634569448439a660bb1b4f1a7782cf3fc2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|868a3f0c229efae5fc10b324641030634569448439a660bb1b4f1a7782cf3fc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 320}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.named_children` used but never assigned in __init__"}, "properties": {"repobilityId": 42319, "scanner": "repobility-ast-engine", "fingerprint": "64d69b5da233515b6207683f35cdd83f0386555b066a40d4c2671a4d171f2503", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|64d69b5da233515b6207683f35cdd83f0386555b066a40d4c2671a4d171f2503"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/modules/streaming.py"}, "region": {"startLine": 313}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._remove_pending` used but never assigned in __init__"}, "properties": {"repobilityId": 42318, "scanner": "repobility-ast-engine", "fingerprint": 
"5b08814c2d0c98d0bd51413f08c3e958c2ac9d3bc9d56e36f03743fd06c16d35", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5b08814c2d0c98d0bd51413f08c3e958c2ac9d3bc9d56e36f03743fd06c16d35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/client_utils.py"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.print_token` used but never assigned in __init__"}, "properties": {"repobilityId": 42317, "scanner": "repobility-ast-engine", "fingerprint": "29b1a33d6c1f7718e4f31ac91248af913e36e4f0f92fa3d1881b215123b587fe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|29b1a33d6c1f7718e4f31ac91248af913e36e4f0f92fa3d1881b215123b587fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/client_utils.py"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._remove_pending` used but never assigned in __init__"}, "properties": {"repobilityId": 42316, "scanner": "repobility-ast-engine", "fingerprint": "6e8f56942e372de94fc7b66050324f98029f03aacb83955949b6dbc8717f6ace", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": 
["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6e8f56942e372de94fc7b66050324f98029f03aacb83955949b6dbc8717f6ace"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/client_utils.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._remove_pending` used but never assigned in __init__"}, "properties": {"repobilityId": 42315, "scanner": "repobility-ast-engine", "fingerprint": "cd7695aa7c6c01bce2a9fccee18a74689c8dde8ef3e13e72b4dc5e1c3631e37f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd7695aa7c6c01bce2a9fccee18a74689c8dde8ef3e13e72b4dc5e1c3631e37f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/client_utils.py"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.erase` used but never assigned in __init__"}, "properties": {"repobilityId": 42314, "scanner": "repobility-ast-engine", "fingerprint": "e868f6482f2c8b0998d93983599e8478d4811941e06108e0889b72b213cbc9be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e868f6482f2c8b0998d93983599e8478d4811941e06108e0889b72b213cbc9be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/client_utils.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": 
"error", "message": {"text": "`self._add` used but never assigned in __init__"}, "properties": {"repobilityId": 42313, "scanner": "repobility-ast-engine", "fingerprint": "45c437d077d84a85d6780df705c48de8bdaae7bde00d7010841daf70976db57b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|45c437d077d84a85d6780df705c48de8bdaae7bde00d7010841daf70976db57b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "moshi/moshi/client_utils.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 2057, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 1163, "scanner": "repobility", "fingerprint": "c0fd07c57880ff3ddc2207c562f846fba34028fad3c8ac3a333df1b705cffd65", "category": "testing", "severity": "high", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {}}}]}]}