{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: connection.execute('SELECT * FROM t WHERE id = ?', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/472"}, "properties": {"repository": "dodo-reach/hermes-desktop", "repoUrl": "https://github.com/dodo-reach/hermes-desktop", "branch": "main"}, "results": [{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27598, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c21c87f88c9b0b22c50fa8d4d319a61d3f2d52fc45a84ce62ef48a547b13c739", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Sources/HermesDesktop/Services/FileEditorService.swift", "duplicate_line": 191, "correlation_key": "fp|c21c87f88c9b0b22c50fa8d4d319a61d3f2d52fc45a84ce62ef48a547b13c739"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Sources/HermesDesktop/Services/SkillBrowserService.swift"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 27605, "scanner": "repobility-threat-engine", "fingerprint": "29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc"}}}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 27604, "scanner": "repobility-threat-engine", "fingerprint": "75668dbf46078285952dec85e2f64db9e0fb6b411e018104b04893095aeb1ed4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(\n        s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|75668dbf46078285952dec85e2f64db9e0fb6b411e018104b04893095aeb1ed4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Sources/HermesDesktop/Services/UpdateCheckService.swift"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 27603, "scanner": "repobility-threat-engine", "fingerprint": "b6117f40f256bac3bf75af8f27013fcca20ca0bff52765fc2d369fff809cf83c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b6117f40f256bac3bf75af8f27013fcca20ca0bff52765fc2d369fff809cf83c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Sources/HermesDesktop/Services/Storage/AppPaths.swift"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 27602, "scanner": "repobility-threat-engine", "fingerprint": "a77bb74fcec3a7a376173d07c6e186ce104a5cc8929329a7e8939a0e9ce28f3f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a77bb74fcec3a7a376173d07c6e186ce104a5cc8929329a7e8939a0e9ce28f3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Sources/HermesDesktop/Services/SSH/SSHTransport.swift"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 27601, "scanner": "repobility-threat-engine", "fingerprint": "c899d033c1311ec142c839c0d8aaab57ba9f0b858d80c3721da12de22d1f6355", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".execute(\n                    f\"SELECT", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|215|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Sources/HermesDesktop/Services/UsageBrowserService.swift"}, "region": {"startLine": 215}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 27600, "scanner": "repobility-threat-engine", "fingerprint": "28e8369b8a3598a77ff1ffe10e91252f639507750e03e7af887dab95e0c6f242", "category": "injection", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "SQL string interpolation is near request/data/parameter input; user-controlled taint is plausible.", "evidence": {"match": "search_sql = f\"SELECT", "reason": "SQL string interpolation is near request/data/parameter input; user-controlled taint is plausible.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "code|injection|token|630|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Sources/HermesDesktop/Services/SessionBrowserService.swift"}, "region": {"startLine": 630}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 27599, "scanner": "repobility-threat-engine", "fingerprint": "4c44f522582adbe4a5c993167d49e2fc157662373b698e117640712b0bbbc2fc", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".execute(\n                f\"SELECT", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|1960|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Sources/HermesDesktop/Services/KanbanBrowserService.swift"}, "region": {"startLine": 1960}}}]}]}]}