{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `beautifulsoup4` has no version pin: Unpinned pip requirement means every fresh install may", "shortDescription": {"text": "[MINED124] requirements.txt: `beautifulsoup4` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducibl"}, "fullDescription": {"text": "Replace `beautifulsoup4` with `beautifulsoup4==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `has_permission` (dict): `def has_permission(... = []/{}/set())` \u2014 Python's defau", "shortDescription": {"text": "[MINED109] Mutable default argument in `has_permission` (dict): `def has_permission(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def has_permission(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB004", "name": "robots.txt blocks the full public site", "shortDescription": {"text": "robots.txt blocks the full public site"}, "fullDescription": {"text": "Replace full-site blocking with specific private path disallows, or add explicit Allow rules for public docs and landing pages."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "Set docs_url=None, redoc_url=None, and openapi_url=None for production apps unless the docs are intentionally public and protected by routing, ingress, or an authenticated docs handler."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /oauth/clients/{client"}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC003", "name": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.", "shortDescription": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "fullDescription": {"text": "Never commit secrets. Use .env files with .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `get_by_user_id` has cognitive complexity 18 (SonarSource scale). Cognitiv", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `get_by_user_id` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursio"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 18."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `open-webui` image is selected through a build variable", "shortDescription": {"text": "Compose service `open-webui` image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 1 more): Same pattern found in 1 additional files. ", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout (and 17 more): Same pattern found in 17 additional files. Review if needed.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout (and 17 more): Same pattern found in 17 additional files. Review if needed.", "shortDescription": {"text": "[SEC078] Python: requests without timeout (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workfl", "shortDescription": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise ("}, "fullDescription": {"text": "Replace with: `uses: actions/setup-python@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "[MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.15.5`: `.pre-commit-", "shortDescription": {"text": "[MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.15.5`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.15.5`. If `{rev}` is a branch or vers"}, "fullDescription": {"text": "Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `python:3.11-slim-bookworm` not pinned by digest: `FROM python:3.11-slim-bookworm` resolves t", "shortDescription": {"text": "[MINED118] Dockerfile FROM `python:3.11-slim-bookworm` not pinned by digest: `FROM python:3.11-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially differe"}, "fullDescription": {"text": "Replace with: `FROM python:3.11-slim-bookworm@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "[MINED110] Blocking call `time.sleep` inside async function `_inner`: `time.sleep` is a synchronous (blocking) call. Whe", "shortDescription": {"text": "[MINED110] Blocking call `time.sleep` inside async function `_inner`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making pr"}, "fullDescription": {"text": "Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._current_bucket` used but never assigned in __init__: Method `_get_count_memory` of class `RateLimiter`", "shortDescription": {"text": "[MINED108] `self._current_bucket` used but never assigned in __init__: Method `_get_count_memory` of class `RateLimiter` reads `self._current_bucket`, but no assignment to it exists in __init__ (and no class-level fallback). This raises Att"}, "fullDescription": {"text": "Initialize `self._current_bucket = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{user_id}/profile/image."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `collections` used but not imported: The file uses `collections.something(...)` but never imp", "shortDescription": {"text": "[MINED107] Missing import: `collections` used but not imported: The file uses `collections.something(...)` but never imports `collections`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import collections` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "Use a server-side one-time authorization code tied to a registered callback allowlist. Do not append access tokens to callback URLs or fragments."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR005", "name": "Docker image bakes a secret-like ENV value", "shortDescription": {"text": "Docker image bakes a secret-like ENV value"}, "fullDescription": {"text": "Remove the secret from the Dockerfile, rotate the value if real, and inject runtime secrets through your platform secret manager."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/732"}, "properties": {"repository": "open-webui/open-webui", "repoUrl": "https://github.com/open-webui/open-webui", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `beautifulsoup4` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 59847, "scanner": "repobility-supply-chain", "fingerprint": "21d2183ca37f1564405e51266037e39619a5c1fdce4d067075cfa7cc49f2e6fb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21d2183ca37f1564405e51266037e39619a5c1fdce4d067075cfa7cc49f2e6fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/requirements-min.txt"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pydub` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 59846, "scanner": "repobility-supply-chain", "fingerprint": "8b4747fc6ce0ab5abcdbe60c5395fed0e01ce7c4b7427e29f65349099027d771", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b4747fc6ce0ab5abcdbe60c5395fed0e01ce7c4b7427e29f65349099027d771"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/requirements-min.txt"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `openai` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 59845, "scanner": "repobility-supply-chain", "fingerprint": "bfe86ba1c383ef79e54d7c1e9dc13a53b303db2fbd3b73326512b753cd837107", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfe86ba1c383ef79e54d7c1e9dc13a53b303db2fbd3b73326512b753cd837107"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/requirements-min.txt"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `redis` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 59844, "scanner": "repobility-supply-chain", "fingerprint": "c3aa0d0b074dd92fb7cb9ab461b4a783d7ef3e2ca56f421e64f620482eb62486", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3aa0d0b074dd92fb7cb9ab461b4a783d7ef3e2ca56f421e64f620482eb62486"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/requirements-min.txt"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `aiofiles` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 59843, "scanner": "repobility-supply-chain", "fingerprint": "ba1817f99323e3603df0b7d7ada91bc4abcf4b3cbe74d0ecd1f39467004f0c5d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba1817f99323e3603df0b7d7ada91bc4abcf4b3cbe74d0ecd1f39467004f0c5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/requirements-min.txt"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `aiocache` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 59842, "scanner": "repobility-supply-chain", "fingerprint": "6aa511669977d0ea408db69cc23f5811f163135c503db12654cbf8e793eca6dd", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6aa511669977d0ea408db69cc23f5811f163135c503db12654cbf8e793eca6dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/requirements-min.txt"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `async-timeout` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 59841, "scanner": "repobility-supply-chain", "fingerprint": "43327ef32cc532551084308b36101c309336c93518d74cc6cbfb675389dfaaf7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43327ef32cc532551084308b36101c309336c93518d74cc6cbfb675389dfaaf7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/requirements-min.txt"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `cryptography` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 59840, "scanner": "repobility-supply-chain", "fingerprint": "fd039eee3e4541affbc891af1d9fd5edf62677acdb44aa5e2dd7a52c515994b5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd039eee3e4541affbc891af1d9fd5edf62677acdb44aa5e2dd7a52c515994b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/requirements-min.txt"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `has_permission` (dict): `def has_permission(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 59835, "scanner": "repobility-ast-engine", "fingerprint": "9845f70c4559be73dba7b5528e20646947fb15c513d1af7965d9b3337ae9a3f7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9845f70c4559be73dba7b5528e20646947fb15c513d1af7965d9b3337ae9a3f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/access_control/__init__.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `search_notes` (dict): `def search_notes(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 59833, "scanner": "repobility-ast-engine", "fingerprint": "c6d089e08d95a06be5067eed12221954216c9b6f172c3985dda62118b49bac2b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6d089e08d95a06be5067eed12221954216c9b6f172c3985dda62118b49bac2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/notes.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `get_feedback_items` (dict): `def get_feedback_items(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 59832, "scanner": "repobility-ast-engine", "fingerprint": "3bbd76e2a33a00f409a5d63c6292b30fae1170b8d613a84ab5cf96daa328ff70", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3bbd76e2a33a00f409a5d63c6292b30fae1170b8d613a84ab5cf96daa328ff70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/feedbacks.py"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `search_models` (dict): `def search_models(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 59831, "scanner": "repobility-ast-engine", "fingerprint": "c9deef27ff81bff5178e57f4f83bcf1909cc7e9ab7455fe7712a63dda9ab397b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c9deef27ff81bff5178e57f4f83bcf1909cc7e9ab7455fe7712a63dda9ab397b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/models.py"}, "region": {"startLine": 275}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `search_prompts` (dict): `def search_prompts(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 59829, "scanner": "repobility-ast-engine", "fingerprint": "08a39db9d6a13e4dc625112711484ed44a45cadace94f27c7dd5fe3996da495d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08a39db9d6a13e4dc625112711484ed44a45cadace94f27c7dd5fe3996da495d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/prompts.py"}, "region": {"startLine": 291}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `search_skills` (dict): `def search_skills(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 59828, "scanner": "repobility-ast-engine", "fingerprint": "3b16c1b808fc847719810a2c100fc706ad38c225d08fda38747ac2aeb9dc9d51", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3b16c1b808fc847719810a2c100fc706ad38c225d08fda38747ac2aeb9dc9d51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/skills.py"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 59806, "scanner": "repobility-ast-engine", "fingerprint": "cd60f71163bdfe77b0e1b8b547a065be6f6faa0a815bdc7f6c7fc258b816b00c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd60f71163bdfe77b0e1b8b547a065be6f6faa0a815bdc7f6c7fc258b816b00c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/socket/utils.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 59805, "scanner": "repobility-ast-engine", "fingerprint": "e28f87b673287e0c17e0555e84d92f1f20f7dab6a6ce39feab46feafac470a7f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e28f87b673287e0c17e0555e84d92f1f20f7dab6a6ce39feab46feafac470a7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/socket/utils.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59791, "scanner": "repobility-ast-engine", "fingerprint": "0c150adc4cf4fd59f127f98144213c23cfee975db929801dc71c5ae20ec15a34", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c150adc4cf4fd59f127f98144213c23cfee975db929801dc71c5ae20ec15a34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/env.py"}, "region": {"startLine": 421}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59790, "scanner": "repobility-ast-engine", "fingerprint": "f0d08b7581a6c3b7f4bfce72e0cc6d4efe8ef291bd6d1ce9fc79d275bec74624", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f0d08b7581a6c3b7f4bfce72e0cc6d4efe8ef291bd6d1ce9fc79d275bec74624"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/env.py"}, "region": {"startLine": 353}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59789, "scanner": "repobility-ast-engine", "fingerprint": "93bdf005323a2f86b86948bc5c4210ae93867eed3fb6f9c4f9570ffa905fae47", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|93bdf005323a2f86b86948bc5c4210ae93867eed3fb6f9c4f9570ffa905fae47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/env.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59788, "scanner": "repobility-ast-engine", "fingerprint": "c6364594bd9387776858e2e556721574e978e1d8adaa52c8be4e7a2a69a357b8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6364594bd9387776858e2e556721574e978e1d8adaa52c8be4e7a2a69a357b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/env.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59787, "scanner": "repobility-ast-engine", "fingerprint": "806cfb123e74b59f2701ede51c7c2a3c18b3acf456585551390a07b3c123b606", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|806cfb123e74b59f2701ede51c7c2a3c18b3acf456585551390a07b3c123b606"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 717}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59786, "scanner": "repobility-ast-engine", "fingerprint": "cf6efcb207808c83b136383cb92616a9e78b956e7c741e8d29e43d91cfe7abd4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf6efcb207808c83b136383cb92616a9e78b956e7c741e8d29e43d91cfe7abd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 909}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59785, "scanner": "repobility-ast-engine", "fingerprint": "da68ddb49ae50e7cf0b82862c71cbae68b51b8d026e33547073a44f1b5423bf7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|da68ddb49ae50e7cf0b82862c71cbae68b51b8d026e33547073a44f1b5423bf7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 899}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59784, "scanner": "repobility-ast-engine", "fingerprint": "aa917a1757c760cf709ffec28500ede005f197418c0ff0a124ee7ee9a259a80b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aa917a1757c760cf709ffec28500ede005f197418c0ff0a124ee7ee9a259a80b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 889}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59783, "scanner": "repobility-ast-engine", "fingerprint": "7256f28f1ba97234d4235c1f86b60d605d60c64ff80f4cba7f659c72aae48010", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7256f28f1ba97234d4235c1f86b60d605d60c64ff80f4cba7f659c72aae48010"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 879}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59782, "scanner": "repobility-ast-engine", "fingerprint": "41db3a9d2eaf57cbb466d5ded46e3b64c448fba613994629568ce1911004b86e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|41db3a9d2eaf57cbb466d5ded46e3b64c448fba613994629568ce1911004b86e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 866}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59781, "scanner": "repobility-ast-engine", "fingerprint": "f2a571db86574e4d55359cd309efa50c954e63bf2cbba7b65ac934134452989e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f2a571db86574e4d55359cd309efa50c954e63bf2cbba7b65ac934134452989e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 856}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59780, "scanner": "repobility-ast-engine", "fingerprint": "bc4c3be39e778a7a48dc834a3be2468b3b1f6abf9859131ea23b05657d895b21", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bc4c3be39e778a7a48dc834a3be2468b3b1f6abf9859131ea23b05657d895b21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 846}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59779, "scanner": "repobility-ast-engine", "fingerprint": "622c318733675201a03e0f346869baa1a48d796f233e806131944bc6e184e463", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|622c318733675201a03e0f346869baa1a48d796f233e806131944bc6e184e463"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 832}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59778, "scanner": "repobility-ast-engine", "fingerprint": "9943f52fdcd728997c10dc93225aab53f6ee93329a5803ecf9d6d49e97fdaa42", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9943f52fdcd728997c10dc93225aab53f6ee93329a5803ecf9d6d49e97fdaa42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 822}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59777, "scanner": "repobility-ast-engine", "fingerprint": "bcf598ad8a8c41471161d2dbfc877ed97448194942137a57f0f97aa5ca9b1c51", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bcf598ad8a8c41471161d2dbfc877ed97448194942137a57f0f97aa5ca9b1c51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 812}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59776, "scanner": "repobility-ast-engine", "fingerprint": "2146c5c907c6788e81ac02a28a07c6ab41ec1be28df10af61feaf7a7c00cf8ed", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2146c5c907c6788e81ac02a28a07c6ab41ec1be28df10af61feaf7a7c00cf8ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 802}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59775, "scanner": "repobility-ast-engine", "fingerprint": "b92bb2dbb45e48100a87b1e1c9d5d215a48bc8e0ab2f34534ac36dad6033541b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b92bb2dbb45e48100a87b1e1c9d5d215a48bc8e0ab2f34534ac36dad6033541b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 703}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59774, "scanner": "repobility-ast-engine", "fingerprint": "f09b34d87735bac9d9ac5203ccbb2f07ce9c74d0d56f7462235b2aebb82e5c66", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f09b34d87735bac9d9ac5203ccbb2f07ce9c74d0d56f7462235b2aebb82e5c66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 693}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59773, "scanner": "repobility-ast-engine", "fingerprint": "34911a79c6adfe97ffd5290a54ac82c7470a398f98c72f686b7fc30bae34b488", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|34911a79c6adfe97ffd5290a54ac82c7470a398f98c72f686b7fc30bae34b488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 683}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59772, "scanner": "repobility-ast-engine", "fingerprint": "791f4376e24d5a537e46a806ead569d215670f5eae9b4adec023b63da044a98d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|791f4376e24d5a537e46a806ead569d215670f5eae9b4adec023b63da044a98d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 673}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59771, "scanner": "repobility-ast-engine", "fingerprint": "35518e28a4983fbf6e3ac8c95a7394baa64af86540df97d16c4e0a5957f4325a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|35518e28a4983fbf6e3ac8c95a7394baa64af86540df97d16c4e0a5957f4325a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 1563}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59770, "scanner": "repobility-ast-engine", "fingerprint": "f4d7c3c358b72f04e805d1672f61ef2652c9a304419285b078e1c2dcded8d76c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f4d7c3c358b72f04e805d1672f61ef2652c9a304419285b078e1c2dcded8d76c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/config.py"}, "region": {"startLine": 468}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59769, "scanner": "repobility-ast-engine", "fingerprint": "36b0bc5bbd44f035189cbf1be12a57f75782c7f4254e19cccaef7000a96be4fc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|36b0bc5bbd44f035189cbf1be12a57f75782c7f4254e19cccaef7000a96be4fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/__init__.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `generate_function_chat_completion` (dict): `def generate_function_chat_completion(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 59768, "scanner": "repobility-ast-engine", "fingerprint": "c4718ffaf5777c32f1022f88f49502d9810465e86e9edd3958002a22fd024beb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c4718ffaf5777c32f1022f88f49502d9810465e86e9edd3958002a22fd024beb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/functions.py"}, "region": {"startLine": 147}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59767, "scanner": "repobility-ast-engine", "fingerprint": "a648eda450ee515b759bec58f72632b6ed4f9cc6a78fc7a28e9e44b5ab86ddeb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a648eda450ee515b759bec58f72632b6ed4f9cc6a78fc7a28e9e44b5ab86ddeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contribution_stats.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59766, "scanner": "repobility-ast-engine", "fingerprint": "156f5c34707635c7f94efd75540efc2bdd3b3b3fb8f578f61da1b12bef968f69", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|156f5c34707635c7f94efd75540efc2bdd3b3b3fb8f578f61da1b12bef968f69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contribution_stats.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "WEB004", "level": "warning", "message": {"text": "robots.txt blocks the full public site"}, "properties": {"repobilityId": 59765, "scanner": "repobility-web-presence", "fingerprint": "ae387e8c6becb9b4e9f73bf4e6fa3e56bf76b60772363944d40d3059b3d7a921", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "robots.txt contains a global disallow rule for the root path.", "evidence": {"rule_id": "WEB004", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309"], "correlation_key": "fp|ae387e8c6becb9b4e9f73bf4e6fa3e56bf76b60772363944d40d3059b3d7a921"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 59763, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59758, "scanner": "repobility-journey-contract", "fingerprint": "4c9302a64bf2a50474be965d9e0a296ae89b7ef29f2c9be63865a8deb926e5f0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/users/{param}/profile/image", "correlation_key": "fp|4c9302a64bf2a50474be965d9e0a296ae89b7ef29f2c9be63865a8deb926e5f0", "backend_endpoint_count": 471}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/components/workspace/Prompts/PromptEditor.svelte"}, "region": {"startLine": 659}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59757, "scanner": "repobility-journey-contract", "fingerprint": "f2c2fe1f5c7fd7d077ba45b3555492332352665a56ab13db59245332094b77a7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/terminals", "correlation_key": "fp|f2c2fe1f5c7fd7d077ba45b3555492332352665a56ab13db59245332094b77a7", "backend_endpoint_count": 471}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/components/chat/FileNav/FilePreview.svelte"}, "region": {"startLine": 111}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 59756, "scanner": "repobility-journey-contract", "fingerprint": "96db6a896662a24aecf991b9fb139d3ad82a8c21143effd079c4dfc55023955f", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/routes/+layout.svelte|190|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/+layout.svelte"}, "region": {"startLine": 190}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 59755, "scanner": "repobility-journey-contract", "fingerprint": "4c7049733d650d1c63999b32046aa44dddbc1e8456cacd2be3415826dee0ee4b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|55|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/components/chat/XTerminal.svelte"}, "region": {"startLine": 55}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 59752, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 749, "file_path": "backend/open_webui/main.py", "docs_url_disabled": false, "redoc_url_disabled": true, "openapi_url_disabled": false}, {"line": 138, "file_path": "backend/open_webui/retrieval/web/yandex.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /events/{event_id}/delete."}, "properties": {"repobilityId": 59751, "scanner": "repobility-access-control", "fingerprint": "dab58df290ccca0fdde5a66839c40342751c028c416f9910c00700a35e2654cb", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/events/{event_id}/delete", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|316|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/calendar.py"}, "region": {"startLine": 316}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /events/{event_id}/update."}, "properties": {"repobilityId": 59750, "scanner": "repobility-access-control", "fingerprint": "83ff48e7361f3bc15e104ae3827071dd6e4b8e3da08ca152df980edd4b7d260e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/events/{event_id}/update", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|293|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/calendar.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /events/{event_id}."}, "properties": {"repobilityId": 59749, "scanner": "repobility-access-control", "fingerprint": "6c3581f81617ba63fa1cc810f6d2bf90c1bf9be38555b2d3c56bc506b7b79ca7", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/events/{event_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|281|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/calendar.py"}, "region": {"startLine": 281}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /events/search."}, "properties": {"repobilityId": 59748, "scanner": "repobility-access-control", "fingerprint": "acc4543259df9eb259967286c70ca60dd32435deeb26b5b9c29320c9e5ba6cfb", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/events/search", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|269|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/calendar.py"}, "region": {"startLine": 269}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /events/create."}, "properties": {"repobilityId": 59747, "scanner": "repobility-access-control", "fingerprint": "3c6d7a87d27d3eeb35ba1ad4b9fd710604bb54be607bb6c4ce4835ee7e32a90e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/events/create", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|262|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/calendar.py"}, "region": {"startLine": 262}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /."}, "properties": {"repobilityId": 59746, "scanner": "repobility-access-control", "fingerprint": "b5450705580c258ac33c0c511ad9c06e3d112eaf565febd09643266479ff0fa4", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|85|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/calendar.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /models/{url_idx}."}, "properties": {"repobilityId": 59745, "scanner": "repobility-access-control", "fingerprint": "9a60f9da28acd9ca2c3067399faec5481cb4f4cc8a2194ae583f1d39d6b3e642", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/models/{url_idx}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|570|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/openai.py"}, "region": {"startLine": 570}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /models."}, "properties": {"repobilityId": 59744, "scanner": "repobility-access-control", "fingerprint": "5f385f39b9b659542232e9ac1e08565b6853ac5506149956c966828afb99b5ca", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/models", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|569|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/openai.py"}, "region": {"startLine": 569}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/version/updates."}, "properties": {"repobilityId": 59743, "scanner": "repobility-access-control", "fingerprint": "322c9946595e31d54d5ec862f3e50b06699c38802fb7995cbe94d7d059a3b0c9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/version/updates", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|2568|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 2568}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/config."}, "properties": {"repobilityId": 59742, "scanner": "repobility-access-control", "fingerprint": "f1e6af0f929438fceb837753a5a0ec5d17acef7c2139297754a3587e5f2d930a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/config", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|2367|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 2367}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /oauth/clients/{client_id}/authorize."}, "properties": {"repobilityId": 59741, "scanner": "repobility-access-control", "fingerprint": "f8b8f3c1b95818baa43f509943d6e2dc05ab5b7dd6c49e6082a17c5145470f2d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/oauth/clients/{client_id}/authorize", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|2746|auc004", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 2746}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/version."}, "properties": {"repobilityId": 59740, "scanner": "repobility-access-control", "fingerprint": "0a36e86f21b983619c057af76edf4a00eaee79f40bb18c09e526194c9883fe3e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/version", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|2560|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 2560}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/webhook."}, "properties": {"repobilityId": 59739, "scanner": "repobility-access-control", "fingerprint": "251f95687f95a79a371811264d2f595c44b1f4eeb7338220cc5ed6314426d7f0", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/webhook", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|2553|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 2553}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/webhook."}, "properties": {"repobilityId": 59738, "scanner": "repobility-access-control", "fingerprint": "eaedb9a811481e55b089413bb67e71ea4430bef1f4abb27e743c83e8a03980f4", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/webhook", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|2546|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 2546}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/tasks/chat/{chat_id:path}/stop."}, "properties": {"repobilityId": 59737, "scanner": "repobility-access-control", "fingerprint": "6a1c4838082bdf4dbfb55a787d31780470ebe59881062ab6f98ac8747a162028", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/tasks/chat/{chat_id:path}/stop", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|2345|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 2345}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/tasks/chat/{chat_id:path}."}, "properties": {"repobilityId": 59736, "scanner": "repobility-access-control", "fingerprint": "5bed2825c347c334cf7aaa181be6de77ab7e0b535717a983b65c85322e6e6e67", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/tasks/chat/{chat_id:path}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|2327|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 2327}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/tasks."}, "properties": {"repobilityId": 59735, "scanner": "repobility-access-control", "fingerprint": "f8ec19b0fbd00ef7af4e443b2131c99272601eed75dfb8eee968008bee001866", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/tasks", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|2322|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 2322}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/tasks/stop/{task_id}."}, "properties": {"repobilityId": 59734, "scanner": "repobility-access-control", "fingerprint": "21183f3e68c71f522c85fffe009958be8d942794c3a15c359e119d441ca423fe", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/tasks/stop/{task_id}", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|2313|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 2313}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/models/unload."}, "properties": {"repobilityId": 59733, "scanner": "repobility-access-control", "fingerprint": "9ce6afbe0a6c10ff469fd701796bc7d52c754efcd0833fa08b9656095d92b8eb", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/models/unload", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|1538|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 1538}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/models/base."}, "properties": {"repobilityId": 59732, "scanner": "repobility-access-control", "fingerprint": "a0cf53c96022108487048569dec27e5633c9b7b23aba92b7f321b937b5166a7b", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/models/base", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|1528|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 1528}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 59721, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 59714, "scanner": "repobility-docker", "fingerprint": "9d9e2e6d60ee85350f6b84486d31b533bcec5043362e5ae734ca7c3e10c134fa", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9d9e2e6d60ee85350f6b84486d31b533bcec5043362e5ae734ca7c3e10c134fa", "missing_patterns": [".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 59713, "scanner": "repobility-agent-runtime", "fingerprint": "f57ee76d93189d0b0c5b47ef98217a9f1ee16898fe196d751b0d0e89416b0c36", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|f57ee76d93189d0b0c5b47ef98217a9f1ee16898fe196d751b0d0e89416b0c36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/components/layout/Sidebar.svelte"}, "region": {"startLine": 496}}}]}, {"ruleId": "SEC003", "level": "warning", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 59680, "scanner": "repobility-threat-engine", "fingerprint": "881f65e6753ce2a6652a2a55e387d0bad7bca5779896096481b49ade78a07f4f", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.9 bits) \u2014 may be placeholder or common string", "evidence": {"match": "SECRET_KEY=\"${WEBUI_SECRET_KEY:-}\"", "reason": "Low entropy value (3.9 bits) \u2014 may be placeholder or common string", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|backend/start.sh|6|secret_key webui_secret_key:-"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/start.sh"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 59678, "scanner": "repobility-threat-engine", "fingerprint": "f4ea22134ec47b26001f6d1635570e97351af5251e185a1e491bf51550c16bc5", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "verify = False", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|28|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/mcp/client.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 59664, "scanner": "repobility-threat-engine", "fingerprint": "c452245900b95714f8254f4a3fdd66eaf0c250bb99bf7a28ab277cf9532cabf2", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c452245900b95714f8254f4a3fdd66eaf0c250bb99bf7a28ab277cf9532cabf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/filter.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 59663, "scanner": "repobility-threat-engine", "fingerprint": "7d991940798aa9a477ec6fd061c9531eef657edc0b731e0e960af7b99a9648a8", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7d991940798aa9a477ec6fd061c9531eef657edc0b731e0e960af7b99a9648a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/web/main.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 59662, "scanner": "repobility-threat-engine", "fingerprint": "8b6a237ab78b9e4c1b3e314e8adfd7f439cefd765801d5325a4ab2bfc7f353cf", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8b6a237ab78b9e4c1b3e314e8adfd7f439cefd765801d5325a4ab2bfc7f353cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/loaders/external_document.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 59648, "scanner": "repobility-threat-engine", "fingerprint": "51e9673ae01a5df642af55d898abf2918517c5a3b3e90d1204c051fb3586a0cf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:  # single PK lookup + access grants\n            async with get_async_db_context(db) as session:", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|51e9673ae01a5df642af55d898abf2918517c5a3b3e90d1204c051fb3586a0cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/tools.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 59647, "scanner": "repobility-threat-engine", "fingerprint": "a1f34e0ce9344c1a840f029ca2d65134c80109c0847ff93c4300768e0f5f4243", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n            id = name.replace(' ', '_').lower()\n            async with get_async_db_context(db)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a1f34e0ce9344c1a840f029ca2d65134c80109c0847ff93c4300768e0f5f4243"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/tags.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 59646, "scanner": "repobility-threat-engine", "fingerprint": "3eb459e3899a3efca382be26d4fd6814f735ef676cb4da05cd700a2be3ddc229", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n                memory = await db.get(Memory, id)\n                if not memory or memory.user_", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3eb459e3899a3efca382be26d4fd6814f735ef676cb4da05cd700a2be3ddc229"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/memories.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `get_by_user_id` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, else=2, if=7, nested_bonus=8."}, "properties": {"repobilityId": 59638, "scanner": "repobility-threat-engine", "fingerprint": "f1ec1c96c8730807361a9af7901436a725ffb247e04101e8bebf82b09eb9479e", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 18 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_by_user_id", "breakdown": {"if": 7, "elif": 1, "else": 2, "nested_bonus": 8}, "complexity": 18, "correlation_key": "fp|f1ec1c96c8730807361a9af7901436a725ffb247e04101e8bebf82b09eb9479e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/shared_chats.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 59764, "scanner": "repobility-web-presence", "fingerprint": "482d9e620e7aee128dea059a6ecbc346bdc9a04f2769a648c687e9421a9bf6ff", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|482d9e620e7aee128dea059a6ecbc346bdc9a04f2769a648c687e9421a9bf6ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "static/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 59762, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 59761, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 59760, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 59753, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI", "Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 59720, "scanner": "repobility-docker", "fingerprint": "dc65b26ec33de275c09b8e18ca707b2bd5aadd28bc7a991b5501c026509cf05b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "open-webui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|dc65b26ec33de275c09b8e18ca707b2bd5aadd28bc7a991b5501c026509cf05b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 59717, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59712, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16e926ff37ffe6efa9c09fb4ca420b25d47cf819460123a97f6853e1a6a7d50e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/files/index.ts", "duplicate_line": 223, "correlation_key": "fp|16e926ff37ffe6efa9c09fb4ca420b25d47cf819460123a97f6853e1a6a7d50e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/functions/index.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d2dcefc92aebfa43da86bbecf724d26e1d56c68cffb9480294bfc1e096884701", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/channels/index.ts", "duplicate_line": 43, "correlation_key": "fp|d2dcefc92aebfa43da86bbecf724d26e1d56c68cffb9480294bfc1e096884701"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/functions/index.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d03bd85ed67b6c1c66daf3bfd0c5670a38288ea7df60ad872709e2d5cea7466e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/analytics/index.ts", "duplicate_line": 20, "correlation_key": "fp|d03bd85ed67b6c1c66daf3bfd0c5670a38288ea7df60ad872709e2d5cea7466e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/functions/index.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef36ea3468b2264e20fb71c6a28dd1f2b1c7fbc637cb677454ec1e9b2cdb0602", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/evaluations/index.ts", "duplicate_line": 40, "correlation_key": "fp|ef36ea3468b2264e20fb71c6a28dd1f2b1c7fbc637cb677454ec1e9b2cdb0602"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/functions/index.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "85ba70e0d91d39bc804f8f265071772acfe9841973c0a43394a19ea60686583b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/channels/index.ts", "duplicate_line": 43, "correlation_key": "fp|85ba70e0d91d39bc804f8f265071772acfe9841973c0a43394a19ea60686583b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/folders/index.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "563bb2059b901aa38f4d4ce3de698b1b61b9fdaa397f7847574d1dcc07d5c0df", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/files/index.ts", "duplicate_line": 111, "correlation_key": "fp|563bb2059b901aa38f4d4ce3de698b1b61b9fdaa397f7847574d1dcc07d5c0df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/folders/index.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "110ab8d280000b3c62d26733600269db6331671a0873f2e37c58c0a8bc7a93ac", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/analytics/index.ts", "duplicate_line": 14, "correlation_key": "fp|110ab8d280000b3c62d26733600269db6331671a0873f2e37c58c0a8bc7a93ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/files/index.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9279b3eca23a463f0d1e403546bfc74750480de4f385fe62df66bee3d126f27", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/channels/index.ts", "duplicate_line": 43, "correlation_key": "fp|b9279b3eca23a463f0d1e403546bfc74750480de4f385fe62df66bee3d126f27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/files/index.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "92ddb6ad39c15b7a3691b100dd3a62cf691bd6de1875abd9d922167841a10535", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/audio/index.ts", "duplicate_line": 65, "correlation_key": "fp|92ddb6ad39c15b7a3691b100dd3a62cf691bd6de1875abd9d922167841a10535"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/files/index.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f08ca2176e7c6fa451b004d83d835a2c114d06fa8c191877bba4e26205065531", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/automations/index.ts", "duplicate_line": 209, "correlation_key": "fp|f08ca2176e7c6fa451b004d83d835a2c114d06fa8c191877bba4e26205065531"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/evaluations/index.ts"}, "region": {"startLine": 295}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "026c63f91b2e7196a5c475cd30c74b50ee7b92e85898ff61b2b27b4713d05078", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/analytics/index.ts", "duplicate_line": 20, "correlation_key": "fp|026c63f91b2e7196a5c475cd30c74b50ee7b92e85898ff61b2b27b4713d05078"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/evaluations/index.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0dc04f95b14860bb7d97ff43c756bb17285d9ed57fe81dd9fbe1526d536619f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/channels/index.ts", "duplicate_line": 43, "correlation_key": "fp|0dc04f95b14860bb7d97ff43c756bb17285d9ed57fe81dd9fbe1526d536619f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/evaluations/index.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05b4da9c14dce8ac467e41bb3fee682d4bd397c64895703872ddb11b3fe043a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/audio/index.ts", "duplicate_line": 41, "correlation_key": "fp|05b4da9c14dce8ac467e41bb3fee682d4bd397c64895703872ddb11b3fe043a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/configs/index.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27d18fc5c17f0b2b8fd40bb0b25cbe3465fbaecffaf2b365260ea805276742dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/analytics/index.ts", "duplicate_line": 228, "correlation_key": "fp|27d18fc5c17f0b2b8fd40bb0b25cbe3465fbaecffaf2b365260ea805276742dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/channels/index.ts"}, "region": {"startLine": 338}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1271c601b6b3b9764ba3ae2de8ef407547cbc7545acb2c89325433ef017fd58b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/audio/index.ts", "duplicate_line": 11, "correlation_key": "fp|1271c601b6b3b9764ba3ae2de8ef407547cbc7545acb2c89325433ef017fd58b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/channels/index.ts"}, "region": {"startLine": 152}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cef9cff5f79ff66c663c43eab0d2598f7171c4cd77347747a16b78036ba37ed6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/auths/index.ts", "duplicate_line": 484, "correlation_key": "fp|cef9cff5f79ff66c663c43eab0d2598f7171c4cd77347747a16b78036ba37ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/channels/index.ts"}, "region": {"startLine": 146}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee1426999ab321bf0251cb6e09bcc10288611b053ba76a71602b946215ce0e5f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/automations/index.ts", "duplicate_line": 87, "correlation_key": "fp|ee1426999ab321bf0251cb6e09bcc10288611b053ba76a71602b946215ce0e5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/calendar/index.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59695, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22fd459ab080d9048685897d6a79229c38b4a2634312b3c7875b459050e77444", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/analytics/index.ts", "duplicate_line": 14, "correlation_key": "fp|22fd459ab080d9048685897d6a79229c38b4a2634312b3c7875b459050e77444"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/calendar/index.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59694, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d2efa92d094ffa4d30c987704f9b76acb65a6d1eba6428945160557ed776fba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/analytics/index.ts", "duplicate_line": 14, "correlation_key": "fp|1d2efa92d094ffa4d30c987704f9b76acb65a6d1eba6428945160557ed776fba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/automations/index.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59693, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0cccf2850557920998302ab974eb3d885a93f1a1cede0a44adb85027df33e101", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/audio/index.ts", "duplicate_line": 5, "correlation_key": "fp|0cccf2850557920998302ab974eb3d885a93f1a1cede0a44adb85027df33e101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/auths/index.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59692, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16d4f1e6934fe55e29b071f420c2aa1de68e188e35e42c9f79dac01118fc078e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/apis/analytics/index.ts", "duplicate_line": 20, "correlation_key": "fp|16d4f1e6934fe55e29b071f420c2aa1de68e188e35e42c9f79dac01118fc078e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/apis/audio/index.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59691, "scanner": "repobility-ai-code-hygiene", "fingerprint": "292791ce0e7da78e472115eaf82be8eb9713d3077d07263ca0d430579308ebc3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/open_webui/routers/groups.py", "duplicate_line": 248, "correlation_key": "fp|292791ce0e7da78e472115eaf82be8eb9713d3077d07263ca0d430579308ebc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/users.py"}, "region": {"startLine": 535}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59690, "scanner": "repobility-ai-code-hygiene", "fingerprint": "851a52f5c6136f8bc5a54af60d8d7a12445c44f2f735e7f794dc96289f7f638a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/open_webui/routers/models.py", "duplicate_line": 101, "correlation_key": "fp|851a52f5c6136f8bc5a54af60d8d7a12445c44f2f735e7f794dc96289f7f638a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/users.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59689, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89cadd6f0f95e39a58a1d1969781738cbf3a36c46c13ffeb9068b34163c0aebe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/open_webui/routers/skills.py", "duplicate_line": 177, "correlation_key": "fp|89cadd6f0f95e39a58a1d1969781738cbf3a36c46c13ffeb9068b34163c0aebe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/tools.py"}, "region": {"startLine": 328}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59688, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91004f223ceee0ce0e1de9ae82bb0df081381039c1a04375b12c30db9579eafb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/open_webui/routers/functions.py", "duplicate_line": 45, "correlation_key": "fp|91004f223ceee0ce0e1de9ae82bb0df081381039c1a04375b12c30db9579eafb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/tools.py"}, "region": {"startLine": 176}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59687, "scanner": "repobility-ai-code-hygiene", "fingerprint": "485488f154fa5c9bb8bdd7a649ba2d8f99cbe3940f21ee1dd7e5fae3c6ac9d7f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/open_webui/routers/models.py", "duplicate_line": 98, "correlation_key": "fp|485488f154fa5c9bb8bdd7a649ba2d8f99cbe3940f21ee1dd7e5fae3c6ac9d7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/prompts.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59686, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d954821eabb1cd9664d2e4828d3f72441d78016a5d6af57c33558b87c4019a07", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/open_webui/retrieval/vector/dbs/qdrant.py", "duplicate_line": 7, "correlation_key": "fp|d954821eabb1cd9664d2e4828d3f72441d78016a5d6af57c33558b87c4019a07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/vector/dbs/qdrant_multitenancy.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59685, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca683761e48fdaf0d6a620d652d26283627f763bc71feddd78f031b31dc07883", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/open_webui/retrieval/vector/dbs/opengauss.py", "duplicate_line": 9, "correlation_key": "fp|ca683761e48fdaf0d6a620d652d26283627f763bc71feddd78f031b31dc07883"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/vector/dbs/pgvector.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a2c3ccb841aea9a717960e340eb89297e5621bf9c1fb3387d9fe5d010f33215", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/open_webui/retrieval/vector/dbs/elasticsearch.py", "duplicate_line": 59, "correlation_key": "fp|7a2c3ccb841aea9a717960e340eb89297e5621bf9c1fb3387d9fe5d010f33215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/vector/dbs/opensearch.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59683, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9972984f48572e226aaeafe4ee0031ae4b4da181e5844aac91a1147d637a0c33", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/open_webui/retrieval/vector/dbs/milvus.py", "duplicate_line": 11, "correlation_key": "fp|9972984f48572e226aaeafe4ee0031ae4b4da181e5844aac91a1147d637a0c33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/vector/dbs/milvus_multitenancy.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 59682, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a3ceac7ab20faf8bc41676e545fbcd1e632e5ef77d477bb5968cf64b7ca70fb3", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "old", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|a3ceac7ab20faf8bc41676e545fbcd1e632e5ef77d477bb5968cf64b7ca70fb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/utils/_template_old.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `__getattr__` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, if=4, nested_bonus=4."}, "properties": {"repobilityId": 59637, "scanner": "repobility-threat-engine", "fingerprint": "5cdba0a8fd0a0116d4dac34c13104f5d141d1512352ab69100d57890624caf26", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "__getattr__", "breakdown": {"if": 4, "except": 1, "nested_bonus": 4}, "complexity": 9, "correlation_key": "fp|5cdba0a8fd0a0116d4dac34c13104f5d141d1512352ab69100d57890624caf26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/internal/config.py"}, "region": {"startLine": 236}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 59636, "scanner": "repobility-threat-engine", "fingerprint": "469e3e0bc9c1d584bd691948114766bbbc7dbe98d79bf2bcf29f36b7b936765e", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'<level>{message}</level>' + extra_format + '\\n{exception}'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|469e3e0bc9c1d584bd691948114766bbbc7dbe98d79bf2bcf29f36b7b936765e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/logger.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 59635, "scanner": "repobility-threat-engine", "fingerprint": "a48bedca27bd06a0baf6cdf55e5e22d3722a93443bbe006139ca4034ccd67b48", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'metadata.' + str(field) + '", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a48bedca27bd06a0baf6cdf55e5e22d3722a93443bbe006139ca4034ccd67b48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/vector/dbs/opensearch.py"}, "region": {"startLine": 162}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 59634, "scanner": "repobility-threat-engine", "fingerprint": "a6fd7dbfd4de3b751ec8a8ead984b3638957f3affe19abe8a6a7cbf3aa80b816", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"[ERROR: \" + str(err) + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a6fd7dbfd4de3b751ec8a8ead984b3638957f3affe19abe8a6a7cbf3aa80b816"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/constants.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `open-webui` image is selected through a build variable"}, "properties": {"repobilityId": 59719, "scanner": "repobility-docker", "fingerprint": "d192c597baeaf83116a8442e6fab3e7051c00938efa9ae56d6d9c58b2cfcfdb8", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/open-webui/open-webui:${WEBUI_DOCKER_TAG-main}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d192c597baeaf83116a8442e6fab3e7051c00938efa9ae56d6d9c58b2cfcfdb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ollama` image is selected through a build variable"}, "properties": {"repobilityId": 59718, "scanner": "repobility-docker", "fingerprint": "12aeab91261d57627887efdb8fa1fe2fe3a66efd9e236c55819fed5bb2d3787d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ollama/ollama:${OLLAMA_DOCKER_TAG-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|12aeab91261d57627887efdb8fa1fe2fe3a66efd9e236c55819fed5bb2d3787d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 59681, "scanner": "repobility-threat-engine", "fingerprint": "a47500dcb5dd8630e3186c195d4356ba3278ee55312c633df4483e18c915d13e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a47500dcb5dd8630e3186c195d4356ba3278ee55312c633df4483e18c915d13e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/prepare-pyodide.js"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 59677, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 59676, "scanner": "repobility-threat-engine", "fingerprint": "2bc56c8a16366fa4aff0f86c4a3323d0aa5e774a41ce5413cbd283afbda782d3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2bc56c8a16366fa4aff0f86c4a3323d0aa5e774a41ce5413cbd283afbda782d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/webhook.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 59675, "scanner": "repobility-threat-engine", "fingerprint": "be51f6f0315fdcb251f1dd7c9e571b2d3379b98a6dbe9ba435084109f96792c1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be51f6f0315fdcb251f1dd7c9e571b2d3379b98a6dbe9ba435084109f96792c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/validate.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 59674, "scanner": "repobility-threat-engine", "fingerprint": "b05394818b0167014cb9746f6bb6eab370fb008aca778b341fda19044103d959", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b05394818b0167014cb9746f6bb6eab370fb008aca778b341fda19044103d959"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/images/comfyui.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 59672, "scanner": "repobility-threat-engine", "fingerprint": "71b38a4f77a05f6bfd16b2fbcd1b951e2a53f712faa7be5e8d969d6783a4c212", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|71b38a4f77a05f6bfd16b2fbcd1b951e2a53f712faa7be5e8d969d6783a4c212"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 59668, "scanner": "repobility-threat-engine", "fingerprint": "8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8"}}}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 59661, "scanner": "repobility-threat-engine", "fingerprint": "3ed4a11ec48650075e843160edf55362aa121897a652d0286a1dc826dd94d954", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3ed4a11ec48650075e843160edf55362aa121897a652d0286a1dc826dd94d954", "aggregated_count": 1}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 59657, "scanner": "repobility-threat-engine", "fingerprint": "233c5ff424bf50cd15192d14743f67b90793bfa1fab81c490adaa04a81aadf90", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|233c5ff424bf50cd15192d14743f67b90793bfa1fab81c490adaa04a81aadf90", "aggregated_count": 17}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 59656, "scanner": "repobility-threat-engine", "fingerprint": "6a8f205498c3610e2797093b9c0915ac8b78ebd1436c59596b78e3a5098eaa81", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a8f205498c3610e2797093b9c0915ac8b78ebd1436c59596b78e3a5098eaa81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/loaders/external_web.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 59655, "scanner": "repobility-threat-engine", "fingerprint": "22c7d80f097e4be1eaf4effc1418c9c453f1c7e17eb723aa368bb7b1982adb0d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|22c7d80f097e4be1eaf4effc1418c9c453f1c7e17eb723aa368bb7b1982adb0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/loaders/external_document.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 59654, "scanner": "repobility-threat-engine", "fingerprint": "5829678063dfbd1626774632e8050c1647cf7dbfe65da4ed6a91c790142a50ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5829678063dfbd1626774632e8050c1647cf7dbfe65da4ed6a91c790142a50ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/loaders/datalab_marker.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 59653, "scanner": "repobility-threat-engine", "fingerprint": "60ea8b64e0e0b055aafeb008900f1204b39f3dd5ae6bf83646af00e4d894de02", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|60ea8b64e0e0b055aafeb008900f1204b39f3dd5ae6bf83646af00e4d894de02"}}}, {"ruleId": "SEC136", "level": "none", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 59649, "scanner": "repobility-threat-engine", "fingerprint": "177c770515f587906108b42e96cd3338ec47ddf67f686d5997cc1b924f1a1bdf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|177c770515f587906108b42e96cd3338ec47ddf67f686d5997cc1b924f1a1bdf"}}}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 59645, "scanner": "repobility-threat-engine", "fingerprint": "ca2a9c8bff0b2b16c725bf0c6cbafb554e8f49f72f84b9e5c3736438d6bee1f1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca2a9c8bff0b2b16c725bf0c6cbafb554e8f49f72f84b9e5c3736438d6bee1f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/auths.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 59644, "scanner": "repobility-threat-engine", "fingerprint": "87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 57 more): Same pattern found in 57 additional files. Review if needed."}, "properties": {"repobilityId": 59640, "scanner": "repobility-threat-engine", "fingerprint": "18d68a6eee36bb39f2a40a071b4f688647f43b11c60f2adefda97496e56ac780", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 57 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "__getattr__", "breakdown": {"if": 4, "except": 1, "nested_bonus": 4}, "aggregated": true, "complexity": 9, "correlation_key": "fp|18d68a6eee36bb39f2a40a071b4f688647f43b11c60f2adefda97496e56ac780", "aggregated_count": 57}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 59632, "scanner": "repobility-threat-engine", "fingerprint": "091a09b8c764f855918622fcf41c76ebcaf1ff1f761099248b190e861f32eaba", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|091a09b8c764f855918622fcf41c76ebcaf1ff1f761099248b190e861f32eaba", "aggregated_count": 10}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 59631, "scanner": "repobility-threat-engine", "fingerprint": "239a3c91063d5fc50d9fe2b8f269cded6a74a65f57d7f853346f6fe06ed75ea5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|239a3c91063d5fc50d9fe2b8f269cded6a74a65f57d7f853346f6fe06ed75ea5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/loaders/external_document.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 59630, "scanner": "repobility-threat-engine", "fingerprint": "fa4f65f5a1cc3ffd5f2ee3ec55c89c6797b4c4d0bd7040268d83267a4a8c4e4c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fa4f65f5a1cc3ffd5f2ee3ec55c89c6797b4c4d0bd7040268d83267a4a8c4e4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/auths.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 59629, "scanner": "repobility-threat-engine", "fingerprint": "9b74adb7ff29ba10f45eb4a43effa86f77fc84090ee11de2dea6781c27250d04", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9b74adb7ff29ba10f45eb4a43effa86f77fc84090ee11de2dea6781c27250d04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/__init__.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59863, "scanner": "repobility-supply-chain", "fingerprint": "7b7e566f390826a3af49d6c1fbb19a4a48e2d1c10551bfd62d5d4c2b48ece137", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b7e566f390826a3af49d6c1fbb19a4a48e2d1c10551bfd62d5d4c2b48ece137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend.yaml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59862, "scanner": "repobility-supply-chain", "fingerprint": "bf414f0590d23025e559eb0fea7c29d253411edd2b126c52d1e6211b14e07dd7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf414f0590d23025e559eb0fea7c29d253411edd2b126c52d1e6211b14e07dd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend.yaml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v5`: `uses: actions/download-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59861, "scanner": "repobility-supply-chain", "fingerprint": "a1c7e10691811d2028a0f99c32b71ba4096ce8fd3d675733bdcf999b50e8b789", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a1c7e10691811d2028a0f99c32b71ba4096ce8fd3d675733bdcf999b50e8b789"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yaml"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59860, "scanner": "repobility-supply-chain", "fingerprint": "9b31a678c8f444073350932aba13a5cb6d77d6dd3a0180741925898f889ed53d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b31a678c8f444073350932aba13a5cb6d77d6dd3a0180741925898f889ed53d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yaml"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59859, "scanner": "repobility-supply-chain", "fingerprint": "45396205389033c57afdf1c1392e638fc392d3f9b83ab051fa546b54ef2ee587", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45396205389033c57afdf1c1392e638fc392d3f9b83ab051fa546b54ef2ee587"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yaml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`: `uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59858, "scanner": "repobility-supply-chain", "fingerprint": "d74d640cf935107d324b62c32986a644294a992b59be6d5bbce1cdfe5d127106", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d74d640cf935107d324b62c32986a644294a992b59be6d5bbce1cdfe5d127106"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-pypi.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59857, "scanner": "repobility-supply-chain", "fingerprint": "5415204dcf2c79034465708b140fe0557384a0b4ba6ae9fb17aaff19fdfb1f37", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5415204dcf2c79034465708b140fe0557384a0b4ba6ae9fb17aaff19fdfb1f37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-pypi.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v5`: `uses: actions/setup-node@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59856, "scanner": "repobility-supply-chain", "fingerprint": "ddde727c1d7d634999db968ec40e74edc9794abf6ec3afe75dfffa089c3ff1bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ddde727c1d7d634999db968ec40e74edc9794abf6ec3afe75dfffa089c3ff1bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-pypi.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59855, "scanner": "repobility-supply-chain", "fingerprint": "fc59b1e03c315646526d8456bb1c559076e08bfa8f353fb0cf34ebefbb4e8db2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc59b1e03c315646526d8456bb1c559076e08bfa8f353fb0cf34ebefbb4e8db2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-pypi.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59854, "scanner": "repobility-supply-chain", "fingerprint": "d06e3745a132a2c22b74fea77a07d226aa047f68b7ae4b308ef4ae9e856c363a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d06e3745a132a2c22b74fea77a07d226aa047f68b7ae4b308ef4ae9e856c363a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59853, "scanner": "repobility-supply-chain", "fingerprint": "641a149dd979033404c35631e8d2503381e870ff68d312a8383c6f1a65216709", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|641a149dd979033404c35631e8d2503381e870ff68d312a8383c6f1a65216709"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59852, "scanner": "repobility-supply-chain", "fingerprint": "cb9452e1e667bb7b2c0ba8fa5660dcb98cad0c6508f2b33c93d2c80f9efda0ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb9452e1e667bb7b2c0ba8fa5660dcb98cad0c6508f2b33c93d2c80f9efda0ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v5`: `uses: actions/setup-node@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59851, "scanner": "repobility-supply-chain", "fingerprint": "aaf042de84af9788b1ec3469f2ff162d525e382afebd9a2281a42d27bf0b7beb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aaf042de84af9788b1ec3469f2ff162d525e382afebd9a2281a42d27bf0b7beb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/frontend.yaml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59850, "scanner": "repobility-supply-chain", "fingerprint": "bf4618a38c482b2ab1daea4162f83f57ba9eeaf2076bf56a350ad7b9016f66ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf4618a38c482b2ab1daea4162f83f57ba9eeaf2076bf56a350ad7b9016f66ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/frontend.yaml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v5`: `uses: actions/setup-node@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59849, "scanner": "repobility-supply-chain", "fingerprint": "0a65f365f3d6559062630257618c8ac7c37c8e3454ae076ec5ccc5809f30f884", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a65f365f3d6559062630257618c8ac7c37c8e3454ae076ec5ccc5809f30f884"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/frontend.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59848, "scanner": "repobility-supply-chain", "fingerprint": "a91599da3990d2a7e507743d8313e2ae2038850f60af6079b77f84e6d1ef7b81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a91599da3990d2a7e507743d8313e2ae2038850f60af6079b77f84e6d1ef7b81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/frontend.yaml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.15.5`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.15.5`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 59839, "scanner": "repobility-supply-chain", "fingerprint": "f76399488c94e64b0b2438b61debf8a8672b632132245d7261e308fe5760e654", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f76399488c94e64b0b2438b61debf8a8672b632132245d7261e308fe5760e654"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11-slim-bookworm` not pinned by digest: `FROM python:3.11-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 59838, "scanner": "repobility-supply-chain", "fingerprint": "b1c263fd12ec8460570631b923e4398a41b488a528eb5eefc998f589ba0f9b04", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1c263fd12ec8460570631b923e4398a41b488a528eb5eefc998f589ba0f9b04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `_inner`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 59826, "scanner": "repobility-ast-engine", "fingerprint": "0a0267acc6c91f32858a9c9a7fc7817887c96952bd8bada4170722bda948aa95", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0a0267acc6c91f32858a9c9a7fc7817887c96952bd8bada4170722bda948aa95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/redis.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._current_bucket` used but never assigned in __init__: Method `_get_count_memory` of class `RateLimiter` reads `self._current_bucket`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59822, "scanner": "repobility-ast-engine", "fingerprint": "b8f1500f882e082372aa52f1bcea2c084c3fa9bc532b8a52d97f1b5fa0093aed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b8f1500f882e082372aa52f1bcea2c084c3fa9bc532b8a52d97f1b5fa0093aed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._current_bucket` used but never assigned in __init__: Method `_is_limited_memory` of class `RateLimiter` reads `self._current_bucket`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59821, "scanner": "repobility-ast-engine", "fingerprint": "6595cc37c0967a2e9937647769fb6884424570409cf94b21d795c9cb88cb5495", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6595cc37c0967a2e9937647769fb6884424570409cf94b21d795c9cb88cb5495"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._bucket_key` used but never assigned in __init__: Method `_get_count_redis` of class `RateLimiter` reads `self._bucket_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59820, "scanner": "repobility-ast-engine", "fingerprint": "f3503b34e82880925951c648ac6b8dc53409f3dfe476ca2941ffca1ff709b561", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f3503b34e82880925951c648ac6b8dc53409f3dfe476ca2941ffca1ff709b561"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._current_bucket` used but never assigned in __init__: Method `_get_count_redis` of class `RateLimiter` reads `self._current_bucket`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59819, "scanner": "repobility-ast-engine", "fingerprint": "f3736e7fe283795af0aca20c868f18ee85ca0a679201ad2062f2f8bc4ba84385", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f3736e7fe283795af0aca20c868f18ee85ca0a679201ad2062f2f8bc4ba84385"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._bucket_key` used but never assigned in __init__: Method `_is_limited_redis` of class `RateLimiter` reads `self._bucket_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59818, "scanner": "repobility-ast-engine", "fingerprint": "0e5bbec48371c01d8da79f542230412d6384db56568bdfcb38efb640322cc2a3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0e5bbec48371c01d8da79f542230412d6384db56568bdfcb38efb640322cc2a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._bucket_key` used but never assigned in __init__: Method `_is_limited_redis` of class `RateLimiter` reads `self._bucket_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59817, "scanner": "repobility-ast-engine", "fingerprint": "1c48c075ca856cd0ae0cc21446f03261ebc8ef07ff2e78655ea1e8f10e17dde1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1c48c075ca856cd0ae0cc21446f03261ebc8ef07ff2e78655ea1e8f10e17dde1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._current_bucket` used but never assigned in __init__: Method `_is_limited_redis` of class `RateLimiter` reads `self._current_bucket`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59816, "scanner": "repobility-ast-engine", "fingerprint": "8100fbcd7f61e9d74ef1098271062fadb0ba93a2c6ace7825449184fd6f23c2d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8100fbcd7f61e9d74ef1098271062fadb0ba93a2c6ace7825449184fd6f23c2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_count` used but never assigned in __init__: Method `remaining` of class `RateLimiter` reads `self.get_count`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59815, "scanner": "repobility-ast-engine", "fingerprint": "620258a26f007f3529cf3e38012dd7cb7abe15157df9b46342a4c4de75259ef4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|620258a26f007f3529cf3e38012dd7cb7abe15157df9b46342a4c4de75259ef4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_count_memory` used but never assigned in __init__: Method `get_count` of class `RateLimiter` reads `self._get_count_memory`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59814, "scanner": "repobility-ast-engine", "fingerprint": "c3b926a1fbc0d3a6414a0ab1946395319a13b64a5b8bd6460558c619f31f6e0a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c3b926a1fbc0d3a6414a0ab1946395319a13b64a5b8bd6460558c619f31f6e0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_count_redis` used but never assigned in __init__: Method `get_count` of class `RateLimiter` reads `self._get_count_redis`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59813, "scanner": "repobility-ast-engine", "fingerprint": "94efcd8508cde658a05166d978f77b60e9b4de49b8d964a3d0da47526fb902f6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|94efcd8508cde658a05166d978f77b60e9b4de49b8d964a3d0da47526fb902f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_count_memory` used but never assigned in __init__: Method `get_count` of class `RateLimiter` reads `self._get_count_memory`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59812, "scanner": "repobility-ast-engine", "fingerprint": "08e6d50504fa426a193252eff794b99e83a24ad37b4cbfe01a3d1d3cc9b6e502", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08e6d50504fa426a193252eff794b99e83a24ad37b4cbfe01a3d1d3cc9b6e502"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._redis_available` used but never assigned in __init__: Method `get_count` of class `RateLimiter` reads `self._redis_available`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59811, "scanner": "repobility-ast-engine", "fingerprint": "c92cc9a5236a340033b08962d1078245116b474c994ea151bcc92fd6ecf6a323", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c92cc9a5236a340033b08962d1078245116b474c994ea151bcc92fd6ecf6a323"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._is_limited_memory` used but never assigned in __init__: Method `is_limited` of class `RateLimiter` reads `self._is_limited_memory`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59810, "scanner": "repobility-ast-engine", "fingerprint": "a183eb879f2e081a325884381acbdb9caecfebe0c044a6d5069c0bf949c1145f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a183eb879f2e081a325884381acbdb9caecfebe0c044a6d5069c0bf949c1145f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._is_limited_redis` used but never assigned in __init__: Method `is_limited` of class `RateLimiter` reads `self._is_limited_redis`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59809, "scanner": "repobility-ast-engine", "fingerprint": "ac0b681c2348e4ca1a8bcc2ce62f48aa7a1be11f40829545c947c30f3c61f447", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ac0b681c2348e4ca1a8bcc2ce62f48aa7a1be11f40829545c947c30f3c61f447"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._is_limited_memory` used but never assigned in __init__: Method `is_limited` of class `RateLimiter` reads `self._is_limited_memory`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59808, "scanner": "repobility-ast-engine", "fingerprint": "6933b742ba16e6ba35eef757225603bf57ab970fec3cce22a23d9b2f46b3c7c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6933b742ba16e6ba35eef757225603bf57ab970fec3cce22a23d9b2f46b3c7c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._redis_available` used but never assigned in __init__: Method `is_limited` of class `RateLimiter` reads `self._redis_available`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59807, "scanner": "repobility-ast-engine", "fingerprint": "2a00a0a93cf1e3ce462806b1c3b8d84cccc92525840b0dd68dc4ef218a1cb436", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2a00a0a93cf1e3ce462806b1c3b8d84cccc92525840b0dd68dc4ef218a1cb436"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/rate_limit.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.clear_document` used but never assigned in __init__: Method `remove_user_from_all_documents` of class `YdocManager` reads `self.clear_document`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59804, "scanner": "repobility-ast-engine", "fingerprint": "c3e197442f724bee9fb41559dd5a2723fa3be324673d8c38e7a5866b83e0629a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c3e197442f724bee9fb41559dd5a2723fa3be324673d8c38e7a5866b83e0629a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/socket/utils.py"}, "region": {"startLine": 291}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_users` used but never assigned in __init__: Method `remove_user_from_all_documents` of class `YdocManager` reads `self.get_users`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59803, "scanner": "repobility-ast-engine", "fingerprint": "445566d40dd5dfe4a10cb84a1c9f25bb7bd6285cfb34ac83c248d967020a3671", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|445566d40dd5dfe4a10cb84a1c9f25bb7bd6285cfb34ac83c248d967020a3671"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/socket/utils.py"}, "region": {"startLine": 278}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.clear_document` used but never assigned in __init__: Method `remove_user_from_all_documents` of class `YdocManager` reads `self.clear_document`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59802, "scanner": "repobility-ast-engine", "fingerprint": "1e522a4e69505898f006f16de1d9b87d2c0fbf1660f769d913db3950c8964d38", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1e522a4e69505898f006f16de1d9b87d2c0fbf1660f769d913db3950c8964d38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/socket/utils.py"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._compact_updates_redis` used but never assigned in __init__: Method `append_to_updates` of class `YdocManager` reads `self._compact_updates_redis`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59801, "scanner": "repobility-ast-engine", "fingerprint": "22fa987ac6c17e1652ef03c050a95b12da7ed7c3f15932e2cdb7a1827ded910a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22fa987ac6c17e1652ef03c050a95b12da7ed7c3f15932e2cdb7a1827ded910a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/socket/utils.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._compact_updates_memory` used but never assigned in __init__: Method `append_to_updates` of class `YdocManager` reads `self._compact_updates_memory`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59800, "scanner": "repobility-ast-engine", "fingerprint": "7967a86d8a97cc33300cb494cd63f38cf6fdf437973cd0caad5c32e9aba6f3da", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7967a86d8a97cc33300cb494cd63f38cf6fdf437973cd0caad5c32e9aba6f3da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/socket/utils.py"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._extract_s3_key` used but never assigned in __init__: Method `delete_file` of class `S3StorageProvider` reads `self._extract_s3_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59795, "scanner": "repobility-ast-engine", "fingerprint": "6cc7725e7967da031a06d96aff73b31e3045ac22a4dd7ac197910b25f18edb57", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6cc7725e7967da031a06d96aff73b31e3045ac22a4dd7ac197910b25f18edb57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/storage/provider.py"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_local_file_path` used but never assigned in __init__: Method `get_file` of class `S3StorageProvider` reads `self._get_local_file_path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59794, "scanner": "repobility-ast-engine", "fingerprint": "04ea3f8b85007a840ae592604bdb10843f910685987ea1026c18b580f5f82456", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|04ea3f8b85007a840ae592604bdb10843f910685987ea1026c18b580f5f82456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/storage/provider.py"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._extract_s3_key` used but never assigned in __init__: Method `get_file` of class `S3StorageProvider` reads `self._extract_s3_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59793, "scanner": "repobility-ast-engine", "fingerprint": "41298c19e32b4b6cad7526a7697e8646e5cc4e941d2c1afc8cd0baed9c6f7a48", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|41298c19e32b4b6cad7526a7697e8646e5cc4e941d2c1afc8cd0baed9c6f7a48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/storage/provider.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sanitize_tag_value` used but never assigned in __init__: Method `upload_file` of class `S3StorageProvider` reads `self.sanitize_tag_value`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59792, "scanner": "repobility-ast-engine", "fingerprint": "9bcc0c40272008ef60f0b1fb5cb16507e5617cf6a26d41a51c50e7f67f925049", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9bcc0c40272008ef60f0b1fb5cb16507e5617cf6a26d41a51c50e7f67f925049"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/storage/provider.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 59759, "scanner": "repobility-journey-contract", "fingerprint": "2b5a5ddd041c39567ffb711f34eb4c2ba7873bdf050eb0d54a564f39af2dba75", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|389|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 6}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/components/admin/Users/Groups/Permissions.svelte"}, "region": {"startLine": 389}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{user_id}/profile/image."}, "properties": {"repobilityId": 59731, "scanner": "repobility-access-control", "fingerprint": "8db2871e29da24bb311cdbd1bd12c8804c277c1dbde20b43228bd52905e28d1c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{user_id}/profile/image", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|481|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/users.py"}, "region": {"startLine": 481}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /list/user/{user_id}."}, "properties": {"repobilityId": 59730, "scanner": "repobility-access-control", "fingerprint": "b776de34bcbd5604c115f98bc4dfdb92442f02b5682e5dcb4dbcb066b85ba604", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/list/user/{user_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|515|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/chats.py"}, "region": {"startLine": 515}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /{memory_id}/update."}, "properties": {"repobilityId": 59729, "scanner": "repobility-access-control", "fingerprint": "499cd250924794f1573c3edde86f7c51c39e6fadddf3229b30a052c42ca42aaa", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{memory_id}/update", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|282|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/memories.py"}, "region": {"startLine": 282}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{id}/files."}, "properties": {"repobilityId": 59728, "scanner": "repobility-access-control", "fingerprint": "cfbab88713617162124de33cac1afa8649461863be7c60756acb7f80f698877d", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{id}/files", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|625|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/knowledge.py"}, "region": {"startLine": 625}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /{id}/update."}, "properties": {"repobilityId": 59727, "scanner": "repobility-access-control", "fingerprint": "8b2d79bcd2313942e943be56e13a06a650b27b8c8982bd29af7aa022806fbe11", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{id}/update", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|438|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/knowledge.py"}, "region": {"startLine": 438}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /{pipeline_id}/valves/update."}, "properties": {"repobilityId": 59726, "scanner": "repobility-access-control", "fingerprint": "9be7029809292740c335b42ca59148c3ad632a689792786dda5bf652e81efe34", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{pipeline_id}/valves/update", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|492|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/pipelines.py"}, "region": {"startLine": 492}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{pipeline_id}/valves/spec."}, "properties": {"repobilityId": 59725, "scanner": "repobility-access-control", "fingerprint": "2af0bcdb21a535c02803ed82f9d4ff88cd12ab94bb950a274d0f59a0514bb949", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{pipeline_id}/valves/spec", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|451|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/pipelines.py"}, "region": {"startLine": 451}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{pipeline_id}/valves."}, "properties": {"repobilityId": 59724, "scanner": "repobility-access-control", "fingerprint": "ae1fd1131afb7724bd779f16b184dd43a5fa726501dd51371fb570f8b05724b3", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{pipeline_id}/valves", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|410|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/pipelines.py"}, "region": {"startLine": 410}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/tasks/stop/{task_id}."}, "properties": {"repobilityId": 59723, "scanner": "repobility-access-control", "fingerprint": "bda1b9a1aa52d2d5eca91a962efa5107b2fa14d431dc579a59cab166c30a8c0d", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/tasks/stop/{task_id}", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|2313|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 2313}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/chat/actions/{action_id}."}, "properties": {"repobilityId": 59722, "scanner": "repobility-access-control", "fingerprint": "2387c54b1768450d68f777b8006622ad2b3a1fafc178be3266c8e77f95dcec72", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/chat/actions/{action_id}", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|backend/open_webui/main.py|2296|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/main.py"}, "region": {"startLine": 2296}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 59716, "scanner": "repobility-docker", "fingerprint": "ab47ef9765fcdd9cf57bdabc262313ea54f3ddab40bcdf007b381c17f96a498f", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ab47ef9765fcdd9cf57bdabc262313ea54f3ddab40bcdf007b381c17f96a498f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 59679, "scanner": "repobility-threat-engine", "fingerprint": "d899073847a404a911c1b73914f9cce3e6f681648fd16accf31b44fb518a9ec5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d899073847a404a911c1b73914f9cce3e6f681648fd16accf31b44fb518a9ec5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/mcp/client.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 59673, "scanner": "repobility-threat-engine", "fingerprint": "a421780bc673e5197b44af892f1f3e753c719a408465b72fb3e0100574ee33ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a421780bc673e5197b44af892f1f3e753c719a408465b72fb3e0100574ee33ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/asgi_middleware.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 59671, "scanner": "repobility-threat-engine", "fingerprint": "71b20e472c2901c229cec9d4633da55296834d8c4cecd988361dac87f1009f05", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post('/create', response_model=Optional[GroupResponse])\nasync def create_new_group(\n    form", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|71b20e472c2901c229cec9d4633da55296834d8c4cecd988361dac87f1009f05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/groups.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 59670, "scanner": "repobility-threat-engine", "fingerprint": "c3ee5114ceb4c93a67bc7681d389d6104bfca176162bfe64d7cc7480671367b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post('/')\nasync def create_folder(\n    form_data: FolderForm,\n    user=Depends(get_verified_", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c3ee5114ceb4c93a67bc7681d389d6104bfca176162bfe64d7cc7480671367b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/folders.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 59669, "scanner": "repobility-threat-engine", "fingerprint": "5077c107390e5c72d6d95548c9ece588e2116a17569405732518810196885df2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post('/create', response_model=AutomationResponse)\nasync def create_new_automation(\n    requ", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5077c107390e5c72d6d95548c9ece588e2116a17569405732518810196885df2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/automations.py"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 59667, "scanner": "repobility-threat-engine", "fingerprint": "a64f3be4c430476f1c31830095dc8dc9a3590a2acf756d301ac1e49906d2ced8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.params.update({'token': <redacted>})", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a64f3be4c430476f1c31830095dc8dc9a3590a2acf756d301ac1e49906d2ced8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/code_interpreter.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 59666, "scanner": "repobility-threat-engine", "fingerprint": "a9143449c7f2b4bce0b1d034f8986c9a2de9d2ba27cb2355036dc4c5bb974c9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.redis.delete(self.lock_name)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a9143449c7f2b4bce0b1d034f8986c9a2de9d2ba27cb2355036dc4c5bb974c9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/socket/utils.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 59665, "scanner": "repobility-threat-engine", "fingerprint": "4ed4f00ab12b4154ef945d7cd19eb7905ff62df4213e8f255001d792abd750a0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "collection.delete(ids=ids)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4ed4f00ab12b4154ef945d7cd19eb7905ff62df4213e8f255001d792abd750a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/vector/dbs/chroma.py"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 59660, "scanner": "repobility-threat-engine", "fingerprint": "d2b8b51d1a9916cf7cf53bb0f06d4905ab2646cef978f57189f7fff3fe916951", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2b8b51d1a9916cf7cf53bb0f06d4905ab2646cef978f57189f7fff3fe916951"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/web/main.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 59659, "scanner": "repobility-threat-engine", "fingerprint": "611839bb270341d3223a70fe1ca2f9e5db6ce2e23303312f1e5993b58c092e9e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|611839bb270341d3223a70fe1ca2f9e5db6ce2e23303312f1e5993b58c092e9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/web/firecrawl.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 59658, "scanner": "repobility-threat-engine", "fingerprint": "c5d9b6e23f1d31e8a3f36fad9d0fb3819ed11ade9e3b815ed693bccf38c2ee32", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c5d9b6e23f1d31e8a3f36fad9d0fb3819ed11ade9e3b815ed693bccf38c2ee32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/loaders/external_document.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 59652, "scanner": "repobility-threat-engine", "fingerprint": "56b795a35c5204ee6be86ab3e37a3c82585a0da036cef906b2b176c2215763ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|56b795a35c5204ee6be86ab3e37a3c82585a0da036cef906b2b176c2215763ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/loaders/external_web.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 59651, "scanner": "repobility-threat-engine", "fingerprint": "de89c7841b53f701b7ac2588992593605e39591eb98fc5566b8bcdde27da613c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.put(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de89c7841b53f701b7ac2588992593605e39591eb98fc5566b8bcdde27da613c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/loaders/external_document.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 59650, "scanner": "repobility-threat-engine", "fingerprint": "3293f080682bc93a42e68934e229f3e811fa1544520b05560b5775e58e5d2ff7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3293f080682bc93a42e68934e229f3e811fa1544520b05560b5775e58e5d2ff7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/loaders/datalab_marker.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 59643, "scanner": "repobility-threat-engine", "fingerprint": "ff2fc5dd16209a6464285d12d7100f9274996b94f397a5057b18c37f16e94e02", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(\n                    self.external_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ff2fc5dd16209a6464285d12d7100f9274996b94f397a5057b18c37f16e94e02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/loaders/external_web.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 59642, "scanner": "repobility-threat-engine", "fingerprint": "38adf141db3853a3542d4f148710258b2991ea25f168b91b299ed1b507bf1f17", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(check_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|38adf141db3853a3542d4f148710258b2991ea25f168b91b299ed1b507bf1f17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/loaders/datalab_marker.py"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 59641, "scanner": "repobility-threat-engine", "fingerprint": "7c7116108758411c66f3213b6bb19c92030ee0a17f8cbde8f7d573a07270c8db", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7c7116108758411c66f3213b6bb19c92030ee0a17f8cbde8f7d573a07270c8db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/auths.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `load` has cognitive complexity 39 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=1, elif=3, else=2, except=6, for=2, if=10, nested_bonus=11, or=3, ternary=1."}, "properties": {"repobilityId": 59639, "scanner": "repobility-threat-engine", "fingerprint": "0f1f18a7840773ae8375c3e39127e7ddba77bd35abb5ac886e9bcb2adf3c03c8", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 39 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "load", "breakdown": {"if": 10, "or": 3, "for": 2, "elif": 3, "else": 2, "break": 1, "except": 6, "ternary": 1, "nested_bonus": 11}, "complexity": 39, "correlation_key": "fp|0f1f18a7840773ae8375c3e39127e7ddba77bd35abb5ac886e9bcb2adf3c03c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/loaders/datalab_marker.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 59628, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `collections` used but not imported: The file uses `collections.something(...)` but never imports `collections`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59837, "scanner": "repobility-ast-engine", "fingerprint": "8c58bdb672c0708117782d02b2d41f1e3ac35e46a0ae02a21001ab50da0b18fe", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c58bdb672c0708117782d02b2d41f1e3ac35e46a0ae02a21001ab50da0b18fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/vector/dbs/valkey.py"}, "region": {"startLine": 656}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59836, "scanner": "repobility-ast-engine", "fingerprint": "85922f01703a06770b9b14e5b5dab120899bb22e1c9e0d435df69a110b90f43f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|85922f01703a06770b9b14e5b5dab120899bb22e1c9e0d435df69a110b90f43f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/retrieval/web/utils.py"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `glob` used but not imported: The file uses `glob.something(...)` but never imports `glob`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59834, "scanner": "repobility-ast-engine", "fingerprint": "fcb40fc324e648f4770e38929262fd2ae9e7719f777341b327da90340b62831b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fcb40fc324e648f4770e38929262fd2ae9e7719f777341b327da90340b62831b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/files.py"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59830, "scanner": "repobility-ast-engine", "fingerprint": "26a474a13265d31ebb505c01a5324309aba41826b18a5beab35d3daa9a448464", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|26a474a13265d31ebb505c01a5324309aba41826b18a5beab35d3daa9a448464"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/models/users.py"}, "region": {"startLine": 336}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59827, "scanner": "repobility-ast-engine", "fingerprint": "d8079114ca1953c392410f5ccdcbef958edf4338b07cbaccc149108882aeaa41", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d8079114ca1953c392410f5ccdcbef958edf4338b07cbaccc149108882aeaa41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/oauth.py"}, "region": {"startLine": 1635}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59825, "scanner": "repobility-ast-engine", "fingerprint": "64d799eec49f1c3364307566a834fd7218696dbf8ffb4366a83c8c0d3a850f73", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|64d799eec49f1c3364307566a834fd7218696dbf8ffb4366a83c8c0d3a850f73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/auth.py"}, "region": {"startLine": 488}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `string` used but not imported: The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59824, "scanner": "repobility-ast-engine", "fingerprint": "17cee0843e9b9476211fec49c3c3e514aa9ce4178e5ebe822ba4065fa1370f1e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|17cee0843e9b9476211fec49c3c3e514aa9ce4178e5ebe822ba4065fa1370f1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/misc.py"}, "region": {"startLine": 639}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59823, "scanner": "repobility-ast-engine", "fingerprint": "60f78ec9e3d99a5f373dd3e5e990d7f2a21d029d2e226feb158e8de0ec19e8d1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|60f78ec9e3d99a5f373dd3e5e990d7f2a21d029d2e226feb158e8de0ec19e8d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/utils/misc.py"}, "region": {"startLine": 646}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59799, "scanner": "repobility-ast-engine", "fingerprint": "394801945dbb602eefca68122076b0a42c39d7a644707ba2aea0c12261ed5bfd", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|394801945dbb602eefca68122076b0a42c39d7a644707ba2aea0c12261ed5bfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/tools/knowledge_fs.py"}, "region": {"startLine": 380}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59798, "scanner": "repobility-ast-engine", "fingerprint": "97d24256dfccfddecc3b199c069fc58cdbd8974dc49eca687e20063d97a8bd06", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|97d24256dfccfddecc3b199c069fc58cdbd8974dc49eca687e20063d97a8bd06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/auths.py"}, "region": {"startLine": 1364}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59797, "scanner": "repobility-ast-engine", "fingerprint": "9ea56d5ba6b8702217c58d3f8dcf19012dacc4d0f983f46f60b9e3e989873d60", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ea56d5ba6b8702217c58d3f8dcf19012dacc4d0f983f46f60b9e3e989873d60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/scim.py"}, "region": {"startLine": 592}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `json` used but not imported: The file uses `json.something(...)` but never imports `json`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59796, "scanner": "repobility-ast-engine", "fingerprint": "bc29b56d3352bd93acd419335798ad5296eed6d9a20fff75246a9e79b598cc17", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bc29b56d3352bd93acd419335798ad5296eed6d9a20fff75246a9e79b598cc17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/routers/knowledge.py"}, "region": {"startLine": 609}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 59754, "scanner": "repobility-journey-contract", "fingerprint": "338ebca94b9b733e311209542e2d90eae7e65ae14def6e2ee709b8fd7c215119", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|183|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/auth/+page.svelte"}, "region": {"startLine": 183}}}]}, {"ruleId": "DKR005", "level": "error", "message": {"text": "Docker image bakes a secret-like ENV value"}, "properties": {"repobilityId": 59715, "scanner": "repobility-docker", "fingerprint": "f23da3b162228aca36c28c2beca30a7489dc198dab9201b4956aa3033d6a89aa", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ENV assigns a literal value to a secret-like variable name.", "evidence": {"rule_id": "DKR005", "scanner": "repobility-docker", "variable": "TIKTOKEN_ENCODING_NAME", "references": ["https://docs.docker.com/build/building/secrets/", "https://docs.docker.com/compose/how-tos/environment-variables/best-practices/"], "correlation_key": "fp|f23da3b162228aca36c28c2beca30a7489dc198dab9201b4956aa3033d6a89aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 59633, "scanner": "repobility-threat-engine", "fingerprint": "7b885364e3f1fe4617d3f065c05b59f3b6c571cf243de7cbdefacec4536c303b", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.2 bits) \u2014 likely real secret", "evidence": {"match": "PASSWORD = '<redacted> password provided is incorrect. Please check for typos and try again.'", "reason": "High entropy value (4.2 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|4|password redacted password provided is incorrect. please check for typos and try again."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/open_webui/constants.py"}, "region": {"startLine": 42}}}]}]}]}