{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-32g6-mg92-ghm2", "name": "sagemaker: GHSA-32g6-mg92-ghm2", "shortDescription": {"text": "sagemaker: GHSA-32g6-mg92-ghm2"}, "fullDescription": {"text": "SageMaker Workflow component allows possibility of MD5 hash collisions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9wx4-h78v-vm56", "name": "requests: GHSA-9wx4-h78v-vm56", "shortDescription": {"text": "requests: GHSA-9wx4-h78v-vm56"}, "fullDescription": {"text": "Requests `Session` object does not verify requests after making first request with verify=False"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rq6v-x3j8-7qgf", "name": "sagemaker: GHSA-rq6v-x3j8-7qgf", "shortDescription": {"text": "sagemaker: GHSA-rq6v-x3j8-7qgf"}, "fullDescription": {"text": "Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gc5v-m9x4-r6x2", "name": "requests: GHSA-gc5v-m9x4-r6x2", "shortDescription": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "fullDescription": {"text": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9hjg-9r4m-mvj7", "name": "requests: GHSA-9hjg-9r4m-mvj7", "shortDescription": {"text": "requests: GHSA-9hjg-9r4m-mvj7"}, "fullDescription": {"text": "Requests vulnerable to .netrc credentials leak via malicious URLs"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-65pc-fj4g-8rjx", "name": "idna: GHSA-65pc-fj4g-8rjx", "shortDescription": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "fullDescription": {"text": "Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pq67-6m6q-mj2v", "name": "urllib3: GHSA-pq67-6m6q-mj2v", "shortDescription": {"text": "urllib3: GHSA-pq67-6m6q-mj2v"}, "fullDescription": {"text": "urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q2x7-8rv6-6q7h", "name": "jinja2: GHSA-q2x7-8rv6-6q7h", "shortDescription": {"text": "jinja2: GHSA-q2x7-8rv6-6q7h"}, "fullDescription": {"text": "Jinja has a sandbox breakout through indirect reference to format method"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h75v-3vvj-5mfj", "name": "jinja2: GHSA-h75v-3vvj-5mfj", "shortDescription": {"text": "jinja2: GHSA-h75v-3vvj-5mfj"}, "fullDescription": {"text": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h5c8-rqwp-cp95", "name": "jinja2: GHSA-h5c8-rqwp-cp95", "shortDescription": {"text": "jinja2: GHSA-h5c8-rqwp-cp95"}, "fullDescription": {"text": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cpwx-vrp4-4pq7", "name": "jinja2: GHSA-cpwx-vrp4-4pq7", "shortDescription": {"text": "jinja2: GHSA-cpwx-vrp4-4pq7"}, "fullDescription": {"text": "Jinja2 vulnerable to sandbox breakout through attr filter selecting format method"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hgf8-39gv-g3f2", "name": "werkzeug: GHSA-hgf8-39gv-g3f2", "shortDescription": {"text": "werkzeug: GHSA-hgf8-39gv-g3f2"}, "fullDescription": {"text": "Werkzeug safe_join() allows Windows special device names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f9vj-2wh5-fj8j", "name": "werkzeug: GHSA-f9vj-2wh5-fj8j", "shortDescription": {"text": "werkzeug: GHSA-f9vj-2wh5-fj8j"}, "fullDescription": {"text": "Werkzeug safe_join not safe on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-87hc-h4r5-73f7", "name": "werkzeug: GHSA-87hc-h4r5-73f7", "shortDescription": {"text": "werkzeug: GHSA-87hc-h4r5-73f7"}, "fullDescription": {"text": " Werkzeug safe_join() allows Windows special device names with compound extensions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-29vq-49wr-vm6x", "name": "werkzeug: GHSA-29vq-49wr-vm6x", "shortDescription": {"text": "werkzeug: GHSA-29vq-49wr-vm6x"}, "fullDescription": {"text": " Werkzeug safe_join() allows Windows special device names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jp4c-xjxw-mgf9", "name": "pip: GHSA-jp4c-xjxw-mgf9", "shortDescription": {"text": 
"pip: GHSA-jp4c-xjxw-mgf9"}, "fullDescription": {"text": "pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-58qw-9mgm-455v", "name": "pip: GHSA-58qw-9mgm-455v", "shortDescription": {"text": "pip: GHSA-58qw-9mgm-455v"}, "fullDescription": {"text": "pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jg22-mg44-37j8", "name": "aiohttp: GHSA-jg22-mg44-37j8", "shortDescription": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "fullDescription": {"text": "AIOHTTP is Vulnerable to Deserialization of Untrusted Data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hg6j-4rv6-33pg", "name": "aiohttp: GHSA-hg6j-4rv6-33pg", "shortDescription": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "fullDescription": {"text": "AIOHTTP is vulnerable to cross-origin redirect with per-request cookies"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve 
to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 this keeps user input out of the format string. It does not by itself mitigate log4shell-style attacks, where the logging backend expands lookup syntax found in logged values; that requires a patched logger with lookups disabled.
For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC115", "name": "[SEC115] Decompression without size cap (zip/gzip bomb): Decompressing untrusted archives without a size or ratio cap \u2192 ", "shortDescription": {"text": "[SEC115] Decompression without size cap (zip/gzip bomb): Decompressing untrusted archives without a size or ratio cap \u2192 memory/disk exhaustion DoS (10kb \u2192 4GB classic 'zip bomb')."}, "fullDescription": {"text": "In Go, wrap the reader with `io.LimitReader(r, MAX_BYTES)`. In Python, iterate `ZipFile.infolist()` and check each entry's `file_size`. Cap total uncompressed bytes (e.g. 100MB)."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC011", "name": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted", "shortDescription": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "fullDescription": {"text": "Use torch.load(..., weights_only=True) or use safetensors format."}, "properties": 
{"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 23 (SonarSource scale). Cognitive complexi", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 23 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weig"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 23."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-PY", "name": "Python package `Werkzeug` is 3 major version(s) behind (0.15.6 -> 3.1.8)", "shortDescription": {"text": "Python package `Werkzeug` is 3 major version(s) behind (0.15.6 -> 3.1.8)"}, "fullDescription": {"text": "`Werkzeug==0.15.6` is 3 major version(s) behind the latest stable release on PyPI (3.1.8). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED124", "name": "requirements.txt: `requests` has no version pin", "shortDescription": {"text": "requirements.txt: `requests` has no version pin"}, "fullDescription": {"text": "Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "Mutable default argument in `on_startup` (list)", "shortDescription": {"text": "Mutable default argument in `on_startup` (list)"}, "fullDescription": {"text": "`def on_startup(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-r374-rxx8-8654", "name": "paramiko: GHSA-r374-rxx8-8654", "shortDescription": {"text": "paramiko: GHSA-r374-rxx8-8654"}, "fullDescription": {"text": "Paramiko rsakey.py allows the SHA-1 algorithm"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-68rp-wp8r-4726", "name": "flask: GHSA-68rp-wp8r-4726", "shortDescription": {"text": "flask: GHSA-68rp-wp8r-4726"}, "fullDescription": {"text": "Flask session does not add `Vary: Cookie` header when accessed in some ways"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps 
pip download cache"}, "fullDescription": {"text": "Pip's package cache increases image size and can preserve unnecessary artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "A generated replacement file defining the same public function or class name as another module can mean the new logic is not actually wired into the running code."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. 
They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED073", "name": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of ", "shortDescription": {"text": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of service."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1333,CWE-400 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-772 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-wjvx-jhpj-r54r", "name": "sagemaker: GHSA-wjvx-jhpj-r54r", "shortDescription": {"text": "sagemaker: GHSA-wjvx-jhpj-r54r"}, "fullDescription": {"text": "sagemaker-python-sdk vulnerable to Deserialization of Untrusted Data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7pc3-pr3q-58vg", "name": "sagemaker: GHSA-7pc3-pr3q-58vg", "shortDescription": {"text": "sagemaker: GHSA-7pc3-pr3q-58vg"}, "fullDescription": {"text": "sagemaker-python-sdk Command Injection vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-74", "name": "requests: PYSEC-2023-74", "shortDescription": {"text": "requests: PYSEC-2023-74"}, "fullDescription": {"text": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. 
This issue has been patched in version 2.31.0.\n\n"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2018-28", "name": "requests: PYSEC-2018-28", "shortDescription": {"text": "requests: PYSEC-2018-28"}, "fullDescription": {"text": "The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rjrp-m2jw-pv9c", "name": "sagemaker: GHSA-rjrp-m2jw-pv9c", "shortDescription": {"text": "sagemaker: GHSA-rjrp-m2jw-pv9c"}, "fullDescription": {"text": "SageMaker Python SDK has Exposed HMAC"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7hh5-prp2-mfh5", "name": "sagemaker: GHSA-7hh5-prp2-mfh5", "shortDescription": {"text": "sagemaker: GHSA-7hh5-prp2-mfh5"}, "fullDescription": {"text": "Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-62rc-f4v9-h543", "name": "sagemaker: GHSA-62rc-f4v9-h543", "shortDescription": {"text": "sagemaker: GHSA-62rc-f4v9-h543"}, "fullDescription": {"text": "SageMaker Python SDK has Insecure TLS Configuration"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5r2p-pjr8-7fh7", "name": "sagemaker: GHSA-5r2p-pjr8-7fh7", "shortDescription": {"text": "sagemaker: GHSA-5r2p-pjr8-7fh7"}, "fullDescription": {"text": "SageMaker Python SDK replaced eval() 
with safe parser in JumpStart search functionality"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-113", "name": "pyarrow: PYSEC-2026-113", "shortDescription": {"text": "pyarrow: PYSEC-2026-113"}, "fullDescription": {"text": "Use After Free vulnerability in Apache Arrow C++.\n\nThis issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-buffering enabled, if the IPC file contains data with variadic buffers (such as Binary View and String View data). Depending on the number of variadic buffers in a record batch column and on the temporal sequence of multi-threaded IO, a write to a dangling pointer could occur. The value (a `std::shared_ptr<Buffer>` object)\u00a0that is written to the dangling pointer is not under direct control of the attacker.\n\nPre-buffering is disabled by default but can be enabled using a specific C++ API call (`RecordBatchFileReader::PreBufferMetadata`). The functionality is not exposed in language bindings (Python, Ruby, C GLib), so these bindings are not vulnerable.\n\nThe most likely consequence of this issue would be random crashes or memory corruption when reading specific kinds of IPC files. 
If the appli"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8qvm-5x2c-j2w7", "name": "protobuf: GHSA-8qvm-5x2c-j2w7", "shortDescription": {"text": "protobuf: GHSA-8qvm-5x2c-j2w7"}, "fullDescription": {"text": "protobuf-python has a potential Denial of Service issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7gcm-g887-7qv7", "name": "protobuf: GHSA-7gcm-g887-7qv7", "shortDescription": {"text": "protobuf: GHSA-7gcm-g887-7qv7"}, "fullDescription": {"text": "protobuf affected by a JSON recursion depth bypass"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-196", "name": "pip: PYSEC-2026-196", "shortDescription": {"text": "pip: PYSEC-2026-196"}, "fullDescription": {"text": "pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8rrh-rw8j-w5fx", "name": "wheel: GHSA-8rrh-rw8j-w5fx", "shortDescription": {"text": "wheel: GHSA-8rrh-rw8j-w5fx"}, "fullDescription": {"text": "Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gm62-xv2j-4w53", "name": "urllib3: GHSA-gm62-xv2j-4w53", "shortDescription": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "fullDescription": {"text": "urllib3 allows an unbounded number of links in the decompression chain"}, "properties": 
{"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38jv-5279-wg99", "name": "urllib3: GHSA-38jv-5279-wg99", "shortDescription": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "fullDescription": {"text": "Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2xpw-w6gg-jr37", "name": "urllib3: GHSA-2xpw-w6gg-jr37", "shortDescription": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "fullDescription": {"text": "urllib3 streaming API improperly handles highly compressed data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-141", "name": "urllib3: PYSEC-2026-141", "shortDescription": {"text": "urllib3: PYSEC-2026-141"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. 
This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g68-c3qc-8985", "name": "werkzeug: GHSA-2g68-c3qc-8985", "shortDescription": {"text": "werkzeug: GHSA-2g68-c3qc-8985"}, "fullDescription": {"text": "Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-58", "name": "werkzeug: PYSEC-2023-58", "shortDescription": {"text": "werkzeug: PYSEC-2023-58"}, "fullDescription": {"text": "Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. 
Version 2.2.3 contains a patch for this issue."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-57", "name": "werkzeug: PYSEC-2023-57", "shortDescription": {"text": "werkzeug: PYSEC-2023-57"}, "fullDescription": {"text": "Werkzeug is a comprehensive WSGI web application library. Browsers may allow \"nameless\" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-221", "name": "werkzeug: PYSEC-2023-221", "shortDescription": {"text": "werkzeug: PYSEC-2023-221"}, "fullDescription": {"text": "Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. 
This vulnerability has been patched in version 3.0.1."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2022-203", "name": "werkzeug: PYSEC-2022-203", "shortDescription": {"text": "werkzeug: PYSEC-2022-203"}, "fullDescription": {"text": "** DISPUTED ** Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-62", "name": "flask: PYSEC-2023-62", "shortDescription": {"text": "flask: PYSEC-2023-62"}, "fullDescription": {"text": "Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.\n\n1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\n2. The application sets `session.permanent = True`\n3. The application does not access or modify the session at any point during a request.\n4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).\n5. 
The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n\nThis happens because vulnerable versions of Flask only set the `Vary: Cookie` heade"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-139", "name": "torch: PYSEC-2026-139", "shortDescription": {"text": "torch: PYSEC-2026-139"}, "fullDescription": {"text": "A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-161", "name": "starlette: PYSEC-2026-161", "shortDescription": {"text": "starlette: PYSEC-2026-161"}, "fullDescription": {"text": "BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", 
"shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the resolved path is inside your expected base directory; compare against the base directory plus a trailing path separator (or use os.path.commonpath()), because a bare prefix check also accepts sibling paths such as `/srv/data-old` for base `/srv/data`. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders). Note: Rdn.escapeValue targets distinguished-name values, so for search filters prefer an RFC 4515 filter encoder (for example Spring LDAP's LdapEncoder.filterEncode)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `docker/xgboost/resources/mms/endpoints-1.0.jar` committed in source repo", "shortDescription": {"text": "Binary file `docker/xgboost/resources/mms/endpoints-1.0.jar` committed in source repo"}, "fullDescription": {"text": "`docker/xgboost/resources/mms/endpoints-1.0.jar` is a .jar binary (5,972 bytes) committed to a repo that otherwise has 207 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v5`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "fullDescription": {"text": "`uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `nvidia/cuda:13.0.2-devel-amzn2023` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `nvidia/cuda:13.0.2-devel-amzn2023` not pinned by digest"}, "fullDescription": {"text": "`FROM nvidia/cuda:13.0.2-devel-amzn2023` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/scop/pre-commit-shfmt` pinned to mutable rev `v3.12.0-2`", "shortDescription": {"text": "pre-commit hook `https://github.com/scop/pre-commit-shfmt` pinned to mutable rev `v3.12.0-2`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/scop/pre-commit-shfmt` at `rev: v3.12.0-2`. If `v3.12.0-2` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "FastAPI POST /invocations has no auth", "shortDescription": {"text": "FastAPI POST /invocations has no auth"}, "fullDescription": {"text": "Handler `invocations` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self._get_libsvm_data` used but never assigned in __init__", "shortDescription": {"text": "`self._get_libsvm_data` used but never assigned in __init__"}, "fullDescription": {"text": "Method `test_auc_with_invalid_objective` of class `TestInvalidTraining` reads `self._get_libsvm_data`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_multi_files_libsvm", "shortDescription": {"text": "Phantom test coverage: test_multi_files_libsvm"}, "fullDescription": {"text": "Test function `test_multi_files_libsvm` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "Blocking call `requests.append` inside async function `run_benchmark`", "shortDescription": {"text": "Blocking call `requests.append` inside async function `run_benchmark`"}, "fullDescription": {"text": "`requests.append` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.ASIMOVBOT_APP_PRIVATE_KEY` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.ASIMOVBOT_APP_PRIVATE_KEY` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ASIMOVBOT_APP_PRIVATE_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.) whenever the secret is actually passed to that run. By default GitHub withholds repository secrets from `pull_request` runs triggered from forks, so confirm whether the exposure comes from same-repository branches or from a setting that shares secrets with fork pull requests before treating this as critical. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `stat` used but not imported", "shortDescription": {"text": "Missing import: `stat` used but not imported"}, "fullDescription": {"text": "The file uses `stat.something(...)` but never imports `stat`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1300"}, "properties": {"repository": "aws/deep-learning-containers", "repoUrl": "https://github.com/aws/deep-learning-containers", "branch": "main"}, "results": [{"ruleId": "GHSA-32g6-mg92-ghm2", "level": "warning", "message": {"text": "sagemaker: GHSA-32g6-mg92-ghm2"}, "properties": {"repobilityId": 132601, "scanner": "osv-scanner", "fingerprint": "04ed53da7f7f484fe7e2e7fb68a9701ada7b45a54ced335d03438ca09ce51e01", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-0508"], "package": "sagemaker", "rule_id": "GHSA-32g6-mg92-ghm2", "scanner": "osv-scanner", "correlation_key": "vuln|sagemaker|CVE-2025-0508|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9wx4-h78v-vm56", "level": "warning", "message": {"text": "requests: GHSA-9wx4-h78v-vm56"}, "properties": {"repobilityId": 132600, "scanner": "osv-scanner", "fingerprint": "6bf9996a7adb4cd739142e690fd2da6a661b5a3836de16a854a695f5048f272e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-35195"], "package": "requests", "rule_id": "GHSA-9wx4-h78v-vm56", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2024-35195|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-9wx4-h78v-vm56"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": 
["6bf9996a7adb4cd739142e690fd2da6a661b5a3836de16a854a695f5048f272e", "6e0b0e3a1480c0766e67a835871eb5b6b7b6b9c5b290401f302ef5d8c2e82844"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/ray/ec2/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rq6v-x3j8-7qgf", "level": "warning", "message": {"text": "sagemaker: GHSA-rq6v-x3j8-7qgf"}, "properties": {"repobilityId": 132597, "scanner": "osv-scanner", "fingerprint": "2a5741ea15ce24f606de1dc96660750cd7252a94dc6377db2978353a87d64eb3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 4 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-8597"], "package": "sagemaker", "rule_id": "GHSA-rq6v-x3j8-7qgf", "scanner": "osv-scanner", "correlation_key": "vuln|sagemaker|CVE-2026-8597|token", "duplicate_count": 4, "duplicate_rule_ids": ["GHSA-rq6v-x3j8-7qgf"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0960d89ca166f924470090b03e8eb2aa9b3f3f198503bfa665d2e89dba9a0ba1", "2340da92d77a70ad04a8acf14bd40c0150474b8832a05cdf6bcc5aa40d07dfc0", "2a5741ea15ce24f606de1dc96660750cd7252a94dc6377db2978353a87d64eb3", "a57f3029afb7d5ab2eb89d31e989f00fc727fc66ecb920e8e2555291f5388dd6", "f704d45ab8d1e537d121517ce538cebe6c57cb873f0f96d55c533597b41eebc6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/pytorch/integration/sagemaker/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gc5v-m9x4-r6x2", "level": "warning", "message": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "properties": {"repobilityId": 132592, "scanner": "osv-scanner", "fingerprint": "b76faf0e6bb78ff57a7317aaadcdc8f70a60dcefd090bdf3f7de4472dbc8d576", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-25645"], "package": "requests", "rule_id": "GHSA-gc5v-m9x4-r6x2", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2026-25645|docker/xgboost/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9hjg-9r4m-mvj7", "level": "warning", "message": {"text": "requests: GHSA-9hjg-9r4m-mvj7"}, "properties": {"repobilityId": 132591, "scanner": "osv-scanner", "fingerprint": "79330bf3eee61b5e13d6c809eca65077c047444ba82bc55dc6eec414d908e956", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47081"], "package": "requests", "rule_id": "GHSA-9hjg-9r4m-mvj7", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2024-47081|docker/xgboost/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 132585, "scanner": "osv-scanner", "fingerprint": "c1157e993524de20dd3e97b96348de7e6f139b88c32a9c4fbf8385de93639a03", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|docker/xgboost/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pq67-6m6q-mj2v", "level": "warning", "message": {"text": "urllib3: GHSA-pq67-6m6q-mj2v"}, "properties": {"repobilityId": 132583, "scanner": "osv-scanner", "fingerprint": 
"8e991bdbe003116afb1760434a808418bbf536bb11fe8d32c00323841c5aaa82", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-50181"], "package": "urllib3", "rule_id": "GHSA-pq67-6m6q-mj2v", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-50181|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9hjg-9r4m-mvj7", "level": "warning", "message": {"text": "requests: GHSA-9hjg-9r4m-mvj7"}, "properties": {"repobilityId": 132578, "scanner": "osv-scanner", "fingerprint": "7588d3d3e162ad69c2eb99c081002fb66c30355f8a8fe08de9534736df6082e9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-47081"], "package": "requests", "rule_id": "GHSA-9hjg-9r4m-mvj7", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2024-47081|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-9hjg-9r4m-mvj7"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0fedb0b7733e2d2bc53fc90dd07b1b1b8885a3004a18cd9e89a86dcfbef535e1", "7588d3d3e162ad69c2eb99c081002fb66c30355f8a8fe08de9534736df6082e9", "fd2db4aa668a22f0c6e179c2b87847d59df6e4cd8f5f6b0cd5f8c9f394013b29"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q2x7-8rv6-6q7h", "level": "warning", "message": {"text": "jinja2: GHSA-q2x7-8rv6-6q7h"}, "properties": {"repobilityId": 132577, "scanner": "osv-scanner", "fingerprint": "793df4a6c86b1954f636058e51c53bcdef018a50e358456de3cb595826bd9a1f", "category": "dependency", "severity": "medium", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-56326"], "package": "jinja2", "rule_id": "GHSA-q2x7-8rv6-6q7h", "scanner": "osv-scanner", "correlation_key": "vuln|jinja2|CVE-2024-56326|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h75v-3vvj-5mfj", "level": "warning", "message": {"text": "jinja2: GHSA-h75v-3vvj-5mfj"}, "properties": {"repobilityId": 132576, "scanner": "osv-scanner", "fingerprint": "5af51cfc76bc20625e2c3b21b663952396984c6fe16a41bac04a6445a6adfa42", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-34064"], "package": "jinja2", "rule_id": "GHSA-h75v-3vvj-5mfj", "scanner": "osv-scanner", "correlation_key": "vuln|jinja2|CVE-2024-34064|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h5c8-rqwp-cp95", "level": "warning", "message": {"text": "jinja2: GHSA-h5c8-rqwp-cp95"}, "properties": {"repobilityId": 132575, "scanner": "osv-scanner", "fingerprint": "d7764914f653e4d4f912d09c47d63c0fc30b345bc10ee23f75bb1dcba590e7db", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-22195"], "package": "jinja2", "rule_id": "GHSA-h5c8-rqwp-cp95", "scanner": "osv-scanner", "correlation_key": "vuln|jinja2|CVE-2024-22195|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cpwx-vrp4-4pq7", "level": "warning", "message": {"text": "jinja2: GHSA-cpwx-vrp4-4pq7"}, 
"properties": {"repobilityId": 132574, "scanner": "osv-scanner", "fingerprint": "4dec581b47977de199af61949bc0c63664fd85841d451e100085477be2b1bbd9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-27516"], "package": "jinja2", "rule_id": "GHSA-cpwx-vrp4-4pq7", "scanner": "osv-scanner", "correlation_key": "vuln|jinja2|CVE-2025-27516|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hgf8-39gv-g3f2", "level": "warning", "message": {"text": "werkzeug: GHSA-hgf8-39gv-g3f2"}, "properties": {"repobilityId": 132573, "scanner": "osv-scanner", "fingerprint": "47d7515fb840459d6d71dc495909c7cceae914d87a880f6cedfef66ed9d17a64", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66221"], "package": "werkzeug", "rule_id": "GHSA-hgf8-39gv-g3f2", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2025-66221|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f9vj-2wh5-fj8j", "level": "warning", "message": {"text": "werkzeug: GHSA-f9vj-2wh5-fj8j"}, "properties": {"repobilityId": 132572, "scanner": "osv-scanner", "fingerprint": "f4694b57c2a942d660ede12b42438a6038871b3a0e5d2e70022c40fca35829a3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-49766"], "package": "werkzeug", "rule_id": "GHSA-f9vj-2wh5-fj8j", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2024-49766|token"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-87hc-h4r5-73f7", "level": "warning", "message": {"text": "werkzeug: GHSA-87hc-h4r5-73f7"}, "properties": {"repobilityId": 132571, "scanner": "osv-scanner", "fingerprint": "216f19b6060321e7f64607a0deab31ea1d13191f2cc423d3edd6d6825800e1f2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-21860"], "package": "werkzeug", "rule_id": "GHSA-87hc-h4r5-73f7", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2026-21860|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-29vq-49wr-vm6x", "level": "warning", "message": {"text": "werkzeug: GHSA-29vq-49wr-vm6x"}, "properties": {"repobilityId": 132569, "scanner": "osv-scanner", "fingerprint": "06a6705206909a0328e2a0976b515c1ef43b02069d4190bbfb133171cefa0f5a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27199"], "package": "werkzeug", "rule_id": "GHSA-29vq-49wr-vm6x", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2026-27199|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jp4c-xjxw-mgf9", "level": "warning", "message": {"text": "pip: GHSA-jp4c-xjxw-mgf9"}, "properties": {"repobilityId": 132560, "scanner": "osv-scanner", "fingerprint": "5e555090a20d1c7d2d8d36bcd9c5c8889c6abf7299f05ab42bf1cc2c4b1ce863", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-6357"], "package": "pip", "rule_id": "GHSA-jp4c-xjxw-mgf9", "scanner": "osv-scanner", "correlation_key": "vuln|pip|CVE-2026-6357|docker/ray/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qw-9mgm-455v", "level": "warning", "message": {"text": "pip: GHSA-58qw-9mgm-455v"}, "properties": {"repobilityId": 132559, "scanner": "osv-scanner", "fingerprint": "d0751acb4a56e1372b5d705e9afceb5975dcf36f8e0d31f9ff23c4c70f0366d3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3219"], "package": "pip", "rule_id": "GHSA-58qw-9mgm-455v", "scanner": "osv-scanner", "correlation_key": "vuln|pip|CVE-2026-3219|docker/ray/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 132557, "scanner": "osv-scanner", "fingerprint": "a37c4c0a401dd8bb3ff67ba24f88a8805435ffefe42dee285f105e4b65da619a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|docker/ray/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jg22-mg44-37j8", "level": "warning", "message": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "properties": {"repobilityId": 132556, "scanner": "osv-scanner", "fingerprint": "b1c41fb2cdf74d4b58e22390546333ed8ead905fa06d0c72823e726393e995a2", "category": "dependency", 
"severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34993"], "package": "aiohttp", "rule_id": "GHSA-jg22-mg44-37j8", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34993|docker/ray/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hg6j-4rv6-33pg", "level": "warning", "message": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "properties": {"repobilityId": 132555, "scanner": "osv-scanner", "fingerprint": "6b56aec60cf423c2025c716be8d87f5c9bb413cc4672f13a1b2572c92748f598", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47265"], "package": "aiohttp", "rule_id": "GHSA-hg6j-4rv6-33pg", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-47265|docker/ray/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gc5v-m9x4-r6x2", "level": "warning", "message": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "properties": {"repobilityId": 132554, "scanner": "osv-scanner", "fingerprint": "5d1ca852af40b14c43e2d817dc8495b8a2560306946aaccfa6e3158c4f6886d8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25645"], "package": "requests", "rule_id": "GHSA-gc5v-m9x4-r6x2", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2026-25645|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-gc5v-m9x4-r6x2"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": 
["062199a05b0bac36e69a084aa0e7657ac5e527b002b59a6f5090a00db92c0012", "5d1ca852af40b14c43e2d817dc8495b8a2560306946aaccfa6e3158c4f6886d8", "5e6c86363d46e4e52b4c8f4c756164a716dffef1f9d05c8a646ce5cec179cc7f", "63013523b4b8d9b4eb059f4884dcb665be3c7ba9995bc6671d245309a1ae4454"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/cuda/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jp4c-xjxw-mgf9", "level": "warning", "message": {"text": "pip: GHSA-jp4c-xjxw-mgf9"}, "properties": {"repobilityId": 132552, "scanner": "osv-scanner", "fingerprint": "9ab0c4d8b1e163f5966962a075da91dfc32be72b8f9292f992e39dc61079990a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-6357"], "package": "pip", "rule_id": "GHSA-jp4c-xjxw-mgf9", "scanner": "osv-scanner", "correlation_key": "vuln|pip|CVE-2026-6357|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-jp4c-xjxw-mgf9"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8d8d6a4dc4e6d20b3f2035f3dc1dfe91758f75e24616069274f87b6e6634365f", "9ab0c4d8b1e163f5966962a075da91dfc32be72b8f9292f992e39dc61079990a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/cpu/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qw-9mgm-455v", "level": "warning", "message": {"text": "pip: GHSA-58qw-9mgm-455v"}, "properties": {"repobilityId": 132551, "scanner": "osv-scanner", "fingerprint": "e5391634f1796b45acdaa6934085a0b9fbd81a5da3968b7ce15d62b9b9649620", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-3219"], "package": "pip", 
"rule_id": "GHSA-58qw-9mgm-455v", "scanner": "osv-scanner", "correlation_key": "vuln|pip|CVE-2026-3219|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-58qw-9mgm-455v"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["7507de933c13d69df30828c2cfea427dfde5e74b11906ba536c856e963711737", "e5391634f1796b45acdaa6934085a0b9fbd81a5da3968b7ce15d62b9b9649620"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/cpu/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 132548, "scanner": "osv-scanner", "fingerprint": "9d2f284e9e97e99c8b8c015a7c483017e95f2e7d36c2cfa03b4433f76351e577", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-65pc-fj4g-8rjx"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["450918fa2337abb14c673cdf1521be159cebe70ccc2a58075b0b1b70b9d9dcfc", "9d2f284e9e97e99c8b8c015a7c483017e95f2e7d36c2cfa03b4433f76351e577"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/cpu/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jg22-mg44-37j8", "level": "warning", "message": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "properties": {"repobilityId": 132547, "scanner": "osv-scanner", "fingerprint": "9d9610a003feb8634fb2f4c5b974d354f26edb373f1dc91069bdd7cb0fece181", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner 
signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34993"], "package": "aiohttp", "rule_id": "GHSA-jg22-mg44-37j8", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34993|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-jg22-mg44-37j8"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["9d9610a003feb8634fb2f4c5b974d354f26edb373f1dc91069bdd7cb0fece181", "e38b4d8e2719a1c266b98c7ee753e9bdfd597d1fdb410c9dd90ef827cc57d41a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/cpu/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hg6j-4rv6-33pg", "level": "warning", "message": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "properties": {"repobilityId": 132546, "scanner": "osv-scanner", "fingerprint": "f90c1cb8097178b31994d9d61bdf8f0eaff76f4788fe0195c9b925bb4ebe403e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-47265"], "package": "aiohttp", "rule_id": "GHSA-hg6j-4rv6-33pg", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-47265|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-hg6j-4rv6-33pg"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["eef66edd86d0b8aed2d425328a27e4a9f4b1ace0b2e349bf670ca34aa210761f", "f90c1cb8097178b31994d9d61bdf8f0eaff76f4788fe0195c9b925bb4ebe403e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/cpu/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 132545, "scanner": "osv-scanner", "fingerprint": "044d627c83312ea499ad3a2776ee886441528076ba4d30524dbae490254f8e07", "category": "dependency", 
"severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|docker/base/v2/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/base/v2/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 132544, "scanner": "osv-scanner", "fingerprint": "3a42b28a0d5d4793da2861e6e38b7a355e8c2ac2364963a20f003effdffa10aa", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|docker/base/v1/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/base/v1/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 132543, "scanner": "repobility-docker", "fingerprint": "ec663addddd309adb1490cafe4b9d4ae617cb7f98e4f7070e881fd974d089453", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nvidia/cuda:12.9.1-base-amzn2023", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|ec663addddd309adb1490cafe4b9d4ae617cb7f98e4f7070e881fd974d089453"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/Dockerfile"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 132541, "scanner": "repobility-docker", "fingerprint": "218bc763abbfad8877ebb04429d194faca196809bfdd2d6ffef6253024fb2d2f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|218bc763abbfad8877ebb04429d194faca196809bfdd2d6ffef6253024fb2d2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/Dockerfile"}, "region": {"startLine": 168}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 132533, "scanner": "repobility-docker", "fingerprint": "04ba5a1b43c7790a0d944f71294f854945f0e95c8666b85454fb42d9b9a83a3d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "omni-base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|04ba5a1b43c7790a0d944f71294f854945f0e95c8666b85454fb42d9b9a83a3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 441}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 132515, "scanner": "repobility-docker", "fingerprint": "246ae1aafab69ecb2e925b37bca155524c9ab71f11eb2aefff46096995b7e37f", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "alpine/git", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|246ae1aafab69ecb2e925b37bca155524c9ab71f11eb2aefff46096995b7e37f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 132514, "scanner": "repobility-docker", "fingerprint": "9a0d671cd64690aaf9518aa9dcd6518bda9794f6ed443815855ed1522f93b29f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|9a0d671cd64690aaf9518aa9dcd6518bda9794f6ed443815855ed1522f93b29f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 392}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 132498, "scanner": "repobility-docker", "fingerprint": "a824399c5bb8364ec1fcda948092d6bf86b9cd3b47e0d483b9f42326e1be1e51", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "alpine/git", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a824399c5bb8364ec1fcda948092d6bf86b9cd3b47e0d483b9f42326e1be1e51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 132497, "scanner": "repobility-docker", "fingerprint": "d65903b2debd9f18db64747218bcf630b399753a66d444097a057d89b5a507de", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d65903b2debd9f18db64747218bcf630b399753a66d444097a057d89b5a507de"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile"}, "region": {"startLine": 99}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 132496, "scanner": "repobility-docker", "fingerprint": "37d2a7119630c5796a7a08bbb44fad13e6f40dc93d3bb9f0524859e0c44d66a7", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|37d2a7119630c5796a7a08bbb44fad13e6f40dc93d3bb9f0524859e0c44d66a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile"}, "region": {"startLine": 102}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 132495, "scanner": "repobility-docker", "fingerprint": "72e673df69c7887673f3058d1b0d79e495b3c2676b651c6772928f4f9e06b465", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|72e673df69c7887673f3058d1b0d79e495b3c2676b651c6772928f4f9e06b465"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile"}, "region": {"startLine": 87}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker 
final stage has no non-root USER"}, "properties": {"repobilityId": 132491, "scanner": "repobility-docker", "fingerprint": "48f3b34a043d8eb4e774acde55ad527281885a58656d4783ab90d07f5297b61d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "runtime", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|48f3b34a043d8eb4e774acde55ad527281885a58656d4783ab90d07f5297b61d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 386}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 132477, "scanner": "repobility-docker", "fingerprint": "c8450cd0f4252869eaebc27f84e34aec3a93901a68446f398f28424627a6062e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c8450cd0f4252869eaebc27f84e34aec3a93901a68446f398f28424627a6062e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile"}, "region": {"startLine": 137}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update 
from install"}, "properties": {"repobilityId": 132476, "scanner": "repobility-docker", "fingerprint": "c57591f6da7bca3604928ab6faa45dd3116f56b15be7c611360acc68441f735e", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c57591f6da7bca3604928ab6faa45dd3116f56b15be7c611360acc68441f735e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile"}, "region": {"startLine": 140}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 132475, "scanner": "repobility-docker", "fingerprint": "00f74adbbf10b950ed2d28bad81810b54d7d4cd7edcfc58ba9b3309b7a854509", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|00f74adbbf10b950ed2d28bad81810b54d7d4cd7edcfc58ba9b3309b7a854509"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile"}, "region": {"startLine": 121}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 132471, "scanner": "repobility-docker", "fingerprint": "96c95586a774ecb912fa986a95681b0243571f3e7cfe53543674a879ac6c8545", "category": "docker", 
"severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|96c95586a774ecb912fa986a95681b0243571f3e7cfe53543674a879ac6c8545"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/Dockerfile.gpu"}, "region": {"startLine": 174}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 132470, "scanner": "repobility-docker", "fingerprint": "8b967aed73a0d1666ef2d9506bb42f010e6313f6c3c568b95de38c79ee01c979", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8b967aed73a0d1666ef2d9506bb42f010e6313f6c3c568b95de38c79ee01c979"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/Dockerfile.cpu"}, "region": {"startLine": 137}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 132463, "scanner": "repobility-docker", "fingerprint": "20fc42e9247adf8550aebea8f09f0554302cb7ce98d56e442201ed00f6380522", "category": "docker", "severity": "medium", "confidence": 
0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "runtime-base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|20fc42e9247adf8550aebea8f09f0554302cb7ce98d56e442201ed00f6380522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/Dockerfile.cpu"}, "region": {"startLine": 154}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 132462, "scanner": "repobility-docker", "fingerprint": "586b2197484bde4aec88207ff18d4f6ee3731194e7ed187f8d57f5aba2389cab", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nvidia/cuda:13.0.2-devel-amzn2023", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|586b2197484bde4aec88207ff18d4f6ee3731194e7ed187f8d57f5aba2389cab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/base/v2/Dockerfile"}, "region": {"startLine": 77}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 132460, "scanner": "repobility-docker", "fingerprint": "f05724e2c8c600d25a1bfa6078b065410bacc7e8487e041d9eb0beb07c2c9a3f", "category": "docker", "severity": "medium", 
"confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nvidia/cuda:12.9.1-devel-amzn2023", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f05724e2c8c600d25a1bfa6078b065410bacc7e8487e041d9eb0beb07c2c9a3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/base/v1/Dockerfile"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). 
CWE-117."}, "properties": {"repobilityId": 132458, "scanner": "repobility-threat-engine", "fingerprint": "dad4f891172a5f2632256d1a3b28a8003f16e92f30ddd2bb8bd7d9628cf2aad4", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.info(f\"No requirements.txt found at {REQ", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dad4f891172a5f2632256d1a3b28a8003f16e92f30ddd2bb8bd7d9628cf2aad4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ray/sagemaker_serve.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC115", "level": "warning", "message": {"text": "[SEC115] Decompression without size cap (zip/gzip bomb): Decompressing untrusted archives without a size or ratio cap \u2192 memory/disk exhaustion DoS (10kb \u2192 4GB classic 'zip bomb')."}, "properties": {"repobilityId": 132456, "scanner": "repobility-threat-engine", "fingerprint": "6dd077e03009b64d5fc7c2763cd3b0c88104d9b9f91c696f755f747b51a95394", "category": "resource_exhaustion", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "zipfile.ZipFile('/root/oss_compliance.zip').extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC115", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6dd077e03009b64d5fc7c2763cd3b0c88104d9b9f91c696f755f747b51a95394"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/common/setup_oss_compliance.sh"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: 
Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 132455, "scanner": "repobility-threat-engine", "fingerprint": "0b6b60415976607c03aa64af5202614609c102e17f9ccc165f892f3d32c405f9", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|14|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/common/setup_oss_compliance.sh"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC011", "level": "warning", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 132452, "scanner": "repobility-threat-engine", "fingerprint": "bb87a1875c2ce843a2837f5fcb1023c79ad0158c44066e9b8ae9ab23aed2bddd", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "torch.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|29|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ray/tabular-model/deployment.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 23 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: and=1, continue=4, else=1, for=1, if=9, nested_bonus=6, ternary=1."}, "properties": {"repobilityId": 132442, "scanner": "repobility-threat-engine", "fingerprint": "849095f91cc6275609b9729d0fefa37c31c5761fccbd27714ff254f83506fff0", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 23 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 9, "and": 1, "for": 1, "else": 1, "ternary": 1, "continue": 4, "nested_bonus": 6}, "complexity": 23, "correlation_key": "fp|849095f91cc6275609b9729d0fefa37c31c5761fccbd27714ff254f83506fff0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/upload_ecr_allowlists.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `Werkzeug` is 3 major version(s) behind (0.15.6 -> 3.1.8)"}, "properties": {"repobilityId": 132438, "scanner": "repobility-dependency-currency", "fingerprint": "0e07233e7d56cb896ed6295afa570e7243a8d4ceb2a2e6724df5c3cb46dda1a9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "Werkzeug", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.1.8", "correlation_key": "fp|0e07233e7d56cb896ed6295afa570e7243a8d4ceb2a2e6724df5c3cb46dda1a9", "current_version": "0.15.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 32}}}]}, {"ruleId": 
"DEPCUR-PY", "level": "warning", "message": {"text": "Python package `urllib3` is 1 major version(s) behind (1.26.20 -> 2.7.0)"}, "properties": {"repobilityId": 132437, "scanner": "repobility-dependency-currency", "fingerprint": "57555f9937b1255c3c418be73cedb2b61e2fe612078f5b3ad929597c3bb787ab", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "urllib3", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.7.0", "correlation_key": "fp|57555f9937b1255c3c418be73cedb2b61e2fe612078f5b3ad929597c3bb787ab", "current_version": "1.26.20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 31}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `pynvml` is 2 major version(s) behind (11.4.1 -> 13.0.1)"}, "properties": {"repobilityId": 132429, "scanner": "repobility-dependency-currency", "fingerprint": "065109d7e000454cc8592cb6d923e617400e8a20ba37ebb885b18eaf96e63579", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pynvml", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "13.0.1", "correlation_key": "fp|065109d7e000454cc8592cb6d923e617400e8a20ba37ebb885b18eaf96e63579", "current_version": "11.4.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 21}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `psutil` is 2 major version(s) behind (5.8.0 -> 7.2.2)"}, 
"properties": {"repobilityId": 132428, "scanner": "repobility-dependency-currency", "fingerprint": "cbfcab0280d2fbdce15aadbcb4cdae8d73b5a9e4e8623f3744242e038a62eb7d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "psutil", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "7.2.2", "correlation_key": "fp|cbfcab0280d2fbdce15aadbcb4cdae8d73b5a9e4e8623f3744242e038a62eb7d", "current_version": "5.8.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 20}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `pandas` is 1 major version(s) behind (2.2.3 -> 3.0.3)"}, "properties": {"repobilityId": 132427, "scanner": "repobility-dependency-currency", "fingerprint": "645aa4eb9268d5b6b86bbede6eb3a10477a37086caa82a0f2e3b7bfe16ad6654", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pandas", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.0.3", "correlation_key": "fp|645aa4eb9268d5b6b86bbede6eb3a10477a37086caa82a0f2e3b7bfe16ad6654", "current_version": "2.2.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 18}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `MarkupSafe` is 2 major version(s) behind (1.1.1 -> 3.0.3)"}, "properties": {"repobilityId": 132424, "scanner": "repobility-dependency-currency", "fingerprint": 
"badf9d19e42dd05465cde24052a94add24a3ee561ec457656bf61f7121dc0fe7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "MarkupSafe", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.0.3", "correlation_key": "fp|badf9d19e42dd05465cde24052a94add24a3ee561ec457656bf61f7121dc0fe7", "current_version": "1.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 13}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `jinja2` is 1 major version(s) behind (2.11.3 -> 3.1.6)"}, "properties": {"repobilityId": 132423, "scanner": "repobility-dependency-currency", "fingerprint": "d50136bca4b83a4934edf3e65bedc43d5b2d0c58e6f2254a1d3f109393b02a8c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jinja2", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.1.6", "correlation_key": "fp|d50136bca4b83a4934edf3e65bedc43d5b2d0c58e6f2254a1d3f109393b02a8c", "current_version": "2.11.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 12}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `gunicorn` is 3 major version(s) behind (23.0.0 -> 26.0.0)"}, "properties": {"repobilityId": 132421, "scanner": "repobility-dependency-currency", "fingerprint": "8753883ae0abfdf663049afb66838ce0f533b1463da812672903b45e4644444b", "category": "dependency", "severity": "medium", "confidence": 
0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "gunicorn", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "26.0.0", "correlation_key": "fp|8753883ae0abfdf663049afb66838ce0f533b1463da812672903b45e4644444b", "current_version": "23.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 10}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `gevent` is 3 major version(s) behind (23.9.1 -> 26.5.0)"}, "properties": {"repobilityId": 132420, "scanner": "repobility-dependency-currency", "fingerprint": "d17b917ddeb05cd3b2dd8f28c4dbf81e97f7e08ff710755d33e4852589a1bb91", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "gevent", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "26.5.0", "correlation_key": "fp|d17b917ddeb05cd3b2dd8f28c4dbf81e97f7e08ff710755d33e4852589a1bb91", "current_version": "23.9.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 9}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `Flask` is 2 major version(s) behind (1.1.1 -> 3.1.3)"}, "properties": {"repobilityId": 132419, "scanner": "repobility-dependency-currency", "fingerprint": "c630185852da1e23124ea97b443004f1b5cc9fe05ae153c076d8eee96992f9d7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", 
"signal": "currency", "cwe_ids": [], "package": "Flask", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.1.3", "correlation_key": "fp|c630185852da1e23124ea97b443004f1b5cc9fe05ae153c076d8eee96992f9d7", "current_version": "1.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `dask` is 2 major version(s) behind (2024.11.2 -> 2026.3.0)"}, "properties": {"repobilityId": 132418, "scanner": "repobility-dependency-currency", "fingerprint": "1615fee321825eb6e415e3b703eb8eeb1d625941abea7f4f506f590cc295afa6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dask", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2026.3.0", "correlation_key": "fp|1615fee321825eb6e415e3b703eb8eeb1d625941abea7f4f506f590cc295afa6", "current_version": "2024.11.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 7}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `cuda-python` is 1 major version(s) behind (12.6.0 -> 13.3.1)"}, "properties": {"repobilityId": 132417, "scanner": "repobility-dependency-currency", "fingerprint": "a09bda862cc438ef3c50cd0c39fbcad98f68c77f762dc8e8b9cdc408988da531", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cuda-python", "scanner": "repobility-dependency-currency", "ecosystem": 
"pypi", "languages": ["python"], "latest_version": "13.3.1", "correlation_key": "fp|a09bda862cc438ef3c50cd0c39fbcad98f68c77f762dc8e8b9cdc408988da531", "current_version": "12.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `certifi` is 1 major version(s) behind (2025.4.26 -> 2026.5.20)"}, "properties": {"repobilityId": 132416, "scanner": "repobility-dependency-currency", "fingerprint": "66acb8ad4e0bfb88e0a22318665e56a83d1a3565f5c9ff8d09a2107093e6a935", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "certifi", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2026.5.20", "correlation_key": "fp|66acb8ad4e0bfb88e0a22318665e56a83d1a3565f5c9ff8d09a2107093e6a935", "current_version": "2025.4.26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `requests` has no version pin"}, "properties": {"repobilityId": 132388, "scanner": "repobility-supply-chain", "fingerprint": "07e6559cac51ab909b99cc99373c44b22bf6d20fe29526121710ff18a200fdd3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07e6559cac51ab909b99cc99373c44b22bf6d20fe29526121710ff18a200fdd3"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "test/ray/ec2/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `pytest` has no version pin"}, "properties": {"repobilityId": 132387, "scanner": "repobility-supply-chain", "fingerprint": "30469e673fd1dcd03593db67b6f9698addb0375f1eea69cfeca1a0d6336c0d55", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|30469e673fd1dcd03593db67b6f9698addb0375f1eea69cfeca1a0d6336c0d55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/pytorch/integration/sagemaker/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `boto3` has no version pin"}, "properties": {"repobilityId": 132386, "scanner": "repobility-supply-chain", "fingerprint": "982e6b147c0e5767ce80c0ab77ba8a26bf766230d848d2305c83f6d292f7aee1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|982e6b147c0e5767ce80c0ab77ba8a26bf766230d848d2305c83f6d292f7aee1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/pytorch/integration/sagemaker/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `starlette` has no version pin"}, "properties": {"repobilityId": 132385, 
"scanner": "repobility-supply-chain", "fingerprint": "0da34666d0ebdf56fa9dd51fa257abc3f2c08c698e918131b0e9e92f9801ccd3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0da34666d0ebdf56fa9dd51fa257abc3f2c08c698e918131b0e9e92f9801ccd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `requests` has no version pin"}, "properties": {"repobilityId": 132384, "scanner": "repobility-supply-chain", "fingerprint": "c99c4b4e076ab4e65e84ceb51130e796d38cc892b5e7c15e161dae5048cf66e8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c99c4b4e076ab4e65e84ceb51130e796d38cc892b5e7c15e161dae5048cf66e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/telemetry/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `setuptools<81` sets only an upper bound and has no exact version pin"}, "properties": {"repobilityId": 132383, "scanner": "repobility-supply-chain", "fingerprint": "581801b127cfd7100210c0c4fe8b05289b7958202c6d9a116b139c50d086cab1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": 
{"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|581801b127cfd7100210c0c4fe8b05289b7958202c6d9a116b139c50d086cab1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `pytest` has no version pin"}, "properties": {"repobilityId": 132357, "scanner": "repobility-supply-chain", "fingerprint": "214fb50852921a77c2f02e64152ae43c517ea55c1769b0f8ef02c5e6b0d32f28", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|214fb50852921a77c2f02e64152ae43c517ea55c1769b0f8ef02c5e6b0d32f28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `fabric` has no version pin"}, "properties": {"repobilityId": 132356, "scanner": "repobility-supply-chain", "fingerprint": "0e63cc9110b0335b7ad535f5295a63c39b801b6051e4c764eb8fa21a0cefc792", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e63cc9110b0335b7ad535f5295a63c39b801b6051e4c764eb8fa21a0cefc792"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "test/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `botocore` has no version pin"}, "properties": {"repobilityId": 132355, "scanner": "repobility-supply-chain", "fingerprint": "a81a00571fd0adfd117f7e6b297234b17691190172613baeb91cc97c7331ece1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a81a00571fd0adfd117f7e6b297234b17691190172613baeb91cc97c7331ece1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `boto3` has no version pin"}, "properties": {"repobilityId": 132354, "scanner": "repobility-supply-chain", "fingerprint": "5691d7237090e4fadd441b407a1a98c252afba1f295f07a6d4497d9538971a7d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5691d7237090e4fadd441b407a1a98c252afba1f295f07a6d4497d9538971a7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `omegaconf` has no version pin"}, "properties": {"repobilityId": 132353, "scanner": "repobility-supply-chain", "fingerprint": 
"83a450364cdc2a43410c4dfba174befd682e8dcba9290b37250928b3e542ee31", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|83a450364cdc2a43410c4dfba174befd682e8dcba9290b37250928b3e542ee31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `mkdocs-macros-plugin` has no version pin"}, "properties": {"repobilityId": 132352, "scanner": "repobility-supply-chain", "fingerprint": "e6aa7ee8b4baa76f43179ea543a8d77100f9a0dfbca835ff0b612ad16b91bcc7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6aa7ee8b4baa76f43179ea543a8d77100f9a0dfbca835ff0b612ad16b91bcc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `mkdocs-awesome-nav` has no version pin"}, "properties": {"repobilityId": 132351, "scanner": "repobility-supply-chain", "fingerprint": "9c57ad8d35e7ae2b3fa61aed3b916efbdd0142ce9d36f02dec5cd2b28abc9e25", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": 
["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c57ad8d35e7ae2b3fa61aed3b916efbdd0142ce9d36f02dec5cd2b28abc9e25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `mkdocs-autorefs` has no version pin"}, "properties": {"repobilityId": 132350, "scanner": "repobility-supply-chain", "fingerprint": "db9a17ec2ccb1768cd16e432759b8840ef166c0c79d53cde27727cfcaa26ada3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db9a17ec2ccb1768cd16e432759b8840ef166c0c79d53cde27727cfcaa26ada3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `jinja2` has no version pin"}, "properties": {"repobilityId": 132349, "scanner": "repobility-supply-chain", "fingerprint": "ffaf7398114cbda334e053904053056ba091269561170a47387ffe762701f0ed", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ffaf7398114cbda334e053904053056ba091269561170a47387ffe762701f0ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"MINED124", "level": "warning", "message": {"text": "requirements.txt: `pre-commit` has no version pin"}, "properties": {"repobilityId": 132348, "scanner": "repobility-supply-chain", "fingerprint": "2657aa8f963b33e42b96ee68ad0eeba29ddf675ac81d414e7006d3dfb3f07fe0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2657aa8f963b33e42b96ee68ad0eeba29ddf675ac81d414e7006d3dfb3f07fe0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132335, "scanner": "repobility-ast-engine", "fingerprint": "77eae0169ad21af26878e31ec0724663d833e48a69ff7d122ce3d46c9277d5ef", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|77eae0169ad21af26878e31ec0724663d833e48a69ff7d122ce3d46c9277d5ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/autocurrency/agent-fix.py"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132334, "scanner": "repobility-ast-engine", "fingerprint": "017450c0f2451a1c95fad7142a4f4c74ea12ea887dc9ae455a93c901a192068a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|017450c0f2451a1c95fad7142a4f4c74ea12ea887dc9ae455a93c901a192068a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/autocurrency/agent-fix.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `on_startup` (list)"}, "properties": {"repobilityId": 132333, "scanner": "repobility-ast-engine", "fingerprint": "204b8cc1ae1a601202a76e3187437acd9a93271cbcbfa2b5cf9e796d86a3e71e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|204b8cc1ae1a601202a76e3187437acd9a93271cbcbfa2b5cf9e796d86a3e71e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/hooks.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132332, "scanner": "repobility-ast-engine", "fingerprint": "3520cb93b07b262293fa72055d03ad43b44e0d32958da34eaf0154847bb06273", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3520cb93b07b262293fa72055d03ad43b44e0d32958da34eaf0154847bb06273"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docs/src/utils.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132331, "scanner": "repobility-ast-engine", "fingerprint": "5da3cdc1b875aa5dfa7876f7da2cf9d0fa865495ebb880e8e950f11bdbb3f242", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5da3cdc1b875aa5dfa7876f7da2cf9d0fa865495ebb880e8e950f11bdbb3f242"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/container_helper.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132330, "scanner": "repobility-ast-engine", "fingerprint": "c9c91b4c3ed6b5ba7ad6df2e46201c8c7a3ba07d922e640845ca6e808855fc6a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c9c91b4c3ed6b5ba7ad6df2e46201c8c7a3ba07d922e640845ca6e808855fc6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 560}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132303, "scanner": "repobility-ast-engine", "fingerprint": "7ca5d5b702588d4ba2c4545875d3ca995bef13fb6160a041cd4e76f803a50bf3", 
"category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7ca5d5b702588d4ba2c4545875d3ca995bef13fb6160a041cd4e76f803a50bf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm/sagemaker/amzn2023/test_sm_model_serving.py"}, "region": {"startLine": 147}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132302, "scanner": "repobility-ast-engine", "fingerprint": "ddc80c4fc1e70c9def2c6868e02c6e7f8f25512fae44f09060ca58e39eed15cb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ddc80c4fc1e70c9def2c6868e02c6e7f8f25512fae44f09060ca58e39eed15cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/scripts/benchmark/image_benchmark_client.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132301, "scanner": "repobility-ast-engine", "fingerprint": "add6646d15e9a7acfbee7d2b0970e2709ea4df7aac03ab7564756d9d837ed0d3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|add6646d15e9a7acfbee7d2b0970e2709ea4df7aac03ab7564756d9d837ed0d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/scripts/benchmark/image_benchmark_client.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132299, "scanner": "repobility-ast-engine", "fingerprint": "ee41cd9a3961454ad66ab10e8a7f8e794cf16d2e3647a75b7210e8680f89bfdf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee41cd9a3961454ad66ab10e8a7f8e794cf16d2e3647a75b7210e8680f89bfdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/scripts/benchmark/chat_omni_benchmark_client.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132298, "scanner": "repobility-ast-engine", "fingerprint": "27a15cdb9da4f288dc53075ba2b109e27750cca6d3c68e5ce56fe54f4aa0fabc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|27a15cdb9da4f288dc53075ba2b109e27750cca6d3c68e5ce56fe54f4aa0fabc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/scripts/benchmark/tts_benchmark_client.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED111", "level": 
"warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132296, "scanner": "repobility-ast-engine", "fingerprint": "cc134fbdc66b009f3f5d0f6176ddeefd559eb9773fc22fa03905cc69bd3c4f4b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cc134fbdc66b009f3f5d0f6176ddeefd559eb9773fc22fa03905cc69bd3c4f4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/scripts/benchmark/audio_generate_benchmark_client.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132295, "scanner": "repobility-ast-engine", "fingerprint": "342e4b5d219c176360774fbb11013665ba2bde0677b104911091cd395e856efb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|342e4b5d219c176360774fbb11013665ba2bde0677b104911091cd395e856efb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/scripts/benchmark/video_benchmark_client.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132273, "scanner": "repobility-ast-engine", "fingerprint": "622e908699d0d32ae11a11364966261c9aeb12b93b9ce9b336eb17cc70c19dc3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|622e908699d0d32ae11a11364966261c9aeb12b93b9ce9b336eb17cc70c19dc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/efa/test_efa.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 132271, "scanner": "repobility-ast-engine", "fingerprint": "a6f65f1b9eea3dc4c061a633d98462adf66b301338bf82c9b32e2d93ae0e2449", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a6f65f1b9eea3dc4c061a633d98462adf66b301338bf82c9b32e2d93ae0e2449"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test_utils/aws.py"}, "region": {"startLine": 182}}}]}, {"ruleId": "GHSA-r374-rxx8-8654", "level": "note", "message": {"text": "paramiko: GHSA-r374-rxx8-8654"}, "properties": {"repobilityId": 132586, "scanner": "osv-scanner", "fingerprint": "ebcc4c4f70f7dd149d3af186f72549d228de7ff93c4f4e7620d43e0e014a45cd", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44405"], "package": "paramiko", "rule_id": "GHSA-r374-rxx8-8654", "scanner": "osv-scanner", "correlation_key": "vuln|paramiko|CVE-2026-44405|docker/xgboost/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/uv.lock"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GHSA-68rp-wp8r-4726", "level": "note", "message": {"text": "flask: GHSA-68rp-wp8r-4726"}, "properties": {"repobilityId": 132564, "scanner": "osv-scanner", "fingerprint": "a84ea9f7756914c43bf6feff23b111ad80c6f8e94c3eb18bac2258cf16028d5a", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27205"], "package": "flask", "rule_id": "GHSA-68rp-wp8r-4726", "scanner": "osv-scanner", "correlation_key": "vuln|flask|CVE-2026-27205|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r374-rxx8-8654", "level": "note", "message": {"text": "paramiko: GHSA-r374-rxx8-8654"}, "properties": {"repobilityId": 132549, "scanner": "osv-scanner", "fingerprint": "8150d88f0b8ef8f158cd91728188fc3bffa43cdf4be808d149baad585275c7d7", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44405"], "package": "paramiko", "rule_id": "GHSA-r374-rxx8-8654", "scanner": "osv-scanner", "correlation_key": "vuln|paramiko|CVE-2026-44405|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r374-rxx8-8654"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8150d88f0b8ef8f158cd91728188fc3bffa43cdf4be808d149baad585275c7d7", "c3ad3c292c533f0589a3575db4823ef06a5d9deac232bcdaf8959f0b577b9d52"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/cpu/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132542, "scanner": "repobility-docker", "fingerprint": 
"d0147500dd0554a39e0cf3533725785580efb2b7f6b4092926077b152415b80e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d0147500dd0554a39e0cf3533725785580efb2b7f6b4092926077b152415b80e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/Dockerfile"}, "region": {"startLine": 103}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132540, "scanner": "repobility-docker", "fingerprint": "26e838413d7d57c41f90e6d3f7c8b8117e100d65bda1d10505f65ded51fcb5d3", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|26e838413d7d57c41f90e6d3f7c8b8117e100d65bda1d10505f65ded51fcb5d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/Dockerfile"}, "region": {"startLine": 217}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132539, "scanner": "repobility-docker", "fingerprint": "cb30e1f9ee2dffde0a114b3349cf020a4513a7c0bbb665c85d4274f0d9fd4060", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|cb30e1f9ee2dffde0a114b3349cf020a4513a7c0bbb665c85d4274f0d9fd4060"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/Dockerfile"}, "region": {"startLine": 162}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132538, "scanner": "repobility-docker", "fingerprint": "789b14743df88601457de6c192edfcac5f28a0fc656e44fb8f1fa59e2012109e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|789b14743df88601457de6c192edfcac5f28a0fc656e44fb8f1fa59e2012109e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/Dockerfile"}, "region": {"startLine": 118}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132537, "scanner": "repobility-docker", "fingerprint": "f43d3e23a3b0c90630b1a741054d280515dbab4bcec62f02b371a1b2486d0b81", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f43d3e23a3b0c90630b1a741054d280515dbab4bcec62f02b371a1b2486d0b81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/Dockerfile"}, "region": {"startLine": 66}}}]}, {"ruleId": "DKR012", "level": "note", "message": 
{"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132531, "scanner": "repobility-docker", "fingerprint": "3a83b634757dd65fc7d315f85e967303aac3fbb73cfadbe75164b6943a3fb320", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|3a83b634757dd65fc7d315f85e967303aac3fbb73cfadbe75164b6943a3fb320"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 331}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132530, "scanner": "repobility-docker", "fingerprint": "c22cf035eb24fa4dad3a82c9f0c9d79b7529b8fdf1659e32299d3cbd6ae4f297", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c22cf035eb24fa4dad3a82c9f0c9d79b7529b8fdf1659e32299d3cbd6ae4f297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 317}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132527, "scanner": "repobility-docker", "fingerprint": "8d69f5b3da2cabf4f0bdbfa9d7238516a8b551a6a2b750f94416fddb470ab4aa", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip 
install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|8d69f5b3da2cabf4f0bdbfa9d7238516a8b551a6a2b750f94416fddb470ab4aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 227}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132526, "scanner": "repobility-docker", "fingerprint": "f6f3da4a1739776a5e5caa5c29d17a8ec4f2ac25b4c7d358b7d335f45a8a0605", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f6f3da4a1739776a5e5caa5c29d17a8ec4f2ac25b4c7d358b7d335f45a8a0605"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 217}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132525, "scanner": "repobility-docker", "fingerprint": "6910de86c221a7e4ce6ae85b6144b913d0c98a529f6d5a6f9e890f363ddb2b78", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|6910de86c221a7e4ce6ae85b6144b913d0c98a529f6d5a6f9e890f363ddb2b78"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 212}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132524, "scanner": "repobility-docker", "fingerprint": "2794ce0701cac3fd3d16306ec6326c0175933f9497b609a8f45c30c37079bd1b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|2794ce0701cac3fd3d16306ec6326c0175933f9497b609a8f45c30c37079bd1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 208}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132523, "scanner": "repobility-docker", "fingerprint": "b8f57322bd01b75bb7632a9fbbe3eda6d8a8a9949508d403af9af73bd3475013", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b8f57322bd01b75bb7632a9fbbe3eda6d8a8a9949508d403af9af73bd3475013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 196}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132522, "scanner": "repobility-docker", "fingerprint": "062c5f71bc707fa887630032a1363c5755773c23c33a0cf437c3d2293fd5e1e6", "category": 
"docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|062c5f71bc707fa887630032a1363c5755773c23c33a0cf437c3d2293fd5e1e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 191}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132519, "scanner": "repobility-docker", "fingerprint": "7a394e7b6aced00181e1ad1819f52b3a44143e105612ecbc4b9c517c1c50c37d", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7a394e7b6aced00181e1ad1819f52b3a44143e105612ecbc4b9c517c1c50c37d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132518, "scanner": "repobility-docker", "fingerprint": "4723b7aa54f6924aef2a876c2fa28777b2d804486c5f47c6d593fc0d5a1f325c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": 
"fp|4723b7aa54f6924aef2a876c2fa28777b2d804486c5f47c6d593fc0d5a1f325c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 72}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132510, "scanner": "repobility-docker", "fingerprint": "8eae8c3ce62a1a5126ce7447869c75a471bdcfae3e8fe84f7ae71565a0a78655", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|8eae8c3ce62a1a5126ce7447869c75a471bdcfae3e8fe84f7ae71565a0a78655"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 225}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132509, "scanner": "repobility-docker", "fingerprint": "9eaa64dc1f1688d1a472fdd1aa3d8aba87a522bbb050c3dee8ccc6cb32d7d116", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9eaa64dc1f1688d1a472fdd1aa3d8aba87a522bbb050c3dee8ccc6cb32d7d116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 215}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132508, "scanner": 
"repobility-docker", "fingerprint": "d205b748d2fef252d7dee54523b115dab081084e2d8c735543ee29b324b1a366", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d205b748d2fef252d7dee54523b115dab081084e2d8c735543ee29b324b1a366"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 210}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132507, "scanner": "repobility-docker", "fingerprint": "5264f9b31b437c992e4d5fa6c3b3aa09308a739275e060956f4d13abc41d76cf", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|5264f9b31b437c992e4d5fa6c3b3aa09308a739275e060956f4d13abc41d76cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 205}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132506, "scanner": "repobility-docker", "fingerprint": "2fa08bb07853abf518f1e2379c35de2527fdb6792a7d47434523ca1aa2a3a4bf", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", 
"references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|2fa08bb07853abf518f1e2379c35de2527fdb6792a7d47434523ca1aa2a3a4bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 200}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132505, "scanner": "repobility-docker", "fingerprint": "0f35aaeae53069ceae55de10cd3e22c64112e9242436272dcd75ea560bda05e1", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|0f35aaeae53069ceae55de10cd3e22c64112e9242436272dcd75ea560bda05e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 190}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132504, "scanner": "repobility-docker", "fingerprint": "452dd0156e60dac0c5f51b5c20fc7ae2b19b09cca7562ffa006419f6e3130f80", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|452dd0156e60dac0c5f51b5c20fc7ae2b19b09cca7562ffa006419f6e3130f80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 185}}}]}, {"ruleId": "DKR012", "level": "note", 
"message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132501, "scanner": "repobility-docker", "fingerprint": "dd9c0611dc51a94701b77631cada5bd5c1bb9db2eae5af0b8663aa71d431a1f8", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|dd9c0611dc51a94701b77631cada5bd5c1bb9db2eae5af0b8663aa71d431a1f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 69}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132494, "scanner": "repobility-docker", "fingerprint": "83c4ef8bb5fde6b82a1ad811204d0943ce2361265f0a1aaf82e11c7d92c913a7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|83c4ef8bb5fde6b82a1ad811204d0943ce2361265f0a1aaf82e11c7d92c913a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132493, "scanner": "repobility-docker", "fingerprint": "2ef76519d7bf037f789125416ada50fcfaaa6e20292a098a1547ed2feb3bc8c4", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears 
without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|2ef76519d7bf037f789125416ada50fcfaaa6e20292a098a1547ed2feb3bc8c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132490, "scanner": "repobility-docker", "fingerprint": "9892a5758600a261fbebdf387dceace4a26004c71918c968b51788782c920c6d", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9892a5758600a261fbebdf387dceace4a26004c71918c968b51788782c920c6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 263}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132489, "scanner": "repobility-docker", "fingerprint": "ac1585931be934f2842a38063f99a155d01caf292d22cb67d6481a790265077f", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ac1585931be934f2842a38063f99a155d01caf292d22cb67d6481a790265077f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 260}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132488, "scanner": "repobility-docker", "fingerprint": "7dbcbde4db55ae9efad91871510d209a5e5fc9a0c58d15fe1c55bafa8009a5a5", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7dbcbde4db55ae9efad91871510d209a5e5fc9a0c58d15fe1c55bafa8009a5a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 215}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132485, "scanner": "repobility-docker", "fingerprint": "9b9dc7500c1e949e4840aa2e5680d0db930dee83a07a2258c0466c4ebd873d0b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9b9dc7500c1e949e4840aa2e5680d0db930dee83a07a2258c0466c4ebd873d0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 158}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132484, "scanner": "repobility-docker", "fingerprint": "777538278408fba66189b2f11e19e8a1254035bbcabefa875ab2558eee59cc07", "category": "docker", 
"severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|777538278408fba66189b2f11e19e8a1254035bbcabefa875ab2558eee59cc07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 145}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132483, "scanner": "repobility-docker", "fingerprint": "ab5d65d42b3715d1648324f176f820acc81dcc31e728c5a8739d216c94249124", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ab5d65d42b3715d1648324f176f820acc81dcc31e728c5a8739d216c94249124"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 140}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132482, "scanner": "repobility-docker", "fingerprint": "b6780ca4c3e98afb14eef5f786691499d8f1cd6a51cdf8994169dcfa134cef33", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": 
"fp|b6780ca4c3e98afb14eef5f786691499d8f1cd6a51cdf8994169dcfa134cef33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 130}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132480, "scanner": "repobility-docker", "fingerprint": "fa8359f7cab0b83f8e86c02d9307e7d0ab6c5f350d97077e8156542d19047ac7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|fa8359f7cab0b83f8e86c02d9307e7d0ab6c5f350d97077e8156542d19047ac7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 63}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132474, "scanner": "repobility-docker", "fingerprint": "a75543539fb1994e194012c2894890de2d91d7ef2ae488761a279cac9d8e6e07", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|a75543539fb1994e194012c2894890de2d91d7ef2ae488761a279cac9d8e6e07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132473, "scanner": 
"repobility-docker", "fingerprint": "cead2bfa2d3638a560d44146c3d1dcd27d2e7fead5a4698c2b297609922a348b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|cead2bfa2d3638a560d44146c3d1dcd27d2e7fead5a4698c2b297609922a348b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132466, "scanner": "repobility-docker", "fingerprint": "826bf289926f9db2c4b24dc3243215b2d3e4bf0eac22b1c263110318a8da2f52", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|826bf289926f9db2c4b24dc3243215b2d3e4bf0eac22b1c263110318a8da2f52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/Dockerfile.cuda"}, "region": {"startLine": 89}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 132465, "scanner": "repobility-docker", "fingerprint": "4d53db9e51992e9c0a4b6e9eb1b4ab837b674f663f736c72fd18e9029e1db924", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", 
"references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|4d53db9e51992e9c0a4b6e9eb1b4ab837b674f663f736c72fd18e9029e1db924"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/Dockerfile.cuda"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 132461, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `load_framework_allowlist` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: except=2, if=5, nested_bonus=5."}, "properties": {"repobilityId": 132443, "scanner": "repobility-threat-engine", "fingerprint": "0e3ab304fc4609215f1c42137a7a870c5cca5ea2bdca90c654aa9a1ddb703029", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "load_framework_allowlist", "breakdown": {"if": 5, "except": 2, "nested_bonus": 5}, "complexity": 12, "correlation_key": "fp|0e3ab304fc4609215f1c42137a7a870c5cca5ea2bdca90c654aa9a1ddb703029"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/upload_ecr_allowlists.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `evict_models` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, for=1, if=4, nested_bonus=3."}, "properties": {"repobilityId": 132441, "scanner": "repobility-threat-engine", "fingerprint": "1f34d40b0248f8957035f2a6f1a170dcbe95fa1117512ad86ce0172488b6ce9f", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "evict_models", "breakdown": {"if": 4, "for": 1, "continue": 1, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|1f34d40b0248f8957035f2a6f1a170dcbe95fa1117512ad86ce0172488b6ce9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/download-model/evict_models.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `wheel` is minor version(s) behind (0.45.1 -> 0.47.0)"}, "properties": {"repobilityId": 132439, "scanner": "repobility-dependency-currency", "fingerprint": "9a22df25e42842423a3fa90b3a5efc8ed9fb3e3677701683813aab8410e09387", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "wheel", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.47.0", "correlation_key": "fp|9a22df25e42842423a3fa90b3a5efc8ed9fb3e3677701683813aab8410e09387", "current_version": "0.45.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 33}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `scipy` is minor version(s) behind (1.15.0 -> 1.17.1)"}, "properties": {"repobilityId": 132436, "scanner": "repobility-dependency-currency", "fingerprint": 
"944b9a32ac23417c7b860edea037533f291a66aad1f2307bc2522fa9526dc203", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "scipy", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.17.1", "correlation_key": "fp|944b9a32ac23417c7b860edea037533f291a66aad1f2307bc2522fa9526dc203", "current_version": "1.15.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 29}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `scikit-learn` is minor version(s) behind (1.5.2 -> 1.9.0)"}, "properties": {"repobilityId": 132435, "scanner": "repobility-dependency-currency", "fingerprint": "327f86aab929af61994db49a6988214a932fa3a2b44f83852b0e9509ee2b2dbe", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "scikit-learn", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.9.0", "correlation_key": "fp|327f86aab929af61994db49a6988214a932fa3a2b44f83852b0e9509ee2b2dbe", "current_version": "1.5.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 28}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `sagemaker-inference` is minor version(s) behind (1.5.5 -> 1.10.1)"}, "properties": {"repobilityId": 132434, "scanner": "repobility-dependency-currency", "fingerprint": "a207971eb559aa00d7960646a70bc5d2f1ca78163ca892be0494d2bfade44a0b", "category": "dependency", "severity": "low", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "sagemaker-inference", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.10.1", "correlation_key": "fp|a207971eb559aa00d7960646a70bc5d2f1ca78163ca892be0494d2bfade44a0b", "current_version": "1.5.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 27}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `retrying` is minor version(s) behind (1.3.3 -> 1.4.2)"}, "properties": {"repobilityId": 132433, "scanner": "repobility-dependency-currency", "fingerprint": "af1d6cd304fcac19f1c29b1f80c1542637e80267ee5bd863c4641d26d89c6bb3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "retrying", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.4.2", "correlation_key": "fp|af1d6cd304fcac19f1c29b1f80c1542637e80267ee5bd863c4641d26d89c6bb3", "current_version": "1.3.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 25}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `requests` is minor version(s) behind (2.32.3 -> 2.34.2)"}, "properties": {"repobilityId": 132432, "scanner": "repobility-dependency-currency", "fingerprint": "5f4f867bf7fe8236494d1a9e527807c013ddcc0924db4c8c0ab62c34664cf260", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": 
"currency", "cwe_ids": [], "package": "requests", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.34.2", "correlation_key": "fp|5f4f867bf7fe8236494d1a9e527807c013ddcc0924db4c8c0ab62c34664cf260", "current_version": "2.32.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 24}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `python-dateutil` is minor version(s) behind (2.8.2 -> 2.9.0.post0)"}, "properties": {"repobilityId": 132430, "scanner": "repobility-dependency-currency", "fingerprint": "34f38e4c3492d50be1ccf5645d0b1bba5c90786ec4aa6ea791482bd24715bddf", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "python-dateutil", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.9.0.post0", "correlation_key": "fp|34f38e4c3492d50be1ccf5645d0b1bba5c90786ec4aa6ea791482bd24715bddf", "current_version": "2.8.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 22}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `numba` is minor version(s) behind (0.61.0 -> 0.65.1)"}, "properties": {"repobilityId": 132426, "scanner": "repobility-dependency-currency", "fingerprint": "13673257b76f954e4cd3dd684e0ccbe072fa2beb6cb863d6eaf96472d9989d24", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "numba", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": 
["python"], "latest_version": "0.65.1", "correlation_key": "fp|13673257b76f954e4cd3dd684e0ccbe072fa2beb6cb863d6eaf96472d9989d24", "current_version": "0.61.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 16}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `itsdangerous` is minor version(s) behind (2.0.1 -> 2.2.0)"}, "properties": {"repobilityId": 132422, "scanner": "repobility-dependency-currency", "fingerprint": "cd4700d27bb2183a24e37318d80320fe74c9b74596c445149ccc2c062d23037f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "itsdangerous", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.2.0", "correlation_key": "fp|cd4700d27bb2183a24e37318d80320fe74c9b74596c445149ccc2c062d23037f", "current_version": "2.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 132267, "scanner": "repobility-ai-code-hygiene", "fingerprint": "949c246672366421b103b88b9c369220df1f194cfa9baa40e5acd17fa2402662", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "parse_args", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "scripts/telemetry/deep_learning_container.py", 
"correlation_key": "fp|949c246672366421b103b88b9c369220df1f194cfa9baa40e5acd17fa2402662"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/autocurrency/agent-fix.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132266, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2c2359fddee748e228018c18b068a5911deae1833810c5e2a07acf80fe72d426", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/ray/ec2/common.py", "duplicate_line": 228, "correlation_key": "fp|2c2359fddee748e228018c18b068a5911deae1833810c5e2a07acf80fe72d426"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/ray/sagemaker/common.py"}, "region": {"startLine": 163}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132265, "scanner": "repobility-ai-code-hygiene", "fingerprint": "52fbefbd94853252235fbf74b503996ba6a082e45f0b33c186d631da27ab4f16", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/vllm/omni_sagemaker_serve.py", "duplicate_line": 27, "correlation_key": "fp|52fbefbd94853252235fbf74b503996ba6a082e45f0b33c186d631da27ab4f16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"scripts/vllm/sagemaker_serve.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 132264, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e76d29b2c9008d6dedceb5bdbcbead58ff50f0a97a17beaa20043a74d06694ca", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|e76d29b2c9008d6dedceb5bdbcbead58ff50f0a97a17beaa20043a74d06694ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/autocurrency/agent-fix.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132536, "scanner": "repobility-docker", "fingerprint": "253ecd2ce4a0f404f09d0016e848d6b06fed77570d0a7bcf620a32708e12580a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-base-ubuntu${UBUNTU_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|253ecd2ce4a0f404f09d0016e848d6b06fed77570d0a7bcf620a32708e12580a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/Dockerfile"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base 
image is selected through a build variable"}, "properties": {"repobilityId": 132535, "scanner": "repobility-docker", "fingerprint": "d56b4432ce1600affe5fa74fbe3a7791ba8d2f46b53ddf5eae49878a7d1ec376", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ubuntu:${UBUNTU_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d56b4432ce1600affe5fa74fbe3a7791ba8d2f46b53ddf5eae49878a7d1ec376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/Dockerfile"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132534, "scanner": "repobility-docker", "fingerprint": "eea57a5f830a8f833b2d384648f84be78afb7ca2dda3b63ab9b27dd3e5f7411b", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ubuntu:${UBUNTU_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|eea57a5f830a8f833b2d384648f84be78afb7ca2dda3b63ab9b27dd3e5f7411b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, 
"properties": {"repobilityId": 132532, "scanner": "repobility-docker", "fingerprint": "a930077e8d9e1255a1694506abf5842095d1f0dfdfd2b949984713f32b5e4128", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-runtime-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a930077e8d9e1255a1694506abf5842095d1f0dfdfd2b949984713f32b5e4128"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 336}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132528, "scanner": "repobility-docker", "fingerprint": "f6b45b8d2c841f33b7a063d52208434316f471f681ff6fef78ab47ef0e4cfe6c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-runtime-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f6b45b8d2c841f33b7a063d52208434316f471f681ff6fef78ab47ef0e4cfe6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 253}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, 
"properties": {"repobilityId": 132520, "scanner": "repobility-docker", "fingerprint": "ecd848e3e1d2c6e1d8a75a95419ed3e34d1ab0928b3f38a992f292cb5ca2e0e1", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-devel-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ecd848e3e1d2c6e1d8a75a95419ed3e34d1ab0928b3f38a992f292cb5ca2e0e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 166}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132516, "scanner": "repobility-docker", "fingerprint": "8721f6c24709f92a0f9dfe95c1ca65ed8d85c62f847a6a1484604ee69bb52eed", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-devel-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8721f6c24709f92a0f9dfe95c1ca65ed8d85c62f847a6a1484604ee69bb52eed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, 
"properties": {"repobilityId": 132512, "scanner": "repobility-docker", "fingerprint": "365975a1657dec32f15bbcfa036b0fc3b1ec2789f949c4601ef9fcfc0cf92926", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-runtime-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|365975a1657dec32f15bbcfa036b0fc3b1ec2789f949c4601ef9fcfc0cf92926"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 260}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132511, "scanner": "repobility-docker", "fingerprint": "f8729d572c7a4afb49491dd356fb5c8dc8a1f1d94b2e7485800584f5e701810e", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-runtime-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f8729d572c7a4afb49491dd356fb5c8dc8a1f1d94b2e7485800584f5e701810e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 249}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": 
{"repobilityId": 132502, "scanner": "repobility-docker", "fingerprint": "03c338facc6f48acb73374ba99e5fefd2e466938ffaa4379dc1155c74387e5d3", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-devel-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|03c338facc6f48acb73374ba99e5fefd2e466938ffaa4379dc1155c74387e5d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 160}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132499, "scanner": "repobility-docker", "fingerprint": "7761c378aa73389d85e4f99726d473b98cf28ddc2048165a3115213a1cdadc74", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-devel-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|7761c378aa73389d85e4f99726d473b98cf28ddc2048165a3115213a1cdadc74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 
132492, "scanner": "repobility-docker", "fingerprint": "52c40025ae7869c582266480715a903d804ea0a5e094d523d2d48b59ad172d5a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|52c40025ae7869c582266480715a903d804ea0a5e094d523d2d48b59ad172d5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132486, "scanner": "repobility-docker", "fingerprint": "9b8b022455fe9c46583442b92392cc8ee84c2c603e5429f3ea7834c4a16b6c5d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-runtime-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|9b8b022455fe9c46583442b92392cc8ee84c2c603e5429f3ea7834c4a16b6c5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 164}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132478, "scanner": "repobility-docker", "fingerprint": 
"63b66b5cf1563ec597f5ffed466ac02c57dac5a88b53e4e882aeb7b08bd722b9", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-devel-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|63b66b5cf1563ec597f5ffed466ac02c57dac5a88b53e4e882aeb7b08bd722b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132472, "scanner": "repobility-docker", "fingerprint": "a95c97f8206530363b79d3b372fbeafe669006a2cce570a87496977fd1fee654", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a95c97f8206530363b79d3b372fbeafe669006a2cce570a87496977fd1fee654"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132469, "scanner": "repobility-docker", "fingerprint": 
"428b45f7382294215a7b4a4404aa84081b6020de528cf31a7e69a67a54037ad7", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-runtime-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|428b45f7382294215a7b4a4404aa84081b6020de528cf31a7e69a67a54037ad7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/Dockerfile.cuda"}, "region": {"startLine": 124}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132468, "scanner": "repobility-docker", "fingerprint": "208978b5ae62a353154f9225bf22923b286b4d08a943d045208aea200b077a0c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-runtime-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|208978b5ae62a353154f9225bf22923b286b4d08a943d045208aea200b077a0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/Dockerfile.cuda"}, "region": {"startLine": 112}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132467, "scanner": "repobility-docker", "fingerprint": 
"2d26aaf79ed3587cb054162b0b75f84ab6dea91a57edd52f7ff172e065f29f23", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-devel-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2d26aaf79ed3587cb054162b0b75f84ab6dea91a57edd52f7ff172e065f29f23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/Dockerfile.cuda"}, "region": {"startLine": 104}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 132464, "scanner": "repobility-docker", "fingerprint": "930389ce33d3bd3015ed488d31aea30315269cbd4a6069896fc6cca03e192e99", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvidia/cuda:${CUDA_VERSION}-devel-amzn2023", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|930389ce33d3bd3015ed488d31aea30315269cbd4a6069896fc6cca03e192e99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/Dockerfile.cuda"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": 
{"repobilityId": 132457, "scanner": "repobility-threat-engine", "fingerprint": "0e0eec666904eb49f646baaa13ce5abd8e8203b5695de4017446185f220f1534", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0e0eec666904eb49f646baaa13ce5abd8e8203b5695de4017446185f220f1534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ray/dockerd_entrypoint.sh"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 132451, "scanner": "repobility-threat-engine", "fingerprint": "503edf8c6e0ac703798879b7100699a25452ed406f46202205c36e0173a69f88", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|32|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ray/tabular-model/deployment.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 132450, "scanner": "repobility-threat-engine", "fingerprint": "171e5d0c66973c8943fef2dda29fec7bf1579f55453686f1ba9c52e3f2e00547", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|17|sec045", "duplicate_count": 1, "duplicate_rule_ids": ["SEC045"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["171e5d0c66973c8943fef2dda29fec7bf1579f55453686f1ba9c52e3f2e00547", "17759e49041d1732945a3ba11e44b91157b074bd9c8e0d9c206d5699dc0b764f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ray/audio-model/deployment.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED073", "level": "none", "message": {"text": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of service."}, "properties": {"repobilityId": 132449, "scanner": "repobility-threat-engine", "fingerprint": "fd87c67a00fa0cb4eae306e987f2e63b0ecc24a213c18a7b424c337121691a48", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "redos-greedy-quantifier", "owasp": "A06:2021", "cwe_ids": ["CWE-1333", "CWE-400"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348072+00:00", "triaged_in_corpus": 12, "observations_count": 12702, "ai_coder_pattern_id": 35}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|fd87c67a00fa0cb4eae306e987f2e63b0ecc24a213c18a7b424c337121691a48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/sorter.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 132444, "scanner": "repobility-threat-engine", "fingerprint": "88bc83404cd2ee7008de79d63577b83ca6520a75ef847238a1ec8a3084ede646", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "evict_models", "breakdown": {"if": 4, "for": 1, "continue": 1, "nested_bonus": 3}, "aggregated": true, "complexity": 9, "correlation_key": "fp|88bc83404cd2ee7008de79d63577b83ca6520a75ef847238a1ec8a3084ede646", "aggregated_count": 5}}}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 132440, "scanner": "repobility-threat-engine", "fingerprint": "a1b13bddaf348284f9630ddba647cd3afda9916272d85c388627a10fc100eee8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|a1b13bddaf348284f9630ddba647cd3afda9916272d85c388627a10fc100eee8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/download-model/download_model.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `PyYAML` is patch version(s) behind (6.0.1 -> 6.0.3)"}, "properties": {"repobilityId": 132431, "scanner": "repobility-dependency-currency", "fingerprint": "81894fca5238124fa95357daceb715f8ad5042f7380ed4770f5e6d42dde68baa", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "PyYAML", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "6.0.3", "correlation_key": "fp|81894fca5238124fa95357daceb715f8ad5042f7380ed4770f5e6d42dde68baa", "current_version": "6.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 23}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `multi-model-server` is patch version(s) behind (1.1.2 -> 1.1.11)"}, "properties": {"repobilityId": 132425, "scanner": "repobility-dependency-currency", "fingerprint": "8f4c73a5e578c9916ac81a7e49ea47e1588814085707cddc29db17be05864b3d", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "multi-model-server", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.1.11", "correlation_key": "fp|8f4c73a5e578c9916ac81a7e49ea47e1588814085707cddc29db17be05864b3d", "current_version": "1.1.2"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 15}}}]}, {"ruleId": "GHSA-wjvx-jhpj-r54r", "level": "error", "message": {"text": "sagemaker: GHSA-wjvx-jhpj-r54r"}, "properties": {"repobilityId": 132603, "scanner": "osv-scanner", "fingerprint": "1770f6948f5e19627c47d7dc83065a5ebcc22a808e8a7e52fc2f0ea5648c5626", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-34072"], "package": "sagemaker", "rule_id": "GHSA-wjvx-jhpj-r54r", "scanner": "osv-scanner", "correlation_key": "vuln|sagemaker|CVE-2024-34072|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7pc3-pr3q-58vg", "level": "error", "message": {"text": "sagemaker: GHSA-7pc3-pr3q-58vg"}, "properties": {"repobilityId": 132602, "scanner": "osv-scanner", "fingerprint": "fac846c6e642f407a1991458a8bf09c4d58fe4b84495def47d89daa4046a7afa", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-34073"], "package": "sagemaker", "rule_id": "GHSA-7pc3-pr3q-58vg", "scanner": "osv-scanner", "correlation_key": "vuln|sagemaker|CVE-2024-34073|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-74", "level": "error", "message": {"text": "requests: PYSEC-2023-74"}, "properties": {"repobilityId": 132599, "scanner": "osv-scanner", "fingerprint": "1dd87839a13eeb8d1f613453d9c22ac653c6238e49975581089337ff791c5675", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying 
issue.", "evidence": {"match": "", "aliases": ["CVE-2023-32681", "GHSA-j8r2-6x86-q33q"], "package": "requests", "rule_id": "PYSEC-2023-74", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2023-32681|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-j8r2-6x86-q33q", "PYSEC-2023-74"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1dd87839a13eeb8d1f613453d9c22ac653c6238e49975581089337ff791c5675", "26951cb4799b0c4c0b68930b682d87b7ca2e3e36058394d7f39e455cbe502c61", "6ca71cb0ede598da43632e9fa48d7aa0642dfb578bd8272d06fc8b2468b56cd9", "f74fce93d83e6ec8089c3b836d11fa51a24bc0adb12698b183dc77556927292b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/ray/ec2/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2018-28", "level": "error", "message": {"text": "requests: PYSEC-2018-28"}, "properties": {"repobilityId": 132598, "scanner": "osv-scanner", "fingerprint": "28b98312608c9e51f64951c22dfee2e7b9866d93ccc94ad75e7bd9094f2eb68a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2018-18074", "GHSA-x84v-xcm2-53pg"], "package": "requests", "rule_id": "PYSEC-2018-28", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2018-18074|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-x84v-xcm2-53pg", "PYSEC-2018-28"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["12e268a6070d5d33dbbb56856c302c4dc07bd92a396e1bfb7dc2ef7544bcecc2", "28b98312608c9e51f64951c22dfee2e7b9866d93ccc94ad75e7bd9094f2eb68a", "79ad3f41a53d543cf21a9dbfef82de27aaa45a5de1651a1ff167e6fcfc4f5c08", "dcaa6432112eaf75edcf31bfc3bbaeae56dc74523398a2f6b21371bc63eab58f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/ray/ec2/requirements.txt"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GHSA-rjrp-m2jw-pv9c", "level": "error", "message": {"text": "sagemaker: GHSA-rjrp-m2jw-pv9c"}, "properties": {"repobilityId": 132596, "scanner": "osv-scanner", "fingerprint": "6e998adc987a2364cbcd28c219541e8eaf42cc4652cb3831bd16b0c68664a0f5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-1777"], "package": "sagemaker", "rule_id": "GHSA-rjrp-m2jw-pv9c", "scanner": "osv-scanner", "correlation_key": "vuln|sagemaker|CVE-2026-1777|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-rjrp-m2jw-pv9c"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["595528825591590d81efb9cea1314f9f2cf21c56ecd1b745c904baa8a51a3dc0", "6e998adc987a2364cbcd28c219541e8eaf42cc4652cb3831bd16b0c68664a0f5", "73d23970eb9af858e08ca3eeff26711d949f92c0aa1b0e8a5ae220ebae87aedb", "9501043cc92ac39b550a5a4a42ad181d3c44e591f3f0043a55acaeec74bbf8fd", "d0f54dced02a589425f607a1fb022cc192a53dbf028e47fe0c0580936b45ddbe", "e96058054ade071f37d572c1070a9862f2e0449ea78979273baa8dc596a4a926"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/pytorch/integration/sagemaker/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7hh5-prp2-mfh5", "level": "error", "message": {"text": "sagemaker: GHSA-7hh5-prp2-mfh5"}, "properties": {"repobilityId": 132595, "scanner": "osv-scanner", "fingerprint": "01451955a53a55a671a5ba887703484f52dae431e5dc015e929b5da70dc0daa5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 4 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-8596"], "package": "sagemaker", "rule_id": "GHSA-7hh5-prp2-mfh5", "scanner": "osv-scanner", "correlation_key": 
"vuln|sagemaker|CVE-2026-8596|token", "duplicate_count": 4, "duplicate_rule_ids": ["GHSA-7hh5-prp2-mfh5"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["01451955a53a55a671a5ba887703484f52dae431e5dc015e929b5da70dc0daa5", "068261ede115ef07da5924f709a91a5d83cb6b3f048dbd3c89c318decc57671e", "a87fac993b5cb9c6e4fac55fe7756a75cbaf003a2c538239a0a97cd405e54a0f", "afe73cb8ac95d200776757063cec24b7368c045c2c4e5130497eb4299b701489", "f70231a7bb425ad19efea5f132a3e830f00eb63f6286d5c4bf5c6ce84354d8de"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/pytorch/integration/sagemaker/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-62rc-f4v9-h543", "level": "error", "message": {"text": "sagemaker: GHSA-62rc-f4v9-h543"}, "properties": {"repobilityId": 132594, "scanner": "osv-scanner", "fingerprint": "d80c8440f1bc7b5ca167f5a9612858b95164e598c7ea3f4d274abb2173f7f4d0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-1778"], "package": "sagemaker", "rule_id": "GHSA-62rc-f4v9-h543", "scanner": "osv-scanner", "correlation_key": "vuln|sagemaker|CVE-2026-1778|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-62rc-f4v9-h543"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["08e8d03cbf82fb314fa7da4264b9f7267cb4c9d69ed9dc6ae9132cfa282b1e01", "362ac34b91e72918eee78bde6979fcd5c04c11e55455d497d4aaa242f07541d3", "b43d042d3d1bcddb3bf4f8dd1c8bc5ac56b90fce122ac0a2a531d54a854ff97d", "c0735d60ccee5a2d6ba2dd3ba0dd125183c2bc3362ff4f98555833a127d0e244", "d80c8440f1bc7b5ca167f5a9612858b95164e598c7ea3f4d274abb2173f7f4d0", "daca5c2d0a5f2f7c681e3184d08150117109a4920bbd2df90b03b4e0195b8344"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/pytorch/integration/sagemaker/requirements.txt"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5r2p-pjr8-7fh7", "level": "error", "message": {"text": "sagemaker: GHSA-5r2p-pjr8-7fh7"}, "properties": {"repobilityId": 132593, "scanner": "osv-scanner", "fingerprint": "982e9882cf2dcc8f3b3fad364f02eefefbc69d59e71bf881ac0afec5c99a8a0b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "package": "sagemaker", "rule_id": "GHSA-5r2p-pjr8-7fh7", "scanner": "osv-scanner", "correlation_key": "vuln|sagemaker|GHSA-5R2P-PJR8-7FH7|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-5r2p-pjr8-7fh7"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["14015cb001df465adfdc46a67f3d1e0941c2574f1a5767cbfc24229df94feb3b", "197198211948940f419c30a4daa59de008f157d76df023fa79c9f176a5cb1c2c", "4175e5bff591d79ee79f38d9fcfa1d91e494e47b5035ac2caab88d45b18ebda3", "982e9882cf2dcc8f3b3fad364f02eefefbc69d59e71bf881ac0afec5c99a8a0b", "9e5c7a0b06067aef6366b1ad60ab858195456503fa71b0e793cd52041ccd4310", "e2c880b8707f365742c5939dc81faf38394c659c8ba373bdd4628a4745c1277b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/pytorch/integration/sagemaker/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-113", "level": "error", "message": {"text": "pyarrow: PYSEC-2026-113"}, "properties": {"repobilityId": 132590, "scanner": "osv-scanner", "fingerprint": "d5e777351bf3a2107191eeaf4fc40150a3e43e99ec56ff7eb0ef22c4cd355cb8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25087"], "package": "pyarrow", "rule_id": "PYSEC-2026-113", "scanner": "osv-scanner", "correlation_key": "vuln|pyarrow|CVE-2026-25087|docker/xgboost/uv.lock"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker/xgboost/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8qvm-5x2c-j2w7", "level": "error", "message": {"text": "protobuf: GHSA-8qvm-5x2c-j2w7"}, "properties": {"repobilityId": 132589, "scanner": "osv-scanner", "fingerprint": "4c045c39997e1afb5f0070a33dabece0fe5cdb56ec1f0ba19e0d5f11ac978e57", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-4565"], "package": "protobuf", "rule_id": "GHSA-8qvm-5x2c-j2w7", "scanner": "osv-scanner", "correlation_key": "vuln|protobuf|CVE-2025-4565|docker/xgboost/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7gcm-g887-7qv7", "level": "error", "message": {"text": "protobuf: GHSA-7gcm-g887-7qv7"}, "properties": {"repobilityId": 132588, "scanner": "osv-scanner", "fingerprint": "2f24539cd3d905896e9110db9f3ec9eecba50ed8644d4ccf79121824df746398", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-0994"], "package": "protobuf", "rule_id": "GHSA-7gcm-g887-7qv7", "scanner": "osv-scanner", "correlation_key": "vuln|protobuf|CVE-2026-0994|docker/xgboost/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-196", "level": "error", "message": {"text": "pip: PYSEC-2026-196"}, "properties": {"repobilityId": 132587, "scanner": "osv-scanner", "fingerprint": "8ca2d896adc66d7903444d6a2229e0046a018102a6bbaa69c6bbf83820e52915", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8643"], "package": "pip", 
"rule_id": "PYSEC-2026-196", "scanner": "osv-scanner", "correlation_key": "vuln|pip|CVE-2026-8643|docker/xgboost/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8rrh-rw8j-w5fx", "level": "error", "message": {"text": "wheel: GHSA-8rrh-rw8j-w5fx"}, "properties": {"repobilityId": 132584, "scanner": "osv-scanner", "fingerprint": "14f58a8b3d83613c493b9772f20d60dd2907be94841d817c76a51cc93e0a3e51", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24049"], "package": "wheel", "rule_id": "GHSA-8rrh-rw8j-w5fx", "scanner": "osv-scanner", "correlation_key": "vuln|wheel|CVE-2026-24049|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gm62-xv2j-4w53", "level": "error", "message": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "properties": {"repobilityId": 132582, "scanner": "osv-scanner", "fingerprint": "5fb389a22df0ddbc49998599f7532ee4ad2dcbcdad8b0c04d48f06dbf2aa0c81", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66418"], "package": "urllib3", "rule_id": "GHSA-gm62-xv2j-4w53", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66418|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38jv-5279-wg99", "level": "error", "message": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "properties": {"repobilityId": 132581, "scanner": "osv-scanner", "fingerprint": "fce839e46c249e12e773b6ef05d7e0800f8df900ae823667bd78617ce6e90925", "category": "dependency", "severity": "high", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-21441"], "package": "urllib3", "rule_id": "GHSA-38jv-5279-wg99", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-21441|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2xpw-w6gg-jr37", "level": "error", "message": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "properties": {"repobilityId": 132580, "scanner": "osv-scanner", "fingerprint": "5d8dc525a84401f01506635a624c0e002e113185db58c4cea2f36ef2dbfecb97", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66471"], "package": "urllib3", "rule_id": "GHSA-2xpw-w6gg-jr37", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66471|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-141", "level": "error", "message": {"text": "urllib3: PYSEC-2026-141"}, "properties": {"repobilityId": 132579, "scanner": "osv-scanner", "fingerprint": "82806bcdd326f061c115d5a4c5b4d306c3b66f9545a8fc1774c273f0d30bb050", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44431", "GHSA-qccp-gfcp-xxvc"], "package": "urllib3", "rule_id": "PYSEC-2026-141", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44431|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": 
["5dd763dc67ffe6674641ab64f897d91ab52e3d6f3abce21e9f2aa1ac7df2ed81", "82806bcdd326f061c115d5a4c5b4d306c3b66f9545a8fc1774c273f0d30bb050"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g68-c3qc-8985", "level": "error", "message": {"text": "werkzeug: GHSA-2g68-c3qc-8985"}, "properties": {"repobilityId": 132570, "scanner": "osv-scanner", "fingerprint": "8e43ebb644228fa7baf2ffc4507fd49bcf15a57c77e95d4e0b45a37491fce99e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-34069"], "package": "werkzeug", "rule_id": "GHSA-2g68-c3qc-8985", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2024-34069|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-58", "level": "error", "message": {"text": "werkzeug: PYSEC-2023-58"}, "properties": {"repobilityId": 132568, "scanner": "osv-scanner", "fingerprint": "ab5115b1afdf79f2c92d04c9af16c947e41744ea205e19ca29a4b1f70c3f13ae", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-25577", "GHSA-xg9f-g7g7-2323"], "package": "werkzeug", "rule_id": "PYSEC-2023-58", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2023-25577|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xg9f-g7g7-2323", "PYSEC-2023-58"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["ab5115b1afdf79f2c92d04c9af16c947e41744ea205e19ca29a4b1f70c3f13ae", "f06dfb6fd44cbd74ab93d9c9813701a302a3fc8fae016d3ae732a3a4bdd19483"]}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-57", "level": "error", "message": {"text": "werkzeug: PYSEC-2023-57"}, "properties": {"repobilityId": 132567, "scanner": "osv-scanner", "fingerprint": "6a518e3889f5d118d700d5ca03e638f6baa68a85e428348a5b1cb910a20115f7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-23934", "GHSA-px8h-6qxv-m22q"], "package": "werkzeug", "rule_id": "PYSEC-2023-57", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2023-23934|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-px8h-6qxv-m22q", "PYSEC-2023-57"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["6a518e3889f5d118d700d5ca03e638f6baa68a85e428348a5b1cb910a20115f7", "d0b734270f52e84336a5367c88d8d56183d890a5923eaf6b2fa41dcdc9c1e0c4"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-221", "level": "error", "message": {"text": "werkzeug: PYSEC-2023-221"}, "properties": {"repobilityId": 132566, "scanner": "osv-scanner", "fingerprint": "4973d210e8ed60a22016e87029449d2ddc7552e29ec5bdc0842870697772dc1f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-46136", "GHSA-hrfv-mqp8-q5rw"], "package": "werkzeug", "rule_id": "PYSEC-2023-221", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2023-46136|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2022-203", "level": "error", "message": 
{"text": "werkzeug: PYSEC-2022-203"}, "properties": {"repobilityId": 132565, "scanner": "osv-scanner", "fingerprint": "11b69d8bb66e54da30eea6df253be498658e4c149ff828101c81f3485e57f981", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-29361"], "package": "werkzeug", "rule_id": "PYSEC-2022-203", "scanner": "osv-scanner", "correlation_key": "vuln|werkzeug|CVE-2022-29361|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-62", "level": "error", "message": {"text": "flask: PYSEC-2023-62"}, "properties": {"repobilityId": 132563, "scanner": "osv-scanner", "fingerprint": "817aad6903fbfbc62f6d23ce97509ace83f3eef10a599aa13e08d34f6440ea5a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-30861", "GHSA-m2qf-hxjv-5gpq"], "package": "flask", "rule_id": "PYSEC-2023-62", "scanner": "osv-scanner", "correlation_key": "vuln|flask|CVE-2023-30861|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-m2qf-hxjv-5gpq", "PYSEC-2023-62"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["817aad6903fbfbc62f6d23ce97509ace83f3eef10a599aa13e08d34f6440ea5a", "d3e31ddd4f60c1964cf3eefc9aaa451c3ebde43842c59ed8c60b19355323b7f3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/3.0-5/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-139", "level": "error", "message": {"text": "torch: PYSEC-2026-139"}, "properties": {"repobilityId": 132562, "scanner": "osv-scanner", "fingerprint": "a5ff993284c741e49e08a949dfea047cd9f6168ed19f32db676f822079704f92", "category": 
"dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2026-4538", "CVE-2026-4538"], "package": "torch", "rule_id": "PYSEC-2026-139", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2026-4538|docker/ray/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": {"repobilityId": 132561, "scanner": "osv-scanner", "fingerprint": "e44f7400db27e7ea1b4c17dfd8e2e8546c4b33a7c427495bdc932b0118c5f5a0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|docker/ray/uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["361d4e77f072a1b8d475a0cb498bc9bb5c15411e5901aefcb1cedc4a58844d8e", "e44f7400db27e7ea1b4c17dfd8e2e8546c4b33a7c427495bdc932b0118c5f5a0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-196", "level": "error", "message": {"text": "pip: PYSEC-2026-196"}, "properties": {"repobilityId": 132558, "scanner": "osv-scanner", "fingerprint": "c544782020d75096466979dea6da56880542fba43fc00dc9cc3d8081ca9f8c0a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-8643"], "package": "pip", "rule_id": "PYSEC-2026-196", "scanner": "osv-scanner", "correlation_key": "vuln|pip|CVE-2026-8643|docker/ray/uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": {"repobilityId": 132553, "scanner": "osv-scanner", "fingerprint": "40491e5f2333381f334d221cd04e95beb439c8250746c48ae950369187edbfbd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["40491e5f2333381f334d221cd04e95beb439c8250746c48ae950369187edbfbd", "4e03846a99f964434f5aa5539bcc0dd72bf3dfa2b736bae004391b5c90f6ee2f", "96913e007830e0bb87813e284ab69053d5180301b4a29f05ad204685c610d40a", "c4899d301759378fe46c7e1c4b19c01375a3310b57af1cfa16092b597c1e53a3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/cpu/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-196", "level": "error", "message": {"text": "pip: PYSEC-2026-196"}, "properties": {"repobilityId": 132550, "scanner": "osv-scanner", "fingerprint": "cfa9d460a3c91014ea20436f19070057d4710e0739e574638cbbf3a0e745bb2b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", 
"aliases": ["CVE-2026-8643"], "package": "pip", "rule_id": "PYSEC-2026-196", "scanner": "osv-scanner", "correlation_key": "vuln|pip|CVE-2026-8643|token", "duplicate_count": 1, "duplicate_rule_ids": ["PYSEC-2026-196"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["cfa9d460a3c91014ea20436f19070057d4710e0739e574638cbbf3a0e745bb2b", "f80d446ba7c8d208aedda1b680afe5c01cefb091b29c4eda42393eef1113fd5f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pytorch/2.11/cpu/uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 132529, "scanner": "repobility-docker", "fingerprint": "1dea684df72431b090d5396ad397e01cb07986958770116d8b1edbddf793bccd", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1dea684df72431b090d5396ad397e01cb07986958770116d8b1edbddf793bccd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 266}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 132521, "scanner": "repobility-docker", "fingerprint": "2d790143a5ce61c96c5d7459fb218e2f3aab070d5cb29337df5d05fcfbe0ac97", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2d790143a5ce61c96c5d7459fb218e2f3aab070d5cb29337df5d05fcfbe0ac97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 182}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 132517, "scanner": "repobility-docker", "fingerprint": "a3c9050639c37189722b674ca77fda1b3ac1d9a05c916420a0b89e2a887865d7", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a3c9050639c37189722b674ca77fda1b3ac1d9a05c916420a0b89e2a887865d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 132513, "scanner": "repobility-docker", "fingerprint": "99568597440472545cb944f8db2c3886cbf34e3e7e3c95a25fc1d04fb4f6a511", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|99568597440472545cb944f8db2c3886cbf34e3e7e3c95a25fc1d04fb4f6a511"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 272}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 132503, "scanner": "repobility-docker", "fingerprint": "e91db4d283997d93a9a0a4d8962d86307fba5917ff7b3f3750fc5e2a6c51ee92", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e91db4d283997d93a9a0a4d8962d86307fba5917ff7b3f3750fc5e2a6c51ee92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 176}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 132500, "scanner": "repobility-docker", "fingerprint": "9a5b72b7b04c057384c4c33e568b9582e136165844b88fc146aefe6504374944", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|9a5b72b7b04c057384c4c33e568b9582e136165844b88fc146aefe6504374944"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 132487, "scanner": "repobility-docker", "fingerprint": "b2be9fde00c7f56b6960db71383bcc0b69b517d983036ee76a4f7e4b5f0bf199", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b2be9fde00c7f56b6960db71383bcc0b69b517d983036ee76a4f7e4b5f0bf199"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 215}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 132481, "scanner": "repobility-docker", "fingerprint": "daa9bebd62f2acf4f09c0eca288f7dafb690182b51657191ea2c54fa6a129381", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|daa9bebd62f2acf4f09c0eca288f7dafb690182b51657191ea2c54fa6a129381"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 81}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 132479, "scanner": "repobility-docker", "fingerprint": "26f8f499b06ae1e1ca2f4f8ed1daecbb09ff28136da25d71811ee5c18d10a02d", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|26f8f499b06ae1e1ca2f4f8ed1daecbb09ff28136da25d71811ee5c18d10a02d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 132459, "scanner": "repobility-threat-engine", "fingerprint": "df1b6c43a5d683d652e76ccb96bce110de5c2c591ffbb1b62a8418eb56b53ead", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.post(\"/invocations\")\nasync def invocations(request: Request)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df1b6c43a5d683d652e76ccb96bce110de5c2c591ffbb1b62a8418eb56b53ead"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ray/sagemaker_serve.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly. Resolve the joined path and confirm it still lies under the base directory before using it. In this match the appended segment is a string literal, so exposure depends on where `model_dir` comes from."}, "properties": {"repobilityId": 132454, "scanner": "repobility-threat-engine", "fingerprint": "4f2e09acf02b74c0427816ed2947f19dad4ea7e75de1b05b9b63f067c3ba47ff", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(model_dir, \"norm_params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|34|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ray/tabular-model/deployment.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 132453, "scanner": "repobility-threat-engine", "fingerprint": "46393a063739141e3569391bb55d23b16d39ab758637bb983b8e45e4bc7d263e", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "os.path.join(model_dir, \"norm_params", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|34|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ray/tabular-model/deployment.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts. The match captured for this result is a `.search()` call on a raw-string pattern, which looks like a regular-expression search; check that an LDAP filter is actually built here before acting on it."}, "properties": {"repobilityId": 132448, "scanner": "repobility-threat-engine", "fingerprint": "3f24c28b8dcaf56148801607b1a077a397f03f5f96450bb2624409d4d18143d5", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"route=(/[^\\s,]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|28|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/vllm/sagemaker_serve.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts. The match captured for this result is a `.search()` call on a raw-string pattern, which looks like a regular-expression search; check that an LDAP filter is actually built here before acting on it."}, "properties": {"repobilityId": 132447, "scanner": "repobility-threat-engine", "fingerprint": "11d03eeb88085f9cb955cc8e1b0ed56da4a9199833e0afda9f372463f0e09f97", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"route=(/[^\\s,]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|40|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/vllm/omni_sagemaker_serve.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts. The match captured for this result is a `.search()` call on a raw-string pattern, which looks like a regular-expression search; check that an LDAP filter is actually built here before acting on it."}, "properties": {"repobilityId": 132446, "scanner": "repobility-threat-engine", "fingerprint": "aadceff7b02c44cff155478641f7d9f5f0247172892e413a7978549c8cc56717", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"(\\d+(?:\\.\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|docs/src/sorter.py|31|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/sorter.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 132445, "scanner": "repobility-threat-engine", "fingerprint": "f60f076d33f9baeb4451380d44266b94f0777ebc2b6e0ea68a457a0da2688f5f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f60f076d33f9baeb4451380d44266b94f0777ebc2b6e0ea68a457a0da2688f5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/image_config.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `docker/xgboost/resources/mms/endpoints-1.0.jar` committed in source repo"}, "properties": {"repobilityId": 132415, "scanner": "repobility-supply-chain", "fingerprint": "fc305c795eaddbbb0b0d051f5dd0e49c94f2a4e1859a9f224805b5411f2961b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc305c795eaddbbb0b0d051f5dd0e49c94f2a4e1859a9f224805b5411f2961b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/resources/mms/endpoints-1.0.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132413, "scanner": "repobility-supply-chain", "fingerprint": "bd811b64d343182ea281ef7b7c866e98cb47631ccc92a0b21636075933bf7795", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd811b64d343182ea281ef7b7c866e98cb47631ccc92a0b21636075933bf7795"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-ray-ec2-cpu.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132412, "scanner": "repobility-supply-chain", "fingerprint": "002be8f19e88cd2bafa5ffd02bcf55ee99ea59cef78ba4ba1def1922dc9c3da1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|002be8f19e88cd2bafa5ffd02bcf55ee99ea59cef78ba4ba1def1922dc9c3da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-ray-ec2-cpu.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132411, "scanner": "repobility-supply-chain", "fingerprint": "a52be3566004a7f517d77d87dbfe1e93c3b0dd192b6c41fd2d5beb892c5371e2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|a52be3566004a7f517d77d87dbfe1e93c3b0dd192b6c41fd2d5beb892c5371e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-ray-ec2-cpu.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache/save` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 132410, "scanner": "repobility-supply-chain", "fingerprint": "8634daa57f1c796a0f5dca241ce65f7e079931f24531f4ce61aa77bb4527e8a5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8634daa57f1c796a0f5dca241ce65f7e079931f24531f4ce61aa77bb4527e8a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled-check-upstream-releases.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache/restore` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 132409, "scanner": "repobility-supply-chain", "fingerprint": "4611ebaeb91d15e698f1a6c0baa60d0f2fe16f71bfed5700884e635fd478a683", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4611ebaeb91d15e698f1a6c0baa60d0f2fe16f71bfed5700884e635fd478a683"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled-check-upstream-releases.yml"}, "region": {"startLine": 77}}}]}, 
{"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 132408, "scanner": "repobility-supply-chain", "fingerprint": "65ea1658ad243a16c5ccce307b7992b92a47d5a996e2bd14bcd8cf8755e88df2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65ea1658ad243a16c5ccce307b7992b92a47d5a996e2bd14bcd8cf8755e88df2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled-check-upstream-releases.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/create-github-app-token` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 132407, "scanner": "repobility-supply-chain", "fingerprint": "f31fff31a7784c9a94dacda60345134c72424940de84973c78e0e4acc9eefa8d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f31fff31a7784c9a94dacda60345134c72424940de84973c78e0e4acc9eefa8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled-check-upstream-releases.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132406, "scanner": "repobility-supply-chain", "fingerprint": 
"784c2b7623dd38b8750f6d55e8b7a20402789f040ec51986c08698f3875a083c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|784c2b7623dd38b8750f6d55e8b7a20402789f040ec51986c08698f3875a083c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/agent-currency-fix.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/create-github-app-token` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 132405, "scanner": "repobility-supply-chain", "fingerprint": "950e9e03b0a5273c73ad695b789b03d3edb64fecfaa0bd593e9460dd371981f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|950e9e03b0a5273c73ad695b789b03d3edb64fecfaa0bd593e9460dd371981f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/agent-currency-fix.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 132404, "scanner": "repobility-supply-chain", "fingerprint": "2366969dff84eec270c987a24ab39b7607246bafdb2e18658df449f14eefd43f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": 
"A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2366969dff84eec270c987a24ab39b7607246bafdb2e18658df449f14eefd43f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-sglang-upstream-tests.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 132403, "scanner": "repobility-supply-chain", "fingerprint": "9ec919a078ac72b49287cbf2347dee46a0fd8b8a5449abe69af680a2ed1d8a73", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ec919a078ac72b49287cbf2347dee46a0fd8b8a5449abe69af680a2ed1d8a73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-sglang-upstream-tests.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 132402, "scanner": "repobility-supply-chain", "fingerprint": "86f5dc9d04c1d6c38694f6faac73b1fc9675759116f664a88d452df67cdfdb70", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86f5dc9d04c1d6c38694f6faac73b1fc9675759116f664a88d452df67cdfdb70"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": ".github/workflows/reusable-sglang-upstream-tests.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132401, "scanner": "repobility-supply-chain", "fingerprint": "8081c481dea8a7fcabb6df1cd9d0c8517a581d64095411cff3384174decea165", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8081c481dea8a7fcabb6df1cd9d0c8517a581d64095411cff3384174decea165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autorelease-vllm-omni.yml"}, "region": {"startLine": 433}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132400, "scanner": "repobility-supply-chain", "fingerprint": "0c7038dd18097df81e9b28ff26e1e423b7e3a82a90593c76424dc63b91a3f957", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c7038dd18097df81e9b28ff26e1e423b7e3a82a90593c76424dc63b91a3f957"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autorelease-vllm-omni.yml"}, "region": {"startLine": 414}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132399, "scanner": "repobility-supply-chain", 
"fingerprint": "89362580a1f297509ef183d59ba47badb056fc9c30dfb93e397a5721e254630e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|89362580a1f297509ef183d59ba47badb056fc9c30dfb93e397a5721e254630e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autorelease-vllm-omni.yml"}, "region": {"startLine": 390}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132398, "scanner": "repobility-supply-chain", "fingerprint": "c913d03c4b3d3e70f42f252bf4c05e5399a3da6f506f4ef2ce4e04068ab1abce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c913d03c4b3d3e70f42f252bf4c05e5399a3da6f506f4ef2ce4e04068ab1abce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autorelease-vllm-omni.yml"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132397, "scanner": "repobility-supply-chain", "fingerprint": "1ca1b771c800abd9d114ab4b9f1fd9f860e2c2085ade7fc106dc6aff5d02e9c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", 
"owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ca1b771c800abd9d114ab4b9f1fd9f860e2c2085ade7fc106dc6aff5d02e9c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autorelease-vllm-omni.yml"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132396, "scanner": "repobility-supply-chain", "fingerprint": "ec79b85baa8779122f24a011af23953c6bbf6fd8bd485e90246ffffd1d8ef15c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec79b85baa8779122f24a011af23953c6bbf6fd8bd485e90246ffffd1d8ef15c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autorelease-vllm-omni.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132395, "scanner": "repobility-supply-chain", "fingerprint": "42da4552ccdf70d236ac336b9107eb7caf6cb670a65bcac540c6787a532360a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42da4552ccdf70d236ac336b9107eb7caf6cb670a65bcac540c6787a532360a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/autorelease-vllm-omni.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132394, "scanner": "repobility-supply-chain", "fingerprint": "9d1d789e72e464847e1c919b67c4ef2ecf1f92be9283850abbab03ce86fd1bf4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d1d789e72e464847e1c919b67c4ef2ecf1f92be9283850abbab03ce86fd1bf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-sagemaker-xgboost-integ-tests.yml"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132393, "scanner": "repobility-supply-chain", "fingerprint": "1de89672352c763bf6994c456652af5ced5195858080fe50f5020f8e246430dd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1de89672352c763bf6994c456652af5ced5195858080fe50f5020f8e246430dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-sagemaker-xgboost-integ-tests.yml"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132392, "scanner": 
"repobility-supply-chain", "fingerprint": "60142990bc3dd3d093147ccaf311bad382514c49a386eba7f80fa71d560355ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|60142990bc3dd3d093147ccaf311bad382514c49a386eba7f80fa71d560355ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-sagemaker-xgboost-integ-tests.yml"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132391, "scanner": "repobility-supply-chain", "fingerprint": "78f0f7052d898f582ec0bc22f4ba11e51695c388f598f3dff2995922d35c1b30", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|78f0f7052d898f582ec0bc22f4ba11e51695c388f598f3dff2995922d35c1b30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-sagemaker-xgboost-integ-tests.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132390, "scanner": "repobility-supply-chain", "fingerprint": "4eb99217d547c3c584db94ad5abfefbaa9c6bff280939dfe3a5b59d6bb87385d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4eb99217d547c3c584db94ad5abfefbaa9c6bff280939dfe3a5b59d6bb87385d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-sagemaker-xgboost-integ-tests.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 132389, "scanner": "repobility-supply-chain", "fingerprint": "fd6e744f8e04adadc65b91e8024c03e15b82dc199143838bd4fbf4a000cba8d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd6e744f8e04adadc65b91e8024c03e15b82dc199143838bd4fbf4a000cba8d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-sagemaker-xgboost-integ-tests.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda:13.0.2-devel-amzn2023` not pinned by digest"}, "properties": {"repobilityId": 132382, "scanner": "repobility-supply-chain", "fingerprint": "84e0856e5df6003e28f0ef7cbf214ff0e036d895209a265336ff099c4baa024c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|84e0856e5df6003e28f0ef7cbf214ff0e036d895209a265336ff099c4baa024c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/base/v2/Dockerfile"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda:13.0.2-runtime-amzn2023` not pinned by digest"}, "properties": {"repobilityId": 132381, "scanner": "repobility-supply-chain", "fingerprint": "b18fbedea9564b1cba52807fc282f576e50b814a1f95b64b9859442d64627d6f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b18fbedea9564b1cba52807fc282f576e50b814a1f95b64b9859442d64627d6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/base/v2/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda:13.0.2-base-amzn2023` not pinned by digest"}, "properties": {"repobilityId": 132380, "scanner": "repobility-supply-chain", "fingerprint": "2df4cb5717fe35857267e136ae839edd1f4361874840845251a911613d0f8fff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2df4cb5717fe35857267e136ae839edd1f4361874840845251a911613d0f8fff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/base/v2/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": 
"Dockerfile FROM `nvidia/cuda:12.9.1-devel-amzn2023` not pinned by digest"}, "properties": {"repobilityId": 132379, "scanner": "repobility-supply-chain", "fingerprint": "fd84d98b229259a33a0e132dbb103205714c360cffd0834b3b725f86002671e4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd84d98b229259a33a0e132dbb103205714c360cffd0834b3b725f86002671e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/base/v1/Dockerfile"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda:12.9.1-runtime-amzn2023` not pinned by digest"}, "properties": {"repobilityId": 132378, "scanner": "repobility-supply-chain", "fingerprint": "d11d90837bca6eb9b478058a7c65a3df81a208941a297fa3221799643fa87c1d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d11d90837bca6eb9b478058a7c65a3df81a208941a297fa3221799643fa87c1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/base/v1/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda:12.9.1-base-amzn2023` not pinned by digest"}, "properties": {"repobilityId": 132377, "scanner": "repobility-supply-chain", "fingerprint": "e641dcabe3843eb9d129ccb68b84d6a83d57f82fce204969a9ac634b1abc1a12", "category": "dependency", 
"severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e641dcabe3843eb9d129ccb68b84d6a83d57f82fce204969a9ac634b1abc1a12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/base/v1/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda (no tag)` not pinned by digest"}, "properties": {"repobilityId": 132376, "scanner": "repobility-supply-chain", "fingerprint": "ecea18ad71a856ddd4c06febbd6906c2d80c73939871dd5fe4a5ff074326b66c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ecea18ad71a856ddd4c06febbd6906c2d80c73939871dd5fe4a5ff074326b66c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 260}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda (no tag)` not pinned by digest"}, "properties": {"repobilityId": 132375, "scanner": "repobility-supply-chain", "fingerprint": "3872c37cddfe77bc22eb9a971aa26ebeca3f35223154f1b1210d84ae06c95aa4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, 
"scanner": "repobility-supply-chain", "correlation_key": "fp|3872c37cddfe77bc22eb9a971aa26ebeca3f35223154f1b1210d84ae06c95aa4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 249}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda (no tag)` not pinned by digest"}, "properties": {"repobilityId": 132374, "scanner": "repobility-supply-chain", "fingerprint": "908b3dcef19503ddcaf72cc076b97cdabc53402e135d0178bcab8aa66abf1c97", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|908b3dcef19503ddcaf72cc076b97cdabc53402e135d0178bcab8aa66abf1c97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda (no tag)` not pinned by digest"}, "properties": {"repobilityId": 132373, "scanner": "repobility-supply-chain", "fingerprint": "6089f4d7c671b01b288bead725102a89b3662aa7443f116969e2d969d89a6963", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6089f4d7c671b01b288bead725102a89b3662aa7443f116969e2d969d89a6963"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 41}}}]}, {"ruleId": 
"MINED118", "level": "error", "message": {"text": "Dockerfile FROM `alpine/git (no tag)` not pinned by digest"}, "properties": {"repobilityId": 132372, "scanner": "repobility-supply-chain", "fingerprint": "09f5de9f731812abc2a1d5fe303977c754e846d04bb6a301ed14f3cf5ffa37d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09f5de9f731812abc2a1d5fe303977c754e846d04bb6a301ed14f3cf5ffa37d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm/Dockerfile.amzn2023"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda (no tag)` not pinned by digest"}, "properties": {"repobilityId": 132371, "scanner": "repobility-supply-chain", "fingerprint": "a0154733a9bf17047993654cb028394087c92adc1869af1555d6cf359c2289c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a0154733a9bf17047993654cb028394087c92adc1869af1555d6cf359c2289c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda (no tag)` not pinned by digest"}, "properties": {"repobilityId": 132370, "scanner": "repobility-supply-chain", "fingerprint": "218ad016869dd663929457fdaf920595bc89555a1e7d6a96643a5dbbcd046aef", 
"category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|218ad016869dd663929457fdaf920595bc89555a1e7d6a96643a5dbbcd046aef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sglang/Dockerfile.amzn2023"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda:12.9.1-base-amzn2023` not pinned by digest"}, "properties": {"repobilityId": 132369, "scanner": "repobility-supply-chain", "fingerprint": "cc9378b7453a20a4036adb648e68d180e742e818661eb438cb55d31c83461840", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc9378b7453a20a4036adb648e68d180e742e818661eb438cb55d31c83461840"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/Dockerfile"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `amazonlinux:2023` not pinned by digest"}, "properties": {"repobilityId": 132368, "scanner": "repobility-supply-chain", "fingerprint": "2453e937376f9d205ad29dae7b0ab4c6014776fd310a2f27c8117af4c6b349a0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], 
"observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2453e937376f9d205ad29dae7b0ab4c6014776fd310a2f27c8117af4c6b349a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/xgboost/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda (no tag)` not pinned by digest"}, "properties": {"repobilityId": 132367, "scanner": "repobility-supply-chain", "fingerprint": "ba809585f057bd5c433b50415adc59131c4204d067ccdb808cebcbdde32e5c89", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba809585f057bd5c433b50415adc59131c4204d067ccdb808cebcbdde32e5c89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 336}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda (no tag)` not pinned by digest"}, "properties": {"repobilityId": 132366, "scanner": "repobility-supply-chain", "fingerprint": "42efcd0ccbbcd775d825e1c297b7b281f29ce139d8e12dcea0caedb27e9020e2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42efcd0ccbbcd775d825e1c297b7b281f29ce139d8e12dcea0caedb27e9020e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 
253}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda (no tag)` not pinned by digest"}, "properties": {"repobilityId": 132365, "scanner": "repobility-supply-chain", "fingerprint": "9ef06003e94780dfa65aeedd856c3fbb43a499722a6f518cd6b2f7e426271e53", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ef06003e94780dfa65aeedd856c3fbb43a499722a6f518cd6b2f7e426271e53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda (no tag)` not pinned by digest"}, "properties": {"repobilityId": 132364, "scanner": "repobility-supply-chain", "fingerprint": "075c35476c200a4c0184a0796edb7ab4188ea042fb673008eed71e21b32b729e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|075c35476c200a4c0184a0796edb7ab4188ea042fb673008eed71e21b32b729e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `alpine/git (no tag)` not pinned by digest"}, "properties": {"repobilityId": 132363, "scanner": "repobility-supply-chain", "fingerprint": 
"ed15da85b49f8b2dceeb2c65b82dbe37da1718c0d6682eda964f655809ad9bf6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed15da85b49f8b2dceeb2c65b82dbe37da1718c0d6682eda964f655809ad9bf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/vllm_omni/Dockerfile.amzn2023"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda:12.9.1-runtime-amzn2023` not pinned by digest"}, "properties": {"repobilityId": 132362, "scanner": "repobility-supply-chain", "fingerprint": "c8fcca04d395b5df3bbab9e9d9bfaa47bbb0bc17d9876d86438df996a1b68c1d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8fcca04d395b5df3bbab9e9d9bfaa47bbb0bc17d9876d86438df996a1b68c1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/Dockerfile.gpu"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `amazonlinux:2023` not pinned by digest"}, "properties": {"repobilityId": 132361, "scanner": "repobility-supply-chain", "fingerprint": "6a41f58a2f48c77ae432d299475d37a92f8a03a543df1bf3ed962a82e349619b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a41f58a2f48c77ae432d299475d37a92f8a03a543df1bf3ed962a82e349619b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/Dockerfile.gpu"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nvidia/cuda:12.9.1-devel-amzn2023` not pinned by digest"}, "properties": {"repobilityId": 132360, "scanner": "repobility-supply-chain", "fingerprint": "2392532ccc693a62c57b536431fc2504bfca23958b074121317a5b92073e868b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2392532ccc693a62c57b536431fc2504bfca23958b074121317a5b92073e868b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/Dockerfile.gpu"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `amazonlinux:2023` not pinned by digest"}, "properties": {"repobilityId": 132359, "scanner": "repobility-supply-chain", "fingerprint": "12e230215f85615ff7c20c1fef4073e596db0ca3ba5f7e859c6c33d94c4aec48", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12e230215f85615ff7c20c1fef4073e596db0ca3ba5f7e859c6c33d94c4aec48"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker/ray/Dockerfile.cpu"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `amazonlinux:2023` not pinned by digest"}, "properties": {"repobilityId": 132358, "scanner": "repobility-supply-chain", "fingerprint": "b9102fe04a737f22ded88d84bc26aaf3843d391a977b2d589724a8bacd1e92db", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b9102fe04a737f22ded88d84bc26aaf3843d391a977b2d589724a8bacd1e92db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ray/Dockerfile.cpu"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/scop/pre-commit-shfmt` pinned to mutable rev `v3.12.0-2`"}, "properties": {"repobilityId": 132347, "scanner": "repobility-supply-chain", "fingerprint": "c3c1de7e6867d20971db81ce3a897c2d1d79796f188e6dae92026ac4a0ce6166", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3c1de7e6867d20971db81ce3a897c2d1d79796f188e6dae92026ac4a0ce6166"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/reteps/dockerfmt` pinned to mutable rev `v0.3.9`"}, "properties": {"repobilityId": 
132346, "scanner": "repobility-supply-chain", "fingerprint": "aad296904491867dbfe8d7a00e4871c4086e31007c0508379580fab5f3cafd4b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aad296904491867dbfe8d7a00e4871c4086e31007c0508379580fab5f3cafd4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/hukkin/mdformat` pinned to mutable rev `1.0.0`"}, "properties": {"repobilityId": 132345, "scanner": "repobility-supply-chain", "fingerprint": "c44257230d341119aa5bdca7e0ea30f8abf7967f44097cb3592996f6fd91bb91", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c44257230d341119aa5bdca7e0ea30f8abf7967f44097cb3592996f6fd91bb91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/rhysd/actionlint` pinned to mutable rev `v1.7.8`"}, "properties": {"repobilityId": 132344, "scanner": "repobility-supply-chain", "fingerprint": "b2fda6405f9300cc23b2018d4df575faf23edc53360704deec5a2b3de3eccd71", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2fda6405f9300cc23b2018d4df575faf23edc53360704deec5a2b3de3eccd71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/python-jsonschema/check-jsonschema` pinned to mutable rev `0.35.0`"}, "properties": {"repobilityId": 132343, "scanner": "repobility-supply-chain", "fingerprint": "181f700c78fe971a1e1fc2981d2950245e05700809c813dd176a248f6d48daa4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|181f700c78fe971a1e1fc2981d2950245e05700809c813dd176a248f6d48daa4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.14.3`"}, "properties": {"repobilityId": 132342, "scanner": "repobility-supply-chain", "fingerprint": "c7e80d86c216b68f951d23f9f5c3157bce5d8beeec11f794ca8023a409059737", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|c7e80d86c216b68f951d23f9f5c3157bce5d8beeec11f794ca8023a409059737"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/crate-ci/typos` pinned to mutable rev `v1.38.1`"}, "properties": {"repobilityId": 132341, "scanner": "repobility-supply-chain", "fingerprint": "f0bd989edc93e7ba8c6dac848880148fed4d4b0d47cedf60827e258423e9a8be", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0bd989edc93e7ba8c6dac848880148fed4d4b0d47cedf60827e258423e9a8be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/gitleaks/gitleaks` pinned to mutable rev `v8.29.0`"}, "properties": {"repobilityId": 132340, "scanner": "repobility-supply-chain", "fingerprint": "1577bc96e40ae3045ac954750c1027a0b5b81dacf6b96d9b34fb4c1eb7b26398", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1577bc96e40ae3045ac954750c1027a0b5b81dacf6b96d9b34fb4c1eb7b26398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED131", "level": 
"error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`"}, "properties": {"repobilityId": 132339, "scanner": "repobility-supply-chain", "fingerprint": "bf0e38b48e413e0187c0cc28b7c405d51db7916de4704b979046ffdb0a4d5774", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf0e38b48e413e0187c0cc28b7c405d51db7916de4704b979046ffdb0a4d5774"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /invocations has no auth"}, "properties": {"repobilityId": 132338, "scanner": "repobility-route-auth", "fingerprint": "dd600d0fbaf97c4a5632853c7e3a3ed7075c806177694d048fc911b536c54216", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|dd600d0fbaf97c4a5632853c7e3a3ed7075c806177694d048fc911b536c54216"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ray/sagemaker_serve.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /v1/completions has no auth"}, "properties": {"repobilityId": 132337, "scanner": "repobility-route-auth", "fingerprint": "f30e483534b61a060ca9b3272a864284641e7dbdcc6f7f91a1dab326904b3b12", "category": "quality", 
"severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|f30e483534b61a060ca9b3272a864284641e7dbdcc6f7f91a1dab326904b3b12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/efa/scripts/toy_proxy_server.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_libsvm_data` used but never assigned in __init__"}, "properties": {"repobilityId": 132329, "scanner": "repobility-ast-engine", "fingerprint": "55ad5366b6482916bb6dbb7025f9f3a6a3c17bd3988d67a3c2ee2c6e6ee677a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|55ad5366b6482916bb6dbb7025f9f3a6a3c17bd3988d67a3c2ee2c6e6ee677a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 759}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_libsvm_data` used but never assigned in __init__"}, "properties": {"repobilityId": 132328, "scanner": "repobility-ast-engine", "fingerprint": "1c6300171226432d700ad0a2162c1f1c723e751b318dc47cbabe3baee8ce4d60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], 
"observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1c6300171226432d700ad0a2162c1f1c723e751b318dc47cbabe3baee8ce4d60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 746}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_libsvm_data` used but never assigned in __init__"}, "properties": {"repobilityId": 132327, "scanner": "repobility-ast-engine", "fingerprint": "b5937888589c8afa7264d498f9769d41196727d1d9f1bc089adaa39591366845", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b5937888589c8afa7264d498f9769d41196727d1d9f1bc089adaa39591366845"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 733}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_libsvm_data` used but never assigned in __init__"}, "properties": {"repobilityId": 132326, "scanner": "repobility-ast-engine", "fingerprint": "f167857e274aabf142ab9006aa4f52addd50f11200fe51cb4349cdb3d78f86e0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f167857e274aabf142ab9006aa4f52addd50f11200fe51cb4349cdb3d78f86e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 
704}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_libsvm_data` used but never assigned in __init__"}, "properties": {"repobilityId": 132325, "scanner": "repobility-ast-engine", "fingerprint": "71f6d346cb49048b394b481ce50e80643a28026c9535006abff682900dadcc04", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|71f6d346cb49048b394b481ce50e80643a28026c9535006abff682900dadcc04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 698}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_libsvm_data` used but never assigned in __init__"}, "properties": {"repobilityId": 132324, "scanner": "repobility-ast-engine", "fingerprint": "eb5f1926cde2df379e0c4fea13a51d5c21854fc4bb14b81f08ffd985cd20688b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb5f1926cde2df379e0c4fea13a51d5c21854fc4bb14b81f08ffd985cd20688b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 686}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_libsvm_data` used but never assigned in __init__"}, "properties": {"repobilityId": 132323, "scanner": "repobility-ast-engine", "fingerprint": "152281e05bcf056c0b77f2091838eb255ca1f83d62898aa070480fa7706d88ff", 
"category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|152281e05bcf056c0b77f2091838eb255ca1f83d62898aa070480fa7706d88ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 589}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_multi_files_libsvm"}, "properties": {"repobilityId": 132322, "scanner": "repobility-ast-engine", "fingerprint": "9d33343355db970cafaf76df525020d5fa5968204578fc8a771e7209852443ac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d33343355db970cafaf76df525020d5fa5968204578fc8a771e7209852443ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 315}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_single_file_libsvm_verbosity"}, "properties": {"repobilityId": 132321, "scanner": "repobility-ast-engine", "fingerprint": "ebae1542af9107da81751d83f8f5270d740b52201e5cba833a6fa1e5c79fca01", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, 
"scanner": "repobility-ast-engine", "correlation_key": "fp|ebae1542af9107da81751d83f8f5270d740b52201e5cba833a6fa1e5c79fca01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 299}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_single_file_libsvm_threshold_eval_metric"}, "properties": {"repobilityId": 132320, "scanner": "repobility-ast-engine", "fingerprint": "99240356ecaefafafb7a1e5a22b46b2364f4a8d85415ae3483987a86e951f070", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|99240356ecaefafafb7a1e5a22b46b2364f4a8d85415ae3483987a86e951f070"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 281}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_single_file_libsvm_iterate_objectives"}, "properties": {"repobilityId": 132319, "scanner": "repobility-ast-engine", "fingerprint": "1b86a0bbdca28e5269d81ab21f45189b56dc2adec126376474c5aa664bcaa28e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1b86a0bbdca28e5269d81ab21f45189b56dc2adec126376474c5aa664bcaa28e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 256}}}]}, 
{"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_single_file_output_both_default_and_custom_metrics"}, "properties": {"repobilityId": 132318, "scanner": "repobility-ast-engine", "fingerprint": "1cebda9869b32bdc7deac94072d324852e669e80016c30f2ddbeb31207c8d81a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1cebda9869b32bdc7deac94072d324852e669e80016c30f2ddbeb31207c8d81a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_single_file_libsvm_hpo_param_non_overlapping"}, "properties": {"repobilityId": 132317, "scanner": "repobility-ast-engine", "fingerprint": "20c32cbad265954b83729fb6833840a918ae711aa565dee008d27713e6b2dd38", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20c32cbad265954b83729fb6833840a918ae711aa565dee008d27713e6b2dd38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_single_file_libsvm_multiclass_hpo"}, "properties": {"repobilityId": 132316, "scanner": "repobility-ast-engine", "fingerprint": 
"17e0f4ee8818b6bf14493a6c8f56f8291391d76f75be5efc8524e8812377debd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|17e0f4ee8818b6bf14493a6c8f56f8291391d76f75be5efc8524e8812377debd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_single_file_libsvm_hpo_param"}, "properties": {"repobilityId": 132315, "scanner": "repobility-ast-engine", "fingerprint": "a0d99f82cfebf6329a2865e6e89e52ec36b9b3e0afd15f89d19c0e15a49060d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a0d99f82cfebf6329a2865e6e89e52ec36b9b3e0afd15f89d19c0e15a49060d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_single_file_libsvm_weights"}, "properties": {"repobilityId": 132314, "scanner": "repobility-ast-engine", "fingerprint": "a4d9772a8bbad0f6bc0b063b44593f1a454e9b93195f80b4bab903432ebb12eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, 
"cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a4d9772a8bbad0f6bc0b063b44593f1a454e9b93195f80b4bab903432ebb12eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_single_file_libsvm"}, "properties": {"repobilityId": 132313, "scanner": "repobility-ast-engine", "fingerprint": "c62226f0c0f2912dba0ddfff442b9de8773b710cf21cde0732c607ce84b37039", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c62226f0c0f2912dba0ddfff442b9de8773b710cf21cde0732c607ce84b37039"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_training.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_csv_20mb_payload"}, "properties": {"repobilityId": 132312, "scanner": "repobility-ast-engine", "fingerprint": "417f1dbbe45355ed469e60b2e5a36116068d2fa50a6900a129b72a0a7ca28b9a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|417f1dbbe45355ed469e60b2e5a36116068d2fa50a6900a129b72a0a7ca28b9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_scoring.py"}, 
"region": {"startLine": 204}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_recordio_protobuf_inference"}, "properties": {"repobilityId": 132311, "scanner": "repobility-ast-engine", "fingerprint": "f59f74b85a302eb727375bdfed7a8923e7365c2c27b4c2de779d998006f91cb8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f59f74b85a302eb727375bdfed7a8923e7365c2c27b4c2de779d998006f91cb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_scoring.py"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_libsvm_inference"}, "properties": {"repobilityId": 132310, "scanner": "repobility-ast-engine", "fingerprint": "9b7b8c874c338961e5f9fe80e6e1659479efebeb9a05e306b0c51f6df7f9ce53", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9b7b8c874c338961e5f9fe80e6e1659479efebeb9a05e306b0c51f6df7f9ce53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_scoring.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_csv_inference"}, "properties": {"repobilityId": 132309, "scanner": "repobility-ast-engine", "fingerprint": "b6bba51926f2993ae178c29bc236d294a88d91dac865e5638193c3132eeb5aa1", 
"category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b6bba51926f2993ae178c29bc236d294a88d91dac865e5638193c3132eeb5aa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/test_scoring.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_resources"}, "properties": {"repobilityId": 132308, "scanner": "repobility-ast-engine", "fingerprint": "ea25c1e2ccd8f519c2c6d4cb3a32c1279db321b2360fdaaeca138767f2d837c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ea25c1e2ccd8f519c2c6d4cb3a32c1279db321b2360fdaaeca138767f2d837c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/container/conftest.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_gpu_tuning_aucpr"}, "properties": {"repobilityId": 132307, "scanner": "repobility-ast-engine", "fingerprint": "24894a7e6f43dbd77c6f565f8b65bf9a6d00f458ad81d794c9afb80460a9d957", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|24894a7e6f43dbd77c6f565f8b65bf9a6d00f458ad81d794c9afb80460a9d957"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/e2e/test_hpo.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_gpu_tuning_rmse"}, "properties": {"repobilityId": 132306, "scanner": "repobility-ast-engine", "fingerprint": "6925d522d958ea7d78a52e26fb1db0801c7677eaef29d04ed0ef706f56c7b6bc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6925d522d958ea7d78a52e26fb1db0801c7677eaef29d04ed0ef706f56c7b6bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/e2e/test_hpo.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_tuning_aucpr"}, "properties": {"repobilityId": 132305, "scanner": "repobility-ast-engine", "fingerprint": "fc10f2b6a5810884dc762799ac5bfd81cc04c566aae44b22c727c02abd9a7400", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fc10f2b6a5810884dc762799ac5bfd81cc04c566aae44b22c727c02abd9a7400"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/e2e/test_hpo.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: 
test_tuning_rmse"}, "properties": {"repobilityId": 132304, "scanner": "repobility-ast-engine", "fingerprint": "4c5923abdfb8bbacd648e5d301e86dfc07594c77abacdc9b7e10f9c78a66edc1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4c5923abdfb8bbacd648e5d301e86dfc07594c77abacdc9b7e10f9c78a66edc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/xgboost/e2e/test_hpo.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `requests.append` inside async function `run_benchmark`"}, "properties": {"repobilityId": 132300, "scanner": "repobility-ast-engine", "fingerprint": "a322ef5cb9fc3523b13fe47c5057eeb58fd8a51a1c860580d224c195506875cf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a322ef5cb9fc3523b13fe47c5057eeb58fd8a51a1c860580d224c195506875cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/scripts/benchmark/image_benchmark_client.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `requests.append` inside async function `run_benchmark`"}, "properties": {"repobilityId": 132297, "scanner": "repobility-ast-engine", "fingerprint": "4e4bec2ead5eb05c9c551508bb5ad7665248f9b5c2578c9b20a0f101107a068b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e4bec2ead5eb05c9c551508bb5ad7665248f9b5c2578c9b20a0f101107a068b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/scripts/benchmark/tts_benchmark_client.py"}, "region": {"startLine": 147}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `requests.append` inside async function `run_benchmark`"}, "properties": {"repobilityId": 132294, "scanner": "repobility-ast-engine", "fingerprint": "70d370169a6cba3ef0460f2ce383aee8071997470ae5da48c40be3f2e27d6bb0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|70d370169a6cba3ef0460f2ce383aee8071997470ae5da48c40be3f2e27d6bb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/scripts/benchmark/video_benchmark_client.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._run` used but never assigned in __init__"}, "properties": {"repobilityId": 132293, "scanner": "repobility-ast-engine", "fingerprint": "078966f34827e1219bd29592ae41801a21d986c5c687711282cef88883159c9b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", 
"correlation_key": "fp|078966f34827e1219bd29592ae41801a21d986c5c687711282cef88883159c9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_scope` used but never assigned in __init__"}, "properties": {"repobilityId": 132292, "scanner": "repobility-ast-engine", "fingerprint": "0aa047040f6014028e8de5617abb0bd4cf81057471e4f6d1291205967ae2e03a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0aa047040f6014028e8de5617abb0bd4cf81057471e4f6d1291205967ae2e03a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._run` used but never assigned in __init__"}, "properties": {"repobilityId": 132291, "scanner": "repobility-ast-engine", "fingerprint": "81bc10d2212d9f6a1c0d3fd63cada42197e63c00b01d0e7d531c0bf89c9cf010", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|81bc10d2212d9f6a1c0d3fd63cada42197e63c00b01d0e7d531c0bf89c9cf010"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED108", "level": 
"error", "message": {"text": "`self._make_scope` used but never assigned in __init__"}, "properties": {"repobilityId": 132290, "scanner": "repobility-ast-engine", "fingerprint": "9028848067b30e2c02bdc1a5cc03fe4fff338d03d86464f823c5c40757040698", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9028848067b30e2c02bdc1a5cc03fe4fff338d03d86464f823c5c40757040698"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._run` used but never assigned in __init__"}, "properties": {"repobilityId": 132289, "scanner": "repobility-ast-engine", "fingerprint": "5e65861552a7c7c30234cc7b6bc690c0c299c901f345ac4e7a94d8b76da1d41e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5e65861552a7c7c30234cc7b6bc690c0c299c901f345ac4e7a94d8b76da1d41e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_scope` used but never assigned in __init__"}, "properties": {"repobilityId": 132288, "scanner": "repobility-ast-engine", "fingerprint": "6635a09b8410137014e304e1c4666aa6672dc0b09e178e19c6a21e4442230d46", "category": "quality", "severity": 
"high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6635a09b8410137014e304e1c4666aa6672dc0b09e178e19c6a21e4442230d46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._run` used but never assigned in __init__"}, "properties": {"repobilityId": 132287, "scanner": "repobility-ast-engine", "fingerprint": "f71c4440b33c9781ed787f1d027f7d2a85e7f1189441caa9e2300b83336c1a75", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f71c4440b33c9781ed787f1d027f7d2a85e7f1189441caa9e2300b83336c1a75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_scope` used but never assigned in __init__"}, "properties": {"repobilityId": 132286, "scanner": "repobility-ast-engine", "fingerprint": "f0576cca33884f971470b5229e7828bdc8cf9b59522504d4e7d2c333a593a953", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|f0576cca33884f971470b5229e7828bdc8cf9b59522504d4e7d2c333a593a953"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._run` used but never assigned in __init__"}, "properties": {"repobilityId": 132285, "scanner": "repobility-ast-engine", "fingerprint": "11ef75c6e545d62f82761133fa78193f9610cc476ce78eeae7cb36b9019658fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|11ef75c6e545d62f82761133fa78193f9610cc476ce78eeae7cb36b9019658fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._run` used but never assigned in __init__"}, "properties": {"repobilityId": 132284, "scanner": "repobility-ast-engine", "fingerprint": "4395161221fff0c8655b57d6cd5de4a232d072c3728d8e176d02fe07000de96b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4395161221fff0c8655b57d6cd5de4a232d072c3728d8e176d02fe07000de96b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 78}}}]}, {"ruleId": 
"MINED108", "level": "error", "message": {"text": "`self._make_scope` used but never assigned in __init__"}, "properties": {"repobilityId": 132283, "scanner": "repobility-ast-engine", "fingerprint": "fc18debea46d34e568d6d906356ed7b7e1653f85c13bd898b70e8e5417d472c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fc18debea46d34e568d6d906356ed7b7e1653f85c13bd898b70e8e5417d472c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._run` used but never assigned in __init__"}, "properties": {"repobilityId": 132282, "scanner": "repobility-ast-engine", "fingerprint": "9f8adc681573df8ef8dc139114fc340d86c3d63a5e4c467b08059a2638cc8c5c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9f8adc681573df8ef8dc139114fc340d86c3d63a5e4c467b08059a2638cc8c5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_scope` used but never assigned in __init__"}, "properties": {"repobilityId": 132281, "scanner": "repobility-ast-engine", "fingerprint": "569a5e1df0df521df15b08a92308a8227f6bf435082882db4a1542b73190e0ce", "category": 
"quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|569a5e1df0df521df15b08a92308a8227f6bf435082882db4a1542b73190e0ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._run` used but never assigned in __init__"}, "properties": {"repobilityId": 132280, "scanner": "repobility-ast-engine", "fingerprint": "88186a51635d1cccfb4caa1b6defc7481a141039d7a3a9cf84e7da4d23aa0bed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|88186a51635d1cccfb4caa1b6defc7481a141039d7a3a9cf84e7da4d23aa0bed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_scope` used but never assigned in __init__"}, "properties": {"repobilityId": 132279, "scanner": "repobility-ast-engine", "fingerprint": "d3d44c440ce57b775b2a17db355bb106988f9376b457379e5f387a8c5b6613c9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, 
"scanner": "repobility-ast-engine", "correlation_key": "fp|d3d44c440ce57b775b2a17db355bb106988f9376b457379e5f387a8c5b6613c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/vllm-omni/sagemaker/test_sagemaker_middleware.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_calls_all_generators"}, "properties": {"repobilityId": 132278, "scanner": "repobility-ast-engine", "fingerprint": "15714a66b7fada6220f7501b33bdcc8ceb5b3c6cf67b4e5efc2e3b90dd2ba0ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|15714a66b7fada6220f7501b33bdcc8ceb5b3c6cf67b4e5efc2e3b90dd2ba0ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/docs/test_generate.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_not_found"}, "properties": {"repobilityId": 132277, "scanner": "repobility-ast-engine", "fingerprint": "d4da07575b97b707b4c8aac8739d7ab9cd059ce20e363bc5470e92b16cb8a7cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d4da07575b97b707b4c8aac8739d7ab9cd059ce20e363bc5470e92b16cb8a7cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/docs/test_image_config.py"}, "region": {"startLine": 276}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": 
"Phantom test coverage: test_display_repository_missing"}, "properties": {"repobilityId": 132276, "scanner": "repobility-ast-engine", "fingerprint": "59b95054f5f2c2a6c4b1575d04a03ff99deb8bc19fc8fed91c0cdf702763e4dd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|59b95054f5f2c2a6c4b1575d04a03ff99deb8bc19fc8fed91c0cdf702763e4dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/docs/test_image_config.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_getattr_private"}, "properties": {"repobilityId": 132275, "scanner": "repobility-ast-engine", "fingerprint": "f664f511257e26a8f82ca95195fac8c2380a2a83161cfd980d28b784cd33bdb7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f664f511257e26a8f82ca95195fac8c2380a2a83161cfd980d28b784cd33bdb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/docs/test_image_config.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_getattr_invalid"}, "properties": {"repobilityId": 132274, "scanner": "repobility-ast-engine", "fingerprint": "0e09d54775ba43b9c860d22d21a74a6355c56ff311bd000f5cb697442a33cb9a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0e09d54775ba43b9c860d22d21a74a6355c56ff311bd000f5cb697442a33cb9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/docs/test_image_config.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_efa_sanity_and_nccl"}, "properties": {"repobilityId": 132272, "scanner": "repobility-ast-engine", "fingerprint": "97e4405c21782535c3aeeecab1bff46df34a69928b739c0290c409b48fa11e9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|97e4405c21782535c3aeeecab1bff46df34a69928b739c0290c409b48fa11e9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/efa/test_efa.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_public_ip` used but never assigned in __init__"}, "properties": {"repobilityId": 132270, "scanner": "repobility-ast-engine", "fingerprint": "6bac5155d814e37615121cef97caa90b761f98b96f155d417137ec69be492b2c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6bac5155d814e37615121cef97caa90b761f98b96f155d417137ec69be492b2c"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "test/test_utils/aws.py"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_codebuild_runner_public_ip` used but never assigned in __init__"}, "properties": {"repobilityId": 132269, "scanner": "repobility-ast-engine", "fingerprint": "a6d563d6e8841ac1e26d161a1b9919ef0892f039bd61aca1597428ae40502162", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a6d563d6e8841ac1e26d161a1b9919ef0892f039bd61aca1597428ae40502162"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test_utils/aws.py"}, "region": {"startLine": 213}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.host` used but never assigned in __init__"}, "properties": {"repobilityId": 132268, "scanner": "repobility-ast-engine", "fingerprint": "be9d2a5c2ae898590917a5176b0d1e807b0f16a48dd34efed373aa049f669836", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|be9d2a5c2ae898590917a5176b0d1e807b0f16a48dd34efed373aa049f669836"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test_utils/aws.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ASIMOVBOT_APP_PRIVATE_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 132414, "scanner": 
"repobility-supply-chain", "fingerprint": "d8504909c3b5b6465945070fcfbfcf749f2d786b00c58f7fdc8cf4c26edc1d15", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d8504909c3b5b6465945070fcfbfcf749f2d786b00c58f7fdc8cf4c26edc1d15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prcheck-detect-versions.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `stat` used but not imported"}, "properties": {"repobilityId": 132336, "scanner": "repobility-ast-engine", "fingerprint": "7019f4817e153107726f20cac6ede073d9615caed69833d6ca4ba68f29fab2d7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7019f4817e153107726f20cac6ede073d9615caed69833d6ca4ba68f29fab2d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/download-model/evict_models.py"}, "region": {"startLine": 20}}}]}]}]}