{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: 
GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67mh-4wv8-2f99", "name": "esbuild: GHSA-67mh-4wv8-2f99", "shortDescription": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "fullDescription": {"text": "esbuild enables any website to send any requests to the development server and read the response"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xwr5-m59h-vwqr", "name": "electron: GHSA-xwr5-m59h-vwqr", "shortDescription": {"text": 
"electron: GHSA-xwr5-m59h-vwqr"}, "fullDescription": {"text": "Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xj5x-m3f3-5x3h", "name": "electron: GHSA-xj5x-m3f3-5x3h", "shortDescription": {"text": "electron: GHSA-xj5x-m3f3-5x3h"}, "fullDescription": {"text": "Electron: Service worker can spoof executeJavaScript IPC replies"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vmqv-hx8q-j7mg", "name": "electron: GHSA-vmqv-hx8q-j7mg", "shortDescription": {"text": "electron: GHSA-vmqv-hx8q-j7mg"}, "fullDescription": {"text": "Electron has ASAR Integrity Bypass via resource modification"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5p7-gp4j-qhrx", "name": "electron: GHSA-r5p7-gp4j-qhrx", "shortDescription": {"text": "electron: GHSA-r5p7-gp4j-qhrx"}, "fullDescription": {"text": "Electron: Incorrect origin passed to permission request handler for iframe requests"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mwmh-mq4g-g6gr", "name": "electron: GHSA-mwmh-mq4g-g6gr", "shortDescription": {"text": "electron: GHSA-mwmh-mq4g-g6gr"}, "fullDescription": {"text": "Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f3pv-wv63-48x8", "name": "electron: GHSA-f3pv-wv63-48x8", "shortDescription": {"text": "electron: GHSA-f3pv-wv63-48x8"}, "fullDescription": {"text": "Electron: Named window.open targets not scoped to the 
opener's browsing context"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9w97-2464-8783", "name": "electron: GHSA-9w97-2464-8783", "shortDescription": {"text": "electron: GHSA-9w97-2464-8783"}, "fullDescription": {"text": "Electron: Use-after-free in download save dialog callback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5rqw-r77c-jp79", "name": "electron: GHSA-5rqw-r77c-jp79", "shortDescription": {"text": "electron: GHSA-5rqw-r77c-jp79"}, "fullDescription": {"text": "Electron: AppleScript injection in app.moveToApplicationsFolder on macOS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4p4r-m79c-wq3v", "name": "electron: GHSA-4p4r-m79c-wq3v", "shortDescription": {"text": "electron: GHSA-4p4r-m79c-wq3v"}, "fullDescription": {"text": "Electron: HTTP Response Header Injection in custom protocol handlers and webRequest"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3c8v-cfp5-9885", "name": "electron: GHSA-3c8v-cfp5-9885", "shortDescription": {"text": "electron: GHSA-3c8v-cfp5-9885"}, "fullDescription": {"text": "Electron: Out-of-bounds read in second-instance IPC on macOS and Linux"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xx6v-rp6x-q39c", "name": "axios: GHSA-xx6v-rp6x-q39c", "shortDescription": {"text": "axios: GHSA-xx6v-rp6x-q39c"}, "fullDescription": {"text": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": 
"medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w9j2-pvgh-6h63", "name": "axios: GHSA-w9j2-pvgh-6h63", "shortDescription": {"text": "axios: GHSA-w9j2-pvgh-6h63"}, "fullDescription": {"text": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vf2m-468p-8v99", "name": "axios: GHSA-vf2m-468p-8v99", "shortDescription": {"text": "axios: GHSA-vf2m-468p-8v99"}, "fullDescription": {"text": "Axios: HTTP adapter streamed responses bypass maxContentLength"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m7pr-hjqh-92cm", "name": "axios: GHSA-m7pr-hjqh-92cm", "shortDescription": {"text": "axios: GHSA-m7pr-hjqh-92cm"}, "fullDescription": {"text": "Axios: no_proxy bypass via IP alias allows SSRF"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fvcv-3m26-pcqx", "name": "axios: GHSA-fvcv-3m26-pcqx", "shortDescription": {"text": "axios: GHSA-fvcv-3m26-pcqx"}, "fullDescription": {"text": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-898c-q2cr-xwhg", "name": "axios: GHSA-898c-q2cr-xwhg", "shortDescription": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "fullDescription": {"text": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-62hf-57xw-28j9", "name": "axios: GHSA-62hf-57xw-28j9", 
"shortDescription": {"text": "axios: GHSA-62hf-57xw-28j9"}, "fullDescription": {"text": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c9x-8gcm-mpgx", "name": "axios: GHSA-5c9x-8gcm-mpgx", "shortDescription": {"text": "axios: GHSA-5c9x-8gcm-mpgx"}, "fullDescription": {"text": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-445q-vr5w-6q77", "name": "axios: GHSA-445q-vr5w-6q77", "shortDescription": {"text": "axios: GHSA-445q-vr5w-6q77"}, "fullDescription": {"text": "Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3w6x-2g7m-8v23", "name": "axios: GHSA-3w6x-2g7m-8v23", "shortDescription": {"text": "axios: GHSA-3w6x-2g7m-8v23"}, "fullDescription": {"text": "Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. 
Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC042", "name": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently s", "shortDescription": {"text": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. self._table in Odoo), but a future contributor can extend t"}, "fullDescription": {"text": "Use psycopg2.sql.SQL() + sql.Identifier() for identifiers:\n  from psycopg2 import sql\n  cr.execute(sql.SQL('UPDATE {} SET x=%s').format(sql.Identifier(table)), (value,))\nNever use f-string in cr.execute(). 
Values go through %s parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `wait-on` is 2 major version(s) behind (7.2.0 -> 9.0.10)", "shortDescription": {"text": "npm package `wait-on` is 2 major version(s) behind (7.2.0 -> 9.0.10)"}, "fullDescription": {"text": "`wait-on` is pinned/resolved at 7.2.0 but the latest stable release on the npm registry is 9.0.10 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 552 lines (recommend <300)", "shortDescription": {"text": "Average file size is 552 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": 
{"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-jfqx-fxh3-c62j", "name": "electron: GHSA-jfqx-fxh3-c62j", "shortDescription": {"text": "electron: GHSA-jfqx-fxh3-c62j"}, "fullDescription": {"text": "Electron: Unquoted executable path in app.setLoginItemSettings on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f37v-82c4-4x64", "name": "electron: GHSA-f37v-82c4-4x64", "shortDescription": {"text": "electron: GHSA-f37v-82c4-4x64"}, "fullDescription": {"text": "Electron: Crash in clipboard.readImage() on malformed clipboard image data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9899-m83m-qhpj", "name": "electron: GHSA-9899-m83m-qhpj", "shortDescription": {"text": "electron: GHSA-9899-m83m-qhpj"}, "fullDescription": {"text": "Electron: USB device selection not validated against filtered device list"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xhjh-pmcv-23jw", "name": "axios: GHSA-xhjh-pmcv-23jw", "shortDescription": {"text": "axios: GHSA-xhjh-pmcv-23jw"}, "fullDescription": {"text": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vpq2-c234-7xj6", "name": "@tootallnate/once: GHSA-vpq2-c234-7xj6", "shortDescription": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "fullDescription": {"text": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `stream` has cognitive complexity 9 (SonarSource scale). Cognitive complex", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `stream` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all wei"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 9."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nAlso block loopback (127/8) and the IPv6 equivalents, and apply these checks to the resolved IP address and to every redirect hop, not only to the hostname in the original URL."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. 
That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path 
traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5pgg-2g8v-p4x9", "name": "xlsx: GHSA-5pgg-2g8v-p4x9", "shortDescription": {"text": "xlsx: GHSA-5pgg-2g8v-p4x9"}, "fullDescription": {"text": "SheetJS Regular Expression Denial of Service (ReDoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4r6h-8v6p-xvw6", "name": "xlsx: GHSA-4r6h-8v6p-xvw6", "shortDescription": {"text": "xlsx: GHSA-4r6h-8v6p-xvw6"}, "fullDescription": {"text": "Prototype Pollution in sheetJS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r6q2-hw4h-h46w", "name": "tar: GHSA-r6q2-hw4h-h46w", "shortDescription": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "fullDescription": {"text": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qffp-2rhf-9h96", "name": "tar: GHSA-qffp-2rhf-9h96", "shortDescription": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "fullDescription": {"text": "tar has Hardlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9ppj-qmqm-q256", "name": "tar: 
GHSA-9ppj-qmqm-q256", "shortDescription": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "fullDescription": {"text": "node-tar Symlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8qq5-rm4j-mr97", "name": "tar: GHSA-8qq5-rm4j-mr97", "shortDescription": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "fullDescription": {"text": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-83g3-92jg-28cx", "name": "tar: GHSA-83g3-92jg-28cx", "shortDescription": {"text": "tar: GHSA-83g3-92jg-28cx"}, "fullDescription": {"text": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-34x7-hfp2-rc4v", "name": "tar: GHSA-34x7-hfp2-rc4v", "shortDescription": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "fullDescription": {"text": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mw96-cpmx-2vgc", "name": "rollup: GHSA-mw96-cpmx-2vgc", "shortDescription": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "fullDescription": {"text": "Rollup 4 has Arbitrary File Write via Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS 
vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jjp3-mq3x-295m", "name": "electron: GHSA-jjp3-mq3x-295m", "shortDescription": {"text": "electron: GHSA-jjp3-mq3x-295m"}, "fullDescription": {"text": "Electron: Use-after-free in PowerMonitor on Windows and macOS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9wfr-w7mm-pc7f", "name": "electron: GHSA-9wfr-w7mm-pc7f", "shortDescription": {"text": "electron: GHSA-9wfr-w7mm-pc7f"}, "fullDescription": {"text": "Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8337-3p73-46f4", "name": "electron: GHSA-8337-3p73-46f4", "shortDescription": {"text": "electron: GHSA-8337-3p73-46f4"}, "fullDescription": {"text": "Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-532v-xpq5-8h95", "name": "electron: GHSA-532v-xpq5-8h95", "shortDescription": {"text": "electron: GHSA-532v-xpq5-8h95"}, "fullDescription": {"text": "Electron: Use-after-free in offscreen child window paint callback"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8qp-cvcw-x6jj", "name": "axios: GHSA-q8qp-cvcw-x6jj", "shortDescription": {"text": "axios: GHSA-q8qp-cvcw-x6jj"}, "fullDescription": {"text": "Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pf86-5x62-jrwf", "name": "axios: GHSA-pf86-5x62-jrwf", "shortDescription": {"text": "axios: GHSA-pf86-5x62-jrwf"}, "fullDescription": {"text": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p92q-9vqr-4j8v", "name": "axios: GHSA-p92q-9vqr-4j8v", "shortDescription": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "fullDescription": {"text": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j5f8-grm9-p9fc", "name": "axios: GHSA-j5f8-grm9-p9fc", "shortDescription": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "fullDescription": {"text": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hfxv-24rg-xrqf", "name": "axios: GHSA-hfxv-24rg-xrqf", "shortDescription": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "fullDescription": {"text": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", 
"severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-777c-7fjr-54vf", "name": "axios: GHSA-777c-7fjr-54vf", "shortDescription": {"text": "axios: GHSA-777c-7fjr-54vf"}, "fullDescription": {"text": "Allocation of Resources Without Limits or Throttling in Axios"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6chq-wfr3-2hj9", "name": "axios: GHSA-6chq-wfr3-2hj9", "shortDescription": {"text": "axios: GHSA-6chq-wfr3-2hj9"}, "fullDescription": {"text": "Axios: Header Injection via Prototype Pollution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-43fc-jf86-j433", "name": "axios: GHSA-43fc-jf86-j433", "shortDescription": {"text": "axios: GHSA-43fc-jf86-j433"}, "fullDescription": {"text": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pjwm-pj3p-43mv", "name": "axios: GHSA-pjwm-pj3p-43mv", "shortDescription": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "fullDescription": {"text": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3g43-6gmg-66jw", "name": "axios: GHSA-3g43-6gmg-66jw", "shortDescription": {"text": "axios: GHSA-3g43-6gmg-66jw"}, "fullDescription": {"text": "axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-35jp-ww65-95wh", "name": 
"axios: GHSA-35jp-ww65-95wh", "shortDescription": {"text": "axios: GHSA-35jp-ww65-95wh"}, "fullDescription": {"text": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x6wf-f3px-wcqx", "name": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx", "shortDescription": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated processing instruction serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wh4c-j3r5-mjhp", "name": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp", "shortDescription": {"text": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp"}, "fullDescription": {"text": "xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j759-j44w-7fr8", "name": "@xmldom/xmldom: GHSA-j759-j44w-7fr8", "shortDescription": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated comment serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f6ww-3ggp-fr8h", "name": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h", "shortDescription": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "fullDescription": {"text": "xmldom has XML injection through unvalidated DocumentType serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2v35-w6hq-6mfw", "name": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw", 
"shortDescription": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "fullDescription": {"text": "xmldom: Uncontrolled recursion in XML serialization leads to DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = ?', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials. Browsers refuse credentialed responses that carry a literal `*`, so also review handlers that echo the request Origin without checking it."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/checkout@v4` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED130", "name": "Lockfile pulls package from off-canonical host `registry.npmmirror.com`", "shortDescription": {"text": "Lockfile pulls package from off-canonical host `registry.npmmirror.com`"}, "fullDescription": {"text": "`package-lock.json` resolved URL for `node_modules/@inversifyjs/common` is `https://registry.npmmirror.com/@inversifyjs/common/-/common-1.3.3.tgz...` \u2014 host `registry.npmmirror.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.close` used but never assigned in __init__", "shortDescription": {"text": "`self.close` used but never assigned in __init__"}, "fullDescription": {"text": "Method `__exit__` of class `StealthSession` reads `self.close`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED007", "name": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection.", "shortDescription": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `html` used but not imported", "shortDescription": {"text": "Missing import: `html` used but not imported"}, "fullDescription": {"text": "The file uses `html.something(...)` but never imports `html`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1423"}, "properties": {"repository": "violettoolssite/CFspider", "repoUrl": "https://github.com/violettoolssite/CFspider", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 145950, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 145944, "scanner": "osv-scanner", "fingerprint": "e8eb0ab1ffbb15b3b127c7436af364aa04d69dbc42fb22d21fcb4f304d428269", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|package-lock.json"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 145943, "scanner": "osv-scanner", "fingerprint": "b6e4ab66cc3522d009fa9b7b4cb49ad3d9a60843a6d25559c80bbc6b5b65b8d7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 145940, "scanner": "osv-scanner", "fingerprint": "e2598cdd678ee36350b3ebe476eff57ad9e271a0d02d14de075679d186989bab", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 145931, "scanner": "osv-scanner", "fingerprint": "d5ed12f7486243c555fbed773b248702838c56257ed42617ceba168be7b1518e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": 
"GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 145929, "scanner": "osv-scanner", "fingerprint": "d41619d3fa27a6c14729e152284e286a496d0f6720fd306a770eee6836f5ae60", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 145924, "scanner": "osv-scanner", "fingerprint": "cb1594ee9c9b3c3c79eecd96bfb6310eca5ce408c7b4bcc70dd7d0c68dced8e1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 145923, "scanner": "osv-scanner", "fingerprint": "7b94d9295ad83df2d7a48396a07192307eb2ec178822dcb8b1538f1126d625ef", "category": "dependency", 
"severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": {"repobilityId": 145922, "scanner": "osv-scanner", "fingerprint": "ea8a5c7b7605a558ba29575f9af12f92b2cae352685093ca77ae6b26e27f65ae", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xwr5-m59h-vwqr", "level": "warning", "message": {"text": "electron: GHSA-xwr5-m59h-vwqr"}, "properties": {"repobilityId": 145921, "scanner": "osv-scanner", "fingerprint": "47b0761c8c68b192ad0bc0921938ec4c33717fb9166b123fc336ab7808a43a98", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34775"], "package": "electron", "rule_id": "GHSA-xwr5-m59h-vwqr", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34775|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xj5x-m3f3-5x3h", "level": "warning", "message": {"text": "electron: GHSA-xj5x-m3f3-5x3h"}, "properties": 
{"repobilityId": 145920, "scanner": "osv-scanner", "fingerprint": "aed9bccb9cc1c6162bf4f646e26b3cdf1f296b7935cdb66434d23314b39130bc", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34778"], "package": "electron", "rule_id": "GHSA-xj5x-m3f3-5x3h", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34778|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vmqv-hx8q-j7mg", "level": "warning", "message": {"text": "electron: GHSA-vmqv-hx8q-j7mg"}, "properties": {"repobilityId": 145919, "scanner": "osv-scanner", "fingerprint": "e8e721a81abad748a665f665c2dd118732cac538e3816d352a9e23ad7dc73514", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-55305"], "package": "electron", "rule_id": "GHSA-vmqv-hx8q-j7mg", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2025-55305|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5p7-gp4j-qhrx", "level": "warning", "message": {"text": "electron: GHSA-r5p7-gp4j-qhrx"}, "properties": {"repobilityId": 145918, "scanner": "osv-scanner", "fingerprint": "51004323a887b3255548b1fba17b814505ded9fbefaa156b2e93b1cb3ba259a7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34777"], "package": "electron", "rule_id": "GHSA-r5p7-gp4j-qhrx", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34777|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mwmh-mq4g-g6gr", "level": "warning", "message": {"text": "electron: GHSA-mwmh-mq4g-g6gr"}, "properties": {"repobilityId": 145917, "scanner": "osv-scanner", "fingerprint": "09077f533062a4be0a33ef92ea3270aa08b10e1d7dc71411c948f773b56fae31", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34773"], "package": "electron", "rule_id": "GHSA-mwmh-mq4g-g6gr", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34773|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f3pv-wv63-48x8", "level": "warning", "message": {"text": "electron: GHSA-f3pv-wv63-48x8"}, "properties": {"repobilityId": 145914, "scanner": "osv-scanner", "fingerprint": "6e059a3f3d7e70fa9aca744d1dc9171ed3933e2a20f8c5e41c9edea0f438f2d4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34765"], "package": "electron", "rule_id": "GHSA-f3pv-wv63-48x8", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34765|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9w97-2464-8783", "level": "warning", "message": {"text": "electron: GHSA-9w97-2464-8783"}, "properties": {"repobilityId": 145911, "scanner": "osv-scanner", "fingerprint": "b07ee7d078d7803cfe9ca135d2170f0d8f5403e71f741c5b36fb0d4f896a183d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34772"], "package": 
"electron", "rule_id": "GHSA-9w97-2464-8783", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34772|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5rqw-r77c-jp79", "level": "warning", "message": {"text": "electron: GHSA-5rqw-r77c-jp79"}, "properties": {"repobilityId": 145908, "scanner": "osv-scanner", "fingerprint": "2d70c8bda798b41ebc0eadb3d81b5bf08ce44413b747f110642d78cd5fc4cc4b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34779"], "package": "electron", "rule_id": "GHSA-5rqw-r77c-jp79", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34779|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4p4r-m79c-wq3v", "level": "warning", "message": {"text": "electron: GHSA-4p4r-m79c-wq3v"}, "properties": {"repobilityId": 145906, "scanner": "osv-scanner", "fingerprint": "78988050335da4921fbcbd2e2deff8b1cf54246d907f9c5dbc0fb680e6b97ab6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34767"], "package": "electron", "rule_id": "GHSA-4p4r-m79c-wq3v", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34767|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3c8v-cfp5-9885", "level": "warning", "message": {"text": "electron: GHSA-3c8v-cfp5-9885"}, "properties": {"repobilityId": 145905, "scanner": "osv-scanner", "fingerprint": "8f87a621b2aae748aebb26383aa9f40d7e3cce1a3ea86ed599a55542cf317530", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34776"], "package": "electron", "rule_id": "GHSA-3c8v-cfp5-9885", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34776|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 145904, "scanner": "osv-scanner", "fingerprint": "6d5864ff68ddba1f63a1b3af29aaa21578693cf15f51939dbae397cc92771bac", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xx6v-rp6x-q39c", "level": "warning", "message": {"text": "axios: GHSA-xx6v-rp6x-q39c"}, "properties": {"repobilityId": 145903, "scanner": "osv-scanner", "fingerprint": "a642649248b6adf0c5af355e134b3f18ccb36511a754bf8543807cbafcce6a34", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42042"], "package": "axios", "rule_id": "GHSA-xx6v-rp6x-q39c", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42042|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w9j2-pvgh-6h63", "level": "warning", 
"message": {"text": "axios: GHSA-w9j2-pvgh-6h63"}, "properties": {"repobilityId": 145901, "scanner": "osv-scanner", "fingerprint": "93f238e937be943ccbb6a685609e4ed06af8ef370d5caf335a06f08c44de4667", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42041"], "package": "axios", "rule_id": "GHSA-w9j2-pvgh-6h63", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42041|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vf2m-468p-8v99", "level": "warning", "message": {"text": "axios: GHSA-vf2m-468p-8v99"}, "properties": {"repobilityId": 145900, "scanner": "osv-scanner", "fingerprint": "6671dcbc6f905949bc4217a9321f9dc114d2c7e40949a4e6f8ed541728925727", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42036"], "package": "axios", "rule_id": "GHSA-vf2m-468p-8v99", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42036|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m7pr-hjqh-92cm", "level": "warning", "message": {"text": "axios: GHSA-m7pr-hjqh-92cm"}, "properties": {"repobilityId": 145896, "scanner": "osv-scanner", "fingerprint": "7126ddcd8ac1350fad008f652721000a1a400f01df31d17467490b89cb281981", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42038"], "package": "axios", "rule_id": "GHSA-m7pr-hjqh-92cm", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42038|token"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fvcv-3m26-pcqx", "level": "warning", "message": {"text": "axios: GHSA-fvcv-3m26-pcqx"}, "properties": {"repobilityId": 145893, "scanner": "osv-scanner", "fingerprint": "90bf0c5a98b9e0d265fe080ca060de9dd13ab46d16af3fad0226156efa7de9bb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40175"], "package": "axios", "rule_id": "GHSA-fvcv-3m26-pcqx", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-40175|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-898c-q2cr-xwhg", "level": "warning", "message": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "properties": {"repobilityId": 145892, "scanner": "osv-scanner", "fingerprint": "9b42cc6fedd96738a88c9c4d08faebd1bfe312a79f5537e3640589b4cc4c3e95", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44490"], "package": "axios", "rule_id": "GHSA-898c-q2cr-xwhg", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44490|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-62hf-57xw-28j9", "level": "warning", "message": {"text": "axios: GHSA-62hf-57xw-28j9"}, "properties": {"repobilityId": 145889, "scanner": "osv-scanner", "fingerprint": "81674d3569c2b8e286f63d9a7a3eda5655e80b2536dd3e49e18a60942533a983", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-42039"], "package": "axios", "rule_id": "GHSA-62hf-57xw-28j9", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42039|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c9x-8gcm-mpgx", "level": "warning", "message": {"text": "axios: GHSA-5c9x-8gcm-mpgx"}, "properties": {"repobilityId": 145888, "scanner": "osv-scanner", "fingerprint": "d6b5d84a217fe9925c286a60ec9a07c9d0a09b4073067b232627f8bdc5a90351", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42034"], "package": "axios", "rule_id": "GHSA-5c9x-8gcm-mpgx", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42034|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-445q-vr5w-6q77", "level": "warning", "message": {"text": "axios: GHSA-445q-vr5w-6q77"}, "properties": {"repobilityId": 145887, "scanner": "osv-scanner", "fingerprint": "f65ce2f6edae5c36dd532aa581d9f32e5039a956e4e77e227686f94a87722dea", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42037"], "package": "axios", "rule_id": "GHSA-445q-vr5w-6q77", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42037|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3w6x-2g7m-8v23", "level": "warning", "message": {"text": "axios: GHSA-3w6x-2g7m-8v23"}, "properties": {"repobilityId": 145885, "scanner": "osv-scanner", "fingerprint": "3633ba04c384973dcf1d9d245a71cfc6fb0d23c58164c8053d1be4bcbfd62adc", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42044"], "package": "axios", "rule_id": "GHSA-3w6x-2g7m-8v23", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42044|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 145881, "scanner": "osv-scanner", "fingerprint": "e89a464bc802766913fbf468c426c7ee51c3ce41897fc552ba8202339b6eeb9e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 145872, "scanner": "repobility-threat-engine", "fingerprint": "4232ed82684fac776d6d1a61e7c5d1c2aaf07b768b225e34111381c8ac607b86", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ";eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|x27cn/x27cn/obfuscate.py|71|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x27cn/x27cn/obfuscate.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable. The match is the `generate_password` definition, so confirm which generator its body calls; passwords should come from a CSPRNG such as Python's `secrets` module."}, "properties": {"repobilityId": 145870, "scanner": "repobility-threat-engine", "fingerprint": "0b40191c0b2b06c7e46474b56b9faa9180e15590bef3f60e0c8d2425ecd2ad18", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def generate_password", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|x27cn/x27cn/password.py|208|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x27cn/x27cn/password.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable. The match is the `generate_key` definition, so confirm which generator its body calls; keys should come from a CSPRNG such as Python's `secrets` module or `os.urandom`."}, "properties": {"repobilityId": 145869, "scanner": "repobility-threat-engine", "fingerprint": "a896a5caf63ab038451fc462ef475a818a09da096fb4b76c137b5ca6f9453dc9", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def generate_key", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|x27cn/x27cn/core.py|20|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x27cn/x27cn/core.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 145868, "scanner": "repobility-threat-engine", "fingerprint": "27bd21d72be99344a57244217ccc8a9e70fde4ab8b9e32b9f766ae6df34aadf2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug=True", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|27bd21d72be99344a57244217ccc8a9e70fde4ab8b9e32b9f766ae6df34aadf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x27cn/x27cn/cli.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes 
stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 145867, "scanner": "repobility-threat-engine", "fingerprint": "07f621786423c1512aa64b75630e2f28ca23d6d22478f62c46670d585b004977", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug=True", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|07f621786423c1512aa64b75630e2f28ca23d6d22478f62c46670d585b004977"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x27cn/x27cn/advanced.py"}, "region": {"startLine": 346}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 145858, "scanner": "repobility-threat-engine", "fingerprint": "f3a395e5052ea3fd7724cf13fa99a3b72e0e08323b1ffbc98b12c401952e5642", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f3a395e5052ea3fd7724cf13fa99a3b72e0e08323b1ffbc98b12c401952e5642"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/proxy_server.py"}, "region": {"startLine": 279}}}]}, {"ruleId": "SEC042", "level": "warning", "message": {"text": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. self._table in Odoo), but a future contributor can extend the f-string to user input without noticing. CWE-89. 
Identifiers (table/column names) need a separate escaping path from values."}, "properties": {"repobilityId": 145853, "scanner": "repobility-threat-engine", "fingerprint": "de089e28a9a9439d864555c118f77b96e879a2bdfa08317e33d042ee4e193477", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cursor.execute(f\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC042", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|cfspider/export.py|324|sec042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/export.py"}, "region": {"startLine": 324}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0). The matched snippet (`Math.random() * 800` beside `animateMove`) appears to be animation timing rather than token, key or nonce generation; confirm the use before triaging this as a cryptographic weakness."}, "properties": {"repobilityId": 145837, "scanner": "repobility-threat-engine", "fingerprint": "0a51bfc4885e8c8b4c28fe8ffcb4b11bd643831bfb3bf1f5201be622a1b59e4a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 800\n      \n      const animateMove = () => {\n        if (!isActiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a51bfc4885e8c8b4c28fe8ffcb4b11bd643831bfb3bf1f5201be622a1b59e4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/src/components/Browser/VirtualMouse.tsx"}, "region": {"startLine": 201}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 145829, "scanner": "repobility-agent-runtime", "fingerprint": "c2ad57fe6135ac9ef81f785256fadb651e5a27fe9e430edb38c248f5767b5067", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|c2ad57fe6135ac9ef81f785256fadb651e5a27fe9e430edb38c248f5767b5067"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/src/store/index.ts"}, "region": {"startLine": 688}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `wait-on` is 2 major version(s) behind (7.2.0 -> 9.0.10)"}, 
"properties": {"repobilityId": 145828, "scanner": "repobility-dependency-currency", "fingerprint": "085389bda815a88ffe169b6e377e5e5aa7095e117f5f3002818da71ba2164e6b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "wait-on", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.10", "correlation_key": "fp|085389bda815a88ffe169b6e377e5e5aa7095e117f5f3002818da71ba2164e6b", "current_version": "7.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `cross-env` is 3 major version(s) behind (7.0.3 -> 10.1.0)"}, "properties": {"repobilityId": 145825, "scanner": "repobility-dependency-currency", "fingerprint": "497780781af1597848c3e5bbed12d43213c9d77e8ad329e5e104171e1fc6679b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cross-env", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.1.0", "correlation_key": "fp|497780781af1597848c3e5bbed12d43213c9d77e8ad329e5e104171e1fc6679b", "current_version": "7.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `concurrently` is 2 major version(s) behind (8.2.2 -> 10.0.3)"}, "properties": {"repobilityId": 145824, "scanner": "repobility-dependency-currency", "fingerprint": 
"5a4fd67fdd30bbdba9aeb610ce0591cb9be5c533312afd52c656317756484aec", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "concurrently", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.3", "correlation_key": "fp|5a4fd67fdd30bbdba9aeb610ce0591cb9be5c533312afd52c656317756484aec", "current_version": "8.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitejs/plugin-react` is 2 major version(s) behind (4.7.0 -> 6.0.2)"}, "properties": {"repobilityId": 145822, "scanner": "repobility-dependency-currency", "fingerprint": "a44fb4f02cf8e47dc1b966883321666756ecd6aa3ee201ac0c7624b21a3a6d4f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.2", "correlation_key": "fp|a44fb4f02cf8e47dc1b966883321666756ecd6aa3ee201ac0c7624b21a3a6d4f", "current_version": "4.7.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/react-dom` is 1 major version(s) behind (18.3.7 -> 19.2.3)"}, "properties": {"repobilityId": 145821, "scanner": "repobility-dependency-currency", "fingerprint": "98238568597e9e7313502b3f5745733f8782115d0b36012884ded22b4ba6ec8f", "category": "dependency", "severity": 
"medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/react-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "19.2.3", "correlation_key": "fp|98238568597e9e7313502b3f5745733f8782115d0b36012884ded22b4ba6ec8f", "current_version": "18.3.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `react-markdown` is 1 major version(s) behind (9.0.1 -> 10.1.0)"}, "properties": {"repobilityId": 145818, "scanner": "repobility-dependency-currency", "fingerprint": "9918e624a5a2a15c0ae1464efb5348e224e47b5c9bfa59b48e8bd939740b1a41", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-markdown", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.1.0", "correlation_key": "fp|9918e624a5a2a15c0ae1464efb5348e224e47b5c9bfa59b48e8bd939740b1a41", "current_version": "9.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145800, "scanner": "repobility-ast-engine", "fingerprint": "6494fd53f13c358b9042af0251e438004224452f77120cb1ac611425db5abf39", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", 
"owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6494fd53f13c358b9042af0251e438004224452f77120cb1ac611425db5abf39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/mirror.py"}, "region": {"startLine": 399}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145799, "scanner": "repobility-ast-engine", "fingerprint": "ed319d99e14e8f035eba60e053ff07897125fe5d34958f231340912c3e9a9422", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ed319d99e14e8f035eba60e053ff07897125fe5d34958f231340912c3e9a9422"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/human_browser.py"}, "region": {"startLine": 311}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145798, "scanner": "repobility-ast-engine", "fingerprint": "9ccf4875351404f7ac38f21379123a04a6f3e4e2462f3c0631e723364fe05dbb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ccf4875351404f7ac38f21379123a04a6f3e4e2462f3c0631e723364fe05dbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/batch.py"}, "region": {"startLine": 417}}}]}, {"ruleId": "MINED111", "level": "warning", "message": 
{"text": "Bare except continues silently"}, "properties": {"repobilityId": 145797, "scanner": "repobility-ast-engine", "fingerprint": "fdae0bd124608073a2e783e288ad8953132cc767660fc5c7c904c3a1f33d93ce", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fdae0bd124608073a2e783e288ad8953132cc767660fc5c7c904c3a1f33d93ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/batch.py"}, "region": {"startLine": 328}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145796, "scanner": "repobility-ast-engine", "fingerprint": "0b5e4fb0a4aa1b231d459463fb53915fe1a658d832769b06e2c317debba7cf3d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b5e4fb0a4aa1b231d459463fb53915fe1a658d832769b06e2c317debba7cf3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/batch.py"}, "region": {"startLine": 296}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145782, "scanner": "repobility-ast-engine", "fingerprint": "051857ba5cb60dd4eb7cd1a834d9e6650deceaebc5414fda37fe1d09da7df25c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|051857ba5cb60dd4eb7cd1a834d9e6650deceaebc5414fda37fe1d09da7df25c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 561}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145781, "scanner": "repobility-ast-engine", "fingerprint": "b97d854abcafa4263d93087b7a6e42b2705e3af26e2f0fe7cae940bba16e101e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b97d854abcafa4263d93087b7a6e42b2705e3af26e2f0fe7cae940bba16e101e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 544}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145780, "scanner": "repobility-ast-engine", "fingerprint": "7a0fe4b5ccb47d832f75fc6b0f8067db366379bb1fe17025fef637e20344ebcd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a0fe4b5ccb47d832f75fc6b0f8067db366379bb1fe17025fef637e20344ebcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 350}}}]}, {"ruleId": 
"MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145779, "scanner": "repobility-ast-engine", "fingerprint": "f0603441a5a2f13572985d2486550d9913a16eb07d5f2e9b3c7d9e3c39435fca", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f0603441a5a2f13572985d2486550d9913a16eb07d5f2e9b3c7d9e3c39435fca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 619}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145778, "scanner": "repobility-ast-engine", "fingerprint": "8ff3bc733060eed648b6e1c593f330e0cc49f042b5c270c171d00b2e479ccac0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8ff3bc733060eed648b6e1c593f330e0cc49f042b5c270c171d00b2e479ccac0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 523}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145777, "scanner": "repobility-ast-engine", "fingerprint": "52270c7edaa00b960d1672a76e22b019c0ccfa32fc0a8997c20da0ebd83521b7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|52270c7edaa00b960d1672a76e22b019c0ccfa32fc0a8997c20da0ebd83521b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 445}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145767, "scanner": "repobility-ast-engine", "fingerprint": "c95ed2592474cb05b5eeded3132e26396c349d44bb895638e7afa44e09892391", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c95ed2592474cb05b5eeded3132e26396c349d44bb895638e7afa44e09892391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/proxy_server.py"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145766, "scanner": "repobility-ast-engine", "fingerprint": "4e396c91536c849f6f10110671c10a4eafc4607b24abf6529b06fc90a69a11d3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e396c91536c849f6f10110671c10a4eafc4607b24abf6529b06fc90a69a11d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/proxy_server.py"}, 
"region": {"startLine": 274}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145762, "scanner": "repobility-ast-engine", "fingerprint": "79d598a5ea2ff4d769f19af8771859822db6e80a7dfe1b957d335f5a54142d70", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|79d598a5ea2ff4d769f19af8771859822db6e80a7dfe1b957d335f5a54142d70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloak_test.py"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145761, "scanner": "repobility-ast-engine", "fingerprint": "993c3b577e9fc94a41190938aae1799b059894a5460bd6044589f96f84864820", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|993c3b577e9fc94a41190938aae1799b059894a5460bd6044589f96f84864820"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloak_test.py"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145760, "scanner": "repobility-ast-engine", "fingerprint": "81f7babd5ad9d915740eed14a6f6fe6ab94fde9f4d3039f0be803df8cf86492e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|81f7babd5ad9d915740eed14a6f6fe6ab94fde9f4d3039f0be803df8cf86492e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloak_test.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145759, "scanner": "repobility-ast-engine", "fingerprint": "b5c7a355b4089ed4b5e2085716094db076ddf20b1112c43dc954ab57d8f039c7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b5c7a355b4089ed4b5e2085716094db076ddf20b1112c43dc954ab57d8f039c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloak_test.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145758, "scanner": "repobility-ast-engine", "fingerprint": "0bad3d0e55d9651a581629bfb5bd47fb2d1211dd141bbcf305c6b2bede0652d7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0bad3d0e55d9651a581629bfb5bd47fb2d1211dd141bbcf305c6b2bede0652d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloak_test.py"}, "region": 
{"startLine": 118}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145757, "scanner": "repobility-ast-engine", "fingerprint": "9979ab078e214002eb67fac1826b9d7656d5ba4f30d4ca5a3ced7a08278f558a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9979ab078e214002eb67fac1826b9d7656d5ba4f30d4ca5a3ced7a08278f558a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloak_test.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145756, "scanner": "repobility-ast-engine", "fingerprint": "db665777eab2ee29e2b707ad55bb528c95e48b4952724a5fcc5a4640517faa63", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|db665777eab2ee29e2b707ad55bb528c95e48b4952724a5fcc5a4640517faa63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloak_test.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145755, "scanner": "repobility-ast-engine", "fingerprint": "58b471fd2b7bf9f7602fc7946d92269a6eb85ce9da6a0f1687265586e5d13179", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58b471fd2b7bf9f7602fc7946d92269a6eb85ce9da6a0f1687265586e5d13179"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloak_test.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145754, "scanner": "repobility-ast-engine", "fingerprint": "0ca3e268c5e25607f398190f1984db71d50fd9b16b528238cff38ba10e982572", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ca3e268c5e25607f398190f1984db71d50fd9b16b528238cff38ba10e982572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloak_test.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145753, "scanner": "repobility-ast-engine", "fingerprint": "f8a51615cadf1cca9786557f8d924e18704def252bc27fccdc1ed155d537686c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f8a51615cadf1cca9786557f8d924e18704def252bc27fccdc1ed155d537686c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloak_test.py"}, "region": {"startLine": 
67}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145752, "scanner": "repobility-ast-engine", "fingerprint": "17c4aa0ae7875a5b3530d3ce09dae0e906e349099625731444dbea432ba6bbbb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|17c4aa0ae7875a5b3530d3ce09dae0e906e349099625731444dbea432ba6bbbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloak_test.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 145751, "scanner": "repobility-ast-engine", "fingerprint": "3cd121f5b6829b7284bf1045417adb6632a4bf34996388144815402196145f29", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3cd121f5b6829b7284bf1045417adb6632a4bf34996388144815402196145f29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloak_test.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 552 lines (recommend <300)"}, "properties": {"repobilityId": 145741, "scanner": "repobility-core", "fingerprint": "a5cc5af46f34bd6354a1d757c805d2d82e781634abe2057ae290406f56bfb055", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|a5cc5af46f34bd6354a1d757c805d2d82e781634abe2057ae290406f56bfb055"}}}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 145953, "scanner": "repobility-web-presence", "fingerprint": "917d29034a1a49f5ac1966084018b429a570dfe7b41bd7b5ca8942d12145a117", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|917d29034a1a49f5ac1966084018b429a570dfe7b41bd7b5ca8942d12145a117"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/cli.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 145951, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "GHSA-jfqx-fxh3-c62j", "level": "note", "message": {"text": "electron: GHSA-jfqx-fxh3-c62j"}, "properties": {"repobilityId": 145915, "scanner": "osv-scanner", "fingerprint": 
"2fc41c89bfe6235a6e6f28f0fdc0ae3efa8a6975d7615f89c67dabcd4abb7134", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34768"], "package": "electron", "rule_id": "GHSA-jfqx-fxh3-c62j", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34768|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f37v-82c4-4x64", "level": "note", "message": {"text": "electron: GHSA-f37v-82c4-4x64"}, "properties": {"repobilityId": 145913, "scanner": "osv-scanner", "fingerprint": "0b9df1a19bddec3c1041e7fed77485e92d6e0739f926ee2f56d2be05cbde0d98", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34781"], "package": "electron", "rule_id": "GHSA-f37v-82c4-4x64", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34781|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9899-m83m-qhpj", "level": "note", "message": {"text": "electron: GHSA-9899-m83m-qhpj"}, "properties": {"repobilityId": 145910, "scanner": "osv-scanner", "fingerprint": "20a0f6372eafd4ff93c0083c97d88a52f1a1bdb5c313d976507ccddedfdbf377", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34766"], "package": "electron", "rule_id": "GHSA-9899-m83m-qhpj", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34766|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "GHSA-xhjh-pmcv-23jw", "level": "note", "message": {"text": "axios: GHSA-xhjh-pmcv-23jw"}, "properties": {"repobilityId": 145902, "scanner": "osv-scanner", "fingerprint": "d3251fcd9f49911a5476ee0325a3534ed81fe4dd1e1650377bbdc43b6dddcd56", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42040"], "package": "axios", "rule_id": "GHSA-xhjh-pmcv-23jw", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42040|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vpq2-c234-7xj6", "level": "note", "message": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "properties": {"repobilityId": 145875, "scanner": "osv-scanner", "fingerprint": "4cc0e38da7b6a6c68f8a8e2bf8a96be21854574f89fbcfda2519922edf4ec3be", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3449"], "package": "@tootallnate/once", "rule_id": "GHSA-vpq2-c234-7xj6", "scanner": "osv-scanner", "correlation_key": "vuln|tootallnate/once|CVE-2026-3449|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 145871, "scanner": "repobility-threat-engine", "fingerprint": "1ff94e78c50d6da88d7806444d43fd2be118c87e5033a86daccfe55937393108", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": 
{"match": "document.write(_", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|x27cn/x27cn/obfuscate.py|43|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x27cn/x27cn/obfuscate.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `stream` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=1, if=5, or=1, recursion=2."}, "properties": {"repobilityId": 145849, "scanner": "repobility-threat-engine", "fingerprint": "8b7070dc4fbfbc6cbcdf9c0b049064dd5149bfcea5f10d57d0da3f5b45d6b2d9", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "stream", "breakdown": {"if": 5, "or": 1, "for": 1, "recursion": 2}, "complexity": 9, "correlation_key": "fp|8b7070dc4fbfbc6cbcdf9c0b049064dd5149bfcea5f10d57d0da3f5b45d6b2d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/async_session.py"}, "region": {"startLine": 209}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `request` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: for=1, if=7, or=3, recursion=1."}, "properties": {"repobilityId": 145848, "scanner": "repobility-threat-engine", "fingerprint": "418dc2d7e7c571c155edad90d0c27a584901f7a3c2592d9b8d7f1b7bd2695065", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "request", "breakdown": {"if": 7, "or": 3, "for": 1, "recursion": 1}, "complexity": 12, "correlation_key": "fp|418dc2d7e7c571c155edad90d0c27a584901f7a3c2592d9b8d7f1b7bd2695065"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/async_session.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `esbuild` is minor version(s) behind (0.19.12 -> 0.28.0)"}, "properties": {"repobilityId": 145826, "scanner": "repobility-dependency-currency", "fingerprint": "e3ae045fd6c25300743eba6c51327aa493c41be2011397cc743367aea39d0e2d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "esbuild", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.28.0", "correlation_key": "fp|e3ae045fd6c25300743eba6c51327aa493c41be2011397cc743367aea39d0e2d", "current_version": "0.19.12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `autoprefixer` is minor version(s) behind (10.4.24 -> 10.5.0)"}, "properties": {"repobilityId": 145823, "scanner": "repobility-dependency-currency", "fingerprint": 
"1889ac1b524b5f1cd766ef24f56ada06c1506185993793be3ea9f5541fa695fc", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "autoprefixer", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.5.0", "correlation_key": "fp|1889ac1b524b5f1cd766ef24f56ada06c1506185993793be3ea9f5541fa695fc", "current_version": "10.4.24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `terser` is minor version(s) behind (5.46.0 -> 5.48.0)"}, "properties": {"repobilityId": 145817, "scanner": "repobility-dependency-currency", "fingerprint": "9bc3879f2e75d0d8cf3d78619d703a40f02606028ce087c3cb1958bc5c9c86b2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "terser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.48.0", "correlation_key": "fp|9bc3879f2e75d0d8cf3d78619d703a40f02606028ce087c3cb1958bc5c9c86b2", "current_version": "5.46.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `javascript-obfuscator` is minor version(s) behind (5.1.0 -> 5.4.3)"}, "properties": {"repobilityId": 145816, "scanner": "repobility-dependency-currency", "fingerprint": "05170def6961edaa2848ee3bbbe459f8e082f971841fef324da03cb21b8fb1c5", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "javascript-obfuscator", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.4.3", "correlation_key": "fp|05170def6961edaa2848ee3bbbe459f8e082f971841fef324da03cb21b8fb1c5", "current_version": "5.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@neondatabase/serverless` is minor version(s) behind (1.0.2 -> 1.1.0)"}, "properties": {"repobilityId": 145815, "scanner": "repobility-dependency-currency", "fingerprint": "a1a268635513388d782d64fa3b7568d11952bffd249ce820f65f9ca5921e2f60", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@neondatabase/serverless", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.1.0", "correlation_key": "fp|a1a268635513388d782d64fa3b7568d11952bffd249ce820f65f9ca5921e2f60", "current_version": "1.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145750, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d545f6259d7b9d68e3ebd3acc0c0fd795e52af2d0e666bc0e681121fa3c507fd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cfspider/workers/\u7834\u76ae\u7248workers_\u660e\u6587.js", "duplicate_line": 83, "correlation_key": "fp|d545f6259d7b9d68e3ebd3acc0c0fd795e52af2d0e666bc0e681121fa3c507fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/\u7834\u76ae\u7248workers_\u8d85\u660e\u6587.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145749, "scanner": "repobility-ai-code-hygiene", "fingerprint": "842fa0c79dd126c33cf1e5e6ff7126228e4d805975f7887103fc5fb3bd83cb76", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cfspider/workers/\u7834\u76ae\u7248workers_\u8d85\u660e\u6587.js", "duplicate_line": 1, "correlation_key": "fp|842fa0c79dd126c33cf1e5e6ff7126228e4d805975f7887103fc5fb3bd83cb76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/\u7834\u76ae\u7248workers_\u8d85\u660e\u6587.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145748, "scanner": "repobility-ai-code-hygiene", "fingerprint": "099983cf40e711454d0488bff7d02d796ebd812cafe391ae8608c134e0cedcbc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "cfspider/workers/\u7834\u76ae\u7248workers_\u660e\u6587.js", "duplicate_line": 1, "correlation_key": "fp|099983cf40e711454d0488bff7d02d796ebd812cafe391ae8608c134e0cedcbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/\u7834\u76ae\u7248workers_\u660e\u6587.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145747, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e19788dd9e89031345dfa49895e11dee934d006f0bc637decbca27878de5a497", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cfspider/workers/\u722c\u697c\u68afworkers.js", "duplicate_line": 1, "correlation_key": "fp|e19788dd9e89031345dfa49895e11dee934d006f0bc637decbca27878de5a497"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/\u722c\u697c\u68afworkers.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145746, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d91143f92abecdd66ccf4ffdd9143735d988da6464931b378cb5c5feaed0c86f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"cfspider/workers/\u7834\u76ae\u7248workers_\u660e\u6587.js", "duplicate_line": 83, "correlation_key": "fp|d91143f92abecdd66ccf4ffdd9143735d988da6464931b378cb5c5feaed0c86f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/workers/\u7834\u76ae\u7248workers_\u8d85\u660e\u6587.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145745, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e213cc563bc861a26ee3728da108862846c636ea01566b0b188f3995ed6ef50", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cfspider/async_api.py", "duplicate_line": 57, "correlation_key": "fp|7e213cc563bc861a26ee3728da108862846c636ea01566b0b188f3995ed6ef50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/impersonate.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145744, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d21c5c17f8d2fe71f88565ee6625229383b759566b9392545f9c5102e13b77d0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cfspider/api.py", "duplicate_line": 128, "correlation_key": 
"fp|d21c5c17f8d2fe71f88565ee6625229383b759566b9392545f9c5102e13b77d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/extract.py"}, "region": {"startLine": 278}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145743, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e75c92dd4480fe0445245113828c37ac3ee3a43fb311fc1486c03699510b05d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cfspider/__init__.py", "duplicate_line": 120, "correlation_key": "fp|0e75c92dd4480fe0445245113828c37ac3ee3a43fb311fc1486c03699510b05d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/browser.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145742, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f9a853495ab6b482e87c78f3c7901a8a28674f70deab74e231ae6af27f131425", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cfspider/api.py", "duplicate_line": 114, "correlation_key": "fp|f9a853495ab6b482e87c78f3c7901a8a28674f70deab74e231ae6af27f131425"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/async_api.py"}, "region": {"startLine": 88}}}]}, {"ruleId": 
"MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 145862, "scanner": "repobility-threat-engine", "fingerprint": "58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "aggregated_count": 2}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 145851, "scanner": "repobility-threat-engine", "fingerprint": "77c6c839e3d15e6868a981640348ff83ed699acf23819d7eaf9cee4a446a7fe9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "request", "breakdown": {"if": 7, "or": 3, "for": 1, "recursion": 1}, "aggregated": true, "complexity": 12, "correlation_key": "fp|77c6c839e3d15e6868a981640348ff83ed699acf23819d7eaf9cee4a446a7fe9", "aggregated_count": 16}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 145847, "scanner": "repobility-threat-engine", "fingerprint": "de54daf2ab7de84ec6af89b84cb54e7bfad0f53f21d7e086a244289447a211e7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de54daf2ab7de84ec6af89b84cb54e7bfad0f53f21d7e086a244289447a211e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/proxy_server.py"}, "region": {"startLine": 259}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 145846, "scanner": "repobility-threat-engine", "fingerprint": "572d6bd6d2496941bc56491e0f51ee27fdf9ad4e109400488d199eeeac49e1d0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": 
{"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|572d6bd6d2496941bc56491e0f51ee27fdf9ad4e109400488d199eeeac49e1d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/__init__.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 145845, "scanner": "repobility-threat-engine", "fingerprint": "62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 145844, "scanner": "repobility-threat-engine", "fingerprint": "6569d9a2856e05a3430e985bf3db6f2d373bcbc758a91ac17106794aa485d21f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6569d9a2856e05a3430e985bf3db6f2d373bcbc758a91ac17106794aa485d21f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/data/io.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 145843, "scanner": "repobility-threat-engine", "fingerprint": "fedb8ba4769a601a81e80ced798eab5b5bee0619db4859da04819b65ca4e7822", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fedb8ba4769a601a81e80ced798eab5b5bee0619db4859da04819b65ca4e7822"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/async_session.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 145842, "scanner": "repobility-threat-engine", "fingerprint": "8812e2625f31cf392a5dd61728a38cdf1e44d15975a4b870bada48577f2d49fe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8812e2625f31cf392a5dd61728a38cdf1e44d15975a4b870bada48577f2d49fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/__init__.py"}, "region": {"startLine": 161}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 145841, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 145836, "scanner": "repobility-threat-engine", "fingerprint": "67a27f5cf85eac044eca73e20fc23fb9d6a1a9f74728d143ec989b8f7cbb925d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|67a27f5cf85eac044eca73e20fc23fb9d6a1a9f74728d143ec989b8f7cbb925d", "aggregated_count": 4}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 145835, "scanner": "repobility-threat-engine", "fingerprint": "0aeeaad17d18870fc8b83de3ea7a3010d99475b87fcf73e8c0e436037602c647", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0aeeaad17d18870fc8b83de3ea7a3010d99475b87fcf73e8c0e436037602c647"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/src/services/extractor.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 145834, "scanner": "repobility-threat-engine", "fingerprint": "3ac3c3fa6bc48d62aa5e14bbbace856780c8a49bcceda3d73616a9526649beae", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3ac3c3fa6bc48d62aa5e14bbbace856780c8a49bcceda3d73616a9526649beae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build_encrypted.js"}, "region": {"startLine": 213}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 145833, "scanner": "repobility-threat-engine", "fingerprint": "5d6e1af15a9931b74daf11ac2e0915d215ab7bf6efb3314c39118f23470dd61a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d6e1af15a9931b74daf11ac2e0915d215ab7bf6efb3314c39118f23470dd61a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "add_encryption.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `postcss` is patch version(s) behind (8.5.6 -> 8.5.15)"}, "properties": {"repobilityId": 145827, "scanner": "repobility-dependency-currency", "fingerprint": "603597f6e351e9c589528f37a3583431208c8f3fc3940c34ffdac36771afb152", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "postcss", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.5.15", "correlation_key": "fp|603597f6e351e9c589528f37a3583431208c8f3fc3940c34ffdac36771afb152", "current_version": "8.5.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `zustand` is patch version(s) behind 
(5.0.10 -> 5.0.14)"}, "properties": {"repobilityId": 145820, "scanner": "repobility-dependency-currency", "fingerprint": "749cbe68789a76129c0ab5109065839f64e09e5d88820eca3486259ee253a55d", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "zustand", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.14", "correlation_key": "fp|749cbe68789a76129c0ab5109065839f64e09e5d88820eca3486259ee253a55d", "current_version": "5.0.10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `react-syntax-highlighter` is patch version(s) behind (16.1.0 -> 16.1.1)"}, "properties": {"repobilityId": 145819, "scanner": "repobility-dependency-currency", "fingerprint": "a4d7840434c064c5a34d7ef7899d4b991d7b72942f4991b56cd3f249b4bf5d4d", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-syntax-highlighter", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "16.1.1", "correlation_key": "fp|a4d7840434c064c5a34d7ef7899d4b991d7b72942f4991b56cd3f249b4bf5d4d", "current_version": "16.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 145952, "scanner": "repobility-journey-contract", "fingerprint": 
"c194b7f9a8f873d14d04ba91cc922397e79084d826d0eedf5278a519a1e4596e", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|351|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/src/components/Settings/SettingsModal.tsx"}, "region": {"startLine": 351}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 145949, "scanner": "osv-scanner", "fingerprint": "eefef250e5a6e239df447b5946f207cdb0dd68151255b2332fb8ba8f476755c1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 145948, "scanner": "osv-scanner", "fingerprint": "51db4fe99f02113d5057e54849a1514660f72202efa765a619a8195e282ff31f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": 
"vuln|minimatch|CVE-2026-26996|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 145947, "scanner": "osv-scanner", "fingerprint": "f4f398661d95064420cba5942b7bc163815b09d09751c05f0247afa0ed407b54", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 145946, "scanner": "osv-scanner", "fingerprint": "d9e8ef847898100d4370c43984678fe5fed930d5324ab88248c2d2156d522d84", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 145945, "scanner": "osv-scanner", "fingerprint": "bbadb454e2f0de5491c967e3dd8f97119c293cd0aafbefed77d3b3e72652865f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5pgg-2g8v-p4x9", "level": "error", "message": {"text": "xlsx: GHSA-5pgg-2g8v-p4x9"}, "properties": {"repobilityId": 145942, "scanner": "osv-scanner", "fingerprint": "a3b63b4621e8001526b2c4cee18607b034b8b247c3639ae65283cef240b7196c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-22363"], "package": "xlsx", "rule_id": "GHSA-5pgg-2g8v-p4x9", "scanner": "osv-scanner", "correlation_key": "vuln|xlsx|CVE-2024-22363|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4r6h-8v6p-xvw6", "level": "error", "message": {"text": "xlsx: GHSA-4r6h-8v6p-xvw6"}, "properties": {"repobilityId": 145941, "scanner": "osv-scanner", "fingerprint": "43b07b310b899f4c70c9095fc1f20ccf821a7f4f0437de57533966b3a99caf26", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-30533"], "package": "xlsx", "rule_id": "GHSA-4r6h-8v6p-xvw6", "scanner": "osv-scanner", "correlation_key": "vuln|xlsx|CVE-2023-30533|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 145939, "scanner": "osv-scanner", "fingerprint": 
"58be5ca1c710b9f782138ee0cdc2ce88d8ccfb2e950ffc24f595579a88197637", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r6q2-hw4h-h46w", "level": "error", "message": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "properties": {"repobilityId": 145938, "scanner": "osv-scanner", "fingerprint": "917050e43bc3ad86844356d7cc7ef9cb1abe01180fb96f753a3b90f7504fdb1c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23950"], "package": "tar", "rule_id": "GHSA-r6q2-hw4h-h46w", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23950|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qffp-2rhf-9h96", "level": "error", "message": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "properties": {"repobilityId": 145937, "scanner": "osv-scanner", "fingerprint": "23dfc911e6cd42797855c31da5f8b3f8bddc0f9d7703914e69c847d1d4948f68", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29786"], "package": "tar", "rule_id": "GHSA-qffp-2rhf-9h96", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-29786|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9ppj-qmqm-q256", "level": 
"error", "message": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "properties": {"repobilityId": 145936, "scanner": "osv-scanner", "fingerprint": "c5850981b4972fdea37725141a14846fa24566140c52daa942366a8dbb5f6008", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-31802"], "package": "tar", "rule_id": "GHSA-9ppj-qmqm-q256", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-31802|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8qq5-rm4j-mr97", "level": "error", "message": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "properties": {"repobilityId": 145935, "scanner": "osv-scanner", "fingerprint": "a5663934d39996bb95e8e6c382b85cd3726332b514a7253e9534189d89f9fe86", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23745"], "package": "tar", "rule_id": "GHSA-8qq5-rm4j-mr97", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23745|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-83g3-92jg-28cx", "level": "error", "message": {"text": "tar: GHSA-83g3-92jg-28cx"}, "properties": {"repobilityId": 145934, "scanner": "osv-scanner", "fingerprint": "57345ef7aea5bf6cef7a7b03846a4bfc342ab040870c6c243d5eeb4e26fba323", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26960"], "package": "tar", "rule_id": "GHSA-83g3-92jg-28cx", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-26960|token"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-34x7-hfp2-rc4v", "level": "error", "message": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "properties": {"repobilityId": 145933, "scanner": "osv-scanner", "fingerprint": "028913aa5988a714542deda6e1717d0c8652c854a6ca1bc021f2e02735280620", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24842"], "package": "tar", "rule_id": "GHSA-34x7-hfp2-rc4v", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-24842|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 145932, "scanner": "osv-scanner", "fingerprint": "47ed51d5ea0229b0fdd2f9792f8cb4b414b42f4870ae00b05dcfdf58b3e04e34", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 145930, "scanner": "osv-scanner", "fingerprint": "a179140eb868280bb28a10239ae639e744ff8642b27493a6e34d236255251028", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": 
"picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 145928, "scanner": "osv-scanner", "fingerprint": "21f5f25e3d2c2d192fcdcb6c83e2dacffebe2c3070e8ea648d2264547b6fbbdb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 145927, "scanner": "osv-scanner", "fingerprint": "2a2057891a265b11329a2975872f488b5dd471294239da66b91bd3524ef7f51a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 145926, "scanner": "osv-scanner", "fingerprint": "4ce01b2f4811ac41f92e9920a6a58ca36888698fcb306ad25bfae7656d430403", "category": 
"dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 145925, "scanner": "osv-scanner", "fingerprint": "477d9e659af563af79e4fb0367e9c9028c7e0658cd1dfcf64c138182c7fbe73a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jjp3-mq3x-295m", "level": "error", "message": {"text": "electron: GHSA-jjp3-mq3x-295m"}, "properties": {"repobilityId": 145916, "scanner": "osv-scanner", "fingerprint": "c27839b51b6dcdefe25121cf5e7b2227abe8ef530dc088b110056659826bd06f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34770"], "package": "electron", "rule_id": "GHSA-jjp3-mq3x-295m", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34770|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9wfr-w7mm-pc7f", "level": "error", "message": {"text": "electron: 
GHSA-9wfr-w7mm-pc7f"}, "properties": {"repobilityId": 145912, "scanner": "osv-scanner", "fingerprint": "cc35fb49ac240d0574b10ef96313562fb0ffadc7bea13063ac3ec71285e9af1f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34769"], "package": "electron", "rule_id": "GHSA-9wfr-w7mm-pc7f", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34769|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8337-3p73-46f4", "level": "error", "message": {"text": "electron: GHSA-8337-3p73-46f4"}, "properties": {"repobilityId": 145909, "scanner": "osv-scanner", "fingerprint": "4b5894d36e200c0e9ef061ffaa1f473925e99aff3ead68ee5222e766b5c49b8b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34771"], "package": "electron", "rule_id": "GHSA-8337-3p73-46f4", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34771|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-532v-xpq5-8h95", "level": "error", "message": {"text": "electron: GHSA-532v-xpq5-8h95"}, "properties": {"repobilityId": 145907, "scanner": "osv-scanner", "fingerprint": "13b03506a90a8495b0927334fe1a7c9c6a1ae84c484e6a0a6f084d447632962f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34774"], "package": "electron", "rule_id": "GHSA-532v-xpq5-8h95", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34774|token"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8qp-cvcw-x6jj", "level": "error", "message": {"text": "axios: GHSA-q8qp-cvcw-x6jj"}, "properties": {"repobilityId": 145899, "scanner": "osv-scanner", "fingerprint": "1dbf765e01fd51c5a08109a1ea3f72ee63eaeb4f7eacc1cb4863008eb30fdaf7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42264"], "package": "axios", "rule_id": "GHSA-q8qp-cvcw-x6jj", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42264|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pf86-5x62-jrwf", "level": "error", "message": {"text": "axios: GHSA-pf86-5x62-jrwf"}, "properties": {"repobilityId": 145898, "scanner": "osv-scanner", "fingerprint": "b944bc63790f347632965e77c5891f1b3353d1921c88b688858dfbc22fd61eca", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42033"], "package": "axios", "rule_id": "GHSA-pf86-5x62-jrwf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42033|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p92q-9vqr-4j8v", "level": "error", "message": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "properties": {"repobilityId": 145897, "scanner": "osv-scanner", "fingerprint": "e764dd7061d21fc2f416d5f3bc90c8a53d9954a9670116570eccd303608892e9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44487"], "package": 
"axios", "rule_id": "GHSA-p92q-9vqr-4j8v", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44487|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j5f8-grm9-p9fc", "level": "error", "message": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "properties": {"repobilityId": 145895, "scanner": "osv-scanner", "fingerprint": "d10c539ae4321516906dfd5c0025b935ce9bca5dec6f175603abda33a6578d3f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44486"], "package": "axios", "rule_id": "GHSA-j5f8-grm9-p9fc", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44486|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hfxv-24rg-xrqf", "level": "error", "message": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "properties": {"repobilityId": 145894, "scanner": "osv-scanner", "fingerprint": "572edd993f1608aadb44ec3bd602e7573f2d6757f98a27dae5d31d7811ad15e7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44496"], "package": "axios", "rule_id": "GHSA-hfxv-24rg-xrqf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44496|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-777c-7fjr-54vf", "level": "error", "message": {"text": "axios: GHSA-777c-7fjr-54vf"}, "properties": {"repobilityId": 145891, "scanner": "osv-scanner", "fingerprint": "01a504083e24d3218991da17df1d7b56e3a39d650925f8e4f9e5eee6b214cff6", "category": "dependency", "severity": "high", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44488"], "package": "axios", "rule_id": "GHSA-777c-7fjr-54vf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44488|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6chq-wfr3-2hj9", "level": "error", "message": {"text": "axios: GHSA-6chq-wfr3-2hj9"}, "properties": {"repobilityId": 145890, "scanner": "osv-scanner", "fingerprint": "234e422a83112092c41b1a64f621fd57e78d7181694b8eb6437e0e7e72071639", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42035"], "package": "axios", "rule_id": "GHSA-6chq-wfr3-2hj9", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42035|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-43fc-jf86-j433", "level": "error", "message": {"text": "axios: GHSA-43fc-jf86-j433"}, "properties": {"repobilityId": 145886, "scanner": "osv-scanner", "fingerprint": "8b9eca8141480f19f60317ca8a4ded73eacb4e941860489c86c02a28aa21e197", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25639"], "package": "axios", "rule_id": "GHSA-43fc-jf86-j433", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-25639|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pjwm-pj3p-43mv", "level": "error", "message": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "properties": {"repobilityId": 145884, 
"scanner": "osv-scanner", "fingerprint": "79858841d894e4d1e14a6c3bfa24892e91ddd0326c9cca1a84a0ffdb3461b400", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44492"], "package": "axios", "rule_id": "GHSA-pjwm-pj3p-43mv", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2025-62718|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-3p68-rc4w-qgx5", "GHSA-pjwm-pj3p-43mv", "GHSA-pmwg-cvhr-8vh7"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["33ecdf1d675e7c34b90b674fafcdabf2ae1834606bdc5cac0feb084828ef9bf3", "79858841d894e4d1e14a6c3bfa24892e91ddd0326c9cca1a84a0ffdb3461b400", "96acaf2b3179a5d33738c22be319d246df042c5cbedf3de7ad7a38d9b133378d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3g43-6gmg-66jw", "level": "error", "message": {"text": "axios: GHSA-3g43-6gmg-66jw"}, "properties": {"repobilityId": 145883, "scanner": "osv-scanner", "fingerprint": "b3bd348d02af822160b8a46b327daff86fcf720c02a290c0b9d6dd6816beb581", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44495"], "package": "axios", "rule_id": "GHSA-3g43-6gmg-66jw", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44495|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-35jp-ww65-95wh", "level": "error", "message": {"text": "axios: GHSA-35jp-ww65-95wh"}, "properties": {"repobilityId": 145882, "scanner": "osv-scanner", "fingerprint": 
"7182f85ebade0492792ea2a5749b0b83799d9671ca44c2f2700cc38b19bcd722", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44494"], "package": "axios", "rule_id": "GHSA-35jp-ww65-95wh", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44494|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x6wf-f3px-wcqx", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "properties": {"repobilityId": 145880, "scanner": "osv-scanner", "fingerprint": "d0bda9ccbf65aeb94490049724c661002e06c55ca23216d9d735260d4ebebc20", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41675"], "package": "@xmldom/xmldom", "rule_id": "GHSA-x6wf-f3px-wcqx", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41675|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wh4c-j3r5-mjhp", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp"}, "properties": {"repobilityId": 145879, "scanner": "osv-scanner", "fingerprint": "9c06f3c07f5a3857283429cc05d3dbc3ccd8d4e14ba2f559ea0df514ae1341fe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34601"], "package": "@xmldom/xmldom", "rule_id": "GHSA-wh4c-j3r5-mjhp", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-34601|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j759-j44w-7fr8", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "properties": {"repobilityId": 145878, "scanner": "osv-scanner", "fingerprint": "dba62611b7b67dd15304a97bbd0353401be479809738f7a031af3c123a37e37d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41672"], "package": "@xmldom/xmldom", "rule_id": "GHSA-j759-j44w-7fr8", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41672|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f6ww-3ggp-fr8h", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "properties": {"repobilityId": 145877, "scanner": "osv-scanner", "fingerprint": "0669db68a67d0364690d6a9cbd457daae9cce9685b381ff1202d0b19fd31d1a0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41674"], "package": "@xmldom/xmldom", "rule_id": "GHSA-f6ww-3ggp-fr8h", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41674|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2v35-w6hq-6mfw", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "properties": {"repobilityId": 145876, "scanner": "osv-scanner", "fingerprint": "008200759cf2fcdfb7feec1968e38912c384ebb1dd5c0dde1ac7162e128d604b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41673"], "package": 
"@xmldom/xmldom", "rule_id": "GHSA-2v35-w6hq-6mfw", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41673|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 145873, "scanner": "repobility-threat-engine", "fingerprint": "8254bf4dc9ba89f2e56aa11ca1073890a17464eafc4597227cc6875143b7f52b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(_e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8254bf4dc9ba89f2e56aa11ca1073890a17464eafc4597227cc6875143b7f52b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x27cn/x27cn/obfuscate.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 145866, "scanner": "repobility-threat-engine", "fingerprint": "f6683b6e759a21b6cde3346d1fecec05582ad2fdd59c8210df2f57dcd11e62f2", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|x27cn/x27cn/obfuscate.py|127|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x27cn/x27cn/obfuscate.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 145865, "scanner": "repobility-threat-engine", "fingerprint": "57a583f4d33433e2067d1844bd0fc93b611e0dc2adad01a94cbb9d37c94d1ca1", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(args.input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|x27cn/x27cn/cli.py|137|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x27cn/x27cn/cli.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 145864, "scanner": "repobility-threat-engine", "fingerprint": "71d1b3bfb0043386aa32a6ec1356002b3270bab85a737ca9f952ecaf2c9fb49f", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|x27cn/x27cn/advanced.py|411|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x27cn/x27cn/advanced.py"}, "region": {"startLine": 411}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 145863, "scanner": "repobility-threat-engine", "fingerprint": "915efc8c87dd1563d8531c14ed8e274ad841b78ba1a5bc13c5dce64e1935e986", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(cn", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|915efc8c87dd1563d8531c14ed8e274ad841b78ba1a5bc13c5dce64e1935e986"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "obfuscate.js"}, "region": {"startLine": 267}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 145861, "scanner": 
"repobility-threat-engine", "fingerprint": "320363d15e9d39aa0f52b8a4ba6b57170cccae1da3f84bc87720eb8f6b33ab2d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|320363d15e9d39aa0f52b8a4ba6b57170cccae1da3f84bc87720eb8f6b33ab2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x27cn/x27cn/__init__.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 145860, "scanner": "repobility-threat-engine", "fingerprint": "dcc9f9665c0c41603f9600a7af6b9510afd7f7bca62b608242e05ebc7488f80d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dcc9f9665c0c41603f9600a7af6b9510afd7f7bca62b608242e05ebc7488f80d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/\u7834\u76ae\u7248workers_\u8d85\u660e\u6587.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security 
context (not just checksums)."}, "properties": {"repobilityId": 145859, "scanner": "repobility-threat-engine", "fingerprint": "d80674d1b83b16e6dd7165a80691dabee128a1ea6653ae305bd891d6308ff165", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d80674d1b83b16e6dd7165a80691dabee128a1ea6653ae305bd891d6308ff165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/workers/\u7834\u76ae\u7248workers_\u8d85\u660e\u6587.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 145857, "scanner": "repobility-threat-engine", "fingerprint": "2411d1d7fe52fdb7e14857601326370c6830749a43d0a892ffe63709535ef93d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2411d1d7fe52fdb7e14857601326370c6830749a43d0a892ffe63709535ef93d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/proxy_server.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: `except: pass` or `except Exception: pass` \u2014 silently swallows errors and bugs; the bare `except:` form also swallows KeyboardInterrupt and SystemExit."}, "properties": {"repobilityId": 145856, "scanner": "repobility-threat-engine", "fingerprint": "317e229bcca104beba9aa3efe0b7157791cd5648ff88e65b8798e26ab470e795", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|317e229bcca104beba9aa3efe0b7157791cd5648ff88e65b8798e26ab470e795"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"cfspider/proxy_server.py"}, "region": {"startLine": 258}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 145854, "scanner": "repobility-threat-engine", "fingerprint": "94c5003450fc0b726766362844d5779756775afbafdc9da6d05ea5122c3cde92", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "wb.save(filepath)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|94c5003450fc0b726766362844d5779756775afbafdc9da6d05ea5122c3cde92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/export.py"}, "region": {"startLine": 240}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. 
Allows SQL injection."}, "properties": {"repobilityId": 145852, "scanner": "repobility-threat-engine", "fingerprint": "978039f0f694e58ed4408b7d7c6587cfe217ebb67c9cbb932b4692828859c88e", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": ".execute(f\"SELECT", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|cfspider/export.py|326|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/export.py"}, "region": {"startLine": 326}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `_read_urls` has cognitive complexity 40 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=4, except=4, for=2, if=7, nested_bonus=22, ternary=1."}, "properties": {"repobilityId": 145850, "scanner": "repobility-threat-engine", "fingerprint": "a1a193820441bdc9147e6f1d44009c25e120f7a7694de7659a452b8fe143db11", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 40 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_read_urls", "breakdown": {"if": 7, "for": 2, "else": 4, "except": 4, "ternary": 1, "nested_bonus": 22}, "complexity": 40, "correlation_key": "fp|a1a193820441bdc9147e6f1d44009c25e120f7a7694de7659a452b8fe143db11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/data/io.py"}, "region": {"startLine": 254}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 145840, "scanner": "repobility-threat-engine", "fingerprint": "0e87c8f6c28f1ff96f69995e4ddee212eb8e7230985f19198430ccbc8f1eb9b8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0e87c8f6c28f1ff96f69995e4ddee212eb8e7230985f19198430ccbc8f1eb9b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/workers/\u7834\u76ae\u7248workers_\u8d85\u660e\u6587.js"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 145839, "scanner": "repobility-threat-engine", "fingerprint": "c3f450053a20cf189a5bbde7d3fa9dfdbe5deaf86d45dd424f779ceac4fc3aaa", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c3f450053a20cf189a5bbde7d3fa9dfdbe5deaf86d45dd424f779ceac4fc3aaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/data/io.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 145838, "scanner": "repobility-threat-engine", "fingerprint": "45c4777404e71a970e12a00d189826a671b57ee25e0e5eeacdd9670489455373", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|45c4777404e71a970e12a00d189826a671b57ee25e0e5eeacdd9670489455373"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider-browser/src/services/rules.ts"}, "region": {"startLine": 30}}}]}, 
{"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make cross-origin requests and read the responses. Especially dangerous when the request origin is reflected together with `Access-Control-Allow-Credentials: true`; browsers refuse the literal `*` for credentialed requests."}, "properties": {"repobilityId": 145832, "scanner": "repobility-threat-engine", "fingerprint": "79c68f62eefd408a43592acb0b85f1f451f09b58ecefd8dc9ae99d70b07433bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|79c68f62eefd408a43592acb0b85f1f451f09b58ecefd8dc9ae99d70b07433bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/\u7834\u76ae\u7248workers_\u8d85\u660e\u6587.js"}, "region": {"startLine": 167}}}]}, 
{"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make cross-origin requests and read the responses. Especially dangerous when the request origin is reflected together with `Access-Control-Allow-Credentials: true`; browsers refuse the literal `*` for credentialed requests."}, "properties": {"repobilityId": 145831, "scanner": "repobility-threat-engine", "fingerprint": "16cde83f1a398396ca7719fe4836ad575679aeb8d275957cf334b3ece1c214df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|16cde83f1a398396ca7719fe4836ad575679aeb8d275957cf334b3ece1c214df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/workers/\u7834\u76ae\u7248workers_\u8d85\u660e\u6587.js"}, "region": {"startLine": 167}}}]}, 
{"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make cross-origin requests and read the responses. Especially dangerous when the request origin is reflected together with `Access-Control-Allow-Credentials: true`; browsers refuse the literal `*` for credentialed requests."}, "properties": {"repobilityId": 145830, "scanner": "repobility-threat-engine", "fingerprint": "bcf70e0eb6825df29edc37a40543debcebbffa6867a2e55b0a3bf15a2d5f19b7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bcf70e0eb6825df29edc37a40543debcebbffa6867a2e55b0a3bf15a2d5f19b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "add_encryption.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145814, "scanner": "repobility-supply-chain", "fingerprint": "8eb8ac5c22b2e69e2d264c3c04472fd84eb2ecc5136aad52701501f4c4339b9e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8eb8ac5c22b2e69e2d264c3c04472fd84eb2ecc5136aad52701501f4c4339b9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-vless-configs.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 145813, "scanner": "repobility-supply-chain", "fingerprint": "8c3c857e989b5cde76dadda471c7ac17e022a63ce98e57e768b68bece778795f", 
"category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c3c857e989b5cde76dadda471c7ac17e022a63ce98e57e768b68bece778795f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-browser.yml"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145812, "scanner": "repobility-supply-chain", "fingerprint": "fe0b159dec743673d0a09e4306daacf6cf91fdb74a62f5d4801362f6624d1415", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe0b159dec743673d0a09e4306daacf6cf91fdb74a62f5d4801362f6624d1415"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-browser.yml"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145811, "scanner": "repobility-supply-chain", "fingerprint": "5d634b71a04691217911e8ee53c61eb26e49b1d3244454e03e750eb2c4a9daa2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 
0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d634b71a04691217911e8ee53c61eb26e49b1d3244454e03e750eb2c4a9daa2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-browser.yml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145810, "scanner": "repobility-supply-chain", "fingerprint": "15b12ad60f112fc7bba7646e9a09b3edcc5a0cfe5a833aec98fa7275ce5ec2e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15b12ad60f112fc7bba7646e9a09b3edcc5a0cfe5a833aec98fa7275ce5ec2e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-browser.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145809, "scanner": "repobility-supply-chain", "fingerprint": "78b46af2d68c7c2379009d3fcebe6dbaced6ae2670e684c8582558a1be9717aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|78b46af2d68c7c2379009d3fcebe6dbaced6ae2670e684c8582558a1be9717aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-browser.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": 
"error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145808, "scanner": "repobility-supply-chain", "fingerprint": "15e61e7984116196b695734fa890832307633ceb165e08089beed134822ac44f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15e61e7984116196b695734fa890832307633ceb165e08089beed134822ac44f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-browser.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145807, "scanner": "repobility-supply-chain", "fingerprint": "52c313986f00e3d45808d01b2108d6e86901b768c6f5e5b56d780f2b6c888e4c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|52c313986f00e3d45808d01b2108d6e86901b768c6f5e5b56d780f2b6c888e4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-browser.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145806, "scanner": "repobility-supply-chain", "fingerprint": "3473a9eec2484fa089eed7c304e17952371fbca19ccd93534136c65e45036dc9", "category": "dependency", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3473a9eec2484fa089eed7c304e17952371fbca19ccd93534136c65e45036dc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-browser.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145805, "scanner": "repobility-supply-chain", "fingerprint": "0e5c9be048ce32c0ad853fbe88b8855a550866c9d6d915a9e86212c0d11c18ed", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e5c9be048ce32c0ad853fbe88b8855a550866c9d6d915a9e86212c0d11c18ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-browser.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145804, "scanner": "repobility-supply-chain", "fingerprint": "407be97621d5676fe170e7ca7e84c79c6eadcde7422c7e824e1d26ecfaf7ea12", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|407be97621d5676fe170e7ca7e84c79c6eadcde7422c7e824e1d26ecfaf7ea12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-browser.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 145803, "scanner": "repobility-supply-chain", "fingerprint": "93897247c7dcf67d51d6cc706a5030dd314067fd2b4bbd007cd4b8f5de8b2be6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93897247c7dcf67d51d6cc706a5030dd314067fd2b4bbd007cd4b8f5de8b2be6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-browser.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "Lockfile pulls package from off-canonical host `registry.npmmirror.com`"}, "properties": {"repobilityId": 145802, "scanner": "repobility-supply-chain", "fingerprint": "0f4ffb72b685731d97bc398962e11d1e5faff14970286ab6ef30e0fc3adb7d71", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f4ffb72b685731d97bc398962e11d1e5faff14970286ab6ef30e0fc3adb7d71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": 
"`self.close` used but never assigned in __init__"}, "properties": {"repobilityId": 145795, "scanner": "repobility-ast-engine", "fingerprint": "3746f0954676f5c27d9f4ca0c60f46c69d68809b6d6e64aab5dbdd6b323b4e7c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3746f0954676f5c27d9f4ca0c60f46c69d68809b6d6e64aab5dbdd6b323b4e7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 490}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_request` used but never assigned in __init__"}, "properties": {"repobilityId": 145794, "scanner": "repobility-ast-engine", "fingerprint": "c231f144ef1f080311e14d3cd98c7b2fbf5c2348578bdfe9295f61dbb00a2def", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c231f144ef1f080311e14d3cd98c7b2fbf5c2348578bdfe9295f61dbb00a2def"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 453}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_request` used but never assigned in __init__"}, "properties": {"repobilityId": 145793, "scanner": "repobility-ast-engine", "fingerprint": "dd3c5e9e294c2bb8a7618853a825b28609fba4ad34c3f2d073c8d319f2419d64", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dd3c5e9e294c2bb8a7618853a825b28609fba4ad34c3f2d073c8d319f2419d64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 450}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_request` used but never assigned in __init__"}, "properties": {"repobilityId": 145792, "scanner": "repobility-ast-engine", "fingerprint": "cf62c46452f93e27fc2a601076ae012e68aedf71c13e46f57e55c03ad8223a16", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf62c46452f93e27fc2a601076ae012e68aedf71c13e46f57e55c03ad8223a16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 447}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_request` used but never assigned in __init__"}, "properties": {"repobilityId": 145791, "scanner": "repobility-ast-engine", "fingerprint": "f6f31ce4cdfef2614c9c7cdf6f4ecae20a2baea6e4c7d9fffde633081d70fc4e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f6f31ce4cdfef2614c9c7cdf6f4ecae20a2baea6e4c7d9fffde633081d70fc4e"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 444}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._make_request` used but never assigned in __init__"}, "properties": {"repobilityId": 145790, "scanner": "repobility-ast-engine", "fingerprint": "6b2b1ec4037b459afd5f29322a20ea2ccef1ed39f476eff8fad4a1166d1484b2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6b2b1ec4037b459afd5f29322a20ea2ccef1ed39f476eff8fad4a1166d1484b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 441}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._apply_delay` used but never assigned in __init__"}, "properties": {"repobilityId": 145789, "scanner": "repobility-ast-engine", "fingerprint": "b2cc48e2e8399bc544562fe70759f42a38fb991eaabedad1ebebab69365675d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b2cc48e2e8399bc544562fe70759f42a38fb991eaabedad1ebebab69365675d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 397}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._ensure_browser` used but never assigned in __init__"}, "properties": {"repobilityId": 145788, "scanner": "repobility-ast-engine", "fingerprint": 
"70c5b65039d51b8b73ce87e7b45ce9e1d42776a125505476f24ef3ddbc2a150e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|70c5b65039d51b8b73ce87e7b45ce9e1d42776a125505476f24ef3ddbc2a150e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 396}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._resolve_proxy` used but never assigned in __init__"}, "properties": {"repobilityId": 145787, "scanner": "repobility-ast-engine", "fingerprint": "2d1092301ee8c82283eb20a37c25b95ea2529d8d240447370ed9bf1693fd94b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2d1092301ee8c82283eb20a37c25b95ea2529d8d240447370ed9bf1693fd94b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 370}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.status_code` used but never assigned in __init__"}, "properties": {"repobilityId": 145786, "scanner": "repobility-ast-engine", "fingerprint": "eb2b66b4edff7b421e6b84b2f21cf7bba6be7c3c4512560ee1347b0bb66e5d5c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], 
"observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb2b66b4edff7b421e6b84b2f21cf7bba6be7c3c4512560ee1347b0bb66e5d5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.url` used but never assigned in __init__"}, "properties": {"repobilityId": 145785, "scanner": "repobility-ast-engine", "fingerprint": "bf92dc387293aee0f5c7ee1ba585b1028b351eb586eac70ba7bef54b02a2c859", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bf92dc387293aee0f5c7ee1ba585b1028b351eb586eac70ba7bef54b02a2c859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.status_code` used but never assigned in __init__"}, "properties": {"repobilityId": 145784, "scanner": "repobility-ast-engine", "fingerprint": "09cf132e1473c419f04a4034228eeb31858c7a58a6022fe4b4b21337e1e4e212", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|09cf132e1473c419f04a4034228eeb31858c7a58a6022fe4b4b21337e1e4e212"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.text` 
used but never assigned in __init__"}, "properties": {"repobilityId": 145783, "scanner": "repobility-ast-engine", "fingerprint": "d8d77a9e65789a3239b1a2b9d3f12f868ba6d7e938a589b5f1ccd0bce6b22d61", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d8d77a9e65789a3239b1a2b9d3f12f868ba6d7e938a589b5f1ccd0bce6b22d61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/stealth.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._recv_ws_frame_safe` used but never assigned in __init__"}, "properties": {"repobilityId": 145776, "scanner": "repobility-ast-engine", "fingerprint": "5df10c359b971a6c74e86cbf5a3a0f9fd22a99f315b7b430335b4bb346049ef4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5df10c359b971a6c74e86cbf5a3a0f9fd22a99f315b7b430335b4bb346049ef4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 554}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._relay_response` used but never assigned in __init__"}, "properties": {"repobilityId": 145775, "scanner": "repobility-ast-engine", "fingerprint": "73431ad9a2f87f23bbf3cfd6fbc0fee581fb5c4ca4dd1f494f93c84753849864", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|73431ad9a2f87f23bbf3cfd6fbc0fee581fb5c4ca4dd1f494f93c84753849864"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 521}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._relay_bidirectional` used but never assigned in __init__"}, "properties": {"repobilityId": 145774, "scanner": "repobility-ast-engine", "fingerprint": "87a9ab36f0a07585016c876b5bd28df5d1ee3df26d4acb4038eabe8e3c3020fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|87a9ab36f0a07585016c876b5bd28df5d1ee3df26d4acb4038eabe8e3c3020fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 443}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._handle_http` used but never assigned in __init__"}, "properties": {"repobilityId": 145773, "scanner": "repobility-ast-engine", "fingerprint": "8b1ac9c75eeb61640e77a75aef46c88f1d48735b8a4b23c5c2cad1e8c0d89052", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8b1ac9c75eeb61640e77a75aef46c88f1d48735b8a4b23c5c2cad1e8c0d89052"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 390}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._handle_connect` used but never assigned in __init__"}, "properties": {"repobilityId": 145772, "scanner": "repobility-ast-engine", "fingerprint": "8f5fde289929341283eede4134100498474f1e7b18af21e77af102d81e415483", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8f5fde289929341283eede4134100498474f1e7b18af21e77af102d81e415483"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 386}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._handle_client` used but never assigned in __init__"}, "properties": {"repobilityId": 145771, "scanner": "repobility-ast-engine", "fingerprint": "4b0214a81d602a8130c61b4eb1540f6faa6f2b3feb49a509178bea10f94e361f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4b0214a81d602a8130c61b4eb1540f6faa6f2b3feb49a509178bea10f94e361f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 343}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._serve` used but never assigned in __init__"}, "properties": {"repobilityId": 145770, "scanner": "repobility-ast-engine", "fingerprint": 
"b7b18424992c153cd8f00ed1924b793bceb55e89607064f2537857da039c6ab2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b7b18424992c153cd8f00ed1924b793bceb55e89607064f2537857da039c6ab2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 329}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._create_vless_header` used but never assigned in __init__"}, "properties": {"repobilityId": 145769, "scanner": "repobility-ast-engine", "fingerprint": "e29275fb7701ff57f95e934073a400ec3ac7710e7ee20831f815e8ac1763e439", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e29275fb7701ff57f95e934073a400ec3ac7710e7ee20831f815e8ac1763e439"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._websocket_handshake` used but never assigned in __init__"}, "properties": {"repobilityId": 145768, "scanner": "repobility-ast-engine", "fingerprint": "409d0f20d06072618165bc8ac7257e228ffb4f539410ec39a94ca33cb802bf89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], 
"languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|409d0f20d06072618165bc8ac7257e228ffb4f539410ec39a94ca33cb802bf89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/vless_client.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._handle_client` used but never assigned in __init__"}, "properties": {"repobilityId": 145765, "scanner": "repobility-ast-engine", "fingerprint": "46c33f4a287643956d0f930f5e2301fb243249722435f40eb35a8703ab7f3dea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|46c33f4a287643956d0f930f5e2301fb243249722435f40eb35a8703ab7f3dea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/proxy_server.py"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.stop` used but never assigned in __init__"}, "properties": {"repobilityId": 145764, "scanner": "repobility-ast-engine", "fingerprint": "caa2d84b35c4bfdbd50e1d2a1a3e027d6fff646d4c6d22bc6876251da3227400", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|caa2d84b35c4bfdbd50e1d2a1a3e027d6fff646d4c6d22bc6876251da3227400"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/proxy_server.py"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED108", 
"level": "error", "message": {"text": "`self._ensure_vless_proxy` used but never assigned in __init__"}, "properties": {"repobilityId": 145763, "scanner": "repobility-ast-engine", "fingerprint": "3a59d876b210dc2a3012752c4dae384ccb91561849da2af1eafd53c3e34de9d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a59d876b210dc2a3012752c4dae384ccb91561849da2af1eafd53c3e34de9d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/proxy_server.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 145874, "scanner": "gitleaks", "fingerprint": "85f05b85e619583a2142f306579896027e935726dab78b25eb0dc3d760acad33", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "ENCRYPTION_KEY = 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|cfspider_obfuscate.js|1|encryption_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider_obfuscate.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED007", "level": "error", "message": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... 
{user_input} ...\") \u2014 SQL injection."}, "properties": {"repobilityId": 145855, "scanner": "repobility-threat-engine", "fingerprint": "951c2d76374ff4c01693328b3196848538807a676e90880e0f34a8b4c1b36e98", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "sql-string-concat", "owasp": "A03:2021", "cwe_ids": ["CWE-89"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347914+00:00", "triaged_in_corpus": 20, "observations_count": 210457, "ai_coder_pattern_id": 12}, "scanner": "repobility-threat-engine", "correlation_key": "fp|951c2d76374ff4c01693328b3196848538807a676e90880e0f34a8b4c1b36e98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cfspider/export.py"}, "region": {"startLine": 324}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `html` used but not imported"}, "properties": {"repobilityId": 145801, "scanner": "repobility-ast-engine", "fingerprint": "cee923d464bda8d40b19ef79aaeb2bdbd8cc213479502562e69bbd60f99767ae", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cee923d464bda8d40b19ef79aaeb2bdbd8cc213479502562e69bbd60f99767ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x27cn/x27cn/minify.py"}, "region": {"startLine": 270}}}]}]}]}