{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. 
Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC089", "name": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended ", "shortDescription": {"text": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0)."}, "fullDescription": {"text": "Bind to `127.0.0.1:PORT` and front with a reverse proxy."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, 
"fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 18 more): Same pattern found in 18 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 23 more): Same pattern found in 23 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 11 more): Same pattern found in 11 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder` unpinned: `container/services image: qu", "shortDescription": {"text": "[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder` unpinned: `container/services image: quay.io/prometheus/golang-builder` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow containe"}, "fullDescription": {"text": "Replace with `quay.io/prometheus/golang-builder@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `quay.io/prometheus/busybox- (no tag)` not pinned by digest: `FROM quay.io/prometheus/busybox", "shortDescription": {"text": "[MINED118] Dockerfile FROM `quay.io/prometheus/busybox- (no tag)` not pinned by digest: `FROM quay.io/prometheus/busybox- (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build "}, "fullDescription": {"text": "Replace with: `FROM quay.io/prometheus/busybox- (no tag)@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, whic", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NPM_TOKEN }` lets a PR from any fork exfiltrate the secret (modify"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/570"}, "properties": {"repository": "prometheus/prometheus", "repoUrl": "https://github.com/prometheus/prometheus", "branch": "main"}, "results": [{"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 39714, "scanner": "repobility-agent-runtime", "fingerprint": "2eedb705577d6890f60037f43348da387c4b762709bd44e6fbbc5b17e527ef99", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|2eedb705577d6890f60037f43348da387c4b762709bd44e6fbbc5b17e527ef99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/api/v1/testdata/openapi_3.2_golden.yaml"}, "region": {"startLine": 573}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 39713, "scanner": "repobility-agent-runtime", "fingerprint": "2c618e4b4521b2ed7d4b871e5f073e83a54ed714f5cd2b58859874d586ef8a98", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": 
"fp|2c618e4b4521b2ed7d4b871e5f073e83a54ed714f5cd2b58859874d586ef8a98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/api/v1/testdata/openapi_3.1_golden.yaml"}, "region": {"startLine": 573}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 39712, "scanner": "repobility-agent-runtime", "fingerprint": "0ed71435e3797da2b158bc037db252cd87667a736cb3460e9583043293991289", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0ed71435e3797da2b158bc037db252cd87667a736cb3460e9583043293991289"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/moby/testdata/swarmprom/tasks.json"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 39669, "scanner": "repobility-threat-engine", "fingerprint": "bd26d44de818ee2cd3038ea7d292b52b8569a28ec299519d15b0add375414ff7", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(\n                `${pathPrefix}/query?g0.expr=${encodeURIComponent(rule.query)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|60|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/components/RuleDefinition.tsx"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 39653, "scanner": "repobility-threat-engine", "fingerprint": "dda1c7dbfd4d61294d7d5c516f63527a3207fdbe63b9769229aece019ed013d0", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|rules/rule.go|43|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rules/rule.go"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 39652, "scanner": "repobility-threat-engine", "fingerprint": "8570a1965b87dab491dad9e81c7503b43eb611b01ff20691d53d4f58a9165723", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|rules/recording.go|85|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rules/recording.go"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 39645, "scanner": "repobility-threat-engine", "fingerprint": "183e2a0a1be226a69442235443ff9e0bc5b5845523cea5da8409b5d21cfbade0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.ListenAndServe(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|183e2a0a1be226a69442235443ff9e0bc5b5845523cea5da8409b5d21cfbade0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/examples/remote_storage/remote_storage_adapter/main.go"}, "region": {"startLine": 280}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 39644, "scanner": "repobility-threat-engine", "fingerprint": "53ca403348b7f68d28895d6ab8cd244c2b8df81b0144a36d708674fc6ac233ac", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.ListenAndServe(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53ca403348b7f68d28895d6ab8cd244c2b8df81b0144a36d708674fc6ac233ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/examples/remote_storage/example_write_adapter/server.go"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC089", "level": "warning", "message": {"text": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended scope. 
Ported from gosec G102 (Apache-2.0)."}, "properties": {"repobilityId": 39643, "scanner": "repobility-threat-engine", "fingerprint": "b47865f3435df45bf892b99b7059904e4d8e3b6d81326c1dcd7ca809bd0d89e4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Listen(\"tcp\", \":0\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC089", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b47865f3435df45bf892b99b7059904e4d8e3b6d81326c1dcd7ca809bd0d89e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "util/testutil/port.go"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC089", "level": "warning", "message": {"text": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0)."}, "properties": {"repobilityId": 39642, "scanner": "repobility-threat-engine", "fingerprint": "34b037556002bb9cb89906da07df2464c791818f976c57973204cbee31bbbbee", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".ListenAndServe(\":1234\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC089", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|34b037556002bb9cb89906da07df2464c791818f976c57973204cbee31bbbbee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/examples/remote_storage/example_write_adapter/server.go"}, "region": {"startLine": 73}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 39716, "scanner": 
"repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "974ec7df04a315fc1df12bffb72af2e72e38dd6eabd74ef8b969dc9f0afc367a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tsdb/fileutil/flock_aix.go", "duplicate_line": 1, "correlation_key": "fp|974ec7df04a315fc1df12bffb72af2e72e38dd6eabd74ef8b969dc9f0afc367a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tsdb/fileutil/flock_unix.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ba1968c9f46badc86e90db17c30ae38cfa695763225e439fb9a93ea2f3efbc25", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tsdb/fileutil/flock_aix.go", "duplicate_line": 1, "correlation_key": "fp|ba1968c9f46badc86e90db17c30ae38cfa695763225e439fb9a93ea2f3efbc25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tsdb/fileutil/flock_solaris.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9cc6aa5ddba50cbbca810f2987a4d3a8de080d60ca8e8385f1c14ef21caf6d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/promtool/unittest.go", "duplicate_line": 497, "correlation_key": "fp|b9cc6aa5ddba50cbbca810f2987a4d3a8de080d60ca8e8385f1c14ef21caf6d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rules/manager.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2cfca7cff6f37407aee54ca650c4fcdfe21dbc9c9bb15e51ca9a4293058dfc1a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "prompb/codec.go", "duplicate_line": 40, "correlation_key": "fp|2cfca7cff6f37407aee54ca650c4fcdfe21dbc9c9bb15e51ca9a4293058dfc1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "prompb/io/prometheus/write/v2/codec.go"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9cd817fe000f4f30c37eb7004109e617f63e492e7e8dc2b097f27d6d452e05c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "model/textparse/openmetricsparse.go", "duplicate_line": 134, "correlation_key": "fp|d9cd817fe000f4f30c37eb7004109e617f63e492e7e8dc2b097f27d6d452e05c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/textparse/promparse.go"}, "region": {"startLine": 169}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "165e68f0a04fafbb04d0339b73f0beeda30e208d4183e36e9fd88f7c9cb9f7f7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "model/textparse/openmetricslex.l.go", "duplicate_line": 6, 
"correlation_key": "fp|165e68f0a04fafbb04d0339b73f0beeda30e208d4183e36e9fd88f7c9cb9f7f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/textparse/promlex.l.go"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "844d68fc9b2e2616eaf4b55d091d6f39de2ca8620b0f9f9a76d2b2eba694c825", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "model/labels/labels_dedupelabels.go", "duplicate_line": 124, "correlation_key": "fp|844d68fc9b2e2616eaf4b55d091d6f39de2ca8620b0f9f9a76d2b2eba694c825"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/labels/sharding_dedupelabels.go"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6273a9c181f06e5ebd182e6c07fa831cd5a2da7efcf2297896eb285c29bcf98", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "model/labels/labels_slicelabels.go", "duplicate_line": 42, "correlation_key": "fp|f6273a9c181f06e5ebd182e6c07fa831cd5a2da7efcf2297896eb285c29bcf98"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "model/labels/sharding.go"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e0d444caadc9efa5fc027bdc6981e8339de4762e3d89c9f5d4d0427f001b031", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "model/labels/labels_slicelabels.go", "duplicate_line": 288, "correlation_key": "fp|8e0d444caadc9efa5fc027bdc6981e8339de4762e3d89c9f5d4d0427f001b031"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/labels/labels_stringlabels.go"}, "region": {"startLine": 342}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd2380067dcf069cfd7d99ce3881e5ae5ea97c320a849ff9aa689db7b0afb8c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "model/labels/labels_dedupelabels.go", "duplicate_line": 109, "correlation_key": "fp|cd2380067dcf069cfd7d99ce3881e5ae5ea97c320a849ff9aa689db7b0afb8c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/labels/labels_stringlabels.go"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 39701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e5f9a673a88175fbca00522cc442740b3ac82e4f62a8f6dfb90bd9fb1cb2ca23", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/hetzner/hetzner.go", "duplicate_line": 25, "correlation_key": "fp|e5f9a673a88175fbca00522cc442740b3ac82e4f62a8f6dfb90bd9fb1cb2ca23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/vultr/vultr.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "24828b5dfd29b9b8e1684b260fefe4c065b99bef4b56d327a69d7057628952e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/eureka/eureka.go", "duplicate_line": 59, "correlation_key": "fp|24828b5dfd29b9b8e1684b260fefe4c065b99bef4b56d327a69d7057628952e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/uyuni/uyuni.go"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39699, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"41796b6f4218550bc813d99866826aea9eb672355b9bd37dc5b5ed060ddc444b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/digitalocean/digitalocean.go", "duplicate_line": 77, "correlation_key": "fp|41796b6f4218550bc813d99866826aea9eb672355b9bd37dc5b5ed060ddc444b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/uyuni/uyuni.go"}, "region": {"startLine": 90}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "949dc0d2a6c51e93a7c6a80c044bf411a61e2f87a0bb447ff57e0166595ab822", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/marathon/marathon.go", "duplicate_line": 136, "correlation_key": "fp|949dc0d2a6c51e93a7c6a80c044bf411a61e2f87a0bb447ff57e0166595ab822"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/scaleway/scaleway.go"}, "region": {"startLine": 174}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d0bfe83a62b9e20d9e171d9d8fa20222490306908862338c5e81435547758923", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/scaleway/baremetal.go", "duplicate_line": 46, "correlation_key": "fp|d0bfe83a62b9e20d9e171d9d8fa20222490306908862338c5e81435547758923"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/scaleway/instance.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bcce23f9ba6c2de632602ad44223529945e3d5393a6fe971a1775bde58120422", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/digitalocean/digitalocean.go", "duplicate_line": 77, "correlation_key": "fp|bcce23f9ba6c2de632602ad44223529945e3d5393a6fe971a1775bde58120422"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/puppetdb/puppetdb.go"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39695, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e520e0b09ac372e77d79c224abf4372995b5f97a302ee0ca8ffe6b44325cc77", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/http/http.go", "duplicate_line": 10, "correlation_key": "fp|5e520e0b09ac372e77d79c224abf4372995b5f97a302ee0ca8ffe6b44325cc77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/puppetdb/puppetdb.go"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39694, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2c61858010e5d500423d91193b93ed6cd3872da59198c72f7cc95bd2a8f2b6b6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/ovhcloud/dedicated_server.go", "duplicate_line": 1, "correlation_key": "fp|2c61858010e5d500423d91193b93ed6cd3872da59198c72f7cc95bd2a8f2b6b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/ovhcloud/vps.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39693, "scanner": "repobility-ai-code-hygiene", "fingerprint": "82e6695d2b1d45e36740c57a4befb188a9fbf472015858fe6273782a9c4b79c1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/digitalocean/digitalocean.go", "duplicate_line": 77, 
"correlation_key": "fp|82e6695d2b1d45e36740c57a4befb188a9fbf472015858fe6273782a9c4b79c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/nomad/nomad.go"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39692, "scanner": "repobility-ai-code-hygiene", "fingerprint": "934c074885ab9695e974dd9e7f142fb32df91afd3cbfb79c61e4a70b8d9d45f9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/moby/docker.go", "duplicate_line": 100, "correlation_key": "fp|934c074885ab9695e974dd9e7f142fb32df91afd3cbfb79c61e4a70b8d9d45f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/moby/dockerswarm.go"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39691, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3d69ce8ba4e7d0f34252912fe3576793dfc6b7cb831274012198ceed0f750408", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/digitalocean/digitalocean.go", "duplicate_line": 77, "correlation_key": "fp|3d69ce8ba4e7d0f34252912fe3576793dfc6b7cb831274012198ceed0f750408"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"discovery/linode/linode.go"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39690, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac1f6a89a915f07afc9be77da51450c5841422b3e16c79cc79adc148689f67ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/kubernetes/ingress.go", "duplicate_line": 54, "correlation_key": "fp|ac1f6a89a915f07afc9be77da51450c5841422b3e16c79cc79adc148689f67ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/kubernetes/service.go"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39689, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6ba35b31de96c22e371a00573a6f92e7d99c8bab3215f5a71b087f3b16f4f87e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/kubernetes/endpoints.go", "duplicate_line": 1, "correlation_key": "fp|6ba35b31de96c22e371a00573a6f92e7d99c8bab3215f5a71b087f3b16f4f87e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/kubernetes/service.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across 
source files"}, "properties": {"repobilityId": 39688, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a4589a6cd60cd9a75f40e613b0efcc90fbb1db0cd144ec8d800752f1f69ffba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/kubernetes/node.go", "duplicate_line": 1, "correlation_key": "fp|6a4589a6cd60cd9a75f40e613b0efcc90fbb1db0cd144ec8d800752f1f69ffba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/kubernetes/pod.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39687, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be84e862d0f03eb9646546345e1d3e46e6f029642d55410ae13550e459622663", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/kubernetes/endpoints.go", "duplicate_line": 20, "correlation_key": "fp|be84e862d0f03eb9646546345e1d3e46e6f029642d55410ae13550e459622663"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/kubernetes/endpointslice.go"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39686, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"5e21acfa595264c1e8d2cfb4933b635355cf099e21889cb65ce4db46b1bd02f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/digitalocean/digitalocean.go", "duplicate_line": 77, "correlation_key": "fp|5e21acfa595264c1e8d2cfb4933b635355cf099e21889cb65ce4db46b1bd02f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/http/http.go"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39685, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d05bc6b998e4f967cc29863424715dd642e8e0b27905fa9e2a61bba3d60e4798", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/digitalocean/digitalocean.go", "duplicate_line": 77, "correlation_key": "fp|d05bc6b998e4f967cc29863424715dd642e8e0b27905fa9e2a61bba3d60e4798"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/eureka/eureka.go"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a8e68c761bc27b3cd768495696e4094d5788624f2dfd714ad2998067413fafad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/aws/ecs.go", "duplicate_line": 74, "correlation_key": "fp|a8e68c761bc27b3cd768495696e4094d5788624f2dfd714ad2998067413fafad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/aws/msk.go"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39683, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc0d36761e13a6f64e86e14ad439f2e0bfded70a9337cd0aa7838609cd22711b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/aws/ec2.go", "duplicate_line": 17, "correlation_key": "fp|fc0d36761e13a6f64e86e14ad439f2e0bfded70a9337cd0aa7838609cd22711b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/aws/lightsail.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 39682, "scanner": "repobility-ai-code-hygiene", "fingerprint": "994920d391df877aab0ede7b15246b1544ca88a6e89727f5a88fbabf20a7eeca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discovery/aws/ecs.go", "duplicate_line": 20, "correlation_key": "fp|994920d391df877aab0ede7b15246b1544ca88a6e89727f5a88fbabf20a7eeca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/aws/elasticache.go"}, "region": {"startLine": 19}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 39648, "scanner": "repobility-threat-engine", "fingerprint": "ab3db42eb3fd4e8c79542b676a4b2decac394d156cc6e43ebfd7722bea8c51f1", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = h.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ab3db42eb3fd4e8c79542b676a4b2decac394d156cc6e43ebfd7722bea8c51f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/labels/sharding_stringlabels.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 39647, "scanner": "repobility-threat-engine", "fingerprint": "97c60bca53915fb24d5c06367cc3a094b0fa10fe7ab6281cf9e03220477eacfe", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = h.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|97c60bca53915fb24d5c06367cc3a094b0fa10fe7ab6281cf9e03220477eacfe"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/labels/sharding_dedupelabels.go"}, "region": {"startLine": 33}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 39646, "scanner": "repobility-threat-engine", "fingerprint": "73d5adb81db385e0a0ac2c51c000e2b25c45ccd78d2fe0c9374726adf269357b", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = h.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|73d5adb81db385e0a0ac2c51c000e2b25c45ccd78d2fe0c9374726adf269357b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/labels/sharding.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 39717, "scanner": "repobility-docker", "fingerprint": "7dda8221c36ae96eba7fde6a75a6859f00c393ba9246839b12ace970e90e20d2", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "gcr.io/distroless/static-debian13:nonroot-${DISTROLESS_ARCH}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|7dda8221c36ae96eba7fde6a75a6859f00c393ba9246839b12ace970e90e20d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.distroless"}, "region": 
{"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 39715, "scanner": "repobility-docker", "fingerprint": "07ac07aaad9b7cd6ea2baf16093cbc8300bab87f1dd1fa6eaf1ff8573df8b045", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "quay.io/prometheus/busybox-${OS}-${ARCH}:latest", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|07ac07aaad9b7cd6ea2baf16093cbc8300bab87f1dd1fa6eaf1ff8573df8b045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 39681, "scanner": "repobility-threat-engine", "fingerprint": "57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "aggregated_count": 2}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 39680, "scanner": "repobility-threat-engine", "fingerprint": "f1238d8ae03c705b7427f57f7d92be1067b67a96be8d01712e06ca92941bdfcf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f1238d8ae03c705b7427f57f7d92be1067b67a96be8d01712e06ca92941bdfcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/react-app/src/pages/graph/TimeInput.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 39679, "scanner": "repobility-threat-engine", "fingerprint": "37980f373b3233d25d9a04a2948c6e99972e7620e8aa6dcf0305221d76695f22", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37980f373b3233d25d9a04a2948c6e99972e7620e8aa6dcf0305221d76695f22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/react-app/src/pages/graph/GraphTabContent.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 39678, "scanner": "repobility-threat-engine", "fingerprint": "27ea35aaa67253732b47996fbf75bbd011d53c0cf1ce6bedc3621e6fd0cde8d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|27ea35aaa67253732b47996fbf75bbd011d53c0cf1ce6bedc3621e6fd0cde8d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/react-app/src/pages/graph/Graph.tsx"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 39677, "scanner": "repobility-threat-engine", "fingerprint": "e4de8a3e56f4d368357c73f71c8440dd843498fb03ecee8c076b54a2931fdb22", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4de8a3e56f4d368357c73f71c8440dd843498fb03ecee8c076b54a2931fdb22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/react-app/src/hooks/useFetch.ts"}, "region": {"startLine": 
22}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 39672, "scanner": "repobility-threat-engine", "fingerprint": "29e875456b3f8aecdd5e324ed7fc2f91ae4df0da16d0b60c6ee943bb2d1719b6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|29e875456b3f8aecdd5e324ed7fc2f91ae4df0da16d0b60c6ee943bb2d1719b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/react-app/src/pages/graph/MetricsExplorer.tsx"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 39671, "scanner": "repobility-threat-engine", "fingerprint": "989780f37f2cf5227096d8fed378c0f37b1e30a4e3d0a8f22a56047bed11dba2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|989780f37f2cf5227096d8fed378c0f37b1e30a4e3d0a8f22a56047bed11dba2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/react-app/src/pages/flags/Flags.tsx"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 39670, "scanner": "repobility-threat-engine", "fingerprint": "d84d8a6fe79175b2c16d9b8f0796f8626351e83974cc036f3e9e19fb93dd35b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d84d8a6fe79175b2c16d9b8f0796f8626351e83974cc036f3e9e19fb93dd35b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/pages/query/MetricsExplorer/MetricsExplorer.tsx"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 39668, "scanner": "repobility-threat-engine", "fingerprint": "6faababe47c10eb2d2e90656cb5b77d5d842a1ecb758e761f309546c06fe3100", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6faababe47c10eb2d2e90656cb5b77d5d842a1ecb758e761f309546c06fe3100", "aggregated_count": 18}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 39667, "scanner": "repobility-threat-engine", "fingerprint": "070598eccf99e955f82f3037c72da8ad7db87169fd28375c04a3fd4cb0406a5d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|070598eccf99e955f82f3037c72da8ad7db87169fd28375c04a3fd4cb0406a5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/pages/query/ExplainViews/BinaryExpr/VectorScalar.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 39666, "scanner": "repobility-threat-engine", "fingerprint": 
"8b10ecced8f172caec50e70df9c5ee45cdbf9af7dd0938b7883d3b01315e8bb7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8b10ecced8f172caec50e70df9c5ee45cdbf9af7dd0938b7883d3b01315e8bb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/pages/query/DataTable.tsx"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 39665, "scanner": "repobility-threat-engine", "fingerprint": "2f30f0355ee26daffcb401e7d6aaf11f3e551a24ca489dfa04f0f5c0a6f2aa54", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f30f0355ee26daffcb401e7d6aaf11f3e551a24ca489dfa04f0f5c0a6f2aa54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/components/NotificationsIcon.tsx"}, "region": {"startLine": 73}}}]}, {"ruleId": 
"MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 39664, "scanner": "repobility-threat-engine", "fingerprint": "f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "aggregated_count": 2}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 39663, "scanner": "repobility-threat-engine", "fingerprint": "61a03195437747a24a31426cbb8e0a0a95d336e58d1191bbe1707f89417c24c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|61a03195437747a24a31426cbb8e0a0a95d336e58d1191bbe1707f89417c24c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/pages/query/urlStateEncoding.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 39662, "scanner": "repobility-threat-engine", "fingerprint": "75d51ff915883c14ed895ba06a0d32208cf2bb81e7d7e07cd7c98c3b1e72f24a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|75d51ff915883c14ed895ba06a0d32208cf2bb81e7d7e07cd7c98c3b1e72f24a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/pages/query/HistogramHelpers.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 39661, "scanner": "repobility-threat-engine", "fingerprint": "f42aff3f832962ad5eff0033fa36361a15c70b4e5d80f7d995b874d2dab1c436", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f42aff3f832962ad5eff0033fa36361a15c70b4e5d80f7d995b874d2dab1c436"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/components/ErrorBoundary.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 39660, "scanner": "repobility-threat-engine", "fingerprint": "3a22ac02b2baf370d83ba17a8bec43c4e714d3f46e5467e1b51a8599f7854e5a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3a22ac02b2baf370d83ba17a8bec43c4e714d3f46e5467e1b51a8599f7854e5a", "aggregated_count": 1}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 39659, "scanner": "repobility-threat-engine", "fingerprint": "986601db2481163b6eaeb66bbfff637022ae83cd2d3fec6c0a6b3630e185fc6d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|986601db2481163b6eaeb66bbfff637022ae83cd2d3fec6c0a6b3630e185fc6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/promql/format.tsx"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 39658, "scanner": "repobility-threat-engine", "fingerprint": "d1eae6011882e81cdafb63f8ddf6daa5a2810fa9a139dcfb105678eba7946616", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1eae6011882e81cdafb63f8ddf6daa5a2810fa9a139dcfb105678eba7946616"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/pages/query/ExplainViews/Selector.tsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 39657, "scanner": "repobility-threat-engine", "fingerprint": "0a80f1c2415817b1c3412e00804d0127f481e4820fd06da8175f2cdc3d1ff0ed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a80f1c2415817b1c3412e00804d0127f481e4820fd06da8175f2cdc3d1ff0ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/api/api.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 39654, "scanner": "repobility-threat-engine", "fingerprint": "2825919e3752e321609f5d7586f86fda123b3729325038383a5c7ddf07427843", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2825919e3752e321609f5d7586f86fda123b3729325038383a5c7ddf07427843"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"scripts/npm-deps.sh"}, "region": {"startLine": 22}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 39649, "scanner": "repobility-threat-engine", "fingerprint": "c2ef8a4052cc43168cf34ed503af47b61b5036cea675cb573b7c2d5e610896e8", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c2ef8a4052cc43168cf34ed503af47b61b5036cea675cb573b7c2d5e610896e8"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 39641, "scanner": "repobility-threat-engine", "fingerprint": "65dc7d08e212758306b56b9f7ff3d6a341f4738ff842f306b6584228c82d1531", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|65dc7d08e212758306b56b9f7ff3d6a341f4738ff842f306b6584228c82d1531"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"web/ui/react-app/src/pages/targets/__testdata__/testdata.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 39640, "scanner": "repobility-threat-engine", "fingerprint": "976e785a742905527a49e570546044571fb993106585c0cdbd062501b767f09c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|976e785a742905527a49e570546044571fb993106585c0cdbd062501b767f09c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/examples/custom-sd/adapter-usage/main.go"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 39639, "scanner": "repobility-threat-engine", "fingerprint": "797ac08af64cfd8951f5264be2adbb203467dff3226e02e5b405517ebcfe2257", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|797ac08af64cfd8951f5264be2adbb203467dff3226e02e5b405517ebcfe2257", "aggregated_count": 23}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 39638, "scanner": "repobility-threat-engine", "fingerprint": "23105e51022c9266f677f2946a92e04cd4604cffcc01b26802ced39b8495ca55", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23105e51022c9266f677f2946a92e04cd4604cffcc01b26802ced39b8495ca55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/registry.go"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 39637, "scanner": "repobility-threat-engine", "fingerprint": "d7e91dae2b1bfd510a29ac23df0b3e92710da04f04adc8e2f830f697b5cb9dbb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7e91dae2b1bfd510a29ac23df0b3e92710da04f04adc8e2f830f697b5cb9dbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/moby/dockerswarm.go"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 39636, "scanner": "repobility-threat-engine", "fingerprint": "b88422f51f88466ec0f4062e6c3ec89168cb16b75712ce6e8923f276d94a915c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b88422f51f88466ec0f4062e6c3ec89168cb16b75712ce6e8923f276d94a915c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/file/file.go"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 39635, "scanner": "repobility-threat-engine", "fingerprint": "a9f7434b2f69947e6180a6b2a757bdbb37b931d7cae2cfec8a602169b850530a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a9f7434b2f69947e6180a6b2a757bdbb37b931d7cae2cfec8a602169b850530a", "aggregated_count": 11}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 39631, "scanner": "repobility-threat-engine", "fingerprint": "4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2"}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 14 more): Same pattern found in 14 additional files. 
Review if needed."}, "properties": {"repobilityId": 39627, "scanner": "repobility-threat-engine", "fingerprint": "185c4b255d471aca81dfa517df322f9662cd13f873d2a8d018869153defa25fa", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|185c4b255d471aca81dfa517df322f9662cd13f873d2a8d018869153defa25fa", "aggregated_count": 14}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 39626, "scanner": "repobility-threat-engine", "fingerprint": "2ec6a5e6fe02b15843bc4abe2f5e8a6fc129548f2b5c5d7f45bd044d4c4cbf50", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ec6a5e6fe02b15843bc4abe2f5e8a6fc129548f2b5c5d7f45bd044d4c4cbf50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/promtool/metrics.go"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED060", 
"level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 39625, "scanner": "repobility-threat-engine", "fingerprint": "e587d8a6c0779620e3ff74a443a62518f1f700f4867b3887a404b244214678ac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e587d8a6c0779620e3ff74a443a62518f1f700f4867b3887a404b244214678ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/promtool/backfill.go"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 39624, "scanner": "repobility-threat-engine", "fingerprint": "384a82062e70fd67bbbe04818148a04473fa9f8b7f5f43f4e83c65e570b314fe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|384a82062e70fd67bbbe04818148a04473fa9f8b7f5f43f4e83c65e570b314fe"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "cmd/promtool/analyze.go"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder` unpinned: `container/services image: quay.io/prometheus/golang-builder` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 39731, "scanner": "repobility-supply-chain", "fingerprint": "d4a3071e9a2c57c1ad4b1bc2fc61d063825437a18f196c34b866dbc79a219b16", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d4a3071e9a2c57c1ad4b1bc2fc61d063825437a18f196c34b866dbc79a219b16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repo_sync.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 39730, "scanner": "repobility-supply-chain", "fingerprint": "c8b800f9fd450a32bde5a6301ff7f71bcbfcc5509d7407a3cbb008188c830faf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8b800f9fd450a32bde5a6301ff7f71bcbfcc5509d7407a3cbb008188c830faf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 39729, "scanner": "repobility-supply-chain", "fingerprint": "2ca658dbf066471c07bb480733f7e68aec5bdf402fb7321b3d54cb395c469dab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ca658dbf066471c07bb480733f7e68aec5bdf402fb7321b3d54cb395c469dab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 39728, "scanner": "repobility-supply-chain", "fingerprint": "4e0507c221e964d9a8ffb5ffd8b94fa5fddec020709ceed0eb4e6579a22efc33", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e0507c221e964d9a8ffb5ffd8b94fa5fddec020709ceed0eb4e6579a22efc33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 39727, "scanner": "repobility-supply-chain", "fingerprint": "1b160387bb2c3a6df3b9e4a656a4f311e960edcb19721c6ffe3d9fbde2002828", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b160387bb2c3a6df3b9e4a656a4f311e960edcb19721c6ffe3d9fbde2002828"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.25-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.25-base` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 39726, "scanner": "repobility-supply-chain", "fingerprint": "bf053c503524b797cfbae73bca93011ec257ba3d0bf264d46afc2c20614aa580", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf053c503524b797cfbae73bca93011ec257ba3d0bf264d46afc2c20614aa580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 39725, "scanner": "repobility-supply-chain", "fingerprint": "40a7110552dfbd4620fde76af177d04011b61124c09653226d4aa10faccff055", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40a7110552dfbd4620fde76af177d04011b61124c09653226d4aa10faccff055"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 39724, "scanner": "repobility-supply-chain", "fingerprint": "d10d75562e1c3a804312d40a28a8fd73be2f7685f70c0a458d379f09bb5d5a0d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d10d75562e1c3a804312d40a28a8fd73be2f7685f70c0a458d379f09bb5d5a0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 39723, "scanner": "repobility-supply-chain", "fingerprint": "421ebfd1371e96e3bdb8a920f1c1df9c4c3a3bc45b02120e99a444d1baf91695", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|421ebfd1371e96e3bdb8a920f1c1df9c4c3a3bc45b02120e99a444d1baf91695"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 39722, "scanner": "repobility-supply-chain", "fingerprint": "47a38d076fae56bd17ec3488082dc6499b1a48c053f6c59ad42ac590705510d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47a38d076fae56bd17ec3488082dc6499b1a48c053f6c59ad42ac590705510d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `quay.io/prometheus/busybox- (no tag)` not pinned by digest: `FROM quay.io/prometheus/busybox- (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity. Review note: the trailing `-` in the reported reference suggests the tag is assembled from build `ARG`s that the scanner could not expand, so the reported image name should not be taken literally; the digest-pinning advice still applies to the concrete reference, and a digest pin needs an automated updater (Renovate/Dependabot-style) so the base image keeps receiving security patches."}, "properties": {"repobilityId": 39719, "scanner": "repobility-supply-chain", "fingerprint": "1c76858a97908b44ab349b141e09e506031b35da440c885f950587f5e5d3576e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c76858a97908b44ab349b141e09e506031b35da440c885f950587f5e5d3576e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `gcr.io/distroless/static-debian13:nonroot-` not pinned by digest: `FROM gcr.io/distroless/static-debian13:nonroot-` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 39718, "scanner": "repobility-supply-chain", "fingerprint": "d28e424a93b0cbb3d6de87dd4d802ee7bfa4a8f6160c260c333cf1224a4b70f1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d28e424a93b0cbb3d6de87dd4d802ee7bfa4a8f6160c260c333cf1224a4b70f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.distroless"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 39676, "scanner": "repobility-threat-engine", "fingerprint": "0c956284bd773e136ee6ae7731a3a5a3e35d9d61024ee4fc2028d665bc2543b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0c956284bd773e136ee6ae7731a3a5a3e35d9d61024ee4fc2028d665bc2543b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/state/queryPageSlice.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC040", 
"level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 39675, "scanner": "repobility-threat-engine", "fingerprint": "ea6ea6c7ca9a7bc6c6b1b588db36a4d700aed0cbb3230ae55dc54fdacbc5ad25", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((k) => `<div class=\"mb-1\"><strong>${escapeHTML(k)}</strong>: ${escapeHTML(labels[k])}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea6ea6c7ca9a7bc6c6b1b588db36a4d700aed0cbb3230ae55dc54fdacbc5ad25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/react-app/src/pages/graph/GraphHelpers.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 39674, "scanner": "repobility-threat-engine", "fingerprint": "75a34054b18d71cee8165980e22d31a3395ae8fdffc6587e984d9cec316c08c7", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([flag, value]) => `--${flag}${flagSeparator}${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|75a34054b18d71cee8165980e22d31a3395ae8fdffc6587e984d9cec316c08c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/react-app/src/pages/flags/Flags.tsx"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 39673, "scanner": "repobility-threat-engine", "fingerprint": "d064092821094c56771532438dca5ba1774e9dc36156496e6f42750d25263dce", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n      (m) => `${maybeQuoteLabelName(m.name)}${m.type}\"${escapeString(m.value)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d064092821094c56771532438dca5ba1774e9dc36156496e6f42750d25263dce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/promql/serialize.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Review note: browsers refuse to send cookies or HTTP-auth credentials when this header is the literal `*`, and they reject a response that pairs `*` with `Access-Control-Allow-Credentials: true`, so `*` on its own exposes only responses that are already readable without credentials. The dangerous variant is a reflected request `Origin` together with `Access-Control-Allow-Credentials: true`. Confirm whether this endpoint returns authenticated data and whether the origin is ever reflected before keeping this at high severity."}, "properties": {"repobilityId": 39656, "scanner": "repobility-threat-engine", "fingerprint": "0efd6a355cee96d96ef77953362bc4e6777e9cba9a626b97c3fe0fef24b24dde", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0efd6a355cee96d96ef77953362bc4e6777e9cba9a626b97c3fe0fef24b24dde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "util/httputil/cors.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). Review note: the reported line (18) is near the top of the file, which is consistent with an import of `crypto/md5` or `crypto/sha1` rather than a call site; confirm whether the digest feeds an integrity or authentication decision or is only a non-adversarial fingerprint, which this rule cannot distinguish."}, "properties": {"repobilityId": 39651, "scanner": "repobility-threat-engine", "fingerprint": "da5db8bc95a5f0b489f6ece12b4d12cd4f6211f69a8bf34e7f8f2a5c91e030ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da5db8bc95a5f0b489f6ece12b4d12cd4f6211f69a8bf34e7f8f2a5c91e030ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "storage/remote/storage.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for 
security context (not just checksums)."}, "properties": {"repobilityId": 39650, "scanner": "repobility-threat-engine", "fingerprint": "c29b8246cd05482ed1b493e1084eab75e943aad49ab6956fe0458c7ef9059253", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c29b8246cd05482ed1b493e1084eab75e943aad49ab6956fe0458c7ef9059253"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "notifier/alertmanagerset.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 39634, "scanner": "repobility-threat-engine", "fingerprint": "756e0958621b3691e4268be8653c800c056ed369e9a98649118a14ad5632d402", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|756e0958621b3691e4268be8653c800c056ed369e9a98649118a14ad5632d402"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/kubernetes/ingress.go"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 39633, "scanner": "repobility-threat-engine", "fingerprint": "0192bc482cffe1bff50528895e10794e3990ea8691c9f132b63061150b5c062d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0192bc482cffe1bff50528895e10794e3990ea8691c9f132b63061150b5c062d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/ionos/server.go"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 39632, "scanner": "repobility-threat-engine", "fingerprint": "ab05fbab0d0b35e285360b6ebe846e1c089b8c75c5d719cea539bb2280a6fd5d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ab05fbab0d0b35e285360b6ebe846e1c089b8c75c5d719cea539bb2280a6fd5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/promtool/query.go"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 39630, "scanner": "repobility-threat-engine", "fingerprint": "d08bd5030462752de95c158d0e0ad3f50d830a29cd2c1a1d1d288da740db3e25", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Get(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d08bd5030462752de95c158d0e0ad3f50d830a29cd2c1a1d1d288da740db3e25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/examples/custom-sd/adapter-usage/main.go"}, "region": {"startLine": 165}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 39629, "scanner": "repobility-threat-engine", "fingerprint": "15b09a938965c6632949c81cf58b9fb474985f0aa383a0f68aba19982ec50282", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|15b09a938965c6632949c81cf58b9fb474985f0aa383a0f68aba19982ec50282"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discovery/xds/client.go"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Review note: this match sits under `cmd/promtool/`, which names a command-line tool; a CLI that fetches an operator-supplied URL on the operator's own machine crosses no server-side trust boundary, so confirm that a network-facing service reaches this code before treating it as SSRF. Independently of that, `http.Get` uses Go's default client, which has no timeout, so a bounded `http.Client{Timeout: ...}` or a context deadline is worth adding regardless of the SSRF verdict."}, "properties": {"repobilityId": 39628, "scanner": "repobility-threat-engine", "fingerprint": "5b65c234997e0c54cf9804e096200bb873ecbe907e223f928abd2c7ddd79ee9c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Get(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5b65c234997e0c54cf9804e096200bb873ecbe907e223f928abd2c7ddd79ee9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/promtool/debug.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 39623, "scanner": "repobility-threat-engine", "fingerprint": "a2ab32f0a058da412a651a39dd2c9094195cf36a53b625be88e74f7fa0f33e75", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "view.state.update({\n        changes: { from, to, insert: value },\n      })", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a2ab32f0a058da412a651a39dd2c9094195cf36a53b625be88e74f7fa0f33e75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/react-app/src/pages/graph/ExpressionInput.tsx"}, "region": {"startLine": 220}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 39622, "scanner": "repobility-threat-engine", "fingerprint": "1b384f471db29f581b7fa3a788ec3c32d7cc5bd52a2712c35547c01e0051b0e8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "view.state.update({\n                      changes: {\n                        fro", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1b384f471db29f581b7fa3a788ec3c32d7cc5bd52a2712c35547c01e0051b0e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/ui/mantine-ui/src/pages/query/ExpressionInput.tsx"}, "region": {"startLine": 320}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Review note: this location is a Go source file (`cmd/promtool/analyze.go`); Go has no `await` keyword and no Promise type, so a JavaScript async rule cannot apply here and the match should be triaged as a false positive of the pattern, not as a missing await."}, "properties": {"repobilityId": 39621, "scanner": "repobility-threat-engine", "fingerprint": "707ffe89fb0c271d94c781c9d3bce2b5f8d399f7e185c148bcb8b1d0c9080e0c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "metastatsNative.update(stats)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|707ffe89fb0c271d94c781c9d3bce2b5f8d399f7e185c148bcb8b1d0c9080e0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/promtool/analyze.go"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.NPM_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
If the token is genuinely needed for PR-triggered work, move that step into a separate job that never checks out or executes the PR head, or gate it on the PR coming from the base repository. Use `pull_request_target` ONLY with strict checkout discipline (no fork code checked out or run in the trusted context while secrets are in scope)."}, "properties": {"repobilityId": 39721, "scanner": "repobility-supply-chain", "fingerprint": "980503b99119e6af440f3d0de7b5b4bcbd37d24dda011ed0a23dd90ab2d201e1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|980503b99119e6af440f3d0de7b5b4bcbd37d24dda011ed0a23dd90ab2d201e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 391}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PROMBOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the pull request's (possibly fork-authored) code. Referencing `${{ secrets.PROMBOT_GITHUB_TOKEN }}` in the same job exposes the secret to whatever that checkout runs (a modified build script can log or exfiltrate it). Caveat: GitHub withholds repository secrets other than the read-only GITHUB_TOKEN from `pull_request` runs that originate from forks, so the practical exposure is to PRs from same-repository branches and to any job that also fires on `pull_request_target` or `push`; confirm the trigger and the job's checkout at the cited line before triaging. 
If the token is genuinely needed for PR-triggered work, move that step into a separate job that never checks out or executes the PR head, or gate it on the PR coming from the base repository. Use `pull_request_target` ONLY with strict checkout discipline (no fork code checked out or run in the trusted context while secrets are in scope)."}, "properties": {"repobilityId": 39720, "scanner": "repobility-supply-chain", "fingerprint": "3122a41aba36ee1710e82d1dd1f297fb8a7945073c3deebc6af854d363bf5f06", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3122a41aba36ee1710e82d1dd1f297fb8a7945073c3deebc6af854d363bf5f06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 343}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages. Verify at the cited line whether the userinfo is a literal credential or an expanded variable; in either case pass the credential via a header or a credential helper so it never appears in the URL, and rotate it if it was ever committed."}, "properties": {"repobilityId": 39655, "scanner": "repobility-threat-engine", "fingerprint": "6dcfb4e42e70309fa99e4839bdaf42b90b3bc361f38a40485e14ce91eab7a3a4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6dcfb4e42e70309fa99e4839bdaf42b90b3bc361f38a40485e14ce91eab7a3a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/sync_repo_files.sh"}, "region": {"startLine": 86}}}]}]}]}
