{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6rw7-vpxm-498p", "name": "qs: GHSA-6rw7-vpxm-498p", "shortDescription": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "fullDescription": {"text": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", 
"severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mh29-5h37-fv8m", "name": "js-yaml: GHSA-mh29-5h37-fv8m", "shortDescription": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "fullDescription": {"text": "js-yaml has prototype pollution in merge (<<)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jchw-25xp-jwwc", "name": "follow-redirects: GHSA-jchw-25xp-jwwc", "shortDescription": {"text": "follow-redirects: GHSA-jchw-25xp-jwwc"}, "fullDescription": {"text": "Follow Redirects improperly handles URLs in the url.parse() function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cxjh-pqwp-8mfp", "name": "follow-redirects: GHSA-cxjh-pqwp-8mfp", "shortDescription": {"text": "follow-redirects: GHSA-cxjh-pqwp-8mfp"}, "fullDescription": {"text": "follow-redirects' Proxy-Authorization header kept across hosts"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", 
"name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8fgc-7cc6-rx7x", "name": "webpack: GHSA-8fgc-7cc6-rx7x", "shortDescription": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "fullDescription": {"text": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38r7-794h-5758", "name": "webpack: GHSA-38r7-794h-5758", "shortDescription": {"text": "webpack: GHSA-38r7-794h-5758"}, "fullDescription": {"text": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects \u2192 SSRF + cache persistence"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-52f5-9888-hmc6", "name": "tmp: GHSA-52f5-9888-hmc6", "shortDescription": {"text": "tmp: GHSA-52f5-9888-hmc6"}, "fullDescription": {"text": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w7fw-mjwx-w883", "name": "qs: GHSA-w7fw-mjwx-w883", "shortDescription": {"text": "qs: GHSA-w7fw-mjwx-w883"}, 
"fullDescription": {"text": "qs's arrayLimit bypass in comma parsing allows denial of service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-73rr-hh4g-fpgx", "name": "diff: GHSA-73rr-hh4g-fpgx", "shortDescription": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "fullDescription": {"text": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pxg6-pf52-xh8x", "name": "cookie: GHSA-pxg6-pf52-xh8x", "shortDescription": {"text": "cookie: GHSA-pxg6-pf52-xh8x"}, "fullDescription": {"text": "cookie accepts cookie name, path, and domain with out of bounds characters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": "brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-3h5v-q93c-6h6q", "name": "ws: GHSA-3h5v-q93c-6h6q", "shortDescription": {"text": "ws: GHSA-3h5v-q93c-6h6q"}, "fullDescription": {"text": "ws affected by a DoS when handling a request with many HTTP headers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fhg7-m89q-25r3", "name": "ua-parser-js: GHSA-fhg7-m89q-25r3", "shortDescription": {"text": "ua-parser-js: GHSA-fhg7-m89q-25r3"}, "fullDescription": {"text": "ReDoS Vulnerability in ua-parser-js version"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-677m-j7p3-52f9", "name": "socket.io-parser: GHSA-677m-j7p3-52f9", "shortDescription": {"text": "socket.io-parser: GHSA-677m-j7p3-52f9"}, "fullDescription": {"text": "socket.io allows an unbounded number of binary attachments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5j98-mcp5-4vw2", "name": 
"glob: GHSA-5j98-mcp5-4vw2", "shortDescription": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "fullDescription": {"text": "glob CLI: Command injection via -c/--cmd executes matches with shell:true"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rf6f-7fwh-wjgh", "name": "flatted: GHSA-rf6f-7fwh-wjgh", "shortDescription": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "fullDescription": {"text": "Prototype Pollution via parse() in NodeJS flatted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25h7-pfq9-p65f", "name": "flatted: GHSA-25h7-pfq9-p65f", "shortDescription": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "fullDescription": {"text": "flatted vulnerable to unbounded recursion DoS in parse() revive phase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3xgq-45jj-v275", "name": "cross-spawn: GHSA-3xgq-45jj-v275", "shortDescription": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "fullDescription": {"text": "Regular Expression Denial of Service 
(ReDoS) in cross-spawn"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-grv7-fg5c-xmjg", "name": "braces: GHSA-grv7-fg5c-xmjg", "shortDescription": {"text": "braces: GHSA-grv7-fg5c-xmjg"}, "fullDescription": {"text": "Uncontrolled resource consumption in braces"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qwcr-r2fm-qrc7", "name": "body-parser: GHSA-qwcr-r2fm-qrc7", "shortDescription": {"text": "body-parser: GHSA-qwcr-r2fm-qrc7"}, "fullDescription": {"text": "body-parser vulnerable to denial of service when url encoding is enabled"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`gradle/wrapper/gradle-wrapper.jar` is a .jar binary (45,633 bytes) committed to a repo that otherwise has 240 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. A Gradle wrapper JAR is normally checked in, so confirm this one by comparing its SHA-256 with the checksum Gradle publishes for the wrapper version in use."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-java` pinned to mutable ref `@v5`", "shortDescription": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "fullDescription": {"text": "`uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA and keep the pin updated with Dependabot or Renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). 
Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1311"}, "properties": {"repository": "JuulLabs/kable", "repoUrl": "https://github.com/JuulLabs/kable", "branch": "main"}, "results": [{"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 133878, "scanner": "osv-scanner", "fingerprint": "03a832fab91f2798f7faa8de15038cc744bd8e4001d3d2c9ba3502d42905624d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 133870, "scanner": "osv-scanner", "fingerprint": "ad0ad2de93c965b8497daaaf3e6d86eb0716cccd8cceeae7665f7c35fabe32f2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6rw7-vpxm-498p", "level": "warning", "message": {"text": "qs: GHSA-6rw7-vpxm-498p"}, 
"properties": {"repobilityId": 133867, "scanner": "osv-scanner", "fingerprint": "622d82c1839d78b35fbbfa6f07a20ccb656f9214dd5bfab478f9d0833ea3bc6d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-15284"], "package": "qs", "rule_id": "GHSA-6rw7-vpxm-498p", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2025-15284|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 133865, "scanner": "osv-scanner", "fingerprint": "4b27079f411cceb3f2632349383af986c52a86ca95ce5a11531a92cc8e2ad772", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 133861, "scanner": "osv-scanner", "fingerprint": "2a4840ee36af6b5e8a2d432e4c95588d9d55f498200926e816c95693e9061930", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|kotlin-js-store/yarn.lock"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 133859, "scanner": "osv-scanner", "fingerprint": "6fbcd78dcccb2a18679fb23c445778b66401dea8e064f04d67025285af4f89b4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 133858, "scanner": "osv-scanner", "fingerprint": "fba4b57b7661683c8ce91c24f2c21052f2722f7356fd0ffdf62abb4c1fe899e2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", "correlation_key": "vuln|js-yaml|CVE-2025-64718|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 133856, "scanner": "osv-scanner", "fingerprint": "ea26a563bc7ced83160b5cc9467543425d3ff201fccffa9e9006760748c70ce6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jchw-25xp-jwwc", "level": "warning", "message": {"text": "follow-redirects: GHSA-jchw-25xp-jwwc"}, "properties": {"repobilityId": 133855, "scanner": "osv-scanner", "fingerprint": "7c69a7fb0a1f521588fa4aa2fe65880a89812f3d7287b832273f0b6e7002e2c0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-26159"], "package": "follow-redirects", "rule_id": "GHSA-jchw-25xp-jwwc", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|CVE-2023-26159|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cxjh-pqwp-8mfp", "level": "warning", "message": {"text": "follow-redirects: GHSA-cxjh-pqwp-8mfp"}, "properties": {"repobilityId": 133854, "scanner": "osv-scanner", "fingerprint": "6ec62ee67d837b56603c6004bccf2f826cfd8382b0e8e9dcfd8bac807c3a687f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-28849"], "package": "follow-redirects", "rule_id": "GHSA-cxjh-pqwp-8mfp", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|CVE-2024-28849|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": 
{"repobilityId": 133844, "scanner": "osv-scanner", "fingerprint": "ded0d2f8e872e14869699655e58f9fb2aa28b6cd69618f928a51ace277801050", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 133842, "scanner": "osv-scanner", "fingerprint": "2f51e6c2f1e7afcc0a57ee9bdbc200df3de67c3a63b3c44eb60b022210644652", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8fgc-7cc6-rx7x", "level": "note", "message": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "properties": {"repobilityId": 133876, "scanner": "osv-scanner", "fingerprint": "c2406046c0ea76068519cd0f0af1632170966fb6eb5be75c2f8e96f36936823c", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68458"], "package": "webpack", "rule_id": "GHSA-8fgc-7cc6-rx7x", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68458|kotlin-js-store/yarn.lock"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38r7-794h-5758", "level": "note", "message": {"text": "webpack: GHSA-38r7-794h-5758"}, "properties": {"repobilityId": 133875, "scanner": "osv-scanner", "fingerprint": "9803eca9327b45969b250619c451ca0158ba4f80707e379c4b5657f786d46f79", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68157"], "package": "webpack", "rule_id": "GHSA-38r7-794h-5758", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68157|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-52f5-9888-hmc6", "level": "note", "message": {"text": "tmp: GHSA-52f5-9888-hmc6"}, "properties": {"repobilityId": 133872, "scanner": "osv-scanner", "fingerprint": "53457c5453295373f5f6289dabd9d4488256a62455514a4a2f67076ffdf7250d", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-54798"], "package": "tmp", "rule_id": "GHSA-52f5-9888-hmc6", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2025-54798|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w7fw-mjwx-w883", "level": "note", "message": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "properties": {"repobilityId": 133868, "scanner": "osv-scanner", "fingerprint": "68573bae6684357593eea65fe43a42d6dd45337fe28907321cec0af410ce39e7", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-2391"], "package": "qs", "rule_id": "GHSA-w7fw-mjwx-w883", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-2391|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 133849, "scanner": "osv-scanner", "fingerprint": "9da74798e8f37cad219bf0f6593047dd905ba2bb9e37833396edc085ee52d286", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pxg6-pf52-xh8x", "level": "note", "message": {"text": "cookie: GHSA-pxg6-pf52-xh8x"}, "properties": {"repobilityId": 133847, "scanner": "osv-scanner", "fingerprint": "60b5b57df8957a44e1bd9f0fb3d0a09b68374e3f4fcb53ea8d00749c503cad81", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47764"], "package": "cookie", "rule_id": "GHSA-pxg6-pf52-xh8x", "scanner": "osv-scanner", "correlation_key": "vuln|cookie|CVE-2024-47764|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 133845, "scanner": "osv-scanner", "fingerprint": 
"db20f81f67da82cb613e29ed8813da6695223f1417c4aca23cb3cce29523e506", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133802, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c84f92c532eeb312be47b03ed62148bfdc7a90c616d632bb770a01551f0001ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "kable-core/src/jvmMain/kotlin/com/juul/kable/ScannerBuilder.kt", "duplicate_line": 3, "correlation_key": "fp|c84f92c532eeb312be47b03ed62148bfdc7a90c616d632bb770a01551f0001ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/webMain/kotlin/ScannerBuilder.kt"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133801, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e0e986d62b4b7d00a002b5ae528c43b1092d24d8bba2b7cf4aa78b02cc8714f1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "kable-core/src/appleMain/kotlin/PeripheralBuilder.kt", "duplicate_line": 27, "correlation_key": "fp|e0e986d62b4b7d00a002b5ae528c43b1092d24d8bba2b7cf4aa78b02cc8714f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/webMain/kotlin/PeripheralBuilder.kt"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133800, "scanner": "repobility-ai-code-hygiene", "fingerprint": "325d3cf9f3782d5596850a296aed0f7fd1f2ef518755b7b96e34f9a53be3eb75", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "kable-core/src/jvmMain/kotlin/com/juul/kable/PeripheralBuilder.kt", "duplicate_line": 16, "correlation_key": "fp|325d3cf9f3782d5596850a296aed0f7fd1f2ef518755b7b96e34f9a53be3eb75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/webMain/kotlin/PeripheralBuilder.kt"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133799, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69cc97d3688207bd60ade49fefab202590936bdc6f40356859630e9f00ce2d35", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "kable-core/src/androidMain/kotlin/PeripheralBuilder.kt", "duplicate_line": 17, "correlation_key": "fp|69cc97d3688207bd60ade49fefab202590936bdc6f40356859630e9f00ce2d35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/webMain/kotlin/PeripheralBuilder.kt"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133798, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75332b2b9033ad1b75aa03a008ed13d36cda93d83667d104769ef1362b2f833e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "kable-core/src/androidMain/kotlin/Connection.kt", "duplicate_line": 186, "correlation_key": "fp|75332b2b9033ad1b75aa03a008ed13d36cda93d83667d104769ef1362b2f833e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/webMain/kotlin/Connection.kt"}, "region": {"startLine": 234}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133797, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2e595431076df43102111b3d012a46cc7df11ca8c387994cab49cd3f5c772c6f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "kable-core/src/androidMain/kotlin/BluetoothDeviceAndroidPeripheral.kt", "duplicate_line": 110, "correlation_key": "fp|2e595431076df43102111b3d012a46cc7df11ca8c387994cab49cd3f5c772c6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/webMain/kotlin/BluetoothDeviceWebBluetoothPeripheral.kt"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133796, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7abf06b24990bc9d38fb163512d489671371524ded820b345740fb83131af002", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "kable-core/src/appleMain/kotlin/PeripheralBuilder.kt", "duplicate_line": 40, "correlation_key": "fp|7abf06b24990bc9d38fb163512d489671371524ded820b345740fb83131af002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/jvmMain/kotlin/com/juul/kable/PeripheralBuilder.kt"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133795, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ee75888d642e58d74a26b7ea0f34843d6a33dd0c7773d1fe6eb017b1a8084a4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"kable-core/src/androidMain/kotlin/PeripheralBuilder.kt", "duplicate_line": 17, "correlation_key": "fp|4ee75888d642e58d74a26b7ea0f34843d6a33dd0c7773d1fe6eb017b1a8084a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/jvmMain/kotlin/com/juul/kable/PeripheralBuilder.kt"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133794, "scanner": "repobility-ai-code-hygiene", "fingerprint": "67e6520808a36e1d7d155808bc828bb0e19a7c715556ae1252c369c32b2e1b3f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "kable-core/src/androidMain/kotlin/PeripheralBuilder.kt", "duplicate_line": 40, "correlation_key": "fp|67e6520808a36e1d7d155808bc828bb0e19a7c715556ae1252c369c32b2e1b3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/appleMain/kotlin/PeripheralBuilder.kt"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133793, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2c023e921975be1e52ba7f8d4c73e273946e7bf8af23016a87da3de66fdffbcc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "kable-core/src/androidMain/kotlin/Connection.kt", 
"duplicate_line": 185, "correlation_key": "fp|2c023e921975be1e52ba7f8d4c73e273946e7bf8af23016a87da3de66fdffbcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/appleMain/kotlin/Connection.kt"}, "region": {"startLine": 186}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133792, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e7dfb5ad960e824e52b3ac078adec4c94bc1814dc7c35e4ce0ee2b6a52ad236", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "kable-core/src/androidMain/kotlin/BluetoothDeviceAndroidPeripheral.kt", "duplicate_line": 108, "correlation_key": "fp|4e7dfb5ad960e824e52b3ac078adec4c94bc1814dc7c35e4ce0ee2b6a52ad236"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/appleMain/kotlin/CBPeripheralCoreBluetoothPeripheral.kt"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 133836, "scanner": "repobility-threat-engine", "fingerprint": "db5a3969efd1f564c658b639398a7810f75a9d2a7be3d6b7257cb40be934fa0e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|db5a3969efd1f564c658b639398a7810f75a9d2a7be3d6b7257cb40be934fa0e"}}}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 133832, "scanner": "repobility-threat-engine", "fingerprint": "aca87ac170a0086928a99f3259a65e7dc9f4a245fac4fc4acf126652fd81143b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|aca87ac170a0086928a99f3259a65e7dc9f4a245fac4fc4acf126652fd81143b", "aggregated_count": 3}}}, {"ruleId": "GHSA-3h5v-q93c-6h6q", "level": "error", "message": {"text": "ws: GHSA-3h5v-q93c-6h6q"}, "properties": {"repobilityId": 133877, "scanner": "osv-scanner", "fingerprint": "997fea7e5d57f86b3de021e99238eca5f4acea2d145a9a0882de32869f26584d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-37890"], "package": "ws", "rule_id": "GHSA-3h5v-q93c-6h6q", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2024-37890|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-fhg7-m89q-25r3", "level": "error", "message": {"text": "ua-parser-js: GHSA-fhg7-m89q-25r3"}, "properties": {"repobilityId": 133874, "scanner": "osv-scanner", "fingerprint": "ee741bba76993e10bb8ed10204ccad65ce5e6c98eac873cdbb410a0836b0a3a0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-25927"], "package": "ua-parser-js", "rule_id": "GHSA-fhg7-m89q-25r3", "scanner": "osv-scanner", "correlation_key": "vuln|ua-parser-js|CVE-2022-25927|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 133873, "scanner": "osv-scanner", "fingerprint": "7be122c814ac99c583df5e921579d761941b0e39ab3d1673664569e53b3787e2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-677m-j7p3-52f9", "level": "error", "message": {"text": "socket.io-parser: GHSA-677m-j7p3-52f9"}, "properties": {"repobilityId": 133871, "scanner": "osv-scanner", "fingerprint": "e1256ab4cc6a961e3e5f96458dc7efeddc5892abfc328c06c8887018a3e7cd70", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33151"], "package": "socket.io-parser", "rule_id": 
"GHSA-677m-j7p3-52f9", "scanner": "osv-scanner", "correlation_key": "vuln|socket.io-parser|CVE-2026-33151|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 133869, "scanner": "osv-scanner", "fingerprint": "28b948876b030e1fab8d332d8ecaa6396c12a1b2bdf817459cf4c4c5ce5282c0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 133866, "scanner": "osv-scanner", "fingerprint": "024e0870e55c0a86348de0ed12050cea713731de9b75e27360476a366d942d0f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 133864, "scanner": "osv-scanner", "fingerprint": 
"25ae4cad3643e0dcbc48be72782a386c02445b947406d2a37b5b26132a04e787", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 133863, "scanner": "osv-scanner", "fingerprint": "82bb1c74ee50455b2cea181da94874c20e3f6c44dd7d7236768ec7513ec311e8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 133862, "scanner": "osv-scanner", "fingerprint": "fc3c43be58db86e602ccbe0691e7050d351117210d50335fc7e68536503bbe3c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 133860, "scanner": "osv-scanner", "fingerprint": "ddafe1e70e969b01a562fcd18b4263932ea5887d873d910b0138a88349bd731d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5j98-mcp5-4vw2", "level": "error", "message": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "properties": {"repobilityId": 133857, "scanner": "osv-scanner", "fingerprint": "e363e4eee91293944740aff72c19d9b68e5112712aecace1f86221e856241675", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64756"], "package": "glob", "rule_id": "GHSA-5j98-mcp5-4vw2", "scanner": "osv-scanner", "correlation_key": "vuln|glob|CVE-2025-64756|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", "message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 133853, "scanner": "osv-scanner", "fingerprint": "51248674519c4050d5eee86339ac81748d2f87868743914a0ed214923881ad2a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": 
"GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 133852, "scanner": "osv-scanner", "fingerprint": "f2366501e68002368aff4046fb1fc215189ad4ecfa238518e791c2ca3c29f867", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 133851, "scanner": "osv-scanner", "fingerprint": "62593a7f087f770d895512eeabe4b31f2aecfb76d52c70b300b09ec4ae718566", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 133850, "scanner": "osv-scanner", "fingerprint": "8b6a8c1ef203c2fe42b6913f146ae343c2db1a256cf44619c14745fec797c483", "category": 
"dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3xgq-45jj-v275", "level": "error", "message": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "properties": {"repobilityId": 133848, "scanner": "osv-scanner", "fingerprint": "2071e7959c54ed3e48942e36ea4467bcab5cba624db906e76fa9f35000fc8b64", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-21538"], "package": "cross-spawn", "rule_id": "GHSA-3xgq-45jj-v275", "scanner": "osv-scanner", "correlation_key": "vuln|cross-spawn|CVE-2024-21538|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-grv7-fg5c-xmjg", "level": "error", "message": {"text": "braces: GHSA-grv7-fg5c-xmjg"}, "properties": {"repobilityId": 133846, "scanner": "osv-scanner", "fingerprint": "5e29eaa0178836ab50c679dd8a8d4b1970ab20e9e706feabaac5a4017947c297", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-4068"], "package": "braces", "rule_id": "GHSA-grv7-fg5c-xmjg", "scanner": "osv-scanner", "correlation_key": "vuln|braces|CVE-2024-4068|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qwcr-r2fm-qrc7", "level": "error", 
"message": {"text": "body-parser: GHSA-qwcr-r2fm-qrc7"}, "properties": {"repobilityId": 133843, "scanner": "osv-scanner", "fingerprint": "3cad4c96f3c67273379077536ede653613fd26b09a4f2793cca3dc954f2cae64", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-45590"], "package": "body-parser", "rule_id": "GHSA-qwcr-r2fm-qrc7", "scanner": "osv-scanner", "correlation_key": "vuln|body-parser|CVE-2024-45590|kotlin-js-store/yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kotlin-js-store/yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 133841, "scanner": "repobility-threat-engine", "fingerprint": "c9e59de5953123b9c41d282520060b2db774d6506765cd494dcd4ef3e7a30a86", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "project.extensions.create(\"uniffiKotlin\", UniffiKotlinExtension::class.java)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c9e59de5953123b9c41d282520060b2db774d6506765cd494dcd4ef3e7a30a86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uniffi-plugin/src/main/kotlin/UniffiKotlinPlugin.kt"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 133840, "scanner": "repobility-threat-engine", "fingerprint": "536588c500a1b4e8ead0c00cc7fa076aa30b73cc79c2956f42938911bfead3e3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "handle.destroy()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|536588c500a1b4e8ead0c00cc7fa076aa30b73cc79c2956f42938911bfead3e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/jvmMain/kotlin/com/juul/kable/btleplug/BtleplugScanner.kt"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 133839, "scanner": "repobility-threat-engine", "fingerprint": "eb454bdf41f61174449b66f558925ff2b9b5dccae8f3c8316149be51193c591e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ffi.destroy()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eb454bdf41f61174449b66f558925ff2b9b5dccae8f3c8316149be51193c591e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/jvmMain/kotlin/com/juul/kable/btleplug/BtleplugPeripheral.kt"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 133838, "scanner": "repobility-threat-engine", "fingerprint": "2bd3900083287d89de6bd2206e9ae013c65c6cc9f7cc4d1c4d8344a1fc01af98", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2bd3900083287d89de6bd2206e9ae013c65c6cc9f7cc4d1c4d8344a1fc01af98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/appleMain/kotlin/logs/LogMessage.kt"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 133837, "scanner": "repobility-threat-engine", "fingerprint": "4d7b1aa0ee28710e90be0b8a3f216f30e2bc6ec7c148d7eeb5114987b8554e08", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4d7b1aa0ee28710e90be0b8a3f216f30e2bc6ec7c148d7eeb5114987b8554e08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/appleMain/kotlin/Profile.kt"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 133831, "scanner": "repobility-threat-engine", "fingerprint": "c28808fc82fa298d57ac542ac08fcd101a3e1d725bba8a127ef98e6ce742c01d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c28808fc82fa298d57ac542ac08fcd101a3e1d725bba8a127ef98e6ce742c01d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-btleplug-ffi/src/peripheral.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 133830, "scanner": "repobility-threat-engine", "fingerprint": "513d093c7217363d0751f1159ba7503da12e4bdafc5918cc9fa11754ef819d0e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|513d093c7217363d0751f1159ba7503da12e4bdafc5918cc9fa11754ef819d0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-btleplug-ffi/src/lib.rs"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 133829, "scanner": "repobility-threat-engine", "fingerprint": "fd68e09111b7e402eeb7acd0a900196ba0c096a4d468f9fb64dedfc4a9faafbf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd68e09111b7e402eeb7acd0a900196ba0c096a4d468f9fb64dedfc4a9faafbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-btleplug-ffi/src/characteristic.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 133828, "scanner": "repobility-supply-chain", "fingerprint": "e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 133827, "scanner": 
"repobility-supply-chain", "fingerprint": "bff82d1585a2039b698f9b971cf3b839a0927a58f2da13e5e8b869855fb472d8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bff82d1585a2039b698f9b971cf3b839a0927a58f2da13e5e8b869855fb472d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 133826, "scanner": "repobility-supply-chain", "fingerprint": "90209750e41810cadca5a07280a099dd79dc00ee25a73717a1206f6ac7a8c8da", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|90209750e41810cadca5a07280a099dd79dc00ee25a73717a1206f6ac7a8c8da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 133825, "scanner": "repobility-supply-chain", "fingerprint": "7c4801ba697ced479714f0b3b5e2c45b467416db032e88280648c7c18006df04", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", 
"owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c4801ba697ced479714f0b3b5e2c45b467416db032e88280648c7c18006df04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 133824, "scanner": "repobility-supply-chain", "fingerprint": "d720d2139c8cf0f60e27c1015b8119e56e1b9d0f4b9df02753ea6684b6f29c01", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d720d2139c8cf0f60e27c1015b8119e56e1b9d0f4b9df02753ea6684b6f29c01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `gradle/actions/setup-gradle` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 133823, "scanner": "repobility-supply-chain", "fingerprint": "e5d33a5e37f6977e17aa9bff35a2a2a8af7be331f7e0a1e2b63eaebfaece1d51", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5d33a5e37f6977e17aa9bff35a2a2a8af7be331f7e0a1e2b63eaebfaece1d51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/publish.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 133822, "scanner": "repobility-supply-chain", "fingerprint": "dbd91f3eabd22eda6bb06098a2fc35e9e7d37f45b85a11907d13e0a9297e6b9c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dbd91f3eabd22eda6bb06098a2fc35e9e7d37f45b85a11907d13e0a9297e6b9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 133821, "scanner": "repobility-supply-chain", "fingerprint": "ecbeca796d430b29b25b39f8f8bddd7f5b34f6ee7ccbd03c14ccc632b5353f95", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ecbeca796d430b29b25b39f8f8bddd7f5b34f6ee7ccbd03c14ccc632b5353f95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/deploy-pages` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 133820, "scanner": "repobility-supply-chain", "fingerprint": 
"d519941eb62e1adabf8b08628859ccd0c0f7ad559cef2485ee844fd7f20e9c82", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d519941eb62e1adabf8b08628859ccd0c0f7ad559cef2485ee844fd7f20e9c82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pages.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 133819, "scanner": "repobility-supply-chain", "fingerprint": "e065388cc67af4385bc8a2d9d8987ffe479ac5d18fcfd0b6e8918c4de744556c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e065388cc67af4385bc8a2d9d8987ffe479ac5d18fcfd0b6e8918c4de744556c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pages.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `gradle/actions/setup-gradle` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 133818, "scanner": "repobility-supply-chain", "fingerprint": "9531bbcc2409f2cfdf3a1647661878bb2b37209cbaa66a8bcff20a1bde23cba8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9531bbcc2409f2cfdf3a1647661878bb2b37209cbaa66a8bcff20a1bde23cba8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pages.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 133817, "scanner": "repobility-supply-chain", "fingerprint": "c176f8adf15c2278c93b38b7fdbb6c03c689f2fa4f46d8752a742f85e509c9b1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c176f8adf15c2278c93b38b7fdbb6c03c689f2fa4f46d8752a742f85e509c9b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pages.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 133816, "scanner": "repobility-supply-chain", "fingerprint": "09daf412c3257584f4197c5c3f2b5915b501ee08177b1df732092efa32384a32", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09daf412c3257584f4197c5c3f2b5915b501ee08177b1df732092efa32384a32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pages.yml"}, "region": {"startLine": 11}}}]}, 
{"ruleId": "MINED115", "level": "error", "message": {"text": "Action `release-drafter/release-drafter` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 133815, "scanner": "repobility-supply-chain", "fingerprint": "2bd2aaa4e6ac5297968ee091438ec56cbfce8b22028b19d6911b755ad5571a89", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2bd2aaa4e6ac5297968ee091438ec56cbfce8b22028b19d6911b755ad5571a89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-drafter.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `gradle/actions/setup-gradle` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 133814, "scanner": "repobility-supply-chain", "fingerprint": "3c6fd66d39028b33ae4c0f58a0b37d3291a382c0fd0def541c4897bb30602cb9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c6fd66d39028b33ae4c0f58a0b37d3291a382c0fd0def541c4897bb30602cb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 133813, "scanner": "repobility-supply-chain", "fingerprint": "aea0c2095fab6cb52d2a2e8e858fc84f7d4ed7769669a217ef0f9f3f046ba5e7", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aea0c2095fab6cb52d2a2e8e858fc84f7d4ed7769669a217ef0f9f3f046ba5e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 133812, "scanner": "repobility-supply-chain", "fingerprint": "26d9faea3baa7c7e6c976dc64c0ffb4445bf41f16ab45401edbd8dd718dcdf1e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26d9faea3baa7c7e6c976dc64c0ffb4445bf41f16ab45401edbd8dd718dcdf1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 133811, "scanner": "repobility-supply-chain", "fingerprint": "d67029f3ed682da899f9836766c46f368f26e6d6780501a07c6d1779c2139afe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|d67029f3ed682da899f9836766c46f368f26e6d6780501a07c6d1779c2139afe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 133810, "scanner": "repobility-supply-chain", "fingerprint": "71e56dcd9278bffcdf814c0c5c5fd27c39d834b797d9d9c0a67d0d12af6e908a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71e56dcd9278bffcdf814c0c5c5fd27c39d834b797d9d9c0a67d0d12af6e908a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `gradle/actions/setup-gradle` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 133809, "scanner": "repobility-supply-chain", "fingerprint": "6bd2c82931c212b8195c8caf1a52b3296ead38f769353b5c84a18299bf43bf24", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6bd2c82931c212b8195c8caf1a52b3296ead38f769353b5c84a18299bf43bf24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned 
to mutable ref `@v5`"}, "properties": {"repobilityId": 133808, "scanner": "repobility-supply-chain", "fingerprint": "ebc93d9d9797b2c1129583ac3eb3d7b39b970a324e6284b95b6bcdfd7cc97c91", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ebc93d9d9797b2c1129583ac3eb3d7b39b970a324e6284b95b6bcdfd7cc97c91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 133807, "scanner": "repobility-supply-chain", "fingerprint": "536c35be8639f670dd616df6aa0ab171fcd70716fd585199648409a93b580919", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|536c35be8639f670dd616df6aa0ab171fcd70716fd585199648409a93b580919"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `gradle/actions/setup-gradle` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 133806, "scanner": "repobility-supply-chain", "fingerprint": "bff9cee0c05e981fcc074e5410c2a53fc9b63cb91e1b5b52a64b11d63d44f1fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bff9cee0c05e981fcc074e5410c2a53fc9b63cb91e1b5b52a64b11d63d44f1fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/signing.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 133805, "scanner": "repobility-supply-chain", "fingerprint": "30e4f3f71e9de890289e770c1e0cedeebbb7f9dd8f111440b845e69ceb4ee0eb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|30e4f3f71e9de890289e770c1e0cedeebbb7f9dd8f111440b845e69ceb4ee0eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/signing.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 133804, "scanner": "repobility-supply-chain", "fingerprint": "ae38492c725abd416960e406a5009d5b9d83efcc13613d03fe9e3e2067ce729a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae38492c725abd416960e406a5009d5b9d83efcc13613d03fe9e3e2067ce729a"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/signing.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `mheap/github-action-required-labels` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 133803, "scanner": "repobility-supply-chain", "fingerprint": "95f401e37b412d7c80b2e5f4974c7d1e527f7a559c03d3886fd075e3521c0049", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|95f401e37b412d7c80b2e5f4974c7d1e527f7a559c03d3886fd075e3521c0049"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/version-labels.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 133791, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0). The flagged file is Kotlin, where `require(...)` is the standard-library precondition check rather than a module loader, so this match is likely a false positive; confirm against the source line."}, "properties": {"repobilityId": 133835, "scanner": "repobility-threat-engine", "fingerprint": "5f15e5ed4a7e843c8a6ea2a3fa85fbaad924a673a63206abdc2d03eed476bcbe", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(ZERO_MAC_ADDRESS", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5f15e5ed4a7e843c8a6ea2a3fa85fbaad924a673a63206abdc2d03eed476bcbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/androidMain/kotlin/bluetooth/CheckMacAddress.kt"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0). The flagged file is Kotlin, where `require(...)` is the standard-library precondition check rather than a module loader, so this match is likely a false positive; confirm against the source line."}, "properties": {"repobilityId": 133834, "scanner": "repobility-threat-engine", "fingerprint": "92b5608c69f4a23d1ac7143c431b7109620e90a1272a8f33fdd3564c5c26310f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(BluetoothAdapter", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|92b5608c69f4a23d1ac7143c431b7109620e90a1272a8f33fdd3564c5c26310f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/androidMain/kotlin/Identifier.kt"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0). The flagged file is Kotlin, where `require(...)` is the standard-library precondition check rather than a module loader, so this match is likely a false positive; confirm against the source line."}, "properties": {"repobilityId": 133833, "scanner": "repobility-threat-engine", "fingerprint": "22005ab9525d84203fe0731bd9c2a0b97bd391435912fa6ba431b14f34ac5b3b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(disconnectTimeout", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|22005ab9525d84203fe0731bd9c2a0b97bd391435912fa6ba431b14f34ac5b3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kable-core/src/androidMain/kotlin/Connection.kt"}, "region": {"startLine": 86}}}]}]}]}