{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC115", "name": "[SEC115] Decompression without size cap (zip/gzip bomb): Decompressing untrusted archives without a size or ratio cap \u2192 ", "shortDescription": {"text": "[SEC115] Decompression without size cap (zip/gzip bomb): Decompressing untrusted archives without a size or ratio cap \u2192 memory/disk exhaustion DoS (10kb \u2192 4GB classic 'zip bomb')."}, "fullDescription": {"text": "Wrap reader with `io.LimitReader(r, MAX_BYTES)`. In Python, iterate `ZipFile.infolist()` and check each entry's `file_size`. Cap total uncompressed bytes (e.g. 100MB)."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED092", "name": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection.", "shortDescription": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 6 more): Same pattern found in 6 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start (and 21 more): Same pattern found in 21 additional files. Review if needed.", "shortDescription": {"text": "[MINED083] Java Thread Start (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default (and 25 more): Same pattern found in 25 additional files. Revie", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM.", "shortDescription": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1075 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `plugins/generator-26.1.x/neoforge-26.1.2/workspacebase/gradle/wrapper/gradle-wrapper.jar` commit", "shortDescription": {"text": "[MINED134] Binary file `plugins/generator-26.1.x/neoforge-26.1.2/workspacebase/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `plugins/generator-26.1.x/neoforge-26.1.2/workspacebase/gradle/wrapper/gradle-wrapper.jar` is a .jar"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `gradle/actions/dependency-submission` pinned to mutable ref `@v5`: `uses: gradle/actions/dependency-s", "shortDescription": {"text": "[MINED115] Action `gradle/actions/dependency-submission` pinned to mutable ref `@v5`: `uses: gradle/actions/dependency-submission@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-ac"}, "fullDescription": {"text": "Replace with: `uses: gradle/actions/dependency-submission@<40-char-sha>  # v5` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC106", "name": "[SEC106] Block cipher in ECB mode (AES/DES/Blowfish): ECB mode leaks block-level structure \u2014 identical plaintext blocks ", "shortDescription": {"text": "[SEC106] Block cipher in ECB mode (AES/DES/Blowfish): ECB mode leaks block-level structure \u2014 identical plaintext blocks encrypt to identical ciphertext (the famous Tux image). Bare `Cipher.getInstance(\"AES\")` defaults to ECB on most JVMs."}, "fullDescription": {"text": "Use GCM (recommended): `Cipher.getInstance(\"AES/GCM/NoPadding\")`. Or CBC with HMAC. Always pass an explicit IV; never reuse it for GCM."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC101", "name": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes int", "shortDescription": {"text": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Collections, etc.) leading to RCE."}, "fullDescription": {"text": "Avoid native Java serialization entirely. Use JSON (Jackson with default-typing OFF) or a length-limited Protobuf. If you must, set up a SerialKiller / lookahead-deserializer with a class allowlist."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1254"}, "properties": {"repository": "MCreator/MCreator", "repoUrl": "https://github.com/MCreator/MCreator", "branch": "master"}, "results": [{"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 126355, "scanner": "repobility-threat-engine", "fingerprint": "10d652d1c2db51d3c461066cd45ccb895d1292afb2eb1e0b802ff1436dd18f94", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Pattern.compile(\"[^0-9.]+\");\n\tprivate static final Pattern cleanExcessSemVerCharactersPattern = Patt", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|10d652d1c2db51d3c461066cd45ccb895d1292afb2eb1e0b802ff1436dd18f94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/workspace/settings/WorkspaceSettings.java"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 126339, "scanner": "repobility-threat-engine", "fingerprint": "06ff5fec364216a14b09010edf42c50ea73937c31be2a1b5015e644d70d47bff", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|28|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/ui/action/impl/gradle/BuildGradleOnlyAction.java"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 126338, "scanner": "repobility-threat-engine", "fingerprint": "a76e4916b82498c7bba9486f83ed6ee5cb188c150eb0a5e457081f1fa50bcbfd", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|64|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/minecraft/BedrockUtils.java"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 126337, "scanner": "repobility-threat-engine", "fingerprint": "f65ae1d4c5d30bb87700b9d4846a9e43f04772df6ae65e48dcde6afd47f6872f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|40|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/io/WindowsProcessUtil.java"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC115", "level": "warning", "message": {"text": "[SEC115] Decompression without size cap (zip/gzip bomb): Decompressing untrusted archives without a size or ratio cap \u2192 memory/disk exhaustion DoS (10kb \u2192 4GB classic 'zip bomb')."}, "properties": {"repobilityId": 126332, "scanner": "repobility-threat-engine", "fingerprint": "d2db7c560dac6c40136ea74603ca7f5fb5b93b9857d9bf141a8cabccee51d0b9", "category": "resource_exhaustion", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ZIPInputStream gis = new GZIPInputStream(bis);\n\t\t\tByteArrayOutputStream buffer = new ByteArrayOutput", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC115", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d2db7c560dac6c40136ea74603ca7f5fb5b93b9857d9bf141a8cabccee51d0b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/io/BinaryStringIO.java"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 126330, "scanner": "repobility-threat-engine", "fingerprint": "a913149384a8b68c1f2523cc6b33ae7861f74e855ad5f5b774e5b6605a516be6", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|116|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/java/ClassFinder.java"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 126329, "scanner": "repobility-threat-engine", "fingerprint": "e2a2e781787e8087aa2f998ba9fa0525cf19034a0f5895d0e7b66b08adbb4ea4", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ZipEntry::getName", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|72|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/io/zip/ZipIO.java"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 126328, "scanner": "repobility-threat-engine", "fingerprint": "ec757202a64bc131867fa9e115bac5eb55818dbfb67de4ecc1ad43ef93f55961", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|89|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/generator/mapping/MappingLoader.java"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126381, "scanner": "repobility-ai-code-hygiene", "fingerprint": "66dc71aa6add02327a3c7ec21cdf83add258e954f37aaa536c91e83b322d5643", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/generator/setup/folders/Pre1193FolderStructure.java", "duplicate_line": 24, "correlation_key": "fp|66dc71aa6add02327a3c7ec21cdf83add258e954f37aaa536c91e83b322d5643"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/generator/setup/folders/Pre1210FolderStructure.java"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126380, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e61e7aba28e45d6dd7f544d881d1b3554d9de1ee8cb75fa43f4adfd57ace281", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/element/types/Block.java", "duplicate_line": 433, "correlation_key": "fp|0e61e7aba28e45d6dd7f544d881d1b3554d9de1ee8cb75fa43f4adfd57ace281"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/element/types/bedrock/BEBlock.java"}, "region": {"startLine": 117}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126379, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4199888ee8651910ca15d8094d3aed762f9964cccac1a93795b8ddf9045b00c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/element/types/Item.java", "duplicate_line": 127, "correlation_key": "fp|4199888ee8651910ca15d8094d3aed762f9964cccac1a93795b8ddf9045b00c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/element/types/Tool.java"}, "region": {"startLine": 130}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126378, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91f1af972de64bde1cf2f7523bcb42b3707bb526f282df5ce33ee8c8325e17ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/element/types/Block.java", "duplicate_line": 405, "correlation_key": "fp|91f1af972de64bde1cf2f7523bcb42b3707bb526f282df5ce33ee8c8325e17ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/element/types/Plant.java"}, "region": {"startLine": 196}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126377, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7ac22ff266394ef726782830ee6d96ad3831cd957026d193c8204d5cfabbd24b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/element/converter/v2024_3/WorldDependencyAdder.java", "duplicate_line": 19, "correlation_key": "fp|7ac22ff266394ef726782830ee6d96ad3831cd957026d193c8204d5cfabbd24b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/element/converter/v2025_1/WorldDependencyAdder.java"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126376, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4d70626869d095e98b9fef01e45a601c0c3c8027ba6420f667fee31fee683d34", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/element/converter/v2021_1/LegacyDimensionProcedureRemover.java", "duplicate_line": 35, "correlation_key": "fp|4d70626869d095e98b9fef01e45a601c0c3c8027ba6420f667fee31fee683d34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/element/converter/v2024_3/PlantTypeProcedureRemover.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126375, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe234739822c8b4ff97bee32b9e5a5364aa63b370c9dd6f147b3bda3061b1d6e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/element/converter/v2021_1/LegacyDimensionProcedureRemover.java", "duplicate_line": 35, "correlation_key": "fp|fe234739822c8b4ff97bee32b9e5a5364aa63b370c9dd6f147b3bda3061b1d6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/element/converter/v2024_2/HarvestLevelProceduresRemover.java"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126374, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c869c4b98eb016661a1ad7a64b39c2ec7e848e38f30d97514087301a7c83d64d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/element/converter/v2023_4/BlockGenerationConditionRemover.java", "duplicate_line": 42, "correlation_key": "fp|c869c4b98eb016661a1ad7a64b39c2ec7e848e38f30d97514087301a7c83d64d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/element/converter/v2023_4/StructureToFeatureConverter.java"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126373, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f1e38eed59d8bdad64c83fe61fc82fca3f6890fa12c4538bf5e9c2136f03a79c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/element/converter/v2023_4/BlockGenerationConditionRemover.java", "duplicate_line": 33, "correlation_key": "fp|f1e38eed59d8bdad64c83fe61fc82fca3f6890fa12c4538bf5e9c2136f03a79c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/element/converter/v2023_4/PlantGenerationConditionRemover.java"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126372, "scanner": "repobility-ai-code-hygiene", "fingerprint": "31e97775991a7e3acdcc51f770993e958031697d8d72ca5f192119252a592826", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/element/converter/v2021_1/LegacyDimensionProcedureRemover.java", "duplicate_line": 38, "correlation_key": "fp|31e97775991a7e3acdcc51f770993e958031697d8d72ca5f192119252a592826"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/element/converter/v2023_3/MaterialProcedureConverter.java"}, "region": {"startLine": 96}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126371, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0fd73bbd2f7d38d07b15fe7b53b01232a35f77956e5485000497f0d3910c685f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/java/blocks/SingularMathOperationsBlock.java", "duplicate_line": 6, "correlation_key": "fp|0fd73bbd2f7d38d07b15fe7b53b01232a35f77956e5485000497f0d3910c685f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/javascript/blocks/SingularMathOperationsBlock.java"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126370, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7e0b9a4023363ad22639c24c9786a0f54cdba44ca0d10dd024f47dc11e9fbe0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/java/blocks/NumberConstantsBlock.java", "duplicate_line": 14, "correlation_key": "fp|e7e0b9a4023363ad22639c24c9786a0f54cdba44ca0d10dd024f47dc11e9fbe0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/javascript/blocks/NumberConstantsBlock.java"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126369, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ce1c3aa5700cf79079025c7b3d3b3ce452966487e06602783477e98de3e6aa7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/datapack/blocks/NumberBlock.java", "duplicate_line": 13, "correlation_key": "fp|1ce1c3aa5700cf79079025c7b3d3b3ce452966487e06602783477e98de3e6aa7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/javascript/blocks/NumberBlock.java"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126368, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b8b2b66f7cc6cae3bc676063be9cd8c76ad4e76d2d985935b5d0ab4903a814dc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/java/blocks/LogicBinaryOperationsBlock.java", "duplicate_line": 15, "correlation_key": "fp|b8b2b66f7cc6cae3bc676063be9cd8c76ad4e76d2d985935b5d0ab4903a814dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/javascript/blocks/NumberBinaryOperationsBlock.java"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126367, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c35146f8b14d3ea2a8dae180c4a8b6355e21c7fe31cd6d39df757760c99accc9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/java/blocks/NumberBinaryOperationsBlock.java", "duplicate_line": 8, "correlation_key": "fp|c35146f8b14d3ea2a8dae180c4a8b6355e21c7fe31cd6d39df757760c99accc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/javascript/blocks/NumberBinaryOperationsBlock.java"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126366, "scanner": "repobility-ai-code-hygiene", "fingerprint": "828e6397a8041fe85ec7222e17855696397b19c3e6ab83a8cf508d7aba4c88e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/java/blocks/LogicBinaryOperationsBlock.java", "duplicate_line": 7, "correlation_key": "fp|828e6397a8041fe85ec7222e17855696397b19c3e6ab83a8cf508d7aba4c88e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/javascript/blocks/LogicBinaryOperationsBlock.java"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126365, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4a10bdeeff766011ad3501f32d46a1e7535d6f98cdad0226a4f78ce6f37314a8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/java/blocks/TextReplace.java", "duplicate_line": 11, "correlation_key": "fp|4a10bdeeff766011ad3501f32d46a1e7535d6f98cdad0226a4f78ce6f37314a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/java/blocks/TextReplaceRegex.java"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126364, "scanner": "repobility-ai-code-hygiene", "fingerprint": "987ff6350d16ff33d519fc3f238114fd33aadd2a1cce5e324d3ab42c29b981e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/java/blocks/TextContains.java", "duplicate_line": 11, "correlation_key": "fp|987ff6350d16ff33d519fc3f238114fd33aadd2a1cce5e324d3ab42c29b981e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/java/blocks/TextMatches.java"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126363, "scanner": "repobility-ai-code-hygiene", "fingerprint": "15ed6b0f1420dbdcdd1917fa607799940fb909788f70a1b3a6cd9aff0969aa58", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/java/blocks/GetVariableBlock.java", "duplicate_line": 52, "correlation_key": "fp|15ed6b0f1420dbdcdd1917fa607799940fb909788f70a1b3a6cd9aff0969aa58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/java/blocks/SetVariableBlock.java"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126362, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12e1c0aeceed0c8cf8ffc340d9a8c4ac7faa36e6cfea8a0bd23587bd89ea80da", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/java/blocks/CancelEventBlock.java", "duplicate_line": 17, "correlation_key": "fp|12e1c0aeceed0c8cf8ffc340d9a8c4ac7faa36e6cfea8a0bd23587bd89ea80da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/java/blocks/SetEventResultBlock.java"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126361, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9842126ded8d26890cc019ac930fea40efda42634b768564dcf160c8ef56ea9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/java/blocks/LogicBinaryOperationsBlock.java", "duplicate_line": 15, "correlation_key": "fp|d9842126ded8d26890cc019ac930fea40efda42634b768564dcf160c8ef56ea9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/java/blocks/NumberBinaryOperationsBlock.java"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126360, "scanner": "repobility-ai-code-hygiene", "fingerprint": "af9ff0d4fa3785940c4f412074502c6c40aaecb10e774300ac28457000d44c56", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/datapack/blocks/MCItemBlock.java", "duplicate_line": 10, "correlation_key": "fp|af9ff0d4fa3785940c4f412074502c6c40aaecb10e774300ac28457000d44c56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/java/blocks/MCItemBlock.java"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126359, "scanner": "repobility-ai-code-hygiene", "fingerprint": "977c4dcfbb8dd7799037515118dc41adfbc52a17d7e3046f32cfc1dd3e7b30ff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/net/mcreator/blockly/datapack/BlocklyToEnchantmentEffects.java", "duplicate_line": 30, "correlation_key": "fp|977c4dcfbb8dd7799037515118dc41adfbc52a17d7e3046f32cfc1dd3e7b30ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/datapack/BlocklyToJSONTrigger.java"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126358, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf0272a60ed16d6d7114dd84b3d82b4f252e5e83dd442224685b9e4428015166", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/mcreator-core/blockly/js/extensions_procedure_deps.js", "duplicate_line": 72, "correlation_key": "fp|bf0272a60ed16d6d7114dd84b3d82b4f252e5e83dd442224685b9e4428015166"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/mcreator-core/blockly/js/simple_repeating_input_mixins.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126357, "scanner": "repobility-ai-code-hygiene", "fingerprint": "53ea84714d9bb9f0c424daa82b222888bd16d1dcccb6d1d689b747c249033543", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/generator-1.21.1/resourcepack-1.21.1/workspacebase/packloader/src/main/java/net/mcreator/packloader/PackLoaderMod.java", "duplicate_line": 15, "correlation_key": "fp|53ea84714d9bb9f0c424daa82b222888bd16d1dcccb6d1d689b747c249033543"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/generator-26.1.x/resourcepack-26.1.x/workspacebase/packloader/src/main/java/net/mcreator/packloader/PackLoaderMod.java"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 126356, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a2153d1ebf22c1969e04377f19b168e269ffbbff4e7db98e9b96684cf6a266d0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/generator-1.21.1/datapack-1.21.1/workspacebase/packloader/src/main/java/net/mcreator/packloader/PackLoaderMod.java", "duplicate_line": 15, "correlation_key": "fp|a2153d1ebf22c1969e04377f19b168e269ffbbff4e7db98e9b96684cf6a266d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/generator-26.1.x/datapack-26.1.x/workspacebase/packloader/src/main/java/net/mcreator/packloader/PackLoaderMod.java"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 126318, "scanner": "repobility-threat-engine", "fingerprint": "c8879ab00de2329c799bb9d3b5e4dfecdbf68a0d6c70c270118b51882c927dad", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"gradlew \" + paramsBuilder + \" --stop\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c8879ab00de2329c799bb9d3b5e4dfecdbf68a0d6c70c270118b51882c927dad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/gradle/GradleDaemonUtils.java"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 126317, "scanner": "repobility-threat-engine", "fingerprint": "cb076853436de292911456a5864e946a637f7670dd387a453b69ebc2e687e56d", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Mod element type \" + typeName + \" is not a registered type\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cb076853436de292911456a5864e946a637f7670dd387a453b69ebc2e687e56d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/element/ModElementTypeLoader.java"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 126316, "scanner": "repobility-threat-engine", "fingerprint": "6790053781ea8f0859b0f6a975ae0b10e970a85c05075944f198c22b02785f95", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"blockly.category.\" + id + \".description\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6790053781ea8f0859b0f6a975ae0b10e970a85c05075944f198c22b02785f95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/data/ToolboxCategory.java"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 126351, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "MINED092", "level": "none", "message": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "properties": {"repobilityId": 126347, "scanner": "repobility-threat-engine", "fingerprint": "ca7dd64d11a33f1e0395624d9fae3760b6abbd5fdf44d4e36402cdbb3c1a6d72", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-runtime-exec", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348152+00:00", "triaged_in_corpus": 15, "observations_count": 250, "ai_coder_pattern_id": 125}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca7dd64d11a33f1e0395624d9fae3760b6abbd5fdf44d4e36402cdbb3c1a6d72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/util/DesktopUtils.java"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED092", "level": "none", "message": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "properties": {"repobilityId": 126346, "scanner": "repobility-threat-engine", "fingerprint": "10334516e59ff55bbbafdc1f86acb8eb0f9fac557c426a80bf66892db9640075", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-runtime-exec", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348152+00:00", "triaged_in_corpus": 15, "observations_count": 250, "ai_coder_pattern_id": 125}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10334516e59ff55bbbafdc1f86acb8eb0f9fac557c426a80bf66892db9640075"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/minecraft/BedrockUtils.java"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED092", "level": "none", "message": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "properties": {"repobilityId": 126345, "scanner": "repobility-threat-engine", "fingerprint": "cf012778bef216431c0dfc45a7ed1a8a5a90b212bc20a5ff12a8d66cfa1f2547", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-runtime-exec", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348152+00:00", "triaged_in_corpus": 15, "observations_count": 250, "ai_coder_pattern_id": 125}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cf012778bef216431c0dfc45a7ed1a8a5a90b212bc20a5ff12a8d66cfa1f2547"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/io/WindowsProcessUtil.java"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 126344, "scanner": "repobility-threat-engine", "fingerprint": "9ad9bf0c265cd321c150a08a072a8e145739f2cd1982875a84041789b62e4bac", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9ad9bf0c265cd321c150a08a072a8e145739f2cd1982875a84041789b62e4bac"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 126340, "scanner": "repobility-threat-engine", "fingerprint": "67ae2876ec2706c35f8021ea3b84b7e1c181e5b9746eca76b603a45a1bd05d45", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|67ae2876ec2706c35f8021ea3b84b7e1c181e5b9746eca76b603a45a1bd05d45"}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 126336, "scanner": "repobility-threat-engine", "fingerprint": "f338b306d144ac84aa07f18150c80a7e1bb3eb4e87f18887ec8eb608321d53c8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f338b306d144ac84aa07f18150c80a7e1bb3eb4e87f18887ec8eb608321d53c8", "aggregated_count": 21}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 126335, "scanner": "repobility-threat-engine", "fingerprint": "b865cf3b2c64ad3c3d6498cacd815b6124c4df4765b6ae55a3dce5fabab8de48", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b865cf3b2c64ad3c3d6498cacd815b6124c4df4765b6ae55a3dce5fabab8de48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/io/net/api/MCreatorNetWebAPI.java"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 126334, "scanner": "repobility-threat-engine", "fingerprint": "9a81ec2242cdc69d4a247c8d8988a4ac452385af37782c0195e756caea9dc817", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9a81ec2242cdc69d4a247c8d8988a4ac452385af37782c0195e756caea9dc817"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/io/net/analytics/GoogleAnalytics.java"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 126333, "scanner": "repobility-threat-engine", "fingerprint": "c48c357f05c1674e0f5f1f37065b39db5ad800da86c81cf1698e6ad4b9d1730d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c48c357f05c1674e0f5f1f37065b39db5ad800da86c81cf1698e6ad4b9d1730d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/io/FileWatcher.java"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC012", "level": "none", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 126331, "scanner": "repobility-threat-engine", "fingerprint": "01719e91d6b056e6f8fff9d130e21cbdd9607571fade2b12d1f6f640825fbcc5", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|01719e91d6b056e6f8fff9d130e21cbdd9607571fade2b12d1f6f640825fbcc5"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 126327, "scanner": "repobility-threat-engine", "fingerprint": "43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 126323, "scanner": "repobility-threat-engine", "fingerprint": "b33b9fa30193bee8937fded79de0a89e3cbc0227353c6d1fa8988e662e74e331", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b33b9fa30193bee8937fded79de0a89e3cbc0227353c6d1fa8988e662e74e331"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 126322, "scanner": "repobility-threat-engine", "fingerprint": "7e871d0a2114c738158505de504ec460da5ef32bb933ee90f96d3b80263d0d55", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|60|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/ui/dialogs/imageeditor/ResizeDialog.java"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 126321, "scanner": "repobility-threat-engine", "fingerprint": "76335be72583d470d3c5e6cd0b54e4125355b55af1681fe779eb8cb36bccd66d", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|118|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/ui/dialogs/imageeditor/HSVNoiseDialog.java"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 126320, "scanner": "repobility-threat-engine", "fingerprint": "e0e7bfab874edb21353df86e5955f82cf99dc9f78f66d457b9873a8de6f22a92", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|67|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/element/parts/gui/GUIComponent.java"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 126319, "scanner": "repobility-threat-engine", "fingerprint": "5134ba67b8ed6497b08de31fab74f32c7fddcd1b4cdf063410937f25f8c61de3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5134ba67b8ed6497b08de31fab74f32c7fddcd1b4cdf063410937f25f8c61de3"}}}, {"ruleId": "SEC024", "level": "none", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 126315, "scanner": "repobility-threat-engine", "fingerprint": "65b9bec63cb4dcf63338869bbc114258c209fb378831a4bb9e52308b7af89a96", "category": "xxe", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|65b9bec63cb4dcf63338869bbc114258c209fb378831a4bb9e52308b7af89a96"}}}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 126311, "scanner": "repobility-threat-engine", "fingerprint": "22261aee403ea1adcb8202cfe00770c21ddc3c940393a300a575e5f428d35529", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|22261aee403ea1adcb8202cfe00770c21ddc3c940393a300a575e5f428d35529"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/Launcher.java"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 126310, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 126309, "scanner": "repobility-threat-engine", "fingerprint": "8fe6ad25e8b2082d6443f33617c44abaf26742cf4d47315e8a2a042e96ff7cfa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8fe6ad25e8b2082d6443f33617c44abaf26742cf4d47315e8a2a042e96ff7cfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/ui/blockly/BlocklyPanel.java"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 126308, "scanner": "repobility-threat-engine", "fingerprint": "cd5e6392b0bbe73149970880c6c9a9b041fe646882f48e03a563d8f399fdb2ca", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cd5e6392b0bbe73149970880c6c9a9b041fe646882f48e03a563d8f399fdb2ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/data/Dependency.java"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 126307, "scanner": "repobility-threat-engine", "fingerprint": "220b7ca5f461ca273ec7de3f1d6e3834a2c21ff63d4571befc6c35fa34f977ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|220b7ca5f461ca273ec7de3f1d6e3834a2c21ff63d4571befc6c35fa34f977ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/mcreator-core/blockly/js/field_mcitem_selector.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `plugins/generator-26.1.x/neoforge-26.1.2/workspacebase/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `plugins/generator-26.1.x/neoforge-26.1.2/workspacebase/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 1192 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 126414, "scanner": "repobility-supply-chain", "fingerprint": "943c613bcd5cbc641400df1eba4911f8ed88be91b8fe5735679ed8f8c10be6a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|943c613bcd5cbc641400df1eba4911f8ed88be91b8fe5735679ed8f8c10be6a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/generator-26.1.x/neoforge-26.1.2/workspacebase/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `plugins/generator-26.1.x/resourcepack-26.1.x/workspacebase/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `plugins/generator-26.1.x/resourcepack-26.1.x/workspacebase/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 1192 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 126413, "scanner": "repobility-supply-chain", "fingerprint": "55acda49bfd908ed02737f3c50ed56e49b8cba92ebac8c38ef59452bf54c4bf0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|55acda49bfd908ed02737f3c50ed56e49b8cba92ebac8c38ef59452bf54c4bf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/generator-26.1.x/resourcepack-26.1.x/workspacebase/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `plugins/generator-26.1.x/datapack-26.1.x/workspacebase/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `plugins/generator-26.1.x/datapack-26.1.x/workspacebase/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 1192 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 126412, "scanner": "repobility-supply-chain", "fingerprint": "cbe4d0247f5f167b43ff16a826bd1204618a0b02e74ed477b24c3a5a99159885", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cbe4d0247f5f167b43ff16a826bd1204618a0b02e74ed477b24c3a5a99159885"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/generator-26.1.x/datapack-26.1.x/workspacebase/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `plugins/generator-addon-26.1x/addon-26.1x/workspacebase/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `plugins/generator-addon-26.1x/addon-26.1x/workspacebase/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 1192 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 126411, "scanner": "repobility-supply-chain", "fingerprint": "b9e84851ee4fa9ba906f4db3de1fca68c53e33f150615cf90530f06aa4b7b6bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b9e84851ee4fa9ba906f4db3de1fca68c53e33f150615cf90530f06aa4b7b6bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/generator-addon-26.1x/addon-26.1x/workspacebase/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `plugins/generator-1.21.1/resourcepack-1.21.1/workspacebase/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `plugins/generator-1.21.1/resourcepack-1.21.1/workspacebase/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 1192 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 126410, "scanner": "repobility-supply-chain", "fingerprint": "874c82450b5e6d1c287d756181854b0810935870835927698cdbdc22acc5f203", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|874c82450b5e6d1c287d756181854b0810935870835927698cdbdc22acc5f203"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/generator-1.21.1/resourcepack-1.21.1/workspacebase/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `plugins/generator-1.21.1/neoforge-1.21.1/workspacebase/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `plugins/generator-1.21.1/neoforge-1.21.1/workspacebase/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 1192 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 126409, "scanner": "repobility-supply-chain", "fingerprint": "c4c41e6d00f0900957eae8132c95586f02973e85d136302305aa16d7d6d537e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4c41e6d00f0900957eae8132c95586f02973e85d136302305aa16d7d6d537e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/generator-1.21.1/neoforge-1.21.1/workspacebase/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `plugins/generator-1.21.1/datapack-1.21.1/workspacebase/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `plugins/generator-1.21.1/datapack-1.21.1/workspacebase/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 1192 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 126408, "scanner": "repobility-supply-chain", "fingerprint": "493f4e04b163ae75de0f7723c6459f702069eea1740d028f8a6d65dd263c8a1a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|493f4e04b163ae75de0f7723c6459f702069eea1740d028f8a6d65dd263c8a1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/generator-1.21.1/datapack-1.21.1/workspacebase/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 1192 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 126407, "scanner": "repobility-supply-chain", "fingerprint": "4085d2bc064eb8b3961977db6b0990370e5ab01cd7a2868d3966628bf1e15975", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4085d2bc064eb8b3961977db6b0990370e5ab01cd7a2868d3966628bf1e15975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/dependency-submission` pinned to mutable ref `@v5`: `uses: gradle/actions/dependency-submission@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126406, "scanner": "repobility-supply-chain", "fingerprint": "188dc18c8891de2090cabee489bc569443f7260089af29fbde6f633a7b5cd060", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|188dc18c8891de2090cabee489bc569443f7260089af29fbde6f633a7b5cd060"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependency-submission.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126405, "scanner": "repobility-supply-chain", "fingerprint": "74ef017862aa99f0e19e02cb0755c1c31dca7a848b1c1e6b67740486531cb790", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|74ef017862aa99f0e19e02cb0755c1c31dca7a848b1c1e6b67740486531cb790"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependency-submission.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126404, "scanner": "repobility-supply-chain", "fingerprint": "43aa209305cec475783dbbb3f925054aefb82338ec8c653b8b07ccec9d927b2e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43aa209305cec475783dbbb3f925054aefb82338ec8c653b8b07ccec9d927b2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependency-submission.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126403, "scanner": "repobility-supply-chain", "fingerprint": "952b918b31cc6184bb17d41b548091661918d4c768d85616619bf9757a978a2b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|952b918b31cc6184bb17d41b548091661918d4c768d85616619bf9757a978a2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/crowdin-pull.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126402, "scanner": "repobility-supply-chain", "fingerprint": "c43aa3d2b89974650a8d3506090ce5b3d23a161f8a6590b270c8e6289451d0b9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c43aa3d2b89974650a8d3506090ce5b3d23a161f8a6590b270c8e6289451d0b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/crowdin-push.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v5`: `uses: gradle/actions/setup-gradle@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126401, "scanner": "repobility-supply-chain", "fingerprint": "4641e40120e7c783c0484702aa8851b5906cacb7c65755391895f70f652309a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4641e40120e7c783c0484702aa8851b5906cacb7c65755391895f70f652309a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/documentation.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126400, "scanner": "repobility-supply-chain", "fingerprint": "2fe42d9c6a8e53e44aec05cc2d8a5ebf8188bc2f56833988b85acc4f297d4dc8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2fe42d9c6a8e53e44aec05cc2d8a5ebf8188bc2f56833988b85acc4f297d4dc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/documentation.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126399, "scanner": "repobility-supply-chain", "fingerprint": "b46038fd52b44e959e205a091d3f5263cf1dfb2cdd57da690268099ad3fecfa3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b46038fd52b44e959e205a091d3f5263cf1dfb2cdd57da690268099ad3fecfa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/documentation.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126398, "scanner": "repobility-supply-chain", "fingerprint": "204f7927fb082ea834c568c915d1fc3d2d86dfb403dadc9c7cb908c8f8ee45e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|204f7927fb082ea834c568c915d1fc3d2d86dfb403dadc9c7cb908c8f8ee45e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 253}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v5`: `uses: gradle/actions/setup-gradle@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126397, "scanner": "repobility-supply-chain", "fingerprint": "7d06384d10358660ff839525511e01de4b5952d5d5beaed97a14e65328a62401", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d06384d10358660ff839525511e01de4b5952d5d5beaed97a14e65328a62401"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126396, "scanner": "repobility-supply-chain", "fingerprint": "474f3bf9ae35f35a4dae27882292ac4902aaeca7cc34b1a12a55ae5ac305e3d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|474f3bf9ae35f35a4dae27882292ac4902aaeca7cc34b1a12a55ae5ac305e3d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126395, "scanner": "repobility-supply-chain", "fingerprint": "bbcb919f3e0d1f3cff603c724b14a0920dc06ded9339ebe84324f45468117664", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bbcb919f3e0d1f3cff603c724b14a0920dc06ded9339ebe84324f45468117664"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v5`: `uses: gradle/actions/setup-gradle@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126394, "scanner": "repobility-supply-chain", "fingerprint": "d97a4c3c39627eebf88f27ddcfadd39f7132ad0578dda02aa581ddc206cff43d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d97a4c3c39627eebf88f27ddcfadd39f7132ad0578dda02aa581ddc206cff43d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126393, "scanner": "repobility-supply-chain", "fingerprint": "3ab748c7f3a50c12f01f2df52654cbdd02cf36da39588e8f4827f611ead2bafa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ab748c7f3a50c12f01f2df52654cbdd02cf36da39588e8f4827f611ead2bafa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126392, "scanner": "repobility-supply-chain", "fingerprint": "a60a3091525a8c3b52aad5a1f7a957f82fb0e6739bcf7a3f3acefe4ec0fafc3c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a60a3091525a8c3b52aad5a1f7a957f82fb0e6739bcf7a3f3acefe4ec0fafc3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v5`: `uses: gradle/actions/setup-gradle@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126391, "scanner": "repobility-supply-chain", "fingerprint": "49e844a265cec30dafaf79f254211c0fa0e3a77b8a859c21d394bdd474e43bba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|49e844a265cec30dafaf79f254211c0fa0e3a77b8a859c21d394bdd474e43bba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126390, "scanner": "repobility-supply-chain", "fingerprint": "0704820da8243d4d563a3d66764edbcdad4867caf4ecb65504fd5d081d623fca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0704820da8243d4d563a3d66764edbcdad4867caf4ecb65504fd5d081d623fca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126389, "scanner": "repobility-supply-chain", "fingerprint": "c4820dc451907807c72bae37f6aeee7d261e6d3b123903d541d48b6f4f08b070", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4820dc451907807c72bae37f6aeee7d261e6d3b123903d541d48b6f4f08b070"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v5`: `uses: gradle/actions/setup-gradle@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126388, "scanner": "repobility-supply-chain", "fingerprint": "ffa0d92975d46d145d541acfa7591f7ef151325144e2ee26efa35b3b2badd756", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ffa0d92975d46d145d541acfa7591f7ef151325144e2ee26efa35b3b2badd756"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126387, "scanner": "repobility-supply-chain", "fingerprint": "8f71f129e53b23773e4f529a184973a8e2ffb585ca8ec426cdda3cce2b26ecf7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f71f129e53b23773e4f529a184973a8e2ffb585ca8ec426cdda3cce2b26ecf7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126386, "scanner": "repobility-supply-chain", "fingerprint": "f111115dabd6bb9a7f36bd84ec7b6fa8d002ee89ce66d26d392ce7e3672f1c16", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f111115dabd6bb9a7f36bd84ec7b6fa8d002ee89ce66d26d392ce7e3672f1c16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126385, "scanner": "repobility-supply-chain", "fingerprint": "5126cd4c77d91bb03b469383bee3215fedef43975af5e83c2ae5eb561caa3436", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5126cd4c77d91bb03b469383bee3215fedef43975af5e83c2ae5eb561caa3436"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v5`: `uses: gradle/actions/setup-gradle@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126384, "scanner": "repobility-supply-chain", "fingerprint": "b0b021378d236020f14a0b6a502d7a650bc3db1ede4b45a768e1d9d8064ed7e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0b021378d236020f14a0b6a502d7a650bc3db1ede4b45a768e1d9d8064ed7e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126383, "scanner": "repobility-supply-chain", "fingerprint": "807a81d8d51006093ee91dcdc273e6fb28988907555198a006c3f6fc19c74019", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|807a81d8d51006093ee91dcdc273e6fb28988907555198a006c3f6fc19c74019"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 126382, "scanner": "repobility-supply-chain", "fingerprint": "901c9c96728215b669d4f854026ab79b84f7d8f490e4d05ee6659006b745d65a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|901c9c96728215b669d4f854026ab79b84f7d8f490e4d05ee6659006b745d65a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC106", "level": "error", "message": {"text": "[SEC106] Block cipher in ECB mode (AES/DES/Blowfish): ECB mode leaks block-level structure \u2014 identical plaintext blocks encrypt to identical ciphertext (the famous Tux image). Bare `Cipher.getInstance(\"AES\")` defaults to ECB on most JVMs."}, "properties": {"repobilityId": 126353, "scanner": "repobility-threat-engine", "fingerprint": "da3b348b7293bd72951a5f33b7f9af74d09f630a69dc43d5f67472bd6a745350", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Cipher.getInstance(\"AES\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC106", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|29|sec106"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/util/EncryptUtils.java"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 126352, "scanner": "repobility-threat-engine", "fingerprint": "126bde178bd5b3db17a39ef6c88eddc2d9b7a39e62e2740b22b43c6f39ac7d7c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|126bde178bd5b3db17a39ef6c88eddc2d9b7a39e62e2740b22b43c6f39ac7d7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/ui/views/editor/image/metadata/MetadataManager.java"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 126350, "scanner": "repobility-threat-engine", "fingerprint": "59e0e29b61c6fd6492318e9b84c8e3b0cfe9975c90bc66d54f38968e14c76264", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|59e0e29b61c6fd6492318e9b84c8e3b0cfe9975c90bc66d54f38968e14c76264"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/io/net/api/IWebAPI.java"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 126349, "scanner": "repobility-threat-engine", "fingerprint": "d450030912b3d5b8cc271d0df7a9fcfb86e18e084bdfc00886d947549af8ca1e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(M", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d450030912b3d5b8cc271d0df7a9fcfb86e18e084bdfc00886d947549af8ca1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/io/net/analytics/GoogleAnalytics.java"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 126348, "scanner": "repobility-threat-engine", "fingerprint": "0d8574abbc3d0779cd7bfe945ea08e124c50e8c2c6cc6ddeb05b63067ad84134", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0d8574abbc3d0779cd7bfe945ea08e124c50e8c2c6cc6ddeb05b63067ad84134"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/io/net/WebIO.java"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 126343, "scanner": "repobility-threat-engine", "fingerprint": "fd93093e107040acf4a4aeff96bec087400e66883be6488fa40d2a5b1e2566d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(GradleConsole", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd93093e107040acf4a4aeff96bec087400e66883be6488fa40d2a5b1e2566d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/ui/action/impl/gradle/ClearAllGradleCachesAction.java"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 126342, "scanner": "repobility-threat-engine", "fingerprint": "d8dbbfe4f0fc6a3219a4a4c02dc1ae0a6a009b8962af2db335e3d4c0a11f9b6f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(new", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d8dbbfe4f0fc6a3219a4a4c02dc1ae0a6a009b8962af2db335e3d4c0a11f9b6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/minecraft/BedrockUtils.java"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 126341, "scanner": "repobility-threat-engine", "fingerprint": "17f02fb317c05a93474c1408c3833abe8357c3ba00fdcf49a20390d4cb742b4c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(new", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|17f02fb317c05a93474c1408c3833abe8357c3ba00fdcf49a20390d4cb742b4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/io/WindowsProcessUtil.java"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 126326, "scanner": "repobility-threat-engine", "fingerprint": "4b911d1b0085a8b0051350d9de20192c350b2d0ca265b5660dfc43ab31ad0698", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "initScript.delete();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4b911d1b0085a8b0051350d9de20192c350b2d0ca265b5660dfc43ab31ad0698"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/gradle/GradleToolchainUtil.java"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 126325, "scanner": "repobility-threat-engine", "fingerprint": "68d0b6eb8427f321581f7e03bd7c0c91be6c405f9861ab6dd599ba562abde8c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "generatorFile.delete();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|68d0b6eb8427f321581f7e03bd7c0c91be6c405f9861ab6dd599ba562abde8c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/generator/setup/WorkspaceGeneratorSetup.java"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 126324, "scanner": "repobility-threat-engine", "fingerprint": "80be711f15980521f4d1b1635a2a0de9f1b25762b460bf173c8ea95023ef0c30", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.delete();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|80be711f15980521f4d1b1635a2a0de9f1b25762b460bf173c8ea95023ef0c30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/generator/io/GradleTrackingFileIO.java"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 126314, "scanner": "repobility-threat-engine", "fingerprint": "c26b9638c1f9ede1395c9ce65cbc7edbd916e7364bade9fdf508ea2a5e163968", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c26b9638c1f9ede1395c9ce65cbc7edbd916e7364bade9fdf508ea2a5e163968"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/datapack/BlocklyToJSONTrigger.java"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 126313, "scanner": "repobility-threat-engine", "fingerprint": "1689fa381eef2b3a353fa6b1472bd7df6b23116bea3ead8a6eb911cb0d1e57fc", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1689fa381eef2b3a353fa6b1472bd7df6b23116bea3ead8a6eb911cb0d1e57fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/datapack/BlocklyToEnchantmentEffects.java"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 126312, "scanner": "repobility-threat-engine", "fingerprint": "bf1652d933aa181e8867d9f87d3d16f219b8aaacdc386aecdd80339165baaef2", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf1652d933aa181e8867d9f87d3d16f219b8aaacdc386aecdd80339165baaef2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/blockly/BlocklyTemplateIO.java"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC101", "level": "error", "message": {"text": "[SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Collections, etc.) leading to RCE."}, "properties": {"repobilityId": 126354, "scanner": "repobility-threat-engine", "fingerprint": "0741c1f6a6aa671ea08b8d4e607d2d14b767c2e37a09e4f95afb360cd0b57f48", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new ObjectInputStream(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC101", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|68|sec101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/net/mcreator/util/SingleAppHandler.java"}, "region": {"startLine": 68}}}]}]}]}