{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. 
For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. 
If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no 
robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC130", "name": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resemble", "shortDescription": {"text": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resembles a popular one but isn't published \u2014 a classic AI hallucination. Two risks: (1) the code crashes on install in fresh en"}, "fullDescription": {"text": "Verify the import resolves to a real, maintained package: check pypi.org / npmjs.com directly. If the package doesn't exist, the AI invented it \u2014 find the real package the AI was thinking of and swap. 
Pin all deps to known-good versions and require a registry allowlist in CI."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.", "shortDescription": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-690 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress (and 52 more): Same pattern found in 52 additional files. Review if needed.", "shortDescription": {"text": "[MINED048] Php Error Suppress (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 27 more): Same pattern found in 27 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution (and 2 more): Same pattern found in 2 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED098] Global Scope Pollution (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 19 more): Same pattern found in 19 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 10 more): Same pattern found in 10 additional files. 
Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 35 more): Same pattern found in 35 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nAlso block loopback (127/8, ::1) and the IPv6 private and link-local ranges (fc00::/7, fe80::/10), and check the address the hostname resolves to, re-checking after each redirect."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED086", "name": "[MINED086] Kotlin Runtime Exception (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED086] Kotlin Runtime Exception (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. 
Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 63 more): Same pattern found in 63 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 63 more): Same pattern found in 63 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `packages/gradle-plugin/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/gr", "shortDescription": {"text": "[MINED134] Binary file `packages/gradle-plugin/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/gradle-plugin/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,966 bytes) committed to a repo that otherwise has 51"}, "fullDescription": {"text": "Audit the binary's provenance. 
If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `reactnativecommunity/react-native-android:latest` unpinned: `container/ser", "shortDescription": {"text": "[MINED126] Workflow container/services image `reactnativecommunity/react-native-android:latest` unpinned: `container/services image: reactnativecommunity/react-native-android:latest` without `@sha256:...` pulls a mutable tag at workflow-run"}, "fullDescription": {"text": "Replace with `reactnativecommunity/react-native-android:latest@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/stale` pinned to mutable ref `@v10`: `uses: actions/stale@v10` resolves at workflow-run time.", "shortDescription": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v10`: `uses: actions/stale@v10` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instan"}, "fullDescription": {"text": "Replace with: `uses: actions/stale@<40-char-sha>  # v10` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_empty_variant_definitions` of class `Tes", "shortDescription": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_empty_variant_definitions` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This r"}, "fullDescription": {"text": "Initialize `self.assertEqual = <default>` in __init__, or add a class-level default. If the class inherits the attribute from a base class (for example, a `unittest.TestCase` subclass inherits `assertEqual`), this finding is a false positive and no change is needed."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the resolved path is inside your expected base directory; compare whole path components (for example with os.path.commonpath()) rather than a plain string prefix, which would also accept a sibling directory whose name merely begins with the base directory's name. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED011", "name": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match.", "shortDescription": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. 
Use getOrElse / fold / match."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default.", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of servic"}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.GRADLE_CACHE_ENCRYPTION_KEY` on a `pull_request` trigger: This workflow triggers on `p", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.GRADLE_CACHE_ENCRYPTION_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.GRADLE_CACHE_ENCRYPTION_KEY }}` lets a PR from an"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed. `pull_request_target` runs with the base repository's secrets, so a job that checks out or builds the pull request's head commit exposes them to fork-controlled code; prefer removing the secret reference."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED005", "name": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection.", "shortDescription": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/737"}, "properties": {"repository": "facebook/react-native", "repoUrl": "https://github.com/facebook/react-native", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 60232, "scanner": "repobility-ast-engine", "fingerprint": "4c66b74d712173692152c38f535e7a88a8a3637765b45698a26b29f13ff8353f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4c66b74d712173692152c38f535e7a88a8a3637765b45698a26b29f13ff8353f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/parser/input_filters/main.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 60213, "scanner": "repobility-ast-engine", "fingerprint": "2a77d97a1f0dc69039505483bc38f9461adaa10da4700ba2a7845ff536790c6a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2a77d97a1f0dc69039505483bc38f9461adaa10da4700ba2a7845ff536790c6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/parser/__main__.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 60205, "scanner": "repobility-web-presence", "fingerprint": 
"5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 60204, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 60199, "scanner": "repobility-agent-runtime", "fingerprint": "fad68ebfae8f624eaa42d1bfc2e1f6f362e087ffb542cbe03c519c2910f57617", "category": "quality", "severity": "medium", "confidence": 0.72, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|fad68ebfae8f624eaa42d1bfc2e1f6f362e087ffb542cbe03c519c2910f57617"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dev-middleware/src/inspector-proxy/InspectorProxy.js"}, "region": {"startLine": 38}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 60198, "scanner": "repobility-agent-runtime", "fingerprint": "934d78d796f4f9b12b3d2fe437f77c798d3571d678d58fc58beba7158fa012eb", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|934d78d796f4f9b12b3d2fe437f77c798d3571d678d58fc58beba7158fa012eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/maestro-ios/action.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 60197, "scanner": "repobility-agent-runtime", "fingerprint": "bf47d4ceb1699b91906e3252ed54ab165617fddbee845f6929a9f8bf2ad6ae52", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": 
"repobility-agent-runtime", "references": [], "correlation_key": "fp|bf47d4ceb1699b91906e3252ed54ab165617fddbee845f6929a9f8bf2ad6ae52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/maestro-android/action.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 60166, "scanner": "repobility-ai-code-hygiene", "fingerprint": "679d843ee0891aa608aa34ca7cc5f912564ab3879997155cc97f327968f7a1ba", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "clean", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|679d843ee0891aa608aa34ca7cc5f912564ab3879997155cc97f327968f7a1ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release-testing/test-release-local-clean.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 60165, "scanner": "repobility-ai-code-hygiene", "fingerprint": "029ce7f2d8a389a5539cb7aed1202f24776ef38ca838e7d7a759abde0b8369da", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "clean", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "scripts/release-testing/test-release-local.js", "correlation_key": 
"fp|029ce7f2d8a389a5539cb7aed1202f24776ef38ca838e7d7a759abde0b8369da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release-testing/test-release-local-clean.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 60158, "scanner": "repobility-threat-engine", "fingerprint": "94c4119ca51e603cca7fd0615596ba45c773bdad73ef17b522a3f6cd54478b50", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (...) {\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|94c4119ca51e603cca7fd0615596ba45c773bdad73ef17b522a3f6cd54478b50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/React/CxxModule/RCTCxxUtils.mm"}, "region": {"startLine": 35}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 60157, "scanner": "repobility-threat-engine", "fingerprint": "a24fec2060e522d746dcb2a2b484f5fda814a768b478ed864ff70c62a92d65e8", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (NSException *) {\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a24fec2060e522d746dcb2a2b484f5fda814a768b478ed864ff70c62a92d65e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/react-native/React/Base/RCTAssert.m"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 60102, "scanner": "repobility-threat-engine", "fingerprint": "4c824721601a4f5049df75ebb46a52225463fb1dcff68ba4ffb10cbf8e04ebc8", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|27|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gradle-plugin/react-native-gradle-plugin/src/main/kotlin/com/facebook/react/tasks/GenerateCodegenArtifactsTask.kt"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 60101, "scanner": "repobility-threat-engine", "fingerprint": "07f70a96b37b16ead88017a137170a7a85755638660298ff5bc0f23fff9e312f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|33|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflow-scripts/publishTemplate.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 60100, "scanner": "repobility-threat-engine", "fingerprint": "7f7dea4b9dd46a36cbd5d24dd2e6e9c18513588c5a22a88b65c92ed55abe27f4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. 
token|108|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflow-scripts/maestro-android.js"}, "region": {"startLine": 108}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 60203, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 60202, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 60201, "scanner": "repobility-web-presence", "fingerprint": 
"fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 60200, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60196, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d67fd7346d85bf50cc6bc6ba6e885c0d9436ced932d4919e00089184ee668673", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/parsers/flow/components/componentsUtils.js", "duplicate_line": 207, "correlation_key": "fp|d67fd7346d85bf50cc6bc6ba6e885c0d9436ced932d4919e00089184ee668673"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/parsers/typescript/components/componentsUtils.js"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60195, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c0900fb9764d0c134e1dc3d9a9388d6756c4d6cfdcb02b45da82308a07a4f3d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/parsers/flow/components/commands.js", "duplicate_line": 104, "correlation_key": "fp|0c0900fb9764d0c134e1dc3d9a9388d6756c4d6cfdcb02b45da82308a07a4f3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/parsers/typescript/components/commands.js"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60194, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d88b3d691050adcfb5a6e63d1412126bc097e9500d848ea53c24280d535d69bc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears 
in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/parsers/flow/components/__test_fixtures__/failures.js", "duplicate_line": 282, "correlation_key": "fp|d88b3d691050adcfb5a6e63d1412126bc097e9500d848ea53c24280d535d69bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/parsers/typescript/components/__test_fixtures__/failures.js"}, "region": {"startLine": 245}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60193, "scanner": "repobility-ai-code-hygiene", "fingerprint": "abece8184c0600e13ab7967641871528f7759970bc7fd270d2a9ebd1aa327b52", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/parsers/parser.js", "duplicate_line": 3, "correlation_key": "fp|abece8184c0600e13ab7967641871528f7759970bc7fd270d2a9ebd1aa327b52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/parsers/parserMock.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60192, "scanner": "repobility-ai-code-hygiene", "fingerprint": "792643d052310f7066016ab6a7564818bc306ea3ae092cb42ade4a5af40a1317", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears 
in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/parsers/flow/parser.js", "duplicate_line": 1, "correlation_key": "fp|792643d052310f7066016ab6a7564818bc306ea3ae092cb42ade4a5af40a1317"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/parsers/parserMock.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60191, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a5b381a92e076d036c48d4bfb804a9e0fe732570189c3fb37d1de89b8975fc84", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/parsers/flow/parser.js", "duplicate_line": 1, "correlation_key": "fp|a5b381a92e076d036c48d4bfb804a9e0fe732570189c3fb37d1de89b8975fc84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/parsers/parser.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60190, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0cb12947fc8207c698817c67cc54b1632051b257328ffb989f33eb82d180a2d8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/modules/GenerateModuleJavaSpec.js", "duplicate_line": 135, "correlation_key": "fp|0cb12947fc8207c698817c67cc54b1632051b257328ffb989f33eb82d180a2d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/modules/GenerateModuleObjCpp/serializeEventEmitter.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60189, "scanner": "repobility-ai-code-hygiene", "fingerprint": "092b7fbb4ceb152863487d0a803a5eb70855f202096046b88fa7c05945366175", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/modules/GenerateModuleObjCpp/header/serializeConstantsStruct.js", "duplicate_line": 105, "correlation_key": "fp|092b7fbb4ceb152863487d0a803a5eb70855f202096046b88fa7c05945366175"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/modules/GenerateModuleObjCpp/header/serializeRegularStruct.js"}, "region": {"startLine": 103}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60188, "scanner": "repobility-ai-code-hygiene", "fingerprint": "435c64c7f841ecd27deb08a9135255145d2cc64e2176c185323dfe5209f203ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/modules/GenerateModuleJniCpp.js", "duplicate_line": 417, "correlation_key": "fp|435c64c7f841ecd27deb08a9135255145d2cc64e2176c185323dfe5209f203ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/modules/GenerateModuleJniH.js"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60187, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e18314af3bcff519ab2555dc9d26846721054b3eadd5de36f9284a3be40a98c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/modules/GenerateModuleJavaSpec.js", "duplicate_line": 1, "correlation_key": "fp|4e18314af3bcff519ab2555dc9d26846721054b3eadd5de36f9284a3be40a98c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/modules/GenerateModuleJniCpp.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60186, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd4397d8ef4e70a0749819055f20e143099aec53956a693ae7332f3322b1a5f8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/modules/GenerateModuleH.js", "duplicate_line": 198, "correlation_key": "fp|cd4397d8ef4e70a0749819055f20e143099aec53956a693ae7332f3322b1a5f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/modules/GenerateModuleJavaSpec.js"}, "region": {"startLine": 162}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60185, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e5b6ab3174cdfedf094a74be1f6e3c1ac736ada3156cc5df7c99c6f7b8f75f9d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GenerateThirdPartyFabricComponentsProviderH.js", "duplicate_line": 30, "correlation_key": "fp|e5b6ab3174cdfedf094a74be1f6e3c1ac736ada3156cc5df7c99c6f7b8f75f9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateThirdPartyFabricComponentsProviderObjCpp.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60184, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9cefc479621d4e3cfb4446e8c4f7e8c65a9e34bea14bf44c0de412890b3401fc", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GenerateComponentHObjCpp.js", "duplicate_line": 322, "correlation_key": "fp|9cefc479621d4e3cfb4446e8c4f7e8c65a9e34bea14bf44c0de412890b3401fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateThirdPartyFabricComponentsProviderH.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60183, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32b7edbfe0634f24e0aa3c188a1d3925e82754880d7037df862a452fbf3de30d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GeneratePropsCpp.js", "duplicate_line": 280, "correlation_key": "fp|32b7edbfe0634f24e0aa3c188a1d3925e82754880d7037df862a452fbf3de30d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateTests.js"}, "region": {"startLine": 144}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60182, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"07b679b493ad078c4de3e508668e5a3682f20f39d324ad0418df302095e55be2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GenerateShadowNodeH.js", "duplicate_line": 45, "correlation_key": "fp|07b679b493ad078c4de3e508668e5a3682f20f39d324ad0418df302095e55be2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateStateH.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60181, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7d7dfb7d76290a5a53baf1a5d145ad9e55cf50267d6a263a3a1387ab22a0634c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GeneratePropsCpp.js", "duplicate_line": 280, "correlation_key": "fp|7d7dfb7d76290a5a53baf1a5d145ad9e55cf50267d6a263a3a1387ab22a0634c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateStateH.js"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60180, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "e4647de29a8f70fbf1c1cc6cc844987417de2ec63b28f0f13ca048dc3fd9bc8d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GenerateStateCpp.js", "duplicate_line": 28, "correlation_key": "fp|e4647de29a8f70fbf1c1cc6cc844987417de2ec63b28f0f13ca048dc3fd9bc8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateStateH.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60179, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c792b3abb52298b51008c582a2dd67c72f0f31fb0f9b6a5df0331fd986f62c40", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GenerateShadowNodeH.js", "duplicate_line": 45, "correlation_key": "fp|c792b3abb52298b51008c582a2dd67c72f0f31fb0f9b6a5df0331fd986f62c40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateStateCpp.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60178, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "69ff0d4d6e37b23b99ae8bb760d2a2b62d963a7d49344741719703a7ebbcc53d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GeneratePropsCpp.js", "duplicate_line": 280, "correlation_key": "fp|69ff0d4d6e37b23b99ae8bb760d2a2b62d963a7d49344741719703a7ebbcc53d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateStateCpp.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60177, "scanner": "repobility-ai-code-hygiene", "fingerprint": "98492040195a136469a91ef0d0b7986f186820fdb36db316edc57ae7e60081b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GeneratePropsCpp.js", "duplicate_line": 280, "correlation_key": "fp|98492040195a136469a91ef0d0b7986f186820fdb36db316edc57ae7e60081b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateShadowNodeH.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
60176, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5eacac53013dea28da1fb80374f30b2fa901e081532d013d7d4783cc471b7a25", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GenerateComponentDescriptorCpp.js", "duplicate_line": 37, "correlation_key": "fp|5eacac53013dea28da1fb80374f30b2fa901e081532d013d7d4783cc471b7a25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateShadowNodeCpp.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60175, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b695ed0465e2537da395a9add1bb77f83cce5cebdcb4ac702fe0b179922b6661", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/CodegenSchema.js", "duplicate_line": 147, "correlation_key": "fp|b695ed0465e2537da395a9add1bb77f83cce5cebdcb4ac702fe0b179922b6661"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GeneratePropsJavaPojo/PojoCollector.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 60174, "scanner": "repobility-ai-code-hygiene", "fingerprint": "14f990215d84bd2f0b5bab646405e244e82584da3876e2d799346b94e3c18d46", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GeneratePropsJavaDelegate.js", "duplicate_line": 206, "correlation_key": "fp|14f990215d84bd2f0b5bab646405e244e82584da3876e2d799346b94e3c18d46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GeneratePropsJavaInterface.js"}, "region": {"startLine": 175}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60173, "scanner": "repobility-ai-code-hygiene", "fingerprint": "02edebe950f9f4f053298c68516fa444dc1317a25722353291bfefcd6f27e673", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GenerateComponentHObjCpp.js", "duplicate_line": 163, "correlation_key": "fp|02edebe950f9f4f053298c68516fa444dc1317a25722353291bfefcd6f27e673"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GeneratePropsJavaInterface.js"}, "region": {"startLine": 123}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 60172, "scanner": "repobility-ai-code-hygiene", "fingerprint": "44a858efa7628dfaf82ea889caf8028c9129ccfe687f5b35b9b7a67d647a30dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GeneratePropsCpp.js", "duplicate_line": 280, "correlation_key": "fp|44a858efa7628dfaf82ea889caf8028c9129ccfe687f5b35b9b7a67d647a30dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GeneratePropsH.js"}, "region": {"startLine": 727}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60171, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ab49610e6bba175ead2ad063e36bde49b92aa7e1c5d5c3921a78eacae95d6532", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GenerateEventEmitterCpp.js", "duplicate_line": 369, "correlation_key": "fp|ab49610e6bba175ead2ad063e36bde49b92aa7e1c5d5c3921a78eacae95d6532"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateEventEmitterH.js"}, "region": {"startLine": 282}}}]}, {"ruleId": "AIC003", "level": 
"note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60170, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c3a9578e13095735a80279706e19c270f6513022f5cd749d940e60028d25df9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-native-codegen/src/generators/components/GenerateComponentDescriptorCpp.js", "duplicate_line": 37, "correlation_key": "fp|5c3a9578e13095735a80279706e19c270f6513022f5cd749d940e60028d25df9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateComponentDescriptorH.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60169, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a3c9241d32702baa14de4852baf873b508654a6f28ebeab3ea17e803d85154e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/gradle-plugin/react-native-gradle-plugin/src/main/kotlin/com/facebook/react/tasks/GenerateEntryPointTask.kt", "duplicate_line": 11, "correlation_key": "fp|6a3c9241d32702baa14de4852baf873b508654a6f28ebeab3ea17e803d85154e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/gradle-plugin/react-native-gradle-plugin/src/main/kotlin/com/facebook/react/tasks/GeneratePackageListTask.kt"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60168, "scanner": "repobility-ai-code-hygiene", "fingerprint": "566db2235b5b20c0ffbd93153f341a3096be08769cde6d429ddcc32fac63c3fd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/eslint-plugin-specs/postpack.js", "duplicate_line": 12, "correlation_key": "fp|566db2235b5b20c0ffbd93153f341a3096be08769cde6d429ddcc32fac63c3fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eslint-plugin-specs/prepack.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60167, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ef577159c1c61ff329c3a7103e1da6608315e08e4035aa871a8584741c70921", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "flow-typed/npm/listr2_v8.x.x.js", "duplicate_line": 2, "correlation_key": "fp|1ef577159c1c61ff329c3a7103e1da6608315e08e4035aa871a8584741c70921"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "flow-typed/npm/listr_v14.x.x.js"}, "region": {"startLine": 
2}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 60122, "scanner": "repobility-threat-engine", "fingerprint": "fa814dcf18fa964a3301737850840c19f664133c8b692707b8d82406e30a3d51", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Bad mapping of event key ' +\n          key +\n          ', should be number but got '", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fa814dcf18fa964a3301737850840c19f664133c8b692707b8d82406e30a3d51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/Animated/AnimatedEvent.js"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 60121, "scanner": "repobility-threat-engine", "fingerprint": "4067bc7c4d9a0f20a996e3f91f890d019f18b6dd48c382ff357fc72f91192f2a", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Using custom debugger frontend path from ' +\n      ANSI_WHITE +\n      'process.env.REACT_NATIVE_DEB", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4067bc7c4d9a0f20a996e3f91f890d019f18b6dd48c382ff357fc72f91192f2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/debugger-frontend/index.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 60120, "scanner": "repobility-threat-engine", "fingerprint": "b43cc98708b6a75deaa5579f0f7a54a00adf1058b6e46f35cf1bfff5eb141f71", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'t know which android drawable suffix to use for scale: \" +\n        scale +\n        '\\nAsset: '", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b43cc98708b6a75deaa5579f0f7a54a00adf1058b6e46f35cf1bfff5eb141f71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/assets-registry/path-support.js"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 60164, "scanner": "repobility-threat-engine", "fingerprint": "e4056212a3ab0c4f57ea8e598541b39a089458eca5053aea9c818fba3fdd31e8", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|146|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/ReactAndroid/src/main/java/com/facebook/react/modules/blob/BlobModule.kt"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 60160, "scanner": "repobility-threat-engine", "fingerprint": "af122ab82161f2f0eabf774d72dc42e198191e4fccf86b61cbd1b75cf78f365f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af122ab82161f2f0eabf774d72dc42e198191e4fccf86b61cbd1b75cf78f365f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/React/Runtime/RCTHermesInstanceFactory.mm"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED042", "level": "none", 
"message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 60159, "scanner": "repobility-threat-engine", "fingerprint": "424d39acc9f50608ea40cd67b292f758d8424ed407e7a8b2ce9cf8dd6239cc16", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|424d39acc9f50608ea40cd67b292f758d8424ed407e7a8b2ce9cf8dd6239cc16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/React/Base/RCTManagedPointer.h"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC130", "level": "none", "message": {"text": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resembles a popular one but isn't published \u2014 a classic AI hallucination. Two risks: (1) the code crashes on install in fresh environments, and (2) supply-chain attackers publish typosquat packages targeting exactly these AI-hallucinated names, so installing succeeds and ships malware ('slopsquatting'). CWE-1357 (dependency on an unmaintained / unverified component). 
CVE-2024-class sup"}, "properties": {"repobilityId": 60156, "scanner": "repobility-threat-engine", "fingerprint": "d110d9aca625afb13f81fe5c29af797a2e71914b48970b575225fe32f52b7011", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b|mock|fixture|spec\\b' detected on same line", "evidence": {"match": "import ReactT", "reason": "Safe pattern 'test\\b|mock|fixture|spec\\b' detected on same line", "rule_id": "SEC130", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|d110d9aca625afb13f81fe5c29af797a2e71914b48970b575225fe32f52b7011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/Utilities/ReactNativeTestTools.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 60153, "scanner": "repobility-threat-engine", "fingerprint": "256c230a98f852cceffeebe2dbb65aa6541e56b6cfcea95da5f21206f9325948", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|256c230a98f852cceffeebe2dbb65aa6541e56b6cfcea95da5f21206f9325948"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/ReactAndroid/src/main/jni/first-party/jni-lib-merge/jni_lib_merge.c"}, "region": {"startLine": 118}}}]}, {"ruleId": 
"MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 60152, "scanner": "repobility-threat-engine", "fingerprint": "eb35b7624e9111efda05b4266346693b1bd6fcc75da94f3c1879fae599ba761e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb35b7624e9111efda05b4266346693b1bd6fcc75da94f3c1879fae599ba761e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/Image/RCTImageBlurUtils.mm"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "properties": {"repobilityId": 60150, "scanner": "repobility-threat-engine", "fingerprint": "ca416650f877042ed0093f503968cca7cbebae0070be4c3c488fa4d5bb99ca74", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 52 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ca416650f877042ed0093f503968cca7cbebae0070be4c3c488fa4d5bb99ca74", "aggregated_count": 52}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 60149, "scanner": "repobility-threat-engine", "fingerprint": "55d061d4b94540c7ed897ddf9eadbae4399721bccce211199da4095ca24cbbb0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|55d061d4b94540c7ed897ddf9eadbae4399721bccce211199da4095ca24cbbb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/AppDelegate/RCTRootViewFactory.mm"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. 
Hides real issues."}, "properties": {"repobilityId": 60148, "scanner": "repobility-threat-engine", "fingerprint": "e113c5b635d42f0c77671be5f2aa5e5d366e2e313b5eeb2f75a2a7304f5923dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e113c5b635d42f0c77671be5f2aa5e5d366e2e313b5eeb2f75a2a7304f5923dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/AppDelegate/RCTReactNativeFactory.mm"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. 
Hides real issues."}, "properties": {"repobilityId": 60147, "scanner": "repobility-threat-engine", "fingerprint": "ff40888a707997081ca6c7d00857e0974fc3c6d3f2ec7ea814e8b2640ef02067", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff40888a707997081ca6c7d00857e0974fc3c6d3f2ec7ea814e8b2640ef02067"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/AppDelegate/RCTAppSetupUtils.mm"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 60146, "scanner": "repobility-threat-engine", "fingerprint": "002ed18f0cc5b966c0e1016096182df7b33bfb6f2d7e2335f53c8bbed01ecaf8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|002ed18f0cc5b966c0e1016096182df7b33bfb6f2d7e2335f53c8bbed01ecaf8", "aggregated_count": 27}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 60145, "scanner": "repobility-threat-engine", "fingerprint": "18421cb08e725bd4dea6b6ddf11332333cc08a8de719012c99bef6361538e240", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|18421cb08e725bd4dea6b6ddf11332333cc08a8de719012c99bef6361538e240"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/Blob/RCTBlobManager.mm"}, "region": {"startLine": 318}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 60144, "scanner": "repobility-threat-engine", "fingerprint": "d4fb939233751aae13c73494d5f488611c8221c12b7e39def38d697beaf093bd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d4fb939233751aae13c73494d5f488611c8221c12b7e39def38d697beaf093bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/AppDelegate/RCTReactNativeFactory.mm"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 60143, "scanner": "repobility-threat-engine", "fingerprint": "925d93b5901a7ef897283af01adc4bfb98fe2e2b7c41a4a3f759c465ef4fa035", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|925d93b5901a7ef897283af01adc4bfb98fe2e2b7c41a4a3f759c465ef4fa035"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/AppDelegate/RCTAppSetupUtils.mm"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 60142, "scanner": "repobility-threat-engine", "fingerprint": "046c37193ae09c5e8a100a9025671591bdc22eb7b5b86b8d2b2c60d84c2ce506", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|046c37193ae09c5e8a100a9025671591bdc22eb7b5b86b8d2b2c60d84c2ce506", "aggregated_count": 2}}}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 60141, "scanner": "repobility-threat-engine", "fingerprint": "172c8740fe34b767778a35dcee781b75ca68c15995dd4cd9ea1752406aa63656", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|172c8740fe34b767778a35dcee781b75ca68c15995dd4cd9ea1752406aa63656"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/React/CoreModules/RCTAlertController.mm"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, 
"properties": {"repobilityId": 60140, "scanner": "repobility-threat-engine", "fingerprint": "15c87ac58e6871ae02eab9bfb0f47519c8f66518b4eb0a063308614f50f5c54c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15c87ac58e6871ae02eab9bfb0f47519c8f66518b4eb0a063308614f50f5c54c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/AppDelegate/RCTReactNativeFactory.mm"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 60139, "scanner": "repobility-threat-engine", "fingerprint": "d3c83f01df7f5d501d26da40decae37c03d4b7d2661f2d0ba3184539102b8b2e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d3c83f01df7f5d501d26da40decae37c03d4b7d2661f2d0ba3184539102b8b2e"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/AppDelegate/RCTAppDelegate.mm"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 60132, "scanner": "repobility-threat-engine", "fingerprint": "5fe2cf04427df05fc0aef7cf138aa979c1fc3f2cedae48cbd068d6e07c3f09f1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5fe2cf04427df05fc0aef7cf138aa979c1fc3f2cedae48cbd068d6e07c3f09f1", "aggregated_count": 2}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 60131, "scanner": "repobility-threat-engine", "fingerprint": "252fd3926773d535efc7f8c9f09edb1fa61592bcbac4f9b6b52011584462b94b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", 
"triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|252fd3926773d535efc7f8c9f09edb1fa61592bcbac4f9b6b52011584462b94b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/LogBox/UI/LogBoxInspectorCodeFrame.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 60130, "scanner": "repobility-threat-engine", "fingerprint": "a3f56b41aefe1e64aa3589f9547ad8af1dbcfb9fd66b142fb880ea79659e9155", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a3f56b41aefe1e64aa3589f9547ad8af1dbcfb9fd66b142fb880ea79659e9155"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/LogBox/UI/AnsiHighlight.js"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 60129, "scanner": "repobility-threat-engine", "fingerprint": "0675b22d27c99bc49a0aec32268de08daef9ae76c5c0d98efe3855ab0b336c93", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched 
with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0675b22d27c99bc49a0aec32268de08daef9ae76c5c0d98efe3855ab0b336c93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/new-app-screen/src/NewAppScreen.js"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 60127, "scanner": "repobility-threat-engine", "fingerprint": "bd54825b370df96cfa928aef9dad2eaa620fcffcb67884d1a0ca6a60cfaa3cb7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bd54825b370df96cfa928aef9dad2eaa620fcffcb67884d1a0ca6a60cfaa3cb7"}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "properties": {"repobilityId": 60123, "scanner": "repobility-threat-engine", "fingerprint": "097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1"}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 60119, "scanner": "repobility-threat-engine", "fingerprint": "ffb782f290bab3ad7da1b5e49009c4adffa6a90b0b1bcde792522e13c033d188", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ffb782f290bab3ad7da1b5e49009c4adffa6a90b0b1bcde792522e13c033d188"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 35 more): Same pattern found in 35 additional files. 
Review if needed."}, "properties": {"repobilityId": 60115, "scanner": "repobility-threat-engine", "fingerprint": "5e2766527e20fac411476d2b862dd1b322ae22e55a50062e6a0b3444674f119d", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5e2766527e20fac411476d2b862dd1b322ae22e55a50062e6a0b3444674f119d"}}}, {"ruleId": "MINED086", "level": "none", "message": {"text": "[MINED086] Kotlin Runtime Exception (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 60111, "scanner": "repobility-threat-engine", "fingerprint": "121632e8b8cfdea7e6b35934891afdb3be7684a619bd9d5c8619ad7f9e7dbfa3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "kotlin-runtime-exception", "owasp": null, "cwe_ids": [], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348138+00:00", "triaged_in_corpus": 12, "observations_count": 751, "ai_coder_pattern_id": 156}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|121632e8b8cfdea7e6b35934891afdb3be7684a619bd9d5c8619ad7f9e7dbfa3", "aggregated_count": 8}}}, {"ruleId": "MINED086", "level": "none", "message": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info."}, "properties": {"repobilityId": 60110, "scanner": "repobility-threat-engine", "fingerprint": "a41b175027727625249bbd127af5067dba38e47fc3e532e13952fe8b47f7ca75", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-runtime-exception", "owasp": null, "cwe_ids": [], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348138+00:00", "triaged_in_corpus": 12, "observations_count": 751, "ai_coder_pattern_id": 156}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a41b175027727625249bbd127af5067dba38e47fc3e532e13952fe8b47f7ca75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/ReactAndroid/src/main/java/com/facebook/react/bridge/queue/MessageQueueThreadImpl.kt"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED086", "level": "none", "message": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info."}, "properties": {"repobilityId": 60109, "scanner": "repobility-threat-engine", "fingerprint": "216fbb39f6a3c45283329b91ab7785ca50c3448364cea1b4d2d9475521f927b1", "category": "quality", "severity": "info", 
"confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-runtime-exception", "owasp": null, "cwe_ids": [], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348138+00:00", "triaged_in_corpus": 12, "observations_count": 751, "ai_coder_pattern_id": 156}, "scanner": "repobility-threat-engine", "correlation_key": "fp|216fbb39f6a3c45283329b91ab7785ca50c3448364cea1b4d2d9475521f927b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/ReactAndroid/src/main/java/com/facebook/react/ReactApplication.kt"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED086", "level": "none", "message": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info."}, "properties": {"repobilityId": 60108, "scanner": "repobility-threat-engine", "fingerprint": "3a5db925875a6879f30caefec017678dd331debdd38438ab20b97b5b8695e764", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-runtime-exception", "owasp": null, "cwe_ids": [], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348138+00:00", "triaged_in_corpus": 12, "observations_count": 751, "ai_coder_pattern_id": 156}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a5db925875a6879f30caefec017678dd331debdd38438ab20b97b5b8695e764"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build.gradle.kts"}, "region": {"startLine": 135}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "properties": {"repobilityId": 60107, "scanner": "repobility-threat-engine", "fingerprint": "b25ca6c2b6e8056e9e2c805b4ff75b5230249c907e2c0475c7bb8fc214cf24b0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b25ca6c2b6e8056e9e2c805b4ff75b5230249c907e2c0475c7bb8fc214cf24b0"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 60103, "scanner": "repobility-threat-engine", "fingerprint": "67ae2876ec2706c35f8021ea3b84b7e1c181e5b9746eca76b603a45a1bd05d45", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|67ae2876ec2706c35f8021ea3b84b7e1c181e5b9746eca76b603a45a1bd05d45"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 63 more): Same pattern found in 63 additional files. 
Review if needed."}, "properties": {"repobilityId": 60099, "scanner": "repobility-threat-engine", "fingerprint": "1f43cf3e55324c09886c45fd1ab520f5e1bf0722f34ea53718cfe24c5cc726a7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 63 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1f43cf3e55324c09886c45fd1ab520f5e1bf0722f34ea53718cfe24c5cc726a7", "aggregated_count": 63}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 60098, "scanner": "repobility-threat-engine", "fingerprint": "6616bd18f76da5eaf255ca9ad05111412ba9b89f41e02ed188ee7c1344934ff5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6616bd18f76da5eaf255ca9ad05111412ba9b89f41e02ed188ee7c1344934ff5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflow-scripts/maestro-ios.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 60097, "scanner": "repobility-threat-engine", "fingerprint": "c6d38b3896dee35a115f10715a924ab18dae102d9c6308dfd523fd30e754054b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c6d38b3896dee35a115f10715a924ab18dae102d9c6308dfd523fd30e754054b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflow-scripts/maestro-android.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 60096, "scanner": "repobility-threat-engine", "fingerprint": "bba966246493656c5bd2c8598fee88189625624e94c94bb43b42b7ea639157cc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bba966246493656c5bd2c8598fee88189625624e94c94bb43b42b7ea639157cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflow-scripts/extractIssueOncalls.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 60093, "scanner": "repobility-threat-engine", "fingerprint": "a11d84a9a6d4052ce0b8994f3a21a1e10fa0700e6dbd32d975f5ae33a89d61ba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a11d84a9a6d4052ce0b8994f3a21a1e10fa0700e6dbd32d975f5ae33a89d61ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflow-scripts/actOnLabel.js"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `packages/gradle-plugin/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/gradle-plugin/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,966 bytes) committed to a repo that otherwise has 5183 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. A `gradle-wrapper.jar` is also the file the Gradle Wrapper expects to be committed, so triage this finding by comparing the jar's SHA-256 with the checksum Gradle publishes for the wrapper version in use: a match indicates the stock wrapper, a mismatch warrants investigation."}, "properties": {"repobilityId": 60276, "scanner": "repobility-supply-chain", "fingerprint": "a29867adf33c2e125f61eeecf728bf1edcfbdc856e1b0b6d7cfa7c0b6c9f9b13", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a29867adf33c2e125f61eeecf728bf1edcfbdc856e1b0b6d7cfa7c0b6c9f9b13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gradle-plugin/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,966 bytes) committed to a repo that otherwise has 5183 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. A `gradle-wrapper.jar` is also the file the Gradle Wrapper expects to be committed, so triage this finding by comparing the jar's SHA-256 with the checksum Gradle publishes for the wrapper version in use: a match indicates the stock wrapper, a mismatch warrants investigation."}, "properties": {"repobilityId": 60275, "scanner": "repobility-supply-chain", "fingerprint": "8a52df577170ce6923c4ffe9200a614782563e1936767851bf92630a7a402f6d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a52df577170ce6923c4ffe9200a614782563e1936767851bf92630a7a402f6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `private/helloworld/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `private/helloworld/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (46,175 bytes) committed to a repo that otherwise has 5183 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. A `gradle-wrapper.jar` is also the file the Gradle Wrapper expects to be committed, so triage this finding by comparing the jar's SHA-256 with the checksum Gradle publishes for the wrapper version in use: a match indicates the stock wrapper, a mismatch warrants investigation."}, "properties": {"repobilityId": 60274, "scanner": "repobility-supply-chain", "fingerprint": "483c4ea35b3b8db73c83a4838c6c9ceff79dae986d8891f553c1bd759da4b2dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|483c4ea35b3b8db73c83a4838c6c9ceff79dae986d8891f553c1bd759da4b2dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "private/helloworld/android/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `reactnativecommunity/react-native-android:latest` unpinned: `container/services image: reactnativecommunity/react-native-android:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 60273, "scanner": "repobility-supply-chain", "fingerprint": "fd94bdf00763223854bcf752f17dedec7a8bca9678cc588ac266b58ff3f117ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd94bdf00763223854bcf752f17dedec7a8bca9678cc588ac266b58ff3f117ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-all.yml"}, "region": {"startLine": 349}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `reactnativecommunity/react-native-android:latest` unpinned: `container/services image: reactnativecommunity/react-native-android:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 60272, "scanner": "repobility-supply-chain", "fingerprint": "b03a7caec334af72ecc90e3abe1278ed2d1b8bff2e8ab5291e07ce94d58dbd6e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b03a7caec334af72ecc90e3abe1278ed2d1b8bff2e8ab5291e07ce94d58dbd6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-all.yml"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `reactnativecommunity/react-native-android:latest` unpinned: `container/services image: reactnativecommunity/react-native-android:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 60271, "scanner": "repobility-supply-chain", "fingerprint": "a0112e4efc94388f831a8bcf6ec9fce4870f9161fbcf2e877fe64ead9e5b48b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a0112e4efc94388f831a8bcf6ec9fce4870f9161fbcf2e877fe64ead9e5b48b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-all.yml"}, "region": {"startLine": 272}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `reactnativecommunity/react-native-android:latest` unpinned: `container/services image: reactnativecommunity/react-native-android:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 60270, "scanner": "repobility-supply-chain", "fingerprint": "c5eba6613592e32fa15e0b6d72a3ba06d12f43215926be5a9b6c60bdbb26c63f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c5eba6613592e32fa15e0b6d72a3ba06d12f43215926be5a9b6c60bdbb26c63f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-all.yml"}, "region": {"startLine": 227}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `reactnativecommunity/react-native-android:latest` unpinned: `container/services image: reactnativecommunity/react-native-android:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 60261, "scanner": "repobility-supply-chain", "fingerprint": "37a95cbb3a249f436ab9827f38ae21580341591ad3d8e6be16417117bdb30a70", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37a95cbb3a249f436ab9827f38ae21580341591ad3d8e6be16417117bdb30a70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `reactnativecommunity/react-native-android:latest` unpinned: `container/services image: reactnativecommunity/react-native-android:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 60260, "scanner": "repobility-supply-chain", "fingerprint": "ec356d8bce4edeee02f027839e048c8116b095296d2e19ee92fea64ca3b6bfb3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec356d8bce4edeee02f027839e048c8116b095296d2e19ee92fea64ca3b6bfb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v10`: `uses: actions/stale@v10` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60259, "scanner": "repobility-supply-chain", "fingerprint": "9fb8a43e4bc6a4f6df3ea1c42e665d8d07c4d126d3282c1057e0a77fb7b8ea8f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fb8a43e4bc6a4f6df3ea1c42e665d8d07c4d126d3282c1057e0a77fb7b8ea8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale-bot.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v10`: `uses: actions/stale@v10` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60258, "scanner": "repobility-supply-chain", "fingerprint": "c2d9c9959105e89287ebcea2f75a3edd7a699834acf8f551ffd0e02dd5b70823", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c2d9c9959105e89287ebcea2f75a3edd7a699834acf8f551ffd0e02dd5b70823"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale-bot.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60257, "scanner": "repobility-supply-chain", "fingerprint": "a21eabca9cadecaebca47e57309c8cb2d368944232444e61cf6943986da6109b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a21eabca9cadecaebca47e57309c8cb2d368944232444e61cf6943986da6109b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-bumped-packages.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60256, "scanner": "repobility-supply-chain", "fingerprint": "46004f448d2120d53794dc0812b41542fc963d78ed4a0335b07e6147ff8b4ecd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46004f448d2120d53794dc0812b41542fc963d78ed4a0335b07e6147ff8b4ecd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/on-issue-labeled.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60255, "scanner": "repobility-supply-chain", "fingerprint": "b0d3914f59ef6ca90679d6cdd10861c6dc4bf3bb2167a13a2b4cd1a93fa3235e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0d3914f59ef6ca90679d6cdd10861c6dc4bf3bb2167a13a2b4cd1a93fa3235e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/on-issue-labeled.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60254, "scanner": "repobility-supply-chain", "fingerprint": "73b96a3019cbebfd6292aa3b88fd925942b5d4f14225430d1d2cb430b10b46be", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73b96a3019cbebfd6292aa3b88fd925942b5d4f14225430d1d2cb430b10b46be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/on-issue-labeled.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60253, "scanner": "repobility-supply-chain", "fingerprint": "3b09a9b312477fd42d74b274baadc139d6d838fc068f409e5bcb6538aa55ba14", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b09a9b312477fd42d74b274baadc139d6d838fc068f409e5bcb6538aa55ba14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/on-issue-labeled.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60252, "scanner": "repobility-supply-chain", "fingerprint": "c4c1b42053338512bd242b858dfaca8f2936c77a7725e67960a0215bac8f4f30", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4c1b42053338512bd242b858dfaca8f2936c77a7725e67960a0215bac8f4f30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/on-issue-labeled.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60251, "scanner": "repobility-supply-chain", "fingerprint": "3c9835e4d6cb1517baf0f94af052286ea74b0d7403c1b088a9951e145b15ae6e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c9835e4d6cb1517baf0f94af052286ea74b0d7403c1b088a9951e145b15ae6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bump-podfile-lock.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `react-native-community/needs-attention` pinned to mutable ref `@v2.0.0`: `uses: react-native-community/needs-attention@v2.0.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60250, "scanner": "repobility-supply-chain", "fingerprint": "6155d850dddc97080b6303559edb7e465bf25d671ddd604f7933a4e633110d0b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6155d850dddc97080b6303559edb7e465bf25d671ddd604f7933a4e633110d0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/needs-attention.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60249, "scanner": "repobility-supply-chain", "fingerprint": "5331eadfd113b1aa7f44c2deea603818a47e70af0cf70ca993e4a2b841995b8c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5331eadfd113b1aa7f44c2deea603818a47e70af0cf70ca993e4a2b841995b8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/needs-attention.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60248, "scanner": "repobility-supply-chain", "fingerprint": "7289e7914e869599e4638431e2430887ea31eea001dcbee758f16b80bd9b5230", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7289e7914e869599e4638431e2430887ea31eea001dcbee758f16b80bd9b5230"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create-draft-release.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60247, "scanner": "repobility-supply-chain", "fingerprint": "cabe761ae5cc5ee2ec2e4e203cb4e51335239f67bd93c03596f4223fac643464", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cabe761ae5cc5ee2ec2e4e203cb4e51335239f67bd93c03596f4223fac643464"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create-draft-release.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60246, "scanner": "repobility-supply-chain", "fingerprint": "9e7a56d5e88e8162827d396a8d0b495c1fac65e767d3e0cedd5e55913b35b166", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9e7a56d5e88e8162827d396a8d0b495c1fac65e767d3e0cedd5e55913b35b166"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create-draft-release.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `reactnativecommunity/react-native-android:latest` unpinned: `container/services image: reactnativecommunity/react-native-android:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Pin workflow container and service images by digest (`image@sha256:...`), applying the same supply-chain discipline as for Dockerfile FROM lines."}, "properties": {"repobilityId": 60245, "scanner": "repobility-supply-chain", "fingerprint": "3643b9cf0d4a0ece63363b297c8bd2d2816889d67c62ea55dbf0768ab8b35809", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3643b9cf0d4a0ece63363b297c8bd2d2816889d67c62ea55dbf0768ab8b35809"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-release.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60244, "scanner": "repobility-supply-chain", "fingerprint": "82267010ee9a6ce3a72aff98c652eb99a7e3f83067dfc3788c7d00171064cdc0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82267010ee9a6ce3a72aff98c652eb99a7e3f83067dfc3788c7d00171064cdc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-release.yml"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60243, "scanner": "repobility-supply-chain", "fingerprint": "008ed8fbc6862d99eca050d320c645ad9671e7f4fd50c7e07c544e62abe27e51", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|008ed8fbc6862d99eca050d320c645ad9671e7f4fd50c7e07c544e62abe27e51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-release.yml"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60242, "scanner": "repobility-supply-chain", "fingerprint": "019a30941084e2ead742ad14946173469ff594a94b00edd4bb03a5a1bc739954", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|019a30941084e2ead742ad14946173469ff594a94b00edd4bb03a5a1bc739954"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-release.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60241, "scanner": "repobility-supply-chain", "fingerprint": "1b64a6459bc499396b5fc76750e7ba98765070e2fc0c57ecab084300d1998f8c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b64a6459bc499396b5fc76750e7ba98765070e2fc0c57ecab084300d1998f8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-release.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60240, "scanner": "repobility-supply-chain", "fingerprint": "e24e5de27485c14800cde3672a4bc1b5647dd5a73b9b5d055bcc8dd5d048653f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e24e5de27485c14800cde3672a4bc1b5647dd5a73b9b5d055bcc8dd5d048653f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-release.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60239, "scanner": "repobility-supply-chain", "fingerprint": "9b3ccc41c8eb3442966066851706f00c4058bf061f4d1b16bc24ad52f646815c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b3ccc41c8eb3442966066851706f00c4058bf061f4d1b16bc24ad52f646815c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-release.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60238, "scanner": "repobility-supply-chain", "fingerprint": "482950c0ecb7ee24f4e9718930e02de4ffcfcb253b1c103b07202f1e20ff2e02", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|482950c0ecb7ee24f4e9718930e02de4ffcfcb253b1c103b07202f1e20ff2e02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/generate-changelog.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60237, "scanner": "repobility-supply-chain", "fingerprint": "a3593e55aaf329379eef162606ffbf70523d125a56bb88d235061d0ffdb6e1ca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3593e55aaf329379eef162606ffbf70523d125a56bb88d235061d0ffdb6e1ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/generate-changelog.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60236, "scanner": "repobility-supply-chain", "fingerprint": "b0955a84532c121691ef1a8bf9567574a86ae78b4ff99c7f6970fc7279ef1b75", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0955a84532c121691ef1a8bf9567574a86ae78b4ff99c7f6970fc7279ef1b75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/close-pr.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `reactnativecommunity/react-native-android:latest` unpinned: `container/services image: reactnativecommunity/react-native-android:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Pin workflow container and service images by digest (`image@sha256:...`), applying the same supply-chain discipline as for Dockerfile FROM lines."}, "properties": {"repobilityId": 60235, "scanner": "repobility-supply-chain", "fingerprint": "71dd4defdb26e3b52eac80906bceea37254e66f34216234b79e5411264eececa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71dd4defdb26e3b52eac80906bceea37254e66f34216234b79e5411264eececa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fantom-tests.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60234, "scanner": "repobility-supply-chain", "fingerprint": "6c96a496e4ffc8ab54590edc8c1ef2ce3c32db9759054c4f26cedb597541e391", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c96a496e4ffc8ab54590edc8c1ef2ce3c32db9759054c4f26cedb597541e391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fantom-tests.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60233, "scanner": "repobility-supply-chain", "fingerprint": "2d3adbdaa3a8da78579321b2e1d0262d070a466258a930c0dfbb6cc444a965e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d3adbdaa3a8da78579321b2e1d0262d070a466258a930c0dfbb6cc444a965e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create-release.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_empty_variant_definitions` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance. The check described covers __init__ and class-level assignments, not inherited members: if `TestParseConfig` inherits from `unittest.TestCase`, `assertEqual` is an inherited method and the finding is a false positive, so confirm the base class before triaging."}, "properties": {"repobilityId": 60231, "scanner": "repobility-ast-engine", "fingerprint": "f4729000234f3855f3a19adcf7bcb9435b6ecf83ee328b2638cb89dac265d41c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f4729000234f3855f3a19adcf7bcb9435b6ecf83ee328b2638cb89dac265d41c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_empty_variant_definitions` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance. The check described covers __init__ and class-level assignments, not inherited members: if `TestParseConfig` inherits from `unittest.TestCase`, `assertEqual` is an inherited method and the finding is a false positive, so confirm the base class before triaging."}, "properties": {"repobilityId": 60230, "scanner": "repobility-ast-engine", "fingerprint": "f8f907f3dc2a4c63c0311a0e6a6bd3e4b503a92e22d3d373c8917585084aa649", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f8f907f3dc2a4c63c0311a0e6a6bd3e4b503a92e22d3d373c8917585084aa649"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_variant_definitions_override_base` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance. The check described covers __init__ and class-level assignments, not inherited members: if `TestParseConfig` inherits from `unittest.TestCase`, `assertEqual` is an inherited method and the finding is a false positive, so confirm the base class before triaging."}, "properties": {"repobilityId": 60229, "scanner": "repobility-ast-engine", "fingerprint": "b6f99d2e101d7e29246b31776a91509a7be8f6e04636c6d39c97f48a8a0ba892", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b6f99d2e101d7e29246b31776a91509a7be8f6e04636c6d39c97f48a8a0ba892"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_variant_definitions_override_base` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60228, "scanner": "repobility-ast-engine", "fingerprint": "43f97ede529db5b2e70d3918e1e1c4560e4ffe10d81f395d939650fde35dfce0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|43f97ede529db5b2e70d3918e1e1c4560e4ffe10d81f395d939650fde35dfce0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_base_definitions_merged_with_variant` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60227, "scanner": "repobility-ast-engine", "fingerprint": "f35606066b4b9f6d491e2d8195c4d32fd57b676ed7d7fc25140b5aefe2df2ca3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f35606066b4b9f6d491e2d8195c4d32fd57b676ed7d7fc25140b5aefe2df2ca3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_base_definitions_merged_with_variant` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60226, "scanner": "repobility-ast-engine", "fingerprint": "57d546f6050edd3cc641fda9dbee9a89a23c04395964fdad7be649c3632734dc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|57d546f6050edd3cc641fda9dbee9a89a23c04395964fdad7be649c3632734dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_base_definitions_merged_with_variant` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60225, "scanner": "repobility-ast-engine", "fingerprint": "aa0b66931e8fd5cf52fd54fb41ca88d47f7437abffd70ff53c38e8217422dea0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aa0b66931e8fd5cf52fd54fb41ca88d47f7437abffd70ff53c38e8217422dea0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_single_view_with_variants` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60224, "scanner": "repobility-ast-engine", "fingerprint": "45d65eacadbb1b0cb1599c0627a850bed3f1323400d11da9ae25d04a2d1694b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|45d65eacadbb1b0cb1599c0627a850bed3f1323400d11da9ae25d04a2d1694b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_single_view_with_variants` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60223, "scanner": "repobility-ast-engine", "fingerprint": "33120adbe8d4df04f800210f4722da1456f4ad5a27d018c3da69d1d303560a8c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|33120adbe8d4df04f800210f4722da1456f4ad5a27d018c3da69d1d303560a8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_single_view_with_variants` of class `TestParseConfig` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60222, "scanner": "repobility-ast-engine", "fingerprint": "bacf15e09ab050c50c61cef1fa7990bb31e12d75a3f47908432b30bc6612aeda", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bacf15e09ab050c50c61cef1fa7990bb31e12d75a3f47908432b30bc6612aeda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_single_view_with_variants` of class `TestParseConfig` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60221, "scanner": "repobility-ast-engine", "fingerprint": "de93399a304b83258a1f2ff52b42df92ecd9e09cf0d5e57f9b26e3f87f7a154a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de93399a304b83258a1f2ff52b42df92ecd9e09cf0d5e57f9b26e3f87f7a154a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_single_view_with_variants` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60220, "scanner": "repobility-ast-engine", "fingerprint": "c6e5f1dd4f7bce65b045b72cda367c3303ac7596539207419bd843a351bace53", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6e5f1dd4f7bce65b045b72cda367c3303ac7596539207419bd843a351bace53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_single_view_no_variants` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60219, "scanner": "repobility-ast-engine", "fingerprint": "473f1679376a927911ada750f8fcb9d5d7351e7b049f66c2f47441b4d4f21483", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|473f1679376a927911ada750f8fcb9d5d7351e7b049f66c2f47441b4d4f21483"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_single_view_no_variants` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60218, "scanner": "repobility-ast-engine", "fingerprint": "e9ed530a944032f9f913fbe078e03649dc492534846940f549929eb391e2c7b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e9ed530a944032f9f913fbe078e03649dc492534846940f549929eb391e2c7b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_single_view_no_variants` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60217, "scanner": "repobility-ast-engine", "fingerprint": "ee9075611930c544ce275e8e7e762aea6202b9909d73ddfecdf6eef6eff2e141", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee9075611930c544ce275e8e7e762aea6202b9909d73ddfecdf6eef6eff2e141"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_single_view_no_variants` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60216, "scanner": "repobility-ast-engine", "fingerprint": "4f977e1e8cb4608bcb05b3e305f2dbcdec4a0fdab5b6dd1602d136669fc2a0a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4f977e1e8cb4608bcb05b3e305f2dbcdec4a0fdab5b6dd1602d136669fc2a0a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_single_view_no_variants` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60215, "scanner": "repobility-ast-engine", "fingerprint": "72f404965dc62917214d0dfc040c06924086ba1a82b2d90d0cd55acd7a93bd72", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|72f404965dc62917214d0dfc040c06924086ba1a82b2d90d0cd55acd7a93bd72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_empty_config` of class `TestParseConfig` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60214, "scanner": "repobility-ast-engine", "fingerprint": "fe7765f4f1823aed320808e3212c7774f5f6ede67d906a8f211d67ae71b55ab7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe7765f4f1823aed320808e3212c7774f5f6ede67d906a8f211d67ae71b55ab7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/tests/test_config.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._ensure_scope_is_defined` used but never assigned in __init__: Method `finish` of class `Snapshot` reads `self._ensure_scope_is_defined`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60212, "scanner": "repobility-ast-engine", "fingerprint": "9214d3f9d6ca049ccaa612033f340409a8b210399b1b6feb86fcbd1b4409be5b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9214d3f9d6ca049ccaa612033f340409a8b210399b1b6feb86fcbd1b4409be5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/parser/snapshot.py"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._ensure_scope_is_defined` used but never assigned in __init__: Method `_ensure_scope_is_defined` of class `Snapshot` reads `self._ensure_scope_is_defined`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60211, "scanner": "repobility-ast-engine", "fingerprint": "3baa90fef848998c0579a7058e986f072ff8dcd1aba095f650e30e340ee7a96f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3baa90fef848998c0579a7058e986f072ff8dcd1aba095f650e30e340ee7a96f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/parser/snapshot.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.ensure_scope` used but never assigned in __init__: Method `create_enum` of class `Snapshot` reads `self.ensure_scope`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60210, "scanner": "repobility-ast-engine", "fingerprint": "eee9047173cc03609a6e58bf079cb901f234a4bcd4c2e278f08fb7b26b7ffeea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eee9047173cc03609a6e58bf079cb901f234a4bcd4c2e278f08fb7b26b7ffeea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/parser/snapshot.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.ensure_scope` used but never assigned in __init__: Method `create_interface` of class `Snapshot` reads `self.ensure_scope`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60209, "scanner": "repobility-ast-engine", "fingerprint": "18a16bc8f57e029202972372694b8517eadf98167bd8b689e89ba5c9ba6dcb61", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|18a16bc8f57e029202972372694b8517eadf98167bd8b689e89ba5c9ba6dcb61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/parser/snapshot.py"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.ensure_scope` used but never assigned in __init__: Method `create_protocol` of class `Snapshot` reads `self.ensure_scope`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60208, "scanner": "repobility-ast-engine", "fingerprint": "16eb4123f0ceda773969678e2b521e1e7477f520d248398c5c37a25aca4214c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|16eb4123f0ceda773969678e2b521e1e7477f520d248398c5c37a25aca4214c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/parser/snapshot.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.ensure_scope` used but never assigned in __init__: Method `create_or_get_namespace` of class `Snapshot` reads `self.ensure_scope`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60207, "scanner": "repobility-ast-engine", "fingerprint": "ad4b94dea1ba26ec5f00aea771a1f8b15e8d0afe9c4ce3a4f88a65cac4f8662c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ad4b94dea1ba26ec5f00aea771a1f8b15e8d0afe9c4ce3a4f88a65cac4f8662c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/parser/snapshot.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.ensure_scope` used but never assigned in __init__: Method `create_struct_like` of class `Snapshot` reads `self.ensure_scope`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60206, "scanner": "repobility-ast-engine", "fingerprint": "ab522a15a0d9e2a1e7719d998c188aefca6b75dd02134dbc9ccd1fc3fd9313c6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ab522a15a0d9e2a1e7719d998c188aefca6b75dd02134dbc9ccd1fc3fd9313c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cxx-api/parser/snapshot.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 60163, "scanner": "repobility-threat-engine", "fingerprint": "b6cbc15d5dbd038b7cf861a9684cb51e7ada862b663fe582bba854217d180a35", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(args.input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|69|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/ReactAndroid/src/main/java/com/facebook/react/internal/featureflags/rewrite_feature_flag_defaults.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. 
Use getOrElse / fold / match."}, "properties": {"repobilityId": 60162, "scanner": "repobility-threat-engine", "fingerprint": "40658f972bd4e5708e3c927a0d8e821ade99800cd0bcba3b9127d3add5f76997", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|40658f972bd4e5708e3c927a0d8e821ade99800cd0bcba3b9127d3add5f76997"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/React/Fabric/RCTScheduler.mm"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. 
Use getOrElse / fold / match."}, "properties": {"repobilityId": 60161, "scanner": "repobility-threat-engine", "fingerprint": "b763dc607d95ab474644429ca99c319c23c5bfcbc99d01f497458d87150bea81", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b763dc607d95ab474644429ca99c319c23c5bfcbc99d01f497458d87150bea81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/React/Base/RCTManagedPointer.mm"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 60137, "scanner": "repobility-threat-engine", "fingerprint": "c77f933c3b0f77c0fe83a88b301df9e3f6ae41b3ae558cce53069e994877668d", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((option, index) => `${toSafeCppString(option)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c77f933c3b0f77c0fe83a88b301df9e3f6ae41b3ae558cce53069e994877668d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/generators/components/GenerateEventEmitterH.js"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 60136, "scanner": "repobility-threat-engine", "fingerprint": "f9a1f266ef8e225adaf5f15f6dd78150c7505ad7abbce80ed14d5a9732ee32a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f9a1f266ef8e225adaf5f15f6dd78150c7505ad7abbce80ed14d5a9732ee32a4"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "packages/react-native-babel-preset/src/plugin-warn-on-deep-imports.js"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 60135, "scanner": "repobility-threat-engine", "fingerprint": "de529027b94d1b991440696e248cd1cf3fb1dd8e23ffc50ee15024747221ba14", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de529027b94d1b991440696e248cd1cf3fb1dd8e23ffc50ee15024747221ba14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/ReactAndroid/src/main/java/com/facebook/react/views/scroll/generate-nested-scroll-view.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 60134, "scanner": "repobility-threat-engine", "fingerprint": "3fdb333c6614de090a7be40d0b174a02d79ebee29964354adfa578a5e4aa6b66", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, 
"ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3fdb333c6614de090a7be40d0b174a02d79ebee29964354adfa578a5e4aa6b66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-babel-transformer/src/index.js"}, "region": {"startLine": 235}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 60133, "scanner": "repobility-threat-engine", "fingerprint": "f5be9db3ea5bea60c8ca11b6813732bafd6ccb721f4d83341b3ef572411ce730", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5be9db3ea5bea60c8ca11b6813732bafd6ccb721f4d83341b3ef572411ce730"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-babel-preset/src/index.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. 
An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 60128, "scanner": "repobility-threat-engine", "fingerprint": "c7fe151b33738d975ec8d0dd422316e17db53a26ce359c26742b73de5093eee4", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c7fe151b33738d975ec8d0dd422316e17db53a26ce359c26742b73de5093eee4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gradle-plugin/react-native-gradle-plugin/src/main/kotlin/com/facebook/react/utils/AgpConfiguratorUtils.kt"}, "region": {"startLine": 141}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 60126, "scanner": "repobility-threat-engine", "fingerprint": "328bebc1cfea8560a7c08ac60d20ca8f4fdfa69b642f837e2c156d1d355a28a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "reporter.update({\n      type: 'unstable_server_log',\n      level,\n      data,\n    });", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|328bebc1cfea8560a7c08ac60d20ca8f4fdfa69b642f837e2c156d1d355a28a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/community-cli-plugin/src/utils/createDevMiddlewareLogger.js"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 60125, "scanner": "repobility-threat-engine", "fingerprint": "5f04fa35914e10905d110a77854aa577c5026f82d32b9f9f99c46593a07c64a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "terminalReporter.update(event);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5f04fa35914e10905d110a77854aa577c5026f82d32b9f9f99c46593a07c64a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/community-cli-plugin/src/commands/start/runServer.js"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 60124, "scanner": "repobility-threat-engine", "fingerprint": "e5cdea863746236cef0037a1d2e2a5325f9aa42c807d8fb84cc1063b32acb61e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "reporter.update({\n      type: 'unstable_server_log',\n      level: 'info',\n      data: 'Interacti", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e5cdea863746236cef0037a1d2e2a5325f9aa42c807d8fb84cc1063b32acb61e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/community-cli-plugin/src/commands/start/attachKeyHandlers.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 60114, "scanner": "repobility-threat-engine", "fingerprint": "1d495139255cab61842cfb1dd91ce2f4fe60a8954f87d33d95c7a8865f7a237c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d495139255cab61842cfb1dd91ce2f4fe60a8954f87d33d95c7a8865f7a237c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/community-cli-plugin/src/utils/version.js"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 60113, "scanner": "repobility-threat-engine", "fingerprint": "9af286d3e0eb0b0b7031ee7bef8c73ac75075f87b51265c8a17421d30c73ed96", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9af286d3e0eb0b0b7031ee7bef8c73ac75075f87b51265c8a17421d30c73ed96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/community-cli-plugin/src/utils/isDevServerRunning.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 60112, "scanner": "repobility-threat-engine", "fingerprint": "d6da538256ce399d8ad5914f56a946300501b6835f7fe647c3c52de31cc2f51c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d6da538256ce399d8ad5914f56a946300501b6835f7fe647c3c52de31cc2f51c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "flow-typed/npm/actual-request-url_v1.x.x.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 60106, "scanner": "repobility-threat-engine", "fingerprint": "de831c4e275f0893393d0ef20856de524eaf189122039604144df11997fdce39", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de831c4e275f0893393d0ef20856de524eaf189122039604144df11997fdce39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflow-scripts/utils.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 60105, "scanner": "repobility-threat-engine", "fingerprint": "b0b603f17ff6bf813bba5034f2cb82efcd8d2ebe322abe1a754d481b8d0f4e80", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(version", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b0b603f17ff6bf813bba5034f2cb82efcd8d2ebe322abe1a754d481b8d0f4e80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflow-scripts/publishTemplate.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 60104, "scanner": "repobility-threat-engine", "fingerprint": "1dc997e4fa8af389940346145f9654ebbaa2abf489f9aace54bed25669f45f8a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1dc997e4fa8af389940346145f9654ebbaa2abf489f9aace54bed25669f45f8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflow-scripts/maestro-ios.js"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 60095, "scanner": "repobility-threat-engine", "fingerprint": "a9300aaf2ca593730b9d5b6e57a5a8cd0e0a0286a223a07ccb2cedf45b4dedfd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(exclude", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a9300aaf2ca593730b9d5b6e57a5a8cd0e0a0286a223a07ccb2cedf45b4dedfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-codegen/src/cli/combine/combine-js-to-schema-cli.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 60094, "scanner": "repobility-threat-engine", "fingerprint": "fbf77eb89bbae7eee84396b153db554df75718b2074721e9aab59d4aa2ac5d79", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fbf77eb89bbae7eee84396b153db554df75718b2074721e9aab59d4aa2ac5d79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflow-scripts/checkForReproducer.js"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GRADLE_CACHE_ENCRYPTION_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.GRADLE_CACHE_ENCRYPTION_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
If the job genuinely needs the secret, move it to `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context). Before remediating, confirm the exposure: by default GitHub does not pass repository secrets to `pull_request` runs triggered from a fork, so check which events and branches actually reach this step."}, "properties": {"repobilityId": 60269, "scanner": "repobility-supply-chain", "fingerprint": "9575daa26f413b86ef2225b892f439a82747a623c8c4eada017fedbc27911c29", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9575daa26f413b86ef2225b892f439a82747a623c8c4eada017fedbc27911c29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-all.yml"}, "region": {"startLine": 382}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GRADLE_CACHE_ENCRYPTION_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GRADLE_CACHE_ENCRYPTION_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 60268, "scanner": "repobility-supply-chain", "fingerprint": "d17746a4ee3085ec82e64e8843e844bef76c79eaf493fe7cd5d119ef279de960", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d17746a4ee3085ec82e64e8843e844bef76c79eaf493fe7cd5d119ef279de960"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-all.yml"}, "region": {"startLine": 341}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GRADLE_CACHE_ENCRYPTION_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GRADLE_CACHE_ENCRYPTION_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 60267, "scanner": "repobility-supply-chain", "fingerprint": "d3e1c5456d79dd6c8aa801586fddb807396857d01ae0eacf890bf54e722b3071", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d3e1c5456d79dd6c8aa801586fddb807396857d01ae0eacf890bf54e722b3071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-all.yml"}, "region": {"startLine": 289}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ORG_GRADLE_PROJECT_SIGNING_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ORG_GRADLE_PROJECT_SIGNING_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 60266, "scanner": "repobility-supply-chain", "fingerprint": "e656072ea216289fee71071a41698b301945fa9d109eb6bbe775151f9a048063", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e656072ea216289fee71071a41698b301945fa9d109eb6bbe775151f9a048063"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-all.yml"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ORG_GRADLE_PROJECT_SIGNING_PWD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ORG_GRADLE_PROJECT_SIGNING_PWD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 60265, "scanner": "repobility-supply-chain", "fingerprint": "8d7a2782daade07e0be34228fcf63dbe0503c93695af25b2b2d6f7989d39c3b1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8d7a2782daade07e0be34228fcf63dbe0503c93695af25b2b2d6f7989d39c3b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-all.yml"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GRADLE_CACHE_ENCRYPTION_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GRADLE_CACHE_ENCRYPTION_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 60264, "scanner": "repobility-supply-chain", "fingerprint": "a4cd5ad566dcff22fb63e94e421f05d259f0d838ddbc9a070b40639556f39cc7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a4cd5ad566dcff22fb63e94e421f05d259f0d838ddbc9a070b40639556f39cc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-all.yml"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ORG_GRADLE_PROJECT_SIGNING_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ORG_GRADLE_PROJECT_SIGNING_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 60263, "scanner": "repobility-supply-chain", "fingerprint": "a6019fa4fedd3ca8c5d31180ec39daf6666fee55cb158fe13893f6d58957f053", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6019fa4fedd3ca8c5d31180ec39daf6666fee55cb158fe13893f6d58957f053"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-all.yml"}, "region": {"startLine": 235}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ORG_GRADLE_PROJECT_SIGNING_PWD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ORG_GRADLE_PROJECT_SIGNING_PWD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 60262, "scanner": "repobility-supply-chain", "fingerprint": "05933f1979a300aec228d472cc60a3c2b0284a53cd292d56be17c925fa427a5b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05933f1979a300aec228d472cc60a3c2b0284a53cd292d56be17c925fa427a5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-all.yml"}, "region": {"startLine": 234}}}]}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection."}, "properties": {"repobilityId": 60155, "scanner": "repobility-threat-engine", "fingerprint": "de5a5e0d77007314d882f77b866670fd4f618e4c4cc1d3c3610edf1fa09d0f68", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de5a5e0d77007314d882f77b866670fd4f618e4c4cc1d3c3610edf1fa09d0f68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/React/DevSupport/RCTFrameTimingsObserver.mm"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED005", "level": "error", "message": {"text": "[MINED005] Lua 
Loadstring: loadstring/load executes Lua code. Code injection."}, "properties": {"repobilityId": 60154, "scanner": "repobility-threat-engine", "fingerprint": "3e823d6bb4dd2dd4908b96926b0223f1bbe73a6d4be2c09b5bbf774766e29417", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "lua-loadstring", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["lua"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347908+00:00", "triaged_in_corpus": 20, "observations_count": 291730, "ai_coder_pattern_id": 169}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e823d6bb4dd2dd4908b96926b0223f1bbe73a6d4be2c09b5bbf774766e29417"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/Image/RCTImageStoreManager.mm"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 60151, "scanner": "repobility-threat-engine", "fingerprint": "04e01c18caafd873ccc6075421068943a649d589bbd7ab353abf5a15d9ef6f06", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|04e01c18caafd873ccc6075421068943a649d589bbd7ab353abf5a15d9ef6f06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native/Libraries/Core/Devtools/loadBundleFromServer.js"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 60138, "scanner": "repobility-threat-engine", "fingerprint": "54e48c18a4afba72f5c9c49ea699c5d546dc77898eff1f30293eff8f125b5f90", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|54e48c18a4afba72f5c9c49ea699c5d546dc77898eff1f30293eff8f125b5f90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/react-native-codegen/src/generators/modules/GenerateModuleObjCpp/header/serializeConstantsStruct.js"}, "region": {"startLine": 181}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 60118, "scanner": "repobility-threat-engine", "fingerprint": "b251faaf52938d5852c37a943bdd72a701f0a9adc47588ea7e3eeef824f71598", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(customLogReporterPath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b251faaf52938d5852c37a943bdd72a701f0a9adc47588ea7e3eeef824f71598"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/community-cli-plugin/src/commands/start/runServer.js"}, "region": {"startLine": 178}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 60117, "scanner": "repobility-threat-engine", "fingerprint": "d0369539fc0982b6f52d2919838ff75be1b465c0b8c49687a17d1478c79357f1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(\n    communityCliServerApiPath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d0369539fc0982b6f52d2919838ff75be1b465c0b8c49687a17d1478c79357f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/community-cli-plugin/src/commands/start/middleware.js"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 60116, "scanner": "repobility-threat-engine", "fingerprint": "4edb93b153c726ba165871b679c6835054fafb857a04303a8cdb1523d0be69e1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(key", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4edb93b153c726ba165871b679c6835054fafb857a04303a8cdb1523d0be69e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "flow-typed/npm/yargs_v17.x.x.js"}, "region": {"startLine": 304}}}]}]}]}