{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xcj9-5m2h-648r", "name": "mermaid: GHSA-xcj9-5m2h-648r", "shortDescription": {"text": "mermaid: GHSA-xcj9-5m2h-648r"}, "fullDescription": {"text": "Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"GHSA-ghcm-xqfw-q4vr", "name": "mermaid: GHSA-ghcm-xqfw-q4vr", "shortDescription": {"text": "mermaid: GHSA-ghcm-xqfw-q4vr"}, "fullDescription": {"text": "Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-87f9-hvmw-gh4p", "name": "mermaid: GHSA-87f9-hvmw-gh4p", "shortDescription": {"text": "mermaid: GHSA-87f9-hvmw-gh4p"}, "fullDescription": {"text": "Mermaid: Improper sanitization of configuration leads to CSS injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6m6c-36f7-fhxh", "name": "mermaid: GHSA-6m6c-36f7-fhxh", "shortDescription": {"text": "mermaid: GHSA-6m6c-36f7-fhxh"}, "fullDescription": {"text": "Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash-es: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash-es: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v9jr-rg53-9pgp", "name": "dompurify: GHSA-v9jr-rg53-9pgp", "shortDescription": {"text": "dompurify: GHSA-v9jr-rg53-9pgp"}, "fullDescription": {"text": "DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h7mw-gpvr-xq4m", "name": "dompurify: GHSA-h7mw-gpvr-xq4m", "shortDescription": {"text": "dompurify: GHSA-h7mw-gpvr-xq4m"}, "fullDescription": {"text": "DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-crv5-9vww-q3g8", "name": "dompurify: GHSA-crv5-9vww-q3g8", "shortDescription": {"text": "dompurify: GHSA-crv5-9vww-q3g8"}, "fullDescription": {"text": "DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-39q2-94rc-95cp", "name": "dompurify: GHSA-39q2-94rc-95cp", "shortDescription": {"text": "dompurify: GHSA-39q2-94rc-95cp"}, "fullDescription": {"text": "DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `mermaid` is minor version(s) behind (11.13.0 -> 11.15.0)", "shortDescription": {"text": "npm package `mermaid` is minor version(s) behind (11.13.0 -> 11.15.0)"}, "fullDescription": {"text": "`mermaid` is pinned/resolved at 11.13.0 but the latest stable release on the npm registry is 11.15.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `gradle/actions/dependency-submission` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `gradle/actions/dependency-submission` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: gradle/actions/dependency-submission@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2wj-q39q-566r", "name": "vite: GHSA-v2wj-q39q-566r", "shortDescription": {"text": "vite: GHSA-v2wj-q39q-566r"}, "fullDescription": {"text": "Vite: `server.fs.deny` bypassed with queries"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p9ff-h696-f583", "name": "vite: GHSA-p9ff-h696-f583", "shortDescription": {"text": "vite: GHSA-p9ff-h696-f583"}, "fullDescription": {"text": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash-es: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash-es: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`gradle/wrapper/gradle-wrapper.jar` is a .jar binary (59,821 bytes) committed to a repo that otherwise has 1026 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `ghcr.io/puppeteer/puppeteer:24.15.0` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `ghcr.io/puppeteer/puppeteer:24.15.0` not pinned by digest"}, "fullDescription": {"text": "`FROM ghcr.io/puppeteer/puppeteer:24.15.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/130"}, "properties": {"repository": "iamgio/quarkdown", "repoUrl": "https://github.com/iamgio/quarkdown.git", "branch": "main"}, "results": [{"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 52043, "scanner": "osv-scanner", "fingerprint": "20bb884958435127cca470e14d3dd9e8a80080ecda7de59541f0f53562f72c02", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 52040, "scanner": "osv-scanner", "fingerprint": "cd1904d15723924415df052244cb90d1bc3607a6daebc9dd080ae57af5f7a2db", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": 
{"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 52039, "scanner": "osv-scanner", "fingerprint": "2b3108ae253655d13752f92d4a3e3c626afa1e1b591c339e840f5703437b897c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 52038, "scanner": "osv-scanner", "fingerprint": "3f35563ea324a99ba2b5010dbf13e199d60990bc2a378fa95d562120a125fdc7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xcj9-5m2h-648r", "level": "warning", "message": {"text": "mermaid: GHSA-xcj9-5m2h-648r"}, "properties": {"repobilityId": 52037, "scanner": "osv-scanner", "fingerprint": "1288ccc6358fcdce29a527305750699c50dcf0c377ad314768bc1c97cf2ba4ce", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41148"], "package": "mermaid", "rule_id": "GHSA-xcj9-5m2h-648r", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41148|token"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ghcm-xqfw-q4vr", "level": "warning", "message": {"text": "mermaid: GHSA-ghcm-xqfw-q4vr"}, "properties": {"repobilityId": 52036, "scanner": "osv-scanner", "fingerprint": "df6b9d58ad95c961058510bb576c100560a27fb1323cb4266b58e4bc0b25fa5e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41149"], "package": "mermaid", "rule_id": "GHSA-ghcm-xqfw-q4vr", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41149|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-87f9-hvmw-gh4p", "level": "warning", "message": {"text": "mermaid: GHSA-87f9-hvmw-gh4p"}, "properties": {"repobilityId": 52035, "scanner": "osv-scanner", "fingerprint": "7b85cd2ab700eabbc33fc0556d9fb8f403325b2046fa6546aafa14d9f385464f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41159"], "package": "mermaid", "rule_id": "GHSA-87f9-hvmw-gh4p", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41159|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6m6c-36f7-fhxh", "level": "warning", "message": {"text": "mermaid: GHSA-6m6c-36f7-fhxh"}, "properties": {"repobilityId": 52034, "scanner": "osv-scanner", "fingerprint": "a6809815ac442345c482a5ed8b793a96ec2e48368d5960b82b89dd7b2ad03bb1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", 
"aliases": ["CVE-2026-41150"], "package": "mermaid", "rule_id": "GHSA-6m6c-36f7-fhxh", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41150|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash-es: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 52032, "scanner": "osv-scanner", "fingerprint": "5203592f295241a998bb7c4788f10ba0c00ee18b182fd9674941f796b96b2e2c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash-es", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2026-2950|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v9jr-rg53-9pgp", "level": "warning", "message": {"text": "dompurify: GHSA-v9jr-rg53-9pgp"}, "properties": {"repobilityId": 52031, "scanner": "osv-scanner", "fingerprint": "5548f8fbdfe86972204a87ef4db08bc8f77913dc3f926b37b95b608587b5df44", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41238"], "package": "dompurify", "rule_id": "GHSA-v9jr-rg53-9pgp", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|CVE-2026-41238|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h7mw-gpvr-xq4m", "level": "warning", "message": {"text": "dompurify: GHSA-h7mw-gpvr-xq4m"}, "properties": {"repobilityId": 52030, "scanner": "osv-scanner", "fingerprint": 
"c902a9a92a58ee6db38bc6c777a77436a9c2452176bf57fbd8457dedce4865ef", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41240"], "package": "dompurify", "rule_id": "GHSA-h7mw-gpvr-xq4m", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|CVE-2026-41240|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-crv5-9vww-q3g8", "level": "warning", "message": {"text": "dompurify: GHSA-crv5-9vww-q3g8"}, "properties": {"repobilityId": 52029, "scanner": "osv-scanner", "fingerprint": "5ed75b9c51b702471e7a58e2817cff5b84af8c061b207ef59ad87abffa969ec7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41239"], "package": "dompurify", "rule_id": "GHSA-crv5-9vww-q3g8", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|CVE-2026-41239|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-39q2-94rc-95cp", "level": "warning", "message": {"text": "dompurify: GHSA-39q2-94rc-95cp"}, "properties": {"repobilityId": 52028, "scanner": "osv-scanner", "fingerprint": "d5d3c83adea97c6f8541162c96d6c7721884c056282b4162bac454549a1422cd", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "dompurify", "rule_id": "GHSA-39q2-94rc-95cp", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|GHSA-39Q2-94RC-95CP|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", 
"level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 29931, "scanner": "repobility-threat-engine", "fingerprint": "46ae8c3b1f159b5d993ed6e016c82e476dd9e648d66e843f132fa4a27beab8f8", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|40|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-server/src/main/kotlin/com/quarkdown/server/browser/EnvBrowserLauncher.kt"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 29930, "scanner": "repobility-threat-engine", "fingerprint": "14ea7cc2298b3e5712802e01c5de47921c6a3d3e48762c67b8ed5d1d4d26b3af", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|17|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-interaction/src/main/kotlin/com/quarkdown/interaction/executable/NodeJsWrapper.kt"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 29929, "scanner": "repobility-threat-engine", "fingerprint": "385960112d3f14cb54c0b83747cd9449605696fc7a54d9fb73aa13741d0b64f6", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|313|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-core/src/main/kotlin/com/quarkdown/core/function/value/factory/ValueFactory.kt"}, "region": {"startLine": 313}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 3161, "scanner": "repobility-docker", "fingerprint": "8d96a8720df6ff3371ada3609e8a4cdc0299734c753ccb5d1621ad974e89f1e5", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|8d96a8720df6ff3371ada3609e8a4cdc0299734c753ccb5d1621ad974e89f1e5", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `mermaid` is minor version(s) behind (11.13.0 -> 11.15.0)"}, "properties": {"repobilityId": 52026, "scanner": "repobility-dependency-currency", "fingerprint": 
"60abe0eacc3eccd4d69700b5a5c06ef48ead1c407060a4cb40838d6ab4987044", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "mermaid", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.15.0", "correlation_key": "fp|60abe0eacc3eccd4d69700b5a5c06ef48ead1c407060a4cb40838d6ab4987044", "current_version": "11.13.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `katex` is minor version(s) behind (0.16.44 -> 0.17.0)"}, "properties": {"repobilityId": 52025, "scanner": "repobility-dependency-currency", "fingerprint": "e7de96799621b46677d6a81f21535b72782e6cc27a4fc77fcce5592b1a36e568", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "katex", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.17.0", "correlation_key": "fp|e7de96799621b46677d6a81f21535b72782e6cc27a4fc77fcce5592b1a36e568", "current_version": "0.16.44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `esbuild` is minor version(s) behind (0.27.4 -> 0.28.0)"}, "properties": {"repobilityId": 52023, "scanner": "repobility-dependency-currency", "fingerprint": "8015aede9295134c4362a765dd368a4615d3cc24321fded11661d8098697b565", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "esbuild", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.28.0", "correlation_key": "fp|8015aede9295134c4362a765dd368a4615d3cc24321fded11661d8098697b565", "current_version": "0.27.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 29935, "scanner": "repobility-threat-engine", "fingerprint": "d1365604fa4e52556d1c7765459c9f4676b8ca599c04a4338c5acf86aff64217", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = r", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|118|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/document/handlers/docs/search-field.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 29934, "scanner": "repobility-threat-engine", "fingerprint": "aabe00b62b66d626ce655472fbe0c00abbe8f3484be0daebe1eff7cae0972404", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", 
"evidence": {"match": ".innerHTML = c", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|49|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/document/handlers/capabilities/mermaid-renderer.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 29933, "scanner": "repobility-threat-engine", "fingerprint": "ad71876c61d1e94682bc4463a4d2a9adaec7a5c1a0497d81fe6056769d89addd", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = k", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|38|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/document/handlers/capabilities/math-renderer.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 23153, "scanner": "repobility-threat-engine", "fingerprint": "ee1593233262e76318a3adb1c4a2251c9fc50e7deec75b56f518a8c980a766af", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = i", "reason": 
"No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|66|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/document/handlers/paged/split-code-blocks-fix-paged.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 23152, "scanner": "repobility-threat-engine", "fingerprint": "cac3936e2bb56964ec2bc830212c0804433d12125c746e73f273ef5700349af6", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = c", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|31|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/document/handlers/inline-collapsibles.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 23151, "scanner": "repobility-threat-engine", "fingerprint": "d5d181268d351263eebdfc1d62b4e5618c54e103f594f06973c199f7ead8ea0e", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = t", "reason": "No user-input source (request/query/fetch/URL) found 
\u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|59|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/document/handlers/persistent-headings.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 3162, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 154654, "scanner": "repobility-threat-engine", "fingerprint": "68baaf2109453d90d7d8aaf256762624c95fde599655bfe7f86bc3420433dbc8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, 
"ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|68baaf2109453d90d7d8aaf256762624c95fde599655bfe7f86bc3420433dbc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-server/src/main/kotlin/com/quarkdown/server/reload/ReloadTrigger.kt"}, "region": {"startLine": 47}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `reveal.js` is patch version(s) behind (6.0.0 -> 6.0.1)"}, "properties": {"repobilityId": 52024, "scanner": "repobility-dependency-currency", "fingerprint": "6e6c6a6f106a3e0427df299145c1a3ab4e07583714d6dbb017b5c5bd1d621bf5", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "reveal.js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.1", "correlation_key": "fp|6e6c6a6f106a3e0427df299145c1a3ab4e07583714d6dbb017b5c5bd1d621bf5", "current_version": "6.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 42518, "scanner": "repobility-threat-engine", "fingerprint": "7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea"}}}, {"ruleId": "MINED029", "level": "none", "message": {"text": "[MINED029] Kotlin Null Bang (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 42473, "scanner": "repobility-threat-engine", "fingerprint": "fdf2cc92321a5bb0109250e8263f1ad530f46d08526634305ccaa51cd9d0e53c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fdf2cc92321a5bb0109250e8263f1ad530f46d08526634305ccaa51cd9d0e53c", "aggregated_count": 1}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 36703, "scanner": "repobility-threat-engine", "fingerprint": "42fc4030f57c04d8ace60c0c7e321d52477b44af5460a2f3247591bde9511d4d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|42fc4030f57c04d8ace60c0c7e321d52477b44af5460a2f3247591bde9511d4d"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 36701, "scanner": "repobility-threat-engine", "fingerprint": "729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "aggregated_count": 1}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 36700, "scanner": "repobility-threat-engine", "fingerprint": "2c2ea05111ae2cef3f4e9ac3530ab617c81d9dfe3d6bcd2085f45c3da4d590b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", 
"triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c2ea05111ae2cef3f4e9ac3530ab617c81d9dfe3d6bcd2085f45c3da4d590b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/index.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 36699, "scanner": "repobility-threat-engine", "fingerprint": "057c5a23dc5f22cd1af6481acd203962802572cf749c69d5d72a211f52fdbf2b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|057c5a23dc5f22cd1af6481acd203962802572cf749c69d5d72a211f52fdbf2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/document/type/slides-document.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 36698, "scanner": "repobility-threat-engine", "fingerprint": "cef780f3117e02814af59b050490a014484177d82237aef1eb4c5574eacfb3a5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", 
"owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cef780f3117e02814af59b050490a014484177d82237aef1eb4c5574eacfb3a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/document/type/paged-document.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 36697, "scanner": "repobility-threat-engine", "fingerprint": "6a893a738a7f9446fa6ea301592aeb44b12954d4722a969b6027774fa0bbe463", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a893a738a7f9446fa6ea301592aeb44b12954d4722a969b6027774fa0bbe463"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/document/handlers/docs/util/page-list-analyzer.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 36696, "scanner": "repobility-threat-engine", "fingerprint": "e2227b3cb59b6d059b4cd452543c7ce83a8815d6aa9a1095ed08f9ce7d550db8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e2227b3cb59b6d059b4cd452543c7ce83a8815d6aa9a1095ed08f9ce7d550db8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/document/handlers/docs/search-field.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 36695, "scanner": "repobility-threat-engine", "fingerprint": "b740525e415a3e36a5ab297ad7017cbe14ac4f623277e07012ba474dd7c8ab40", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b740525e415a3e36a5ab297ad7017cbe14ac4f623277e07012ba474dd7c8ab40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/document/document-handler.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 36694, "scanner": "repobility-threat-engine", "fingerprint": "13fbd9f6cc6f6caaead1784a4383a6f0a1faa3107ffd21811c75bfce2116429f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|13fbd9f6cc6f6caaead1784a4383a6f0a1faa3107ffd21811c75bfce2116429f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"quarkdown-server/src/main/kotlin/com/quarkdown/server/browser/BrowserLauncher.kt"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 36693, "scanner": "repobility-threat-engine", "fingerprint": "b254461098c10a675aee03a37d27e28b60b27724a8635950d980e4de60eb657a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b254461098c10a675aee03a37d27e28b60b27724a8635950d980e4de60eb657a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/kotlin/com/quarkdown/rendering/html/post/resources/SitemapPostRendererResource.kt"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 36690, "scanner": "repobility-threat-engine", "fingerprint": "c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 36689, "scanner": "repobility-threat-engine", "fingerprint": "a675c729d01c8283aa9717c57cc3995edf8b67702bfd669eef55ad6070af0b22", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|21|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-core/src/main/kotlin/com/quarkdown/core/function/call/FunctionCallArgument.kt"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 36688, "scanner": "repobility-threat-engine", "fingerprint": "ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee"}}}, {"ruleId": "MINED029", "level": "none", "message": {"text": "[MINED029] Kotlin Null Bang (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 36687, "scanner": "repobility-threat-engine", "fingerprint": "7126a6b089599369028fc59009719671c05c758a810bac071472cbd88da90269", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7126a6b089599369028fc59009719671c05c758a810bac071472cbd88da90269", "aggregated_count": 3}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 36683, "scanner": "repobility-threat-engine", "fingerprint": "f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "aggregated_count": 2}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 36682, "scanner": "repobility-threat-engine", "fingerprint": "d6d7721fb06b8728194a01388a29481b2ddac8d57e3a66b722412bcc9e09e79e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6d7721fb06b8728194a01388a29481b2ddac8d57e3a66b722412bcc9e09e79e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/document/handlers/capabilities/mermaid-renderer.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 36681, "scanner": "repobility-threat-engine", "fingerprint": "9d13f5175cd056208b4a523d038dce8aa5757a1d0e4e83fc90b49a46bbb52afa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d13f5175cd056208b4a523d038dce8aa5757a1d0e4e83fc90b49a46bbb52afa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/resources/pdf/pdf.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 36680, "scanner": "repobility-threat-engine", "fingerprint": "0024fd023880f97e3851c31638356f8295172f7f78d0cc54b2ae8f25b37fec94", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0024fd023880f97e3851c31638356f8295172f7f78d0cc54b2ae8f25b37fec94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/generate-pdf/generate-theme-combinations.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 29939, "scanner": "repobility-threat-engine", "fingerprint": "1ab24bd4307ac28d8fe949cb2ba0d619298592370da5c4874409946d0caac342", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1ab24bd4307ac28d8fe949cb2ba0d619298592370da5c4874409946d0caac342"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 29932, "scanner": "repobility-threat-engine", "fingerprint": "59f8fe45fc5615482b4e48d4864d7b6d9fcdf063056f99acf47e7fe5acde521f", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|59f8fe45fc5615482b4e48d4864d7b6d9fcdf063056f99acf47e7fe5acde521f"}}}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 23154, "scanner": "repobility-threat-engine", "fingerprint": "0b64731a0bb5e20f30de0a1dfe2e49fd944d3f8dfdb7ade4b5ab034f93f3f633", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0b64731a0bb5e20f30de0a1dfe2e49fd944d3f8dfdb7ade4b5ab034f93f3f633"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 23150, "scanner": "repobility-threat-engine", "fingerprint": "649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a"}}}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 154655, "scanner": "repobility-threat-engine", "fingerprint": "564ba16171f646d4c142308bf4dc75e80b30b62b131afb785bcc6826f0361b70", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(didOpenTextDocumentParams: DidOpenTextDocumentParams", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|115|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-lsp/src/main/kotlin/com/quarkdown/lsp/QuarkdownTextDocumentService.kt"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 153153, "scanner": "repobility-threat-engine", "fingerprint": "b5ec7b93486f06ac6421b9403e0110a1721dd0788626d9353c3eaf8b89205c8b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.previewStrategy.update(pipelineOptions, outcome)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b5ec7b93486f06ac6421b9403e0110a1721dd0788626d9353c3eaf8b89205c8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-cli/src/main/kotlin/com/quarkdown/cli/exec/CompileCommand.kt"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `gradle/actions/dependency-submission` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 53720, "scanner": "repobility-supply-chain", "fingerprint": "148bdb982a4022a429cbddebf1923675cf69228dc940cd6f8d4fe853b8f86472", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|148bdb982a4022a429cbddebf1923675cf69228dc940cd6f8d4fe853b8f86472"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 53719, "scanner": "repobility-supply-chain", "fingerprint": 
"db0e8aefb017923d85cc8b1b1aa19fbc24d590670747432afe01a2f2e1b26448", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db0e8aefb017923d85cc8b1b1aa19fbc24d590670747432afe01a2f2e1b26448"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 53718, "scanner": "repobility-supply-chain", "fingerprint": "6a43c8ba899d8be4f43520d0b496c44381fac7c9ab244a5a9a7c8f2e4f2d658a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a43c8ba899d8be4f43520d0b496c44381fac7c9ab244a5a9a7c8f2e4f2d658a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iamgio/quarkdown/.github/actions/bump-scoop` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 53717, "scanner": "repobility-supply-chain", "fingerprint": "83ee427589c426ff4f4cb7e0828d44803c94b4d41fde3cffb28115b1edd3cab7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": 
"A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|83ee427589c426ff4f4cb7e0828d44803c94b4d41fde3cffb28115b1edd3cab7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iamgio/quarkdown/.github/actions/bump-homebrew` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 53716, "scanner": "repobility-supply-chain", "fingerprint": "f839947f27d01bb9671525937492017ea34c0487e2c6c009e54e9316b0d7c499", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f839947f27d01bb9671525937492017ea34c0487e2c6c009e54e9316b0d7c499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 53715, "scanner": "repobility-supply-chain", "fingerprint": "6758602dfb3b4eb80e43ed234ad39bf97ad9c290043a885506aec9600b4a3bac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6758602dfb3b4eb80e43ed234ad39bf97ad9c290043a885506aec9600b4a3bac"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 53714, "scanner": "repobility-supply-chain", "fingerprint": "e73accaca3e8553c963850ba21c05a865f44f3c1a8006b9e79f829c712edcdbf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e73accaca3e8553c963850ba21c05a865f44f3c1a8006b9e79f829c712edcdbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `burrunan/gradle-cache-action` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 53713, "scanner": "repobility-supply-chain", "fingerprint": "42392e422742f483d7b885b29e16b98de3887513b38f0181a5c0411d1fe8ac2e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42392e422742f483d7b885b29e16b98de3887513b38f0181a5c0411d1fe8ac2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 53712, "scanner": 
"repobility-supply-chain", "fingerprint": "61bd198f8d7f6e148014fad0fac0e23288773cfcca3d2aca4c11741ce6f8e265", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61bd198f8d7f6e148014fad0fac0e23288773cfcca3d2aca4c11741ce6f8e265"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2.2.2`"}, "properties": {"repobilityId": 53711, "scanner": "repobility-supply-chain", "fingerprint": "1cecd6d956982004ab26a46d936779f4d5f77bf2fe15e9b8c6c93d67743420a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1cecd6d956982004ab26a46d936779f4d5f77bf2fe15e9b8c6c93d67743420a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 53710, "scanner": "repobility-supply-chain", "fingerprint": "a8168ef6dc46dd648a64c1178bebb897d5e67b7c34f65e4075a9f61c7855d195", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": 
{"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8168ef6dc46dd648a64c1178bebb897d5e67b7c34f65e4075a9f61c7855d195"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iamgio/quarkdown/.github/actions/deploy-wiki` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 53709, "scanner": "repobility-supply-chain", "fingerprint": "d69a7daa50938adcb7d455e5eeaa448aa76ec20faae80f15dba4e3a11959d73f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d69a7daa50938adcb7d455e5eeaa448aa76ec20faae80f15dba4e3a11959d73f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `burrunan/gradle-cache-action` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 53708, "scanner": "repobility-supply-chain", "fingerprint": "5e1f404a678482188f80cced8b69fe2dd8369fec70e4fdc19d3e5e038c50ff21", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e1f404a678482188f80cced8b69fe2dd8369fec70e4fdc19d3e5e038c50ff21"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `stefanzweifel/git-auto-commit-action` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 53707, "scanner": "repobility-supply-chain", "fingerprint": "d37331e801e80bb32c6440861e1dd0fe706ba484cf6c04d6d8467466f082d63d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d37331e801e80bb32c6440861e1dd0fe706ba484cf6c04d6d8467466f082d63d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "GHSA-v2wj-q39q-566r", "level": "error", "message": {"text": "vite: GHSA-v2wj-q39q-566r"}, "properties": {"repobilityId": 52042, "scanner": "osv-scanner", "fingerprint": "5bf71d12c948f9d2ff213c26338f91e3b608f3ba94261b51379f26b51d76d3dd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39364"], "package": "vite", "rule_id": "GHSA-v2wj-q39q-566r", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39364|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p9ff-h696-f583", "level": "error", "message": {"text": "vite: GHSA-p9ff-h696-f583"}, "properties": {"repobilityId": 52041, "scanner": "osv-scanner", "fingerprint": "672c60cdb6f35d8c0e30246cdd5580e39cde7f7b578c2d79fb86f24a538780f5", "category": "dependency", "severity": "high", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39363"], "package": "vite", "rule_id": "GHSA-p9ff-h696-f583", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39363|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash-es: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 52033, "scanner": "osv-scanner", "fingerprint": "1dc7a3e23ac3a922bee66bb8732d6ba43b8d6592d6bf8f0456a976db130b0784", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash-es", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2026-4800|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlins null safety."}, "properties": {"repobilityId": 42472, "scanner": "repobility-threat-engine", "fingerprint": "afc97db326d0e8d1299d106c1e3f55ab6059d4c976b1e04a0c42decea0bbaa47", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|afc97db326d0e8d1299d106c1e3f55ab6059d4c976b1e04a0c42decea0bbaa47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-stdlib/src/main/kotlin/com/quarkdown/stdlib/Stdlib.kt"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iamgio/quarkdown/.github/actions/bump-homebrew` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 39499, "scanner": "repobility-supply-chain", "fingerprint": "9f6b4361adcab5e01c0006e8a5f34b23f3ba9e3ffc8d40cd8e5b1a6b1d60fb6b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f6b4361adcab5e01c0006e8a5f34b23f3ba9e3ffc8d40cd8e5b1a6b1d60fb6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 
39498, "scanner": "repobility-supply-chain", "fingerprint": "97029f48d78ed4306e54c21de64fa44c75e742b8d412886577811f9693c1db25", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|97029f48d78ed4306e54c21de64fa44c75e742b8d412886577811f9693c1db25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-distribution-verify.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 39497, "scanner": "repobility-supply-chain", "fingerprint": "013bfa28d5c6deab8f5448843e5dba763788e01ad4d6f682bde19f70d81aeb37", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|013bfa28d5c6deab8f5448843e5dba763788e01ad4d6f682bde19f70d81aeb37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-distribution-verify.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `burrunan/gradle-cache-action` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 39496, "scanner": "repobility-supply-chain", "fingerprint": "f16e10e33eb05fe806d33f684f56b0ccae04f18526056ebde2584b2d156a7da5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f16e10e33eb05fe806d33f684f56b0ccae04f18526056ebde2584b2d156a7da5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-distribution-verify.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iamgio/quarkdown/.github/actions/setup-environment` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 39495, "scanner": "repobility-supply-chain", "fingerprint": "affb486c7ca6a8a15d429a45e80e764ffa80c61c3e9378a7f1887dde219d34df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|affb486c7ca6a8a15d429a45e80e764ffa80c61c3e9378a7f1887dde219d34df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-distribution-verify.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 36692, "scanner": "repobility-threat-engine", "fingerprint": "f19728f272e6b6bcca116014044626428ccbb8bc8c7c49e790c3186eabe1c3cd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "visibleHeadings.delete(id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f19728f272e6b6bcca116014044626428ccbb8bc8c7c49e790c3186eabe1c3cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/typescript/navigation/active-tracking.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 36691, "scanner": "repobility-threat-engine", "fingerprint": "60c929093ebf48d59c0e8e5e383a839652d9f687bc2d1b71aac8a098cd96ac53", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "digest.update(0)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|60c929093ebf48d59c0e8e5e383a839652d9f687bc2d1b71aac8a098cd96ac53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-core/src/main/kotlin/com/quarkdown/core/util/IOUtils.kt"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "properties": {"repobilityId": 36686, "scanner": "repobility-threat-engine", "fingerprint": "2b7594e01235f0b1aa938ff654eaa3d75398662234e08d63f89f09445249040d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b7594e01235f0b1aa938ff654eaa3d75398662234e08d63f89f09445249040d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-lsp/src/main/kotlin/com/quarkdown/lsp/diagnostics/cause/UnallowedValueDiagnosticCause.kt"}, "region": {"startLine": 19}}}]}, 
{"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "properties": {"repobilityId": 36685, "scanner": "repobility-threat-engine", "fingerprint": "6604b7ebac0f02e63973d6af2d831321e628d37a2c7abc495f27fd2499607787", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6604b7ebac0f02e63973d6af2d831321e628d37a2c7abc495f27fd2499607787"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-html/src/main/kotlin/com/quarkdown/rendering/html/post/resources/SitemapPostRendererResource.kt"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlins null safety."}, "properties": {"repobilityId": 36684, "scanner": "repobility-threat-engine", "fingerprint": "6fc395543ec995027272ad9f73f42f477eeca57189a80d38d4a90fb1ecc12eb7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6fc395543ec995027272ad9f73f42f477eeca57189a80d38d4a90fb1ecc12eb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-cli/src/main/kotlin/com/quarkdown/cli/creator/content/DefaultProjectCreatorInitialContentSupplier.kt"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 36679, "scanner": "repobility-supply-chain", "fingerprint": "e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v4`"}, 
"properties": {"repobilityId": 36678, "scanner": "repobility-supply-chain", "fingerprint": "1a1167e8fb75a549d56f6142fa3daf214da13a54bd68c0b8c0cf085aec6228ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a1167e8fb75a549d56f6142fa3daf214da13a54bd68c0b8c0cf085aec6228ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-test.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 36677, "scanner": "repobility-supply-chain", "fingerprint": "8bed73e88fa9dedd53df72fc6e7163ba44fa5cdee3e623af6ff6232a8df348b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8bed73e88fa9dedd53df72fc6e7163ba44fa5cdee3e623af6ff6232a8df348b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-test.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iamgio/quarkdown/.github/actions/setup-environment` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 36676, "scanner": "repobility-supply-chain", "fingerprint": "8d92418c83330c7cee580ecdfac610406448110a373557bb780704ac6579778c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": 
true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8d92418c83330c7cee580ecdfac610406448110a373557bb780704ac6579778c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-test.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 36675, "scanner": "repobility-supply-chain", "fingerprint": "db450a13ff1ed97e3b2c888ee351ee6073e4428369745782e4e4f622f7a49281", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db450a13ff1ed97e3b2c888ee351ee6073e4428369745782e4e4f622f7a49281"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-image-test.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iamgio/quarkdown/.github/actions/deploy-wiki` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 36674, "scanner": "repobility-supply-chain", "fingerprint": "51b13b5f48294501daac47442daf435ebea91127f6b8e5cafbe7a15be186c08f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|51b13b5f48294501daac47442daf435ebea91127f6b8e5cafbe7a15be186c08f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-wiki.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `burrunan/gradle-cache-action` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 36673, "scanner": "repobility-supply-chain", "fingerprint": "29eb2d250d1e481d2c9ef33429ce93336f6bb59147e60278a3a00e5ff5f0cfe0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29eb2d250d1e481d2c9ef33429ce93336f6bb59147e60278a3a00e5ff5f0cfe0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-wiki.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iamgio/quarkdown/.github/actions/setup-environment` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 36672, "scanner": "repobility-supply-chain", "fingerprint": "d4babccb1e2e5e696ad92a88cd2f7b1817c5af9889f90b155676c307cd3b89af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d4babccb1e2e5e696ad92a88cd2f7b1817c5af9889f90b155676c307cd3b89af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-wiki.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": 
"Action `gradle/actions/dependency-submission` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 36671, "scanner": "repobility-supply-chain", "fingerprint": "07dff5164dff0a0f5e22bd14a225533ccda5b58076edeead40568293713c2846", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07dff5164dff0a0f5e22bd14a225533ccda5b58076edeead40568293713c2846"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 36670, "scanner": "repobility-supply-chain", "fingerprint": "9496ae19ba62f89255a2ffe245bf4bf4d47bc4320623c1a0fc4129219d5aa303", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9496ae19ba62f89255a2ffe245bf4bf4d47bc4320623c1a0fc4129219d5aa303"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 36669, "scanner": "repobility-supply-chain", "fingerprint": "23661696f32aee3065ffa08f0c2da36ec7550065a7da20d9fa02c0762a16614a", "category": "dependency", "severity": "high", "confidence": 0.9, 
"triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|23661696f32aee3065ffa08f0c2da36ec7550065a7da20d9fa02c0762a16614a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iamgio/quarkdown/.github/actions/bump-scoop` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 36668, "scanner": "repobility-supply-chain", "fingerprint": "6bc7cf3ca64aa4a51f2fe1e9e04115cdb8ba3007994537b4111cc32b1fb4e3d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6bc7cf3ca64aa4a51f2fe1e9e04115cdb8ba3007994537b4111cc32b1fb4e3d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `mislav/bump-homebrew-formula-action` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 36667, "scanner": "repobility-supply-chain", "fingerprint": "80835aa3deddc14d479d60616c5d383dc760beee2082ed035cc8ff57529d75b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|80835aa3deddc14d479d60616c5d383dc760beee2082ed035cc8ff57529d75b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 36666, "scanner": "repobility-supply-chain", "fingerprint": "abf00b9aee4a09f86ed3d71ac0938739ab43913a3ee637fccb07072e0de429a3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|abf00b9aee4a09f86ed3d71ac0938739ab43913a3ee637fccb07072e0de429a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 36665, "scanner": "repobility-supply-chain", "fingerprint": "ea741fc7b1b59ad0b4284b8fba205e7a4909ecd45d9695f2ad007073f46be054", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea741fc7b1b59ad0b4284b8fba205e7a4909ecd45d9695f2ad007073f46be054"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": 
"error", "message": {"text": "Action `burrunan/gradle-cache-action` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 36664, "scanner": "repobility-supply-chain", "fingerprint": "380fdd1fe90793b4729b7be6a8aaf669b51ad9a961ea37791a34777f2c8d4a7d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|380fdd1fe90793b4729b7be6a8aaf669b51ad9a961ea37791a34777f2c8d4a7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 36663, "scanner": "repobility-supply-chain", "fingerprint": "72c67b61663fa7c9f37ce18831cfa1d11563708324a36beb562155bc85a6d242", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72c67b61663fa7c9f37ce18831cfa1d11563708324a36beb562155bc85a6d242"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2.2.2`"}, "properties": {"repobilityId": 36662, "scanner": "repobility-supply-chain", "fingerprint": "656a6322d5e3411f76e89702fdf980693f639687dfc0ef8280697494baa3d10c", "category": "dependency", 
"severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|656a6322d5e3411f76e89702fdf980693f639687dfc0ef8280697494baa3d10c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 36661, "scanner": "repobility-supply-chain", "fingerprint": "4a528b9e989de136a0036b401cac100f72abeb9d2764da7408cf729f3436dca0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a528b9e989de136a0036b401cac100f72abeb9d2764da7408cf729f3436dca0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iamgio/quarkdown/.github/actions/deploy-wiki` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 36660, "scanner": "repobility-supply-chain", "fingerprint": "c44cf2a4e9ac7053811a536bd99655eb9b62de204726f98e6640f57558bcb2ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, 
"scanner": "repobility-supply-chain", "correlation_key": "fp|c44cf2a4e9ac7053811a536bd99655eb9b62de204726f98e6640f57558bcb2ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `burrunan/gradle-cache-action` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 36659, "scanner": "repobility-supply-chain", "fingerprint": "865ec64084900904b9c043b2038cf241d1396ba2f7d8432b0aec1625d1316f82", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|865ec64084900904b9c043b2038cf241d1396ba2f7d8432b0aec1625d1316f82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `stefanzweifel/git-auto-commit-action` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 36658, "scanner": "repobility-supply-chain", "fingerprint": "f3a725cf8fe605fc4653e8050f5416cc73a60f50b324e9d5ecc0b0e2aa2d39fe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3a725cf8fe605fc4653e8050f5416cc73a60f50b324e9d5ecc0b0e2aa2d39fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": 
"MINED115", "level": "error", "message": {"text": "Action `ffurrer2/extract-release-notes` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 36657, "scanner": "repobility-supply-chain", "fingerprint": "49382a9283734acb86559969c8435044384ebc5768c56c99c8ef87f4390ea836", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|49382a9283734acb86559969c8435044384ebc5768c56c99c8ef87f4390ea836"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `thomaseizinger/keep-a-changelog-new-release` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 36656, "scanner": "repobility-supply-chain", "fingerprint": "9941c60d0695dc7c86b1cbe6c0a6c86f3f02135e43694fd76d68e8c120e20480", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9941c60d0695dc7c86b1cbe6c0a6c86f3f02135e43694fd76d68e8c120e20480"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iamgio/quarkdown/.github/actions/setup-environment` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 36655, "scanner": "repobility-supply-chain", "fingerprint": 
"e2ccf903cccdb6fdf885cd2534074ff0a00429b7bb7c324da48282d3272d8fde", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2ccf903cccdb6fdf885cd2534074ff0a00429b7bb7c324da48282d3272d8fde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iamgio/quarkdown/.github/workflows/gradle-test.yml` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 36654, "scanner": "repobility-supply-chain", "fingerprint": "ac05040f6218edd20e71658606fe8955bf2869d988a800936e5604fb1f276233", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ac05040f6218edd20e71658606fe8955bf2869d988a800936e5604fb1f276233"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle-deploy.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ghcr.io/puppeteer/puppeteer:24.15.0` not pinned by digest"}, "properties": {"repobilityId": 36653, "scanner": "repobility-supply-chain", "fingerprint": "053100380ec8ee9f6feed2b99780344a96eac08fc795cebd1b37de07801636cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|053100380ec8ee9f6feed2b99780344a96eac08fc795cebd1b37de07801636cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `gradle:8.14.3-jdk17` not pinned by digest"}, "properties": {"repobilityId": 36652, "scanner": "repobility-supply-chain", "fingerprint": "54b4b2d4bf96789566a506e2cbee07e0785a05aa53fc268f7ce1363ebeca1c57", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54b4b2d4bf96789566a506e2cbee07e0785a05aa53fc268f7ce1363ebeca1c57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 29940, "scanner": "repobility-threat-engine", "fingerprint": "be61b9acd285396f2aaf5e4975e511fb2f33433cbe47c6b5d668ddf7b465e4d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|be61b9acd285396f2aaf5e4975e511fb2f33433cbe47c6b5d668ddf7b465e4d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-server/src/main/kotlin/com/quarkdown/server/browser/EnvBrowserLauncher.kt"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 29928, "scanner": "repobility-threat-engine", "fingerprint": "e9e1067d9e99ce59883755cbd9fb657666a3362a9e32e104dae3a23767f383a8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e9e1067d9e99ce59883755cbd9fb657666a3362a9e32e104dae3a23767f383a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-core/src/main/kotlin/com/quarkdown/core/context/hooks/LinkUrlResolverHook.kt"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 29927, "scanner": "repobility-threat-engine", "fingerprint": "6f2489d735c9a6967ca98365df50f9deb7a3af8d2ed03f343d59c1b681e5f37d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6f2489d735c9a6967ca98365df50f9deb7a3af8d2ed03f343d59c1b681e5f37d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-core/src/main/kotlin/com/quarkdown/core/bibliography/style/csl/QuarkdownCslFormat.kt"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 29926, "scanner": "repobility-threat-engine", "fingerprint": "c441df140cfff9143f083735065ba2118681152c07da7a8618c16c2f62a1fc13", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c441df140cfff9143f083735065ba2118681152c07da7a8618c16c2f62a1fc13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-core/src/main/kotlin/com/quarkdown/core/ast/attributes/link/ResolvedLinkUrlProperty.kt"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23149, "scanner": "repobility-threat-engine", "fingerprint": "189a1ef01aaeb5302e1ed5030e545d92fbb6baee57bf8e7b1f95aa946246d404", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|189a1ef01aaeb5302e1ed5030e545d92fbb6baee57bf8e7b1f95aa946246d404"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-core/src/main/kotlin/com/quarkdown/core/rendering/NodeRenderer.kt"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23148, "scanner": "repobility-threat-engine", "fingerprint": "782cf1092a409b22ccd420b61a870de14c564c2ba7fa8bfc791844e4975e5d73", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|782cf1092a409b22ccd420b61a870de14c564c2ba7fa8bfc791844e4975e5d73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-core/src/main/kotlin/com/quarkdown/core/util/URLUtils.kt"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23147, "scanner": "repobility-threat-engine", "fingerprint": "ca0bafd37cb4cf0d754d57eeed4321fab73fabf08b9a766d4cd6bf331a3cfeab", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ca0bafd37cb4cf0d754d57eeed4321fab73fabf08b9a766d4cd6bf331a3cfeab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-core/src/main/kotlin/com/quarkdown/core/parser/InlineTokenParser.kt"}, "region": {"startLine": 185}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 3160, "scanner": "repobility-threat-engine", "fingerprint": "e5047869b09ca1bcdb81d51e242e669968d6677289ab533d7abf890cbc3befdb", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(didOpenTextDocumentParams: DidOpenTextDocumentParams", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|107|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-lsp/src/main/kotlin/com/quarkdown/lsp/QuarkdownTextDocumentService.kt"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 52027, "scanner": "repobility-threat-engine", "fingerprint": "5012c88108de53873b54e1aa067bcb711ddf1a931322ce2e81772f92c1e06de8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(keys", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5012c88108de53873b54e1aa067bcb711ddf1a931322ce2e81772f92c1e06de8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-stdlib/src/main/kotlin/com/quarkdown/stdlib/MiscElements.kt"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 36702, "scanner": "repobility-threat-engine", "fingerprint": "ba5bd4cf62332d4cabfb10598bb8f1f508858b0498b19eeb5c65b258ca984e0a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(keys", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ba5bd4cf62332d4cabfb10598bb8f1f508858b0498b19eeb5c65b258ca984e0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-stdlib/src/main/kotlin/com/quarkdown/stdlib/MiscElements.kt"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 29938, "scanner": "repobility-threat-engine", "fingerprint": "a405fc23dc79c49f4201d33fc0df4e426fdf727d6ff850df8a041c14cbf5cb9a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(it", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a405fc23dc79c49f4201d33fc0df4e426fdf727d6ff850df8a041c14cbf5cb9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-stdlib/src/main/kotlin/com/quarkdown/stdlib/Document.kt"}, "region": {"startLine": 183}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 29937, "scanner": "repobility-threat-engine", "fingerprint": "9070be0d481516ce8cefb1f6380009baa1eee0b562f1098c55e9f1fe9cf3b482", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(keys", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9070be0d481516ce8cefb1f6380009baa1eee0b562f1098c55e9f1fe9cf3b482"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-stdlib/src/main/kotlin/com/quarkdown/stdlib/Bibliography.kt"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 29936, "scanner": "repobility-threat-engine", "fingerprint": "003a9fdd05bb65e92fff12f832568c114bc837d20dc4fcbcbfda3f1155608f4c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|003a9fdd05bb65e92fff12f832568c114bc837d20dc4fcbcbfda3f1155608f4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "quarkdown-interaction/src/main/kotlin/com/quarkdown/interaction/executable/ExecutableWrapper.kt"}, "region": {"startLine": 31}}}]}]}]}
