{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `update_translations` has cognitive complexity 16 (SonarSource scale). Cog", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `update_translations` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and rec"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 16."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-772 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED086", "name": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info.", "shortDescription": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool.", "shortDescription": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-664 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `tools/__pycache__/release.cpython-313.pyc` committed in source repo: `tools/__pycache__/release.", "shortDescription": {"text": "[MINED134] Binary file `tools/__pycache__/release.cpython-313.pyc` committed in source repo: `tools/__pycache__/release.cpython-313.pyc` is a .pyc binary (7,737 bytes) committed to a repo that otherwise has 619 source files. Trojan binaries"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also cover loopback (127/8) and the IPv6 equivalents (::1, fc00::/7, fe80::/10), apply the check to the address the hostname actually resolves to rather than to the URL string, and re-validate the target on every redirect."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED009", "name": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.", "shortDescription": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `locale` used but not imported: The file uses `locale.something(...)` but never imports `loca", "shortDescription": {"text": "[MINED107] Missing import: `locale` used but not imported: The file uses `locale.something(...)` but never imports `locale`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import locale` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1101"}, "properties": {"repository": "LeanBitLab/LeanType", "repoUrl": "https://github.com/LeanBitLab/LeanType", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 108379, "scanner": "repobility-ast-engine", "fingerprint": "ffd0ea11abbb2847602582a9772edd909eef2962dab86e79dc655d48c8aa9f2b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ffd0ea11abbb2847602582a9772edd909eef2962dab86e79dc655d48c8aa9f2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/diacritics.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `update_translations` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=3, for=3, if=4, nested_bonus=6."}, "properties": {"repobilityId": 108365, "scanner": "repobility-threat-engine", "fingerprint": "07e1dbd891aa2c362659722ab6f4b277df1e5ca75c71edbbb5ca16ce2269b597", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 16 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "update_translations", "breakdown": {"if": 4, "for": 3, "continue": 3, "nested_bonus": 6}, "complexity": 16, "correlation_key": "fp|07e1dbd891aa2c362659722ab6f4b277df1e5ca75c71edbbb5ca16ce2269b597"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/release.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `update_dict_list` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, elif=1, else=1, for=2, if=5, nested_bonus=8."}, "properties": {"repobilityId": 108364, "scanner": "repobility-threat-engine", "fingerprint": "20d481a4c22605eef3cf2aea6fcc666fe5a360a1383d139aa8653e44ab128bf0", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 18 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "update_dict_list", "breakdown": {"if": 5, "for": 2, "elif": 1, "else": 1, "continue": 1, "nested_bonus": 8}, "complexity": 18, "correlation_key": "fp|20d481a4c22605eef3cf2aea6fcc666fe5a360a1383d139aa8653e44ab128bf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/release.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108378, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8af1299127dd7fc6f7db768bc19ad743d69abe4c0aebb86050d65f370cbd06f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/jni/src/dictionary/structure/backward/v402/shortcut/ver4_shortcut_list_policy.h", "duplicate_line": 4, "correlation_key": "fp|8af1299127dd7fc6f7db768bc19ad743d69abe4c0aebb86050d65f370cbd06f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/jni/src/dictionary/structure/v4/shortcut/ver4_shortcut_list_policy.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 108377, "scanner": "repobility-ai-code-hygiene", "fingerprint": "242d0e81d03dd37d5c0d71e0447f25dac0f5cb490ab015104553f71b36daf8ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/jni/src/dictionary/structure/backward/v402/content/terminal_position_lookup_table.cpp", "duplicate_line": 4, "correlation_key": "fp|242d0e81d03dd37d5c0d71e0447f25dac0f5cb490ab015104553f71b36daf8ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/jni/src/dictionary/structure/v4/content/terminal_position_lookup_table.cpp"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108376, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5076cbdf216a1a911e208db62dd58b84c3bf35c8856ea02fba28cbc48cca1747", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/jni/src/dictionary/structure/backward/v402/content/sparse_table_dict_content.h", "duplicate_line": 42, "correlation_key": "fp|5076cbdf216a1a911e208db62dd58b84c3bf35c8856ea02fba28cbc48cca1747"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/jni/src/dictionary/structure/v4/content/sparse_table_dict_content.h"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": 
"note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108375, "scanner": "repobility-ai-code-hygiene", "fingerprint": "61c4692d445ea825e67b757853a9b9cbc34d8e8ff75af56bb493489fcb3bee5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/jni/src/dictionary/structure/backward/v402/content/shortcut_dict_content.h", "duplicate_line": 12, "correlation_key": "fp|61c4692d445ea825e67b757853a9b9cbc34d8e8ff75af56bb493489fcb3bee5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/jni/src/dictionary/structure/v4/content/shortcut_dict_content.h"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108374, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf55d57f1730709b34156ca34f6cec07c06a24f0497dd6afe3ea3c881287f34f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/jni/src/dictionary/structure/backward/v402/content/shortcut_dict_content.cpp", "duplicate_line": 4, "correlation_key": "fp|bf55d57f1730709b34156ca34f6cec07c06a24f0497dd6afe3ea3c881287f34f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/jni/src/dictionary/structure/v4/content/shortcut_dict_content.cpp"}, "region": 
{"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108373, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bca35179b632aa07dea1d7a0674d585d73c827dbbd0b1eed3f9ad913acb1afca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/jni/src/dictionary/structure/backward/v402/ver4_patricia_trie_policy.h", "duplicate_line": 32, "correlation_key": "fp|bca35179b632aa07dea1d7a0674d585d73c827dbbd0b1eed3f9ad913acb1afca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/jni/src/dictionary/structure/v2/patricia_trie_policy.h"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108372, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b82607a678dca464b073427a149d337b1988a72494bd0145d686ad354b72b86", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/jni/src/dictionary/structure/backward/v402/ver4_patricia_trie_policy.cpp", "duplicate_line": 548, "correlation_key": "fp|9b82607a678dca464b073427a149d337b1988a72494bd0145d686ad354b72b86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"app/src/main/jni/src/dictionary/structure/v2/patricia_trie_policy.cpp"}, "region": {"startLine": 362}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108371, "scanner": "repobility-ai-code-hygiene", "fingerprint": "edfeed9069d4828f3cad5723c1e256fa9c664560c23c64e1d113ff10e0de400d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/jni/com_android_inputmethod_latin_BinaryDictionary.cpp", "duplicate_line": 30, "correlation_key": "fp|edfeed9069d4828f3cad5723c1e256fa9c664560c23c64e1d113ff10e0de400d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/jni/com_android_inputmethod_latin_BinaryDictionaryUtils.cpp"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108370, "scanner": "repobility-ai-code-hygiene", "fingerprint": "28b6f57aedfe06ec1e98fd83d7bd677032b457b242b3e8f398d9aa6d3ddbe2d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/helium314/keyboard/settings/preferences/LoadEmojiLibPreference.kt", "duplicate_line": 119, "correlation_key": "fp|28b6f57aedfe06ec1e98fd83d7bd677032b457b242b3e8f398d9aa6d3ddbe2d9"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "app/src/main/java/helium314/keyboard/settings/preferences/LoadGestureLibPreference.kt"}, "region": {"startLine": 109}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108369, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d3832030f1f41580db1500ffea3b23d981c02e5cabcd4d9ef9efce34046e5b5b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/helium314/keyboard/settings/dialogs/ListPickerDialog.kt", "duplicate_line": 51, "correlation_key": "fp|d3832030f1f41580db1500ffea3b23d981c02e5cabcd4d9ef9efce34046e5b5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/settings/dialogs/MultiListPickerDialog.kt"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108368, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a93f0e8d0d7d91eed8508d11aa3778fb2f2f23ef39979fedd88f0c7319bc85e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/helium314/keyboard/keyboard/MainKeyboardView.java", "duplicate_line": 271, "correlation_key": "fp|a93f0e8d0d7d91eed8508d11aa3778fb2f2f23ef39979fedd88f0c7319bc85e9"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/keyboard/emoji/EmojiPageKeyboardView.java"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 108345, "scanner": "repobility-threat-engine", "fingerprint": "7fe757ac61e4d4a8cc2f7491de2c4d0f48ccba44df4d09f553907afff5744681", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Unknown touch panel behavior: pointer count is \"\n                + pointerCount + \" (previously \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7fe757ac61e4d4a8cc2f7491de2c4d0f48ccba44df4d09f553907afff5744681"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/keyboard/internal/NonDistinctMultitouchHelper.java"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 108344, "scanner": "repobility-threat-engine", "fingerprint": "2790c75eb4315777153d19317c290c8a6bd075542d87a2fbc2b87764d2261db4", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"needsProximateBogusDownMoveUpEventHack=\" + needsTheHack\n                    + \" smallestScreenWidth", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2790c75eb4315777153d19317c290c8a6bd075542d87a2fbc2b87764d2261db4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/keyboard/internal/BogusMoveEventDetector.java"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 108343, "scanner": "repobility-threat-engine", "fingerprint": "1cf55593a8ea9d2a96cc0058a22f89326d2cbdd27b32acdc832622b1ad3fba15", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"performClickOn: key=\" + key\n                    + \" inIgnoreBounds=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1cf55593a8ea9d2a96cc0058a22f89326d2cbdd27b32acdc832622b1ad3fba15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/accessibility/MainKeyboardAccessibilityDelegate.kt"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 108367, "scanner": "repobility-threat-engine", "fingerprint": "34850fc1cb7f2cac1f8ca1cbccec005db7e128ab2122187169ec33c286a42dc4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|34850fc1cb7f2cac1f8ca1cbccec005db7e128ab2122187169ec33c286a42dc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"tools/release.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 108366, "scanner": "repobility-threat-engine", "fingerprint": "68c01de05ce2bb0e1112b8fa45089d8cb1f66855b27ffd86617dd3dc5caaec50", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|68c01de05ce2bb0e1112b8fa45089d8cb1f66855b27ffd86617dd3dc5caaec50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/release.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 108362, "scanner": "repobility-threat-engine", "fingerprint": "90c67a18124d7f5cc18e76dfe7eca04bcc77ac250587d6d1963de4a5eea3cee6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|90c67a18124d7f5cc18e76dfe7eca04bcc77ac250587d6d1963de4a5eea3cee6", "aggregated_count": 6}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 108361, "scanner": "repobility-threat-engine", "fingerprint": "bf6a7df23bbdbc267f41024cf915ae609467c4710e56fc86e638e23af47b9efb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bf6a7df23bbdbc267f41024cf915ae609467c4710e56fc86e638e23af47b9efb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/jni/src/dictionary/structure/backward/v402/ver4_dict_buffers.h"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 108360, "scanner": "repobility-threat-engine", "fingerprint": "a9d1e4aa93979121590f9494a65bd2bc0ae745bfb3a529a75222eb35d147c91a", "category": "quality", "severity": 
"info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a9d1e4aa93979121590f9494a65bd2bc0ae745bfb3a529a75222eb35d147c91a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/jni/src/dictionary/structure/backward/v402/ver4_dict_buffers.cpp"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 108359, "scanner": "repobility-threat-engine", "fingerprint": "98f2e682e8be8108ee9b342d8e5b1dcd27027bd00b71a31578fc5b8990fde905", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|98f2e682e8be8108ee9b342d8e5b1dcd27027bd00b71a31578fc5b8990fde905"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/jni/com_android_inputmethod_keyboard_ProximityInfo.cpp"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED086", "level": "none", "message": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type 
info."}, "properties": {"repobilityId": 108358, "scanner": "repobility-threat-engine", "fingerprint": "4e4172a3a56ca2ada16cc8fb16b0643e86da5d5466274c5fa27cb94ff36f6ac0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-runtime-exception", "owasp": null, "cwe_ids": [], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348138+00:00", "triaged_in_corpus": 12, "observations_count": 751, "ai_coder_pattern_id": 156}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4e4172a3a56ca2ada16cc8fb16b0643e86da5d5466274c5fa27cb94ff36f6ac0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/make-emoji-keys/src/main/kotlin/com/majeur/inputmethod/tools/emoji/JarUtils.kt"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED086", "level": "none", "message": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info."}, "properties": {"repobilityId": 108357, "scanner": "repobility-threat-engine", "fingerprint": "51975ef70d59ef0f2bd3b41b9d3ba23c0ccfc6ee5b5a7b6ac3d92939b65b26e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-runtime-exception", "owasp": null, "cwe_ids": [], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348138+00:00", "triaged_in_corpus": 12, "observations_count": 751, "ai_coder_pattern_id": 156}, "scanner": "repobility-threat-engine", "correlation_key": "fp|51975ef70d59ef0f2bd3b41b9d3ba23c0ccfc6ee5b5a7b6ac3d92939b65b26e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"app/src/main/java/helium314/keyboard/latin/utils/ScriptUtils.kt"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 108353, "scanner": "repobility-threat-engine", "fingerprint": "769862c21b896be7b71601e6014847cb4a671de2d6b612c020f4ef12cf8adfbf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|769862c21b896be7b71601e6014847cb4a671de2d6b612c020f4ef12cf8adfbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/latin/utils/ExecutorUtils.java"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 108351, "scanner": "repobility-threat-engine", "fingerprint": "2a90f201efe0fa0c5dec20cc574f41ea779c24e8a2731e92a392ebdb37082c00", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2a90f201efe0fa0c5dec20cc574f41ea779c24e8a2731e92a392ebdb37082c00"}}}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 108347, "scanner": "repobility-threat-engine", "fingerprint": "42435ccfb35f094e3e9303a4557fdd19287ca7aada94fb9e6f00fab0dba29d6b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|42435ccfb35f094e3e9303a4557fdd19287ca7aada94fb9e6f00fab0dba29d6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/latin/ContactsDictionaryConstants.java"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 108346, "scanner": "repobility-threat-engine", "fingerprint": "097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1"}}}, {"ruleId": "MINED029", "level": "none", "message": {"text": "[MINED029] Kotlin Null Bang (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 108342, "scanner": "repobility-threat-engine", "fingerprint": "be3826a7b8a709a7b6c257e699fbca0ec1af4c9f8b38566d3e1a479777b206f1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|be3826a7b8a709a7b6c257e699fbca0ec1af4c9f8b38566d3e1a479777b206f1", "aggregated_count": 10}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `tools/__pycache__/release.cpython-313.pyc` committed in source repo: `tools/__pycache__/release.cpython-313.pyc` is a .pyc binary (7,737 bytes) committed to a repo that otherwise has 619 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. A `.pyc` under `__pycache__/` is usually the interpreter's bytecode cache for the neighbouring `tools/release.py`, so the normal remediation is to remove it from version control and add `__pycache__/` to `.gitignore`; investigate further only if its contents do not match that source file."}, "properties": {"repobilityId": 108392, "scanner": "repobility-supply-chain", "fingerprint": "943f7adf959193548a30823cf3e88105d068bdd92bbca821f7355de9de3d4e60", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|943f7adf959193548a30823cf3e88105d068bdd92bbca821f7355de9de3d4e60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/__pycache__/release.cpython-313.pyc"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,583 bytes) committed to a repo that otherwise has 619 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. Note that `gradle-wrapper.jar` is the Gradle Wrapper bootstrap JAR that Gradle projects commit by convention, so the check to make is that its SHA-256 matches the checksum Gradle publishes for the wrapper version in use (the `gradle/actions/wrapper-validation` action automates this in CI), not that the file is absent."}, "properties": {"repobilityId": 108391, "scanner": "repobility-supply-chain", "fingerprint": "389b5cb501d430406cdd7a99f3bf4ea47aa6ba6ff426344faf737f6db39eebaf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|389b5cb501d430406cdd7a99f3bf4ea47aa6ba6ff426344faf737f6db39eebaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108390, "scanner": "repobility-supply-chain", "fingerprint": "0735edb3ed25f80f4b63c2f3439caa494f26e0fa7c4480dce78182c8247ff77b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0735edb3ed25f80f4b63c2f3439caa494f26e0fa7c4480dce78182c8247ff77b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-debug-apk.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108389, "scanner": "repobility-supply-chain", "fingerprint": "c888a3ae0bf5bea7f3edc55e1eb3c6042fa99a86b58f8345c520c4ec077ca2b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c888a3ae0bf5bea7f3edc55e1eb3c6042fa99a86b58f8345c520c4ec077ca2b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-debug-apk.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v3`: `uses: gradle/actions/setup-gradle@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108388, "scanner": "repobility-supply-chain", "fingerprint": "0a8b490646a1f1e344fb926fc1f8b5865883c8a5f954b41f4734786f93ba8e4e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a8b490646a1f1e344fb926fc1f8b5865883c8a5f954b41f4734786f93ba8e4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-debug-apk.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108387, "scanner": "repobility-supply-chain", "fingerprint": "a387e58fe07392db424b2083f727a4c8317392d8faa5374b013e2edac6b848ca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a387e58fe07392db424b2083f727a4c8317392d8faa5374b013e2edac6b848ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-debug-apk.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108386, "scanner": "repobility-supply-chain", "fingerprint": "c52b9f28f20f30394669c3bc65e33af883de1fac64cc714a05640d2744ddfa51", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c52b9f28f20f30394669c3bc65e33af883de1fac64cc714a05640d2744ddfa51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-debug-apk.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108385, "scanner": "repobility-supply-chain", "fingerprint": "cc4a85924d899fdaaf31886b901231028060bee3f437e0ec8af8aeca701cc0f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc4a85924d899fdaaf31886b901231028060bee3f437e0ec8af8aeca701cc0f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test-auto.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v3`: `uses: gradle/actions/setup-gradle@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108384, "scanner": "repobility-supply-chain", "fingerprint": "cbbd46ec105188071dece687515212da76fd46fb0106c5e0e6d396e168f51951", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cbbd46ec105188071dece687515212da76fd46fb0106c5e0e6d396e168f51951"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test-auto.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108383, "scanner": "repobility-supply-chain", "fingerprint": "2ed005adc36fcf10443e11713d4aa2a9c943e3c7428ba2957f185326ac43edc7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ed005adc36fcf10443e11713d4aa2a9c943e3c7428ba2957f185326ac43edc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test-auto.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108382, "scanner": "repobility-supply-chain", "fingerprint": "3ebf00f44fcea7803fe2cda80f8be688420f27501c5f855bc91ab87d66fb43ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ebf00f44fcea7803fe2cda80f8be688420f27501c5f855bc91ab87d66fb43ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test-auto.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108381, "scanner": "repobility-supply-chain", "fingerprint": "86737231f28313900cbaabd26a4711d28aceb8affbcaefed1daff531ba35007f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86737231f28313900cbaabd26a4711d28aceb8affbcaefed1daff531ba35007f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-badges.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `check_diacritics` has cognitive complexity 26 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, except=1, for=5, if=4, nested_bonus=15."}, "properties": {"repobilityId": 108363, "scanner": "repobility-threat-engine", "fingerprint": "bc03075217f08a6dc74159d9c74f2a92a6293333b3b40d8009ff6434d9de5ac8", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 26 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "check_diacritics", "breakdown": {"if": 4, "for": 5, "else": 1, "except": 1, "nested_bonus": 15}, "complexity": 26, "correlation_key": "fp|bc03075217f08a6dc74159d9c74f2a92a6293333b3b40d8009ff6434d9de5ac8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/diacritics.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 108356, "scanner": "repobility-threat-engine", "fingerprint": "e6eed307210eaeeba8b0952f68fec23c6d136710a795c362f8cacb407ea654bb", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e6eed307210eaeeba8b0952f68fec23c6d136710a795c362f8cacb407ea654bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/release.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 108355, "scanner": "repobility-threat-engine", "fingerprint": "451e880b029186756a993f7b9a5c0bb6cc076f4531b57764d8626fdcf5ae1a32", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|451e880b029186756a993f7b9a5c0bb6cc076f4531b57764d8626fdcf5ae1a32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/settings/preferences/LoadEmojiLibPreference.kt"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 108354, "scanner": "repobility-threat-engine", "fingerprint": "8bfca7442060fe0cae5c7f80b43183b868dcf2d25f60b6863aa087f7bc1dd3d2", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8bfca7442060fe0cae5c7f80b43183b868dcf2d25f60b6863aa087f7bc1dd3d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/latin/utils/GestureLibraryDownloader.kt"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 108352, "scanner": "repobility-threat-engine", "fingerprint": "876735e023bd60531a802eb9d875f13fbb0e2acdac7e3e014ee15e46d508d24e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|876735e023bd60531a802eb9d875f13fbb0e2acdac7e3e014ee15e46d508d24e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/latin/utils/ColorUtil.kt"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] 
Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 108350, "scanner": "repobility-threat-engine", "fingerprint": "09ff89dc2169c1d2a8d4ebe3a8ebad216c7c059fa2c1f03ec1a00267d721b505", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "file.delete()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|09ff89dc2169c1d2a8d4ebe3a8ebad216c7c059fa2c1f03ec1a00267d721b505"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/latin/dictionary/DictionaryFactory.kt"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 108349, "scanner": "repobility-threat-engine", "fingerprint": "b3087d1fab6e7db9a5de1576ce6d03f55ee1ccb97b1351536902b83ca2c97fa5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "file.delete()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b3087d1fab6e7db9a5de1576ce6d03f55ee1ccb97b1351536902b83ca2c97fa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/latin/database/Database.kt"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 108348, "scanner": "repobility-threat-engine", "fingerprint": "c7d1403a52a1a5df5b1ab61829e313df7d57295070c3e29cbb79a56c290feb05", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "db.writableDatabase.update(TABLE, cv, \"$COLUMN_ID = ${entry.id}\", null)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c7d1403a52a1a5df5b1ab61829e313df7d57295070c3e29cbb79a56c290feb05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/latin/database/ClipboardDao.kt"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 108341, "scanner": "repobility-threat-engine", "fingerprint": "3cb684e29dcf81a90c570ecc0a14743db7cc9aee7595cfba0c9361bd08611b3e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3cb684e29dcf81a90c570ecc0a14743db7cc9aee7595cfba0c9361bd08611b3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/keyboard/clipboard/ClipboardHistoryRecyclerView.kt"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 108340, "scanner": "repobility-threat-engine", "fingerprint": "7e1c58dcbddb771b9f9d65252a7dbaebee6cfba98159b6d0b50f2ed823b275dc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7e1c58dcbddb771b9f9d65252a7dbaebee6cfba98159b6d0b50f2ed823b275dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/accessibility/KeyCodeDescriptionMapper.kt"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 108339, "scanner": "repobility-threat-engine", "fingerprint": "4d20dc4624d3a904df2ba0377f0313ae8c59ac52ad1b6734c324f17663cfab89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4d20dc4624d3a904df2ba0377f0313ae8c59ac52ad1b6734c324f17663cfab89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/helium314/keyboard/accessibility/AccessibilityUtils.kt"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `locale` used but not imported: The file uses `locale.something(...)` but never imports `locale`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 108380, "scanner": "repobility-ast-engine", "fingerprint": "2feee04e16cd45188262502898e9cca72263b1a47031dd2c5db34c661cd591a0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2feee04e16cd45188262502898e9cca72263b1a47031dd2c5db34c661cd591a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/release.py"}, "region": {"startLine": 101}}}]}]}]}