{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /a"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 15.8% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 15.8% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC112", "name": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/templa", "shortDescription": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "fullDescription": {"text": "Use `html/template` (NOT `text/template`) for HTML responses. Never wrap user input with `template.HTML/JS/URL`."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC011", "name": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted", "shortDescription": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "fullDescription": {"text": "Use torch.load(..., weights_only=True) or use safetensors format."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED033] Go Recover Without Log (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.", "shortDescription": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-690 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED088", "name": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks.", "shortDescription": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 26 more): Same pattern found in 26 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.", "shortDescription": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `nvidia/cuda:13.0.0-devel-ubuntu22.04` unpinned: `container/services image:", "shortDescription": {"text": "[MINED126] Workflow container/services image `nvidia/cuda:13.0.0-devel-ubuntu22.04` unpinned: `container/services image: nvidia/cuda:13.0.0-devel-ubuntu22.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow co"}, "fullDescription": {"text": "Replace with `nvidia/cuda:13.0.0-devel-ubuntu22.04@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM ubuntu:24.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf.", "shortDescription": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-120 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/724"}, "properties": {"repository": "ollama/ollama", "repoUrl": "https://github.com/ollama/ollama", "branch": "main"}, "results": [{"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/create."}, "properties": {"repobilityId": 59014, "scanner": "repobility-access-control", "fingerprint": "2b78c2feebadeb9270c4f5f809b127dd1f20954a27db39390a093f8ab73447d1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/create", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|server/routes.go|1851|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes.go"}, "region": {"startLine": 1851}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/user/keys/:encodedKey."}, "properties": {"repobilityId": 59013, "scanner": "repobility-access-control", "fingerprint": "360270f760154209c57347a7899a01febb58e0f879bc32065b6d8225bc1f0645", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/user/keys/:encodedKey", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|server/routes.go|1848|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes.go"}, "region": {"startLine": 1848}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/signout."}, "properties": {"repobilityId": 59012, "scanner": "repobility-access-control", "fingerprint": "cbf8ce4ce6b81380da2b64732e99dbce37938dd373faf5c781b97364c9024761", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/signout", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|server/routes.go|1846|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes.go"}, "region": {"startLine": 1846}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/me."}, "properties": {"repobilityId": 59011, "scanner": "repobility-access-control", "fingerprint": "e3536ea797d51067b8b8e460f5d8349b1172c753b8301d25f717082549cee8be", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/me", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|server/routes.go|1844|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes.go"}, "region": {"startLine": 1844}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/delete."}, "properties": {"repobilityId": 59010, "scanner": "repobility-access-control", "fingerprint": "3431e4addf3e416f38a1b0b4d5c22dfd2711cdacaf1b4eeaa1c30b7e6546e838", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/delete", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|server/routes.go|1842|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes.go"}, "region": {"startLine": 1842}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/show."}, "properties": {"repobilityId": 59009, "scanner": "repobility-access-control", "fingerprint": "08710b8ca453e02dce94eb74a25f3ad89c7ee1596c86596ab46c771e21f3b300", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/show", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|server/routes.go|1841|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes.go"}, "region": {"startLine": 1841}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/tags."}, "properties": {"repobilityId": 59008, "scanner": "repobility-access-control", "fingerprint": "6ed20266b3a417321e8b20340e0028a8feb744e6d7769bc5c75d38a5183583b1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/tags", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|server/routes.go|1840|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes.go"}, "region": {"startLine": 1840}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/push."}, "properties": {"repobilityId": 59007, "scanner": "repobility-access-control", "fingerprint": "1d84850e73d29f26ebebd00ab81d24daef771eba520aa3300bab6477c8d9fbd7", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/push", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|server/routes.go|1838|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes.go"}, "region": {"startLine": 1838}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/pull."}, "properties": {"repobilityId": 59006, "scanner": "repobility-access-control", "fingerprint": "ed1de83b0780a87e3fb0a9f41c23ffa372b1fab754dcfbeff43c9ad1f122d933", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/pull", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|server/routes.go|1837|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes.go"}, "region": {"startLine": 1837}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /www-authenticate."}, "properties": {"repobilityId": 59005, "scanner": "repobility-access-control", "fingerprint": "2556aee00c71bf01613790c8fc35c35847e8f12d2f54ece1a9f5f6c222f4ecac", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/www-authenticate", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|server/upload.go|283|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/upload.go"}, "region": {"startLine": 283}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 15.8% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 59004, "scanner": "repobility-access-control", "fingerprint": "de92f7c8671668695d16ba43b6fa4c6e47c8bb2b00890b07ecb5c639a010bb9c", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 76, "correlation_key": "fp|de92f7c8671668695d16ba43b6fa4c6e47c8bb2b00890b07ecb5c639a010bb9c", "auth_visible_percent": 15.8}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 59003, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Gin"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 59001, "scanner": "repobility-docker", "fingerprint": "f17766e848156837e01fa100b54cbc7ce6877964c4b6e97ac356b6babc113701", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:24.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f17766e848156837e01fa100b54cbc7ce6877964c4b6e97ac356b6babc113701"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 295}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 58997, "scanner": "repobility-docker", "fingerprint": "090dc9dfb8535cf9b9a079a1bfb9cf016b1963856316225231beb536090a66a9", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|090dc9dfb8535cf9b9a079a1bfb9cf016b1963856316225231beb536090a66a9", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 247}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 58988, "scanner": "repobility-agent-runtime", "fingerprint": "c89c277919848f8567eb4e639684f07914825975377ed3ce10d32d9e535ff464", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c89c277919848f8567eb4e639684f07914825975377ed3ce10d32d9e535ff464"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/integrations/opencode.mdx"}, "region": {"startLine": 12}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 58987, "scanner": "repobility-agent-runtime", "fingerprint": "7308c80c00303c95b69e84f9f74b2d251e2fb97d338829832f336c51c7eb973b", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7308c80c00303c95b69e84f9f74b2d251e2fb97d338829832f336c51c7eb973b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/integrations/hermes.mdx"}, "region": {"startLine": 59}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 58986, "scanner": "repobility-agent-runtime", "fingerprint": "a65bde75c68dd294c72ee31d84df64f60f162facff4d33e2aa9331813a9dcf1e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a65bde75c68dd294c72ee31d84df64f60f162facff4d33e2aa9331813a9dcf1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/integrations/droid.mdx"}, "region": {"startLine": 11}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 58985, "scanner": "repobility-agent-runtime", "fingerprint": "3abea6f8ceb57d443b902003a0c959806e5c187e3ece728975fd7260afea712f", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3abea6f8ceb57d443b902003a0c959806e5c187e3ece728975fd7260afea712f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/integrations/copilot-cli.mdx"}, "region": {"startLine": 24}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 58984, "scanner": "repobility-agent-runtime", "fingerprint": "7b02783d2aea1f7ffc6c78ec887c864f2a5dbddbeafa34f35a122827aaea4960", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7b02783d2aea1f7ffc6c78ec887c864f2a5dbddbeafa34f35a122827aaea4960"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/integrations/claude-code.mdx"}, "region": {"startLine": 18}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 58983, "scanner": "repobility-agent-runtime", "fingerprint": "839a5d47b88247a443eddb1a8145eaee8ba722bd953b5f33fe883ea15378182a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|839a5d47b88247a443eddb1a8145eaee8ba722bd953b5f33fe883ea15378182a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/faq.mdx"}, "region": {"startLine": 12}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 58982, "scanner": "repobility-agent-runtime", "fingerprint": "ebe4ea206b0e40b2977b517857e62e4852ab4b0de0d564d1b7076f225426a3a0", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ebe4ea206b0e40b2977b517857e62e4852ab4b0de0d564d1b7076f225426a3a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 58952, "scanner": "repobility-threat-engine", "fingerprint": "ad48a7305817027dc7c0fcd961981218a03766861a9a85526512097424ad0012", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.ListenAndServe(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad48a7305817027dc7c0fcd961981218a03766861a9a85526512097424ad0012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x/mlxrunner/runner.go"}, "region": {"startLine": 195}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 58951, "scanner": "repobility-threat-engine", "fingerprint": "440581088b92679cd3d7f35baccf27d02e641b24fdbc302afa2fa1680eb4e8f1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tAddr:    fmt.Sprintf(\"127.0.0.1:%d\", *port),\n\t\tHandler: mux,\n\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|440581088b92679cd3d7f35baccf27d02e641b24fdbc302afa2fa1680eb4e8f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x/imagegen/runner.go"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 58950, "scanner": "repobility-threat-engine", "fingerprint": "77ecb19f6ca9823202bf6d175f208d57e49e2804e663524a0a43ab7974af354d", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "Eval(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|x/imagegen/mlx/compile.go|115|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x/imagegen/mlx/compile.go"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "properties": {"repobilityId": 58944, "scanner": "repobility-threat-engine", "fingerprint": "c9b7826ca7ba0a57f30691e7adf6dd2e7b66de41043671be2599d7d7b80cf791", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(buf, line)\n\t}\n\tbuf.Flush()\n\tf.Close()\n\n\tif err = os.Rename(tmpFile, h.Filename)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c9b7826ca7ba0a57f30691e7adf6dd2e7b66de41043671be2599d7d7b80cf791"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "readline/history.go"}, "region": {"startLine": 141}}}]}, {"ruleId": "SEC011", "level": "warning", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 58938, "scanner": "repobility-threat-engine", "fingerprint": "4761258cbd14629f5d090bc8e2585179bef1ab2ce48ae58ff8a5b15c473067f0", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "torch.Load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|convert/reader_torch.go|15|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/reader_torch.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 58924, "scanner": "repobility-threat-engine", "fingerprint": "ea84f37bd6b0b4dd573f4fd7bc1e6e9251b4556a7b5f5785e4648ec0c05e3141", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => { })", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea84f37bd6b0b4dd573f4fd7bc1e6e9251b4556a7b5f5785e4648ec0c05e3141"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/LaunchCommands.tsx"}, "region": {"startLine": 129}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 58919, "scanner": "repobility-threat-engine", "fingerprint": "259fae37932d88cf2fa1cdb848395c16b57d87b44e05509a1f1300af18bc08a8", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|app/webview/webview.go|132|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/webview/webview.go"}, "region": {"startLine": 132}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 58918, "scanner": "repobility-threat-engine", "fingerprint": "415c4f7837b382725c6e4129d5ee3c1934474c5034875efba22cc7567e573567", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|16|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/utils/remarkCitationParser.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 58917, "scanner": "repobility-threat-engine", "fingerprint": "5bfc83c2c127bb6d14a7e0d2286f14efe27f475790fa50c75759fb016066313f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|13|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/ErrorMessage.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 58916, "scanner": "repobility-threat-engine", "fingerprint": "2d1194a24c88f6669b5c3f1c64ee704f5419cc8add9b46163cdec6e713bc3155", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(connectUrl, \"_blank\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|53|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/DisplayLogin.tsx"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 59002, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 59000, "scanner": "repobility-docker", "fingerprint": "f30a444409263a58834496fb24643e256c4ffc99ca311627b0c0251c68e42844", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f30a444409263a58834496fb24643e256c4ffc99ca311627b0c0251c68e42844"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 298}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 58996, "scanner": "repobility-docker", "fingerprint": "867ef15193ab479a9462334bb85b5d0f398c9ee1ddbd9aad4d493d033809de47", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|867ef15193ab479a9462334bb85b5d0f398c9ee1ddbd9aad4d493d033809de47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 179}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 58995, "scanner": "repobility-docker", "fingerprint": "0282f82155e4dbbc09d2ff32653c4e336bd80d883f484947020faa6ef5d31631", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|0282f82155e4dbbc09d2ff32653c4e336bd80d883f484947020faa6ef5d31631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 179}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 58993, "scanner": "repobility-docker", "fingerprint": "eb001e9db9ee44ff066161c4e8111149995ad82931f211ef6d28b9d36471f132", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|eb001e9db9ee44ff066161c4e8111149995ad82931f211ef6d28b9d36471f132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 159}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 58992, "scanner": "repobility-docker", "fingerprint": "df1e5b2abef28f5e892070657ea4439b5e545b50fef51beec5a7c7a022b22638", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|df1e5b2abef28f5e892070657ea4439b5e545b50fef51beec5a7c7a022b22638"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 159}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58981, "scanner": "repobility-ai-code-hygiene", "fingerprint": "73f2dbc877514af08dff7be12bdb1f4bdb0ea46c5834415c84447af51dcea961", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x/imagegen/models/flux2/flux2.go", "duplicate_line": 37, "correlation_key": "fp|73f2dbc877514af08dff7be12bdb1f4bdb0ea46c5834415c84447af51dcea961"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x/imagegen/models/zimage/zimage.go"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58980, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cc09e30d612fd782199c9e1ba845b02ab1dda507e1d8ef9ac11b4603353e8a52", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x/imagegen/models/flux2/vae.go", "duplicate_line": 82, "correlation_key": "fp|cc09e30d612fd782199c9e1ba845b02ab1dda507e1d8ef9ac11b4603353e8a52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x/imagegen/models/zimage/vae.go"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58979, "scanner": "repobility-ai-code-hygiene", "fingerprint": "608911784a3dcdcbf0f5a610eb08917a48c21615e157ea94f8bd61d670ea1418", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x/imagegen/cmd/engine/image.go", "duplicate_line": 37, "correlation_key": "fp|608911784a3dcdcbf0f5a610eb08917a48c21615e157ea94f8bd61d670ea1418"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x/imagegen/image.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58978, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e5c56ddaf8fba6221e1f4ba00c1996b1bb714d84c927e4c7915907bb96a5ab2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/interactive.go", "duplicate_line": 614, "correlation_key": "fp|3e5c56ddaf8fba6221e1f4ba00c1996b1bb714d84c927e4c7915907bb96a5ab2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x/imagegen/cli.go"}, "region": {"startLine": 431}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58977, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5e5a868a8d5394ff71d169df49bd4ff3ddd4c0d922cbaa8fa3cd345ea31999d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/internal/internal/names/name.go", "duplicate_line": 85, "correlation_key": "fp|d5e5a868a8d5394ff71d169df49bd4ff3ddd4c0d922cbaa8fa3cd345ea31999d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/model/name.go"}, "region": {"startLine": 210}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58976, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25921f36bb48cdd00cfbaece0225fbc3971cd95db33a9d20982a05b2cd75bcc5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tokenizer/bytepairencoding.go", "duplicate_line": 103, "correlation_key": "fp|25921f36bb48cdd00cfbaece0225fbc3971cd95db33a9d20982a05b2cd75bcc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tokenizer/sentencepiece.go"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58975, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bfd0c29e359d336535e6f4d369ee62d1e95d6022f9e1a52d72b3d95f64fe2ca2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/internal/client/ollama/registry.go", "duplicate_line": 792, "correlation_key": "fp|bfd0c29e359d336535e6f4d369ee62d1e95d6022f9e1a52d72b3d95f64fe2ca2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/internal/internal/names/name.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58974, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5d691beb1b09dd460b7975f0750a7c4166bca4317ee8ab4570b7924e028f17f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "model/renderers/glm47.go", "duplicate_line": 13, "correlation_key": "fp|5d691beb1b09dd460b7975f0750a7c4166bca4317ee8ab4570b7924e028f17f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/renderers/glmocr.go"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58973, "scanner": "repobility-ai-code-hygiene", "fingerprint": "454b083806d1a99c241d734f6dddab4f78482d75a91c80cbe8e7cd3ecd325323", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "model/renderers/functiongemma.go", "duplicate_line": 116, "correlation_key": "fp|454b083806d1a99c241d734f6dddab4f78482d75a91c80cbe8e7cd3ecd325323"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/renderers/gemma4.go"}, "region": {"startLine": 181}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58972, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2e929bef51c1d084277b710e9a6e445f68141f3d9f4be70e7ac30fc60fc98195", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "model/parsers/glm46.go", "duplicate_line": 437, "correlation_key": "fp|2e929bef51c1d084277b710e9a6e445f68141f3d9f4be70e7ac30fc60fc98195"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/parsers/laguna.go"}, "region": {"startLine": 492}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58971, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ba5465b62d3c725560014442189b9df8d8792659ca967bc11b029b44bc4bf131", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "llm/llama_binary.go", "duplicate_line": 93, "correlation_key": "fp|ba5465b62d3c725560014442189b9df8d8792659ca967bc11b029b44bc4bf131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ml/path.go"}, "region": {"startLine": 90}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58970, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6176a9ac13e8ad945c5648b29f1758acedbac8ebbe035adf5e84c486c1293f77", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert.go", "duplicate_line": 58, "correlation_key": "fp|6176a9ac13e8ad945c5648b29f1758acedbac8ebbe035adf5e84c486c1293f77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fs/ggml/ggml.go"}, "region": {"startLine": 152}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58969, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e937300f7c3ad82bfcd5628f3763bbc35e50cefff6473e8549f153d920ff0ded", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "discover/native_probe_linux.go", "duplicate_line": 114, "correlation_key": "fp|e937300f7c3ad82bfcd5628f3763bbc35e50cefff6473e8549f153d920ff0ded"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "discover/native_probe_windows.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58968, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9bb4d49dbcda3670ed5da7453dcd4c854354b615914ba4dfc0de2b7b74476de3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_bert.go", "duplicate_line": 36, "correlation_key": "fp|9bb4d49dbcda3670ed5da7453dcd4c854354b615914ba4dfc0de2b7b74476de3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_nomicbert.go"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58967, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f66de0fa4558a5eba0d2f0f0cbf1d79710c89307a804e08a4dbe856ea027cc9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_gemma2_adapter.go", "duplicate_line": 57, "correlation_key": "fp|3f66de0fa4558a5eba0d2f0f0cbf1d79710c89307a804e08a4dbe856ea027cc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_mistral_causal.go"}, "region": {"startLine": 133}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58966, "scanner": "repobility-ai-code-hygiene", "fingerprint": "698864d51901b205ce3f83b6f278f66071333b33cf399525f4764462ac2efdc9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_llama.go", "duplicate_line": 99, "correlation_key": "fp|698864d51901b205ce3f83b6f278f66071333b33cf399525f4764462ac2efdc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_mistral_causal.go"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58965, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27d73ba7cba80bc3ac3e09d18b306699f7bb97a702ef26e860e74b8383237a47", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_mistral.go", "duplicate_line": 16, "correlation_key": "fp|27d73ba7cba80bc3ac3e09d18b306699f7bb97a702ef26e860e74b8383237a47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_mistral_causal.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58964, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d9e3dcda341bb9168166547c06a32aaf9e69c3353e91adf83c81c727f0f4b18", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_gemma2_adapter.go", "duplicate_line": 57, "correlation_key": "fp|1d9e3dcda341bb9168166547c06a32aaf9e69c3353e91adf83c81c727f0f4b18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_mistral.go"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58963, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2e2dd63f0ff33f34692de9a4e779c3eea65b3e0f54ddaa3e55239dd3df56b043", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_llama.go", "duplicate_line": 99, "correlation_key": "fp|2e2dd63f0ff33f34692de9a4e779c3eea65b3e0f54ddaa3e55239dd3df56b043"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_mistral.go"}, "region": {"startLine": 109}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58962, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e5498c162301e4adfc870ab2cca8e924edb4e111b1fe2886987f07c86ea2361", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_llama.go", "duplicate_line": 168, "correlation_key": "fp|3e5498c162301e4adfc870ab2cca8e924edb4e111b1fe2886987f07c86ea2361"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_llama_adapter.go"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58961, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc6485647631ab73bb9b950c39e6b7ac130e591ddb59d0146699836ead7718fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_gemma2_adapter.go", "duplicate_line": 37, "correlation_key": "fp|bc6485647631ab73bb9b950c39e6b7ac130e591ddb59d0146699836ead7718fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_llama_adapter.go"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58960, "scanner": "repobility-ai-code-hygiene", "fingerprint": "322f0e5160b77150a15f60157d555280df5977848d4c8d93befe58b7f7d774aa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_gemma2_adapter.go", "duplicate_line": 57, "correlation_key": "fp|322f0e5160b77150a15f60157d555280df5977848d4c8d93befe58b7f7d774aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_llama.go"}, "region": {"startLine": 174}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58959, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f1e05db4d8a759f76ba360a4cb9cf683fc91ffbfd8c15c2048a121859eb7f75f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_gemma.go", "duplicate_line": 55, "correlation_key": "fp|f1e05db4d8a759f76ba360a4cb9cf683fc91ffbfd8c15c2048a121859eb7f75f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_llama.go"}, "region": {"startLine": 142}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58958, "scanner": "repobility-ai-code-hygiene", "fingerprint": "663be309c40d46c3a0d00773859fd90434f63b43f27d4c707ccedbdc78f0bbb4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_bert.go", "duplicate_line": 12, "correlation_key": "fp|663be309c40d46c3a0d00773859fd90434f63b43f27d4c707ccedbdc78f0bbb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_llama.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58957, "scanner": "repobility-ai-code-hygiene", "fingerprint": "51280c9c20410daa36f3a50362a98628d111ea21ed446d90a76f32961e58756c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_deepseek2.go", "duplicate_line": 12, "correlation_key": "fp|51280c9c20410daa36f3a50362a98628d111ea21ed446d90a76f32961e58756c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_glm4moelite.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58956, "scanner": "repobility-ai-code-hygiene", "fingerprint": "275dcc0c590e5f5abcce7eb782d0676d1811b7cb91a1ba14fdcd30cb73cfee49", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_gemma.go", "duplicate_line": 54, "correlation_key": "fp|275dcc0c590e5f5abcce7eb782d0676d1811b7cb91a1ba14fdcd30cb73cfee49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_gemma2.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58955, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5d0d34a1f7884a4f5aea8d17fe38c7d645d8c48bde63dbdafa5b26e2dabbad4a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convert/convert_deepseek2.go", "duplicate_line": 111, "correlation_key": "fp|5d0d34a1f7884a4f5aea8d17fe38c7d645d8c48bde63dbdafa5b26e2dabbad4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_deepseekocr.go"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58954, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cea7ddd1930a7d365750d44ff999bb890c8c0e272ffa583db447d511436aa10b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/updater/updater_windows.go", "duplicate_line": 320, "correlation_key": "fp|cea7ddd1930a7d365750d44ff999bb890c8c0e272ffa583db447d511436aa10b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/start_windows.go"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 58953, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f50e502871e3a1c09c7c3144e1af325ca6dcf7aacb20af8655b99109cd70acda", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/tools/web_fetch.go", "duplicate_line": 1, "correlation_key": "fp|f50e502871e3a1c09c7c3144e1af325ca6dcf7aacb20af8655b99109cd70acda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/tools/web_search.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 58942, "scanner": "repobility-threat-engine", "fingerprint": "723a869a326b6be201f6df7ff4215472d0c1aafe9a90280c9df54ecb4f42be52", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"<arg_key>\" + key + \"</arg_key>\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|723a869a326b6be201f6df7ff4215472d0c1aafe9a90280c9df54ecb4f42be52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/renderers/glm47.go"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 58941, "scanner": "repobility-threat-engine", "fingerprint": "71f6915fabcfc9c260e7a61924e07113c47e387b9d2b7598dfafab0d82ead05b", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"<arg_key>\" + key + \"</arg_key>\\n\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|71f6915fabcfc9c260e7a61924e07113c47e387b9d2b7598dfafab0d82ead05b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/renderers/glm46.go"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 58940, "scanner": "repobility-threat-engine", "fingerprint": "b6801f1b5446f0468c8239988617df1c8b684dfb8c2c35c5f4c3b6b5042bb5b8", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"<escape>\" + req + \"<escape>\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b6801f1b5446f0468c8239988617df1c8b684dfb8c2c35c5f4c3b6b5042bb5b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/renderers/functiongemma.go"}, "region": {"startLine": 159}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 58905, "scanner": "repobility-threat-engine", "fingerprint": "063a4cde888d11b1fcb18d8b29e890f845f6fa1bc35820b8c6be431b525465aa", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = pDefWindowProc.Call(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|063a4cde888d11b1fcb18d8b29e890f845f6fa1bc35820b8c6be431b525465aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/wintray/eventloop.go"}, "region": {"startLine": 91}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 58904, "scanner": "repobility-threat-engine", "fingerprint": "a1868c638d3026afaf9e3b9a3677da856ae7b98947aae3ef24c56d4d9e9d82fe", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = fp.Close(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a1868c638d3026afaf9e3b9a3677da856ae7b98947aae3ef24c56d4d9e9d82fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/updater/updater.go"}, "region": {"startLine": 230}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 58903, "scanner": "repobility-threat-engine", "fingerprint": "eef55935a30ff8cc1cf79f4db27a96b434f01c8933a0f65c1390552e094321b1", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = syscall.UTF16PtrFromString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eef55935a30ff8cc1cf79f4db27a96b434f01c8933a0f65c1390552e094321b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/dialog/dlgs_windows.go"}, "region": {"startLine": 171}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58999, "scanner": "repobility-docker", "fingerprint": "d14f79c6fdebd9056d5e0e96e6e6ec101aa51a8fd187b1a6a2d0ad4b6098837f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FLAVOR}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d14f79c6fdebd9056d5e0e96e6e6ec101aa51a8fd187b1a6a2d0ad4b6098837f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 292}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58998, "scanner": "repobility-docker", "fingerprint": "a12db720a036b37b3bf6eadd2b2f8447df86be9926ad326efe71c540da2db277", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${TARGETARCH}-archive", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a12db720a036b37b3bf6eadd2b2f8447df86be9926ad326efe71c540da2db277"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 289}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58994, "scanner": "repobility-docker", "fingerprint": "04618390bf3c41663b77211bdee9b450d06f058781e226fabe34ce761123c6b2", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvcr.io/nvidia/l4t-jetpack:${JETPACK6VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|04618390bf3c41663b77211bdee9b450d06f058781e226fabe34ce761123c6b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 176}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58991, "scanner": "repobility-docker", "fingerprint": "ea47787572d74db09626e51168cb29016680ba19f09aa6bbb1619b2db7b5811e", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvcr.io/nvidia/l4t-jetpack:${JETPACK5VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ea47787572d74db09626e51168cb29016680ba19f09aa6bbb1619b2db7b5811e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 156}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58990, "scanner": "repobility-docker", "fingerprint": "86006d7404e96a270744f62ce568925949cc4a669aa83470a34606762de7bbc7", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "base-${TARGETARCH}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|86006d7404e96a270744f62ce568925949cc4a669aa83470a34606762de7bbc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 58989, "scanner": "repobility-docker", "fingerprint": "8cdf7f3d8cd430812885fc79271f97c21b3efdfd82e38246f16a5add148d9696", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "rocm/dev-almalinux-8:${ROCMVERSION}-complete", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8cdf7f3d8cd430812885fc79271f97c21b3efdfd82e38246f16a5add148d9696"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED033", "level": "none", "message": {"text": "[MINED033] Go Recover Without Log (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 58948, "scanner": "repobility-threat-engine", "fingerprint": "fbb07e72cc11e3b4572ea89c723fe2134675efa8683fd803c2aec97628259c34", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fbb07e72cc11e3b4572ea89c723fe2134675efa8683fd803c2aec97628259c34", "aggregated_count": 1}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 58943, "scanner": "repobility-threat-engine", "fingerprint": "097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1"}}}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 58936, "scanner": "repobility-threat-engine", "fingerprint": "af7a39a6eb4078f369e35c27fca5e81b0bd35031c5a8cba1210fb31a0c6bb088", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af7a39a6eb4078f369e35c27fca5e81b0bd35031c5a8cba1210fb31a0c6bb088"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/webview/glue.c"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 58935, "scanner": "repobility-threat-engine", "fingerprint": "5e23217b651c49f45c32cc9b2ecde26dd5ab6db76389723bae1964e1112d4945", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e23217b651c49f45c32cc9b2ecde26dd5ab6db76389723bae1964e1112d4945"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/updater/updater_darwin.m"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 58934, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 58930, "scanner": "repobility-threat-engine", "fingerprint": "9538f1e64abc06611cb760d4cf74131bb8d1179208b0f6494ae6336a088ba74b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9538f1e64abc06611cb760d4cf74131bb8d1179208b0f6494ae6336a088ba74b", "aggregated_count": 2}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 58929, "scanner": "repobility-threat-engine", "fingerprint": "e24a4224f3fee256e5a63992d58606061bbd4c521d77d980810d723cd7ebb115", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e24a4224f3fee256e5a63992d58606061bbd4c521d77d980810d723cd7ebb115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/ThinkButton.tsx"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 58928, "scanner": "repobility-threat-engine", "fingerprint": "90bfc93101d95dc31efd92c80cf8d2678edd32591edd27f924b2f0092257f965", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|90bfc93101d95dc31efd92c80cf8d2678edd32591edd27f924b2f0092257f965"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/ModelPicker.tsx"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 58927, "scanner": "repobility-threat-engine", "fingerprint": "6a73e25d90abae2d7980e1c8b77526a06eba77380a1838c86780c4cef3f1bcf1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a73e25d90abae2d7980e1c8b77526a06eba77380a1838c86780c4cef3f1bcf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/MessageList.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 58926, "scanner": "repobility-threat-engine", "fingerprint": "d6dd4fdcc6a3533e75913ca072ad35d5b25a571a401da9dad80ae5ced8a1b2a3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6dd4fdcc6a3533e75913ca072ad35d5b25a571a401da9dad80ae5ced8a1b2a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/MessageList.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 58925, "scanner": "repobility-threat-engine", "fingerprint": "53cc64020e48142590a028aef8357f27bfdc64665924a4e6815ce7c59894facd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53cc64020e48142590a028aef8357f27bfdc64665924a4e6815ce7c59894facd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/Message.stories.tsx"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 58923, "scanner": "repobility-threat-engine", "fingerprint": "bcd5ecc4d886378accebaf17fdba6567a96846ea4a0357d43444e62637a9b0cb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bcd5ecc4d886378accebaf17fdba6567a96846ea4a0357d43444e62637a9b0cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/ErrorMessage.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 58920, "scanner": "repobility-threat-engine", "fingerprint": "11c1ac2c2701254762d74bbeb51c35ad880c4c72ab240f29dfc4a34dd68295d0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|11c1ac2c2701254762d74bbeb51c35ad880c4c72ab240f29dfc4a34dd68295d0"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 58915, "scanner": "repobility-threat-engine", "fingerprint": "f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "aggregated_count": 8}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 58914, "scanner": "repobility-threat-engine", "fingerprint": "7af6038ff80b4b8102d1247ddcb8bbd16963ed8e1f38fedf18e4999733c4420d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7af6038ff80b4b8102d1247ddcb8bbd16963ed8e1f38fedf18e4999733c4420d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/DisplayStale.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 58913, "scanner": "repobility-threat-engine", "fingerprint": "eba7c70f495b7aed2ed7d6c923cfb2858ff8ac93262745e49c3507d09c2e85a7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eba7c70f495b7aed2ed7d6c923cfb2858ff8ac93262745e49c3507d09c2e85a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/DisplayLogin.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 58912, "scanner": "repobility-threat-engine", "fingerprint": "a0d3444087d751528554a062dfba024241ea2acdca64b0e40b3fa6367d2a8e93", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a0d3444087d751528554a062dfba024241ea2acdca64b0e40b3fa6367d2a8e93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/CopyButton.tsx"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 58911, "scanner": "repobility-threat-engine", "fingerprint": "0f0cf7f42aa49332d7f0ddd592da08be2c096ef030534d3a1a712421d6c5c16c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0f0cf7f42aa49332d7f0ddd592da08be2c096ef030534d3a1a712421d6c5c16c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/tools/url_policy.go"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 58910, "scanner": "repobility-threat-engine", "fingerprint": "4b6d8eee8856ae8cfc81502c27b15ed14dd19ef02fea0b0ed9c59fe7c378cead", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4b6d8eee8856ae8cfc81502c27b15ed14dd19ef02fea0b0ed9c59fe7c378cead", "aggregated_count": 7}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 58906, "scanner": "repobility-threat-engine", "fingerprint": "296bdc85bc97d457035986a9b3b7d2be5d919b23084449cf69240410280ba8ef", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|296bdc85bc97d457035986a9b3b7d2be5d919b23084449cf69240410280ba8ef"}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "properties": {"repobilityId": 58902, "scanner": "repobility-threat-engine", "fingerprint": "eae724d2a5d8a504f296ccb1174c8673988005b69354d6c96c2f8447a9fb1f23", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eae724d2a5d8a504f296ccb1174c8673988005b69354d6c96c2f8447a9fb1f23", "aggregated_count": 26}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 58901, "scanner": "repobility-threat-engine", "fingerprint": "c41b5080ac24baf9a4d838860d3763a980c21e88d89e5b350ea02aae88fb1541", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c41b5080ac24baf9a4d838860d3763a980c21e88d89e5b350ea02aae88fb1541"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convert/convert_phi3.go"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 58900, "scanner": "repobility-threat-engine", "fingerprint": "37641d9a171701d45cd046c72e520f3847579fcc3bbcb399b236f7a94b993e0d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37641d9a171701d45cd046c72e520f3847579fcc3bbcb399b236f7a94b993e0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/dialog/dlgs_windows.go"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 58899, "scanner": "repobility-threat-engine", "fingerprint": "47fc37473f2a9b8d4b90c3692858575ffdaaccabdf7d493bd8647bdbad67635e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|47fc37473f2a9b8d4b90c3692858575ffdaaccabdf7d493bd8647bdbad67635e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/dialog/cocoa/dlg_darwin.go"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 58898, "scanner": "repobility-threat-engine", "fingerprint": "4be6635976cb2898d0199da44a70e1d765b8b3c80f372c4e3ae2c250f784602f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4be6635976cb2898d0199da44a70e1d765b8b3c80f372c4e3ae2c250f784602f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/dialog/cocoa/dlg.m"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 58897, "scanner": "repobility-threat-engine", "fingerprint": "9b5e37036d9b219401ea46f444581cc53cd7ceb481791042a1da8088273c3b51", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9b5e37036d9b219401ea46f444581cc53cd7ceb481791042a1da8088273c3b51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/FileUpload.tsx"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 58896, "scanner": "repobility-threat-engine", "fingerprint": "8d1206c471fd728d979f4d78df08d827da80147dd2114d6bb0032f12eb8f3cb6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8d1206c471fd728d979f4d78df08d827da80147dd2114d6bb0032f12eb8f3cb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/dialog/cocoa/dlg.m"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC093", "level": "none", "message": {"text": "[SEC093] Go: exec.Command with non-literal (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 58894, "scanner": "repobility-threat-engine", "fingerprint": "8bade660580b1b67bf2321287739cc7dbb9ba7469ceec530e7c4f4bbc383e796", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8bade660580b1b67bf2321287739cc7dbb9ba7469ceec530e7c4f4bbc383e796"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 58890, "scanner": "repobility-threat-engine", "fingerprint": "29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc"}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 58886, "scanner": "repobility-threat-engine", "fingerprint": "651eeaeb3f30cb2788eb7d34578bb476787cc2d5f03c41e1c54c1af75fcf1e00", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|651eeaeb3f30cb2788eb7d34578bb476787cc2d5f03c41e1c54c1af75fcf1e00", "aggregated_count": 16}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 58885, "scanner": "repobility-threat-engine", "fingerprint": "d06ebad359e8fbee0a3bb454ba851225780098c7026e951b56926e14b618ad42", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d06ebad359e8fbee0a3bb454ba851225780098c7026e951b56926e14b618ad42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/examples/generate/main.go"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 58884, "scanner": "repobility-threat-engine", "fingerprint": "be796fa266ce78cf956b5a04e056250ca7d76e2e9d5f4c24e97e88535cd7e6dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be796fa266ce78cf956b5a04e056250ca7d76e2e9d5f4c24e97e88535cd7e6dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/examples/generate-streaming/main.go"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 58883, "scanner": "repobility-threat-engine", "fingerprint": "fb3ad011f1670a04cccd1958178a6e76842ba8fde994ebc4033ecfe7048f3150", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fb3ad011f1670a04cccd1958178a6e76842ba8fde994ebc4033ecfe7048f3150"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/examples/chat/main.go"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59044, "scanner": "repobility-supply-chain", "fingerprint": "6a095bc174c1f91c8bf33fe83b17c7c44bbdb0e49e985b15aeacdf56b40e9d0c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a095bc174c1f91c8bf33fe83b17c7c44bbdb0e49e985b15aeacdf56b40e9d0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yaml"}, "region": {"startLine": 304}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59043, "scanner": "repobility-supply-chain", "fingerprint": "884b7753b78538de37f40925dfae3ba6a4a7c2cf44790706c942aed12bce9488", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|884b7753b78538de37f40925dfae3ba6a4a7c2cf44790706c942aed12bce9488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yaml"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59042, "scanner": "repobility-supply-chain", "fingerprint": "d7acdf1b969ff7217311a3dcaf0e7a0178b4f785dc9fdfd5844f37d102c75274", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d7acdf1b969ff7217311a3dcaf0e7a0178b4f785dc9fdfd5844f37d102c75274"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yaml"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59041, "scanner": "repobility-supply-chain", "fingerprint": "5385d2dc8c862803103e1d3d0b688f5e89a4b3a372a072e9fd0aa27af9fcade0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5385d2dc8c862803103e1d3d0b688f5e89a4b3a372a072e9fd0aa27af9fcade0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yaml"}, "region": {"startLine": 251}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/save` pinned to mutable ref `@v4`: `uses: actions/cache/save@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59040, "scanner": "repobility-supply-chain", "fingerprint": "0c8ff3b953b87857db22f2fde535ae60449656d43df7f473f070784cf3f12af6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c8ff3b953b87857db22f2fde535ae60449656d43df7f473f070784cf3f12af6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yaml"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/restore` pinned to mutable ref `@v4`: `uses: actions/cache/restore@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59039, "scanner": "repobility-supply-chain", "fingerprint": "13dfafdf2ee6392b206af2775ecfba90dec2b0454150e073989655bc26204a5c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|13dfafdf2ee6392b206af2775ecfba90dec2b0454150e073989655bc26204a5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yaml"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `al-cheb/configure-pagefile-action` pinned to mutable ref `@v1.5`: `uses: al-cheb/configure-pagefile-action@v1.5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59038, "scanner": "repobility-supply-chain", "fingerprint": "5aa24f908e5fb9fe1b7366310356317ea309d5fd1b818bc37cd8fd75e84d5a05", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5aa24f908e5fb9fe1b7366310356317ea309d5fd1b818bc37cd8fd75e84d5a05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yaml"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59037, "scanner": "repobility-supply-chain", "fingerprint": "2fbcea7483f4146c147a79ff92c15fe2f34b2ae6df292d20737c069f3429afbb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2fbcea7483f4146c147a79ff92c15fe2f34b2ae6df292d20737c069f3429afbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yaml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59036, "scanner": "repobility-supply-chain", "fingerprint": "900af9a697556bdd719ad74361415d7c4de5d394f44126afba8805798e973d63", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|900af9a697556bdd719ad74361415d7c4de5d394f44126afba8805798e973d63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yaml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59035, "scanner": "repobility-supply-chain", "fingerprint": "390965222712a428c7749124df908f33384e9cf30bdbc232f0058c1c32934fc7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|390965222712a428c7749124df908f33384e9cf30bdbc232f0058c1c32934fc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yaml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59034, "scanner": "repobility-supply-chain", "fingerprint": "a43b0965a97471850daef49845906ab03374e13f87e81d169a644c5b0d773594", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a43b0965a97471850daef49845906ab03374e13f87e81d169a644c5b0d773594"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yaml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `nvidia/cuda:13.0.0-devel-ubuntu22.04` unpinned: `container/services image: nvidia/cuda:13.0.0-devel-ubuntu22.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 59033, "scanner": "repobility-supply-chain", "fingerprint": "d8887f4085ece81c2133ffcd0ef3a6c04121f3381d0727eefe414fdc42a17483", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d8887f4085ece81c2133ffcd0ef3a6c04121f3381d0727eefe414fdc42a17483"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:22.04` unpinned: `container/services image: ubuntu:22.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 59032, "scanner": "repobility-supply-chain", "fingerprint": "945189296f6d85f4cc0627df4c397ca2db7e7e191274e0acdf1a781f9173f2dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|945189296f6d85f4cc0627df4c397ca2db7e7e191274e0acdf1a781f9173f2dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `rocm/dev-ubuntu-22.04:7.2.1` unpinned: `container/services image: rocm/dev-ubuntu-22.04:7.2.1` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 59031, "scanner": "repobility-supply-chain", "fingerprint": "09cd7b0544aa5874af897a2b447de9852cbcc151dcb316bfc62aaeb01aeabe73", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09cd7b0544aa5874af897a2b447de9852cbcc151dcb316bfc62aaeb01aeabe73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `nvidia/cuda:13.0.0-devel-ubuntu22.04` unpinned: `container/services image: nvidia/cuda:13.0.0-devel-ubuntu22.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 59030, "scanner": "repobility-supply-chain", "fingerprint": "76264e3b706b26f3950784b279f5b3107320c93f9b622129701c457da3532a0f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76264e3b706b26f3950784b279f5b3107320c93f9b622129701c457da3532a0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `golangci/golangci-lint-action` pinned to mutable ref `@v9`: `uses: golangci/golangci-lint-action@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59029, "scanner": "repobility-supply-chain", "fingerprint": "aba29f0f5f3f25664940b14020ce91c8778b3756723b734371eb399df20a8ea5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aba29f0f5f3f25664940b14020ce91c8778b3756723b734371eb399df20a8ea5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 417}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59028, "scanner": "repobility-supply-chain", "fingerprint": "9f07de1ea8e7a533c55f780132603ffec87c69a531f24c34153ac6e25f36de22", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f07de1ea8e7a533c55f780132603ffec87c69a531f24c34153ac6e25f36de22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 383}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59027, "scanner": "repobility-supply-chain", "fingerprint": "bfa9c736928491c9b347118000dc5483c96457aa740fa718d53545eb2b9a01c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfa9c736928491c9b347118000dc5483c96457aa740fa718d53545eb2b9a01c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 375}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59026, "scanner": "repobility-supply-chain", "fingerprint": "e2b5ef500d9a3e2ffac30935f43efa4d24141b6b519ddd682a2fea19f32983de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2b5ef500d9a3e2ffac30935f43efa4d24141b6b519ddd682a2fea19f32983de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 374}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59025, "scanner": "repobility-supply-chain", "fingerprint": "f0f6760ce684a40f583e3d2e1de1f0fc5c09d8deaed9aa906a43cd99fb2614b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0f6760ce684a40f583e3d2e1de1f0fc5c09d8deaed9aa906a43cd99fb2614b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 361}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59024, "scanner": "repobility-supply-chain", "fingerprint": "b2ad739c3e06b8e781eca7cb91821da0b36829b101a25c450e3ba6987b635ca8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2ad739c3e06b8e781eca7cb91821da0b36829b101a25c450e3ba6987b635ca8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 324}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59023, "scanner": "repobility-supply-chain", "fingerprint": "dc6ade6c8eff023f6fc817387b9d178e26547bc9438ad396f2e37e746f9d5634", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc6ade6c8eff023f6fc817387b9d178e26547bc9438ad396f2e37e746f9d5634"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 321}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59022, "scanner": "repobility-supply-chain", "fingerprint": "0722d52fdf358508802d37e71c3259327574a68e0cd67a5b9f171967f0c3c585", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0722d52fdf358508802d37e71c3259327574a68e0cd67a5b9f171967f0c3c585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 319}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/save` pinned to mutable ref `@v4`: `uses: actions/cache/save@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59021, "scanner": "repobility-supply-chain", "fingerprint": "dea5ecf2df0d676c2d1f0b085d1c0436fd0c36a7912520b2b2af9b3289a1dc83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dea5ecf2df0d676c2d1f0b085d1c0436fd0c36a7912520b2b2af9b3289a1dc83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 311}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/restore` pinned to mutable ref `@v4`: `uses: actions/cache/restore@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59020, "scanner": "repobility-supply-chain", "fingerprint": "5f766a42bb3ff93bb9c3547d07e6e3dfd6048c0e08a61181b05c0c47c8592496", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f766a42bb3ff93bb9c3547d07e6e3dfd6048c0e08a61181b05c0c47c8592496"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59019, "scanner": "repobility-supply-chain", "fingerprint": "4f96f8916529b8ef37ca1ddfbd1253c4cdd5fc1d7f0bba709eff466754786eea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f96f8916529b8ef37ca1ddfbd1253c4cdd5fc1d7f0bba709eff466754786eea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59018, "scanner": "repobility-supply-chain", "fingerprint": "ca338e0b120a6abd21d551485d3f21c26f9c1be03176dbf762fd03b251cec14c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca338e0b120a6abd21d551485d3f21c26f9c1be03176dbf762fd03b251cec14c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59017, "scanner": "repobility-supply-chain", "fingerprint": "502410ec750b083a80897323f0d277ba6cd5d08d45c03b3a300ccb80268f538e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|502410ec750b083a80897323f0d277ba6cd5d08d45c03b3a300ccb80268f538e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59016, "scanner": "repobility-supply-chain", "fingerprint": "fbfea35522aefcb75ecb73f911c7fe0916587b452968480b08c38e486e366d77", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fbfea35522aefcb75ecb73f911c7fe0916587b452968480b08c38e486e366d77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 59015, "scanner": "repobility-supply-chain", "fingerprint": "03a6545f10722f428e91a5ba7f8c49e25a078b022031a9fd8976077a291cc341", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03a6545f10722f428e91a5ba7f8c49e25a078b022031a9fd8976077a291cc341"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 294}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 58949, "scanner": "repobility-threat-engine", "fingerprint": "323a9eef74c1aa274043af85c8739f4e611f8f012cc4b44e3ad9691ca213ce9a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|323a9eef74c1aa274043af85c8739f4e611f8f012cc4b44e3ad9691ca213ce9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/upload.go"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 58947, "scanner": "repobility-threat-engine", "fingerprint": "42b78e18a78075b8dd61e770a5f20250fc8f7f6f4acb2a233db80019f5256a05", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|42b78e18a78075b8dd61e770a5f20250fc8f7f6f4acb2a233db80019f5256a05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x/mlxrunner/mlx/compile.go"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 58946, "scanner": "repobility-threat-engine", "fingerprint": "5b52d71505ff3aa58cbb5b583adfb7e8824833ff2360bb85f265693539fa5f38", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b52d71505ff3aa58cbb5b583adfb7e8824833ff2360bb85f265693539fa5f38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x/internal/mlxthread/thread.go"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 58945, "scanner": "repobility-threat-engine", "fingerprint": "73f962e4e04c8257c316e286862d99ea76aed1b928e1afd5bf741979cb4a892f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|73f962e4e04c8257c316e286862d99ea76aed1b928e1afd5bf741979cb4a892f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/internal/testutil/testutil.go"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 58937, "scanner": "repobility-threat-engine", "fingerprint": "46d0daa2c64c7dcd87644b3c4703e311924ae32bb0592b4f5b8d7e916b3d54d2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46d0daa2c64c7dcd87644b3c4703e311924ae32bb0592b4f5b8d7e916b3d54d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/launch/kimi.go"}, "region": {"startLine": 310}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 58933, "scanner": "repobility-threat-engine", "fingerprint": "8e1a57f521ccaad603c14508b8d696fe07091ecf59a52053f157f77466eb5066", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "t.Update(l, n, err)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8e1a57f521ccaad603c14508b8d696fe07091ecf59a52053f157f77466eb5066"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/internal/client/ollama/trace.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 58932, "scanner": "repobility-threat-engine", "fingerprint": "3368e4e446634fef1639ae06695dcdd84d34238161b49964c48863f685c45dd9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "buf.Delete()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3368e4e446634fef1639ae06695dcdd84d34238161b49964c48863f685c45dd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "readline/readline.go"}, "region": {"startLine": 190}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 58931, "scanner": "repobility-threat-engine", "fingerprint": "2e695b326b1dd897a327d3bb4ff54cc6a06e0745870ca8fd155e452e889c65e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fallbackSessionState.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e695b326b1dd897a327d3bb4ff54cc6a06e0745870ca8fd155e452e889c65e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/routes/c.$chatId.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 58922, "scanner": "repobility-threat-engine", "fingerprint": "c224770939426215b4a63a81930de18cc85b7aa83b69c199321d77ed8430af1a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(node", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c224770939426215b4a63a81930de18cc85b7aa83b69c199321d77ed8430af1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/utils/remarkCitationParser.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 58921, "scanner": "repobility-threat-engine", "fingerprint": "66e6b38699c74c7d80db7f20dd49bd9fce9e4ded0d1752304261f97b7b9d55a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|66e6b38699c74c7d80db7f20dd49bd9fce9e4ded0d1752304261f97b7b9d55a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/ui/app/src/components/ErrorMessage.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 58909, "scanner": "repobility-threat-engine", "fingerprint": "41c8adb3b1c24ee9ccf8f207fa662a3cbb5e55ae93043fb92e8eaf962b6c33ac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41c8adb3b1c24ee9ccf8f207fa662a3cbb5e55ae93043fb92e8eaf962b6c33ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/updater/updater.go"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 58908, "scanner": "repobility-threat-engine", "fingerprint": "7cd194b555e8a9377fce529c9bfcd66b4dc21b779cf4e3cc065ed037c59928f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7cd194b555e8a9377fce529c9bfcd66b4dc21b779cf4e3cc065ed037c59928f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/store/cloud_config.go"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 58907, "scanner": "repobility-threat-engine", "fingerprint": "44072366472ad8990d20de3257b167741e72c9a85891e3d1d5d747088d7024d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|44072366472ad8990d20de3257b167741e72c9a85891e3d1d5d747088d7024d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/server/server_windows.go"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 58893, "scanner": "repobility-threat-engine", "fingerprint": "926409d7a398ba4b77c1864d434bf665c3dddbb07deeee786a70b0b00343eb93", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|926409d7a398ba4b77c1864d434bf665c3dddbb07deeee786a70b0b00343eb93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/server/server_windows.go"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 58892, "scanner": "repobility-threat-engine", "fingerprint": "da17a90bc09a68cd4a49e241926d56f3c196d96f9644aa6ab1662049e08d303c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da17a90bc09a68cd4a49e241926d56f3c196d96f9644aa6ab1662049e08d303c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/server/server_unix.go"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 58891, "scanner": "repobility-threat-engine", "fingerprint": "50cca092afc0e9e5077fd7ee2a18d403bf5718339b42476406556cfb34429d12", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(exe,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|50cca092afc0e9e5077fd7ee2a18d403bf5718339b42476406556cfb34429d12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/cmd/app/app_windows.go"}, "region": {"startLine": 417}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 58889, "scanner": "repobility-threat-engine", "fingerprint": "4db2c4d9672cdeda6b6f05848f8dc43d32cca09c69bd8f02245009251b691fac", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4db2c4d9672cdeda6b6f05848f8dc43d32cca09c69bd8f02245009251b691fac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/tools/web_fetch.go"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 58888, "scanner": "repobility-threat-engine", "fingerprint": "852f3b16c2b9075ae7ed7e33ad74cff2c47dd0434eaa5101f686b57fd76ea553", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|852f3b16c2b9075ae7ed7e33ad74cff2c47dd0434eaa5101f686b57fd76ea553"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/tools/url_policy.go"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 58887, "scanner": "repobility-threat-engine", "fingerprint": "d50ff9e904bcc0d225eab6e2fd5b811f70d6c58b9b5900805e654e72a56526d0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d50ff9e904bcc0d225eab6e2fd5b811f70d6c58b9b5900805e654e72a56526d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth/connect.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 58939, "scanner": "repobility-threat-engine", "fingerprint": "d1b6c21d9e7e62abfb5b4833470d4eeffa20f0c82638dedfcdf038b46657c094", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1b6c21d9e7e62abfb5b4833470d4eeffa20f0c82638dedfcdf038b46657c094"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llm/server.go"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 58895, "scanner": "repobility-threat-engine", "fingerprint": "577b3a8c1b3f20d44567cc5c3670d55b41a76b550225ffec6df68c6fa97ef4ad", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|577b3a8c1b3f20d44567cc5c3670d55b41a76b550225ffec6df68c6fa97ef4ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/dialog/cocoa/dlg.m"}, "region": {"startLine": 203}}}]}]}]}