[Bug]: TextReportFormatter vulnerable to String.format injection via filenames

## *AI REVIEWED*

**Module:** cli
**File:** `cli/report/TextReportFormatter.java` (~line 85)
**Severity:** Medium

## Summary
`String.format()` is used with user-supplied file names and type strings. If a filename contains `%` characters (e.g., `file%d.json`), `String.format()` throws `MissingFormatArgumentException`.

```java
return String.format("Migration: %s [%s] v%d -> v%d (%dms)",
    fileName, type, fromVersion, toVersion, duration.toMillis());
```

## Suggested Fix
Use string concatenation instead of format:
```java
return "Migration: " + fileName + " [" + type + "] v" + fromVersion
    + " -> v" + toVersion + " (" + duration.toMillis() + "ms)";
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug]: TextReportFormatter vulnerable to String.format injection via filenames #202

AI REVIEWED

Summary

Suggested Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Bug]: TextReportFormatter vulnerable to String.format injection via filenames #202

Description

AI REVIEWED

Summary

Suggested Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions