Source-Sink Flow Analysis Summary

Generated: 2026-05-28
Phase: L3 (SAST — Greppable Fallback)
Target: Kordant monorepo (web/, browser-ext/)

Scan Overview

Class	Matches	High-Score Examples	Enriched	Kept	Dropped
`raw-sql-query`	611	admin.ts, billing.ts, blog.ts (`.query()` calls)	N/A	0	0
`path-traversal-file-access`	638	blog/[slug].tsx, ext_bench.py, api.js (`.join()`)	2	1	1
`hidden-control-channel`	42	middleware.ts (CORS origin), trpc.ts (auth headers)	4	3	1
`command-execution`	55	test files, benchmarks (subprocess.Popen, exec.Command)	N/A	0	0
`dynamic-code-execution`	12	honker-bun/raw.exec(), test_sqlite_versions.py	N/A	0	0
`secret-literal`	9	billing.test.ts, auth routes (password error messages)	N/A	0	0
`unsafe-html-or-template`	17	blog/[slug].tsx (innerHTML), auth test files	1	1	0
`ssrf-capable-request`	10	billing/return.tsx (fetch), scan.engine.ts (external API)	1	1	0
`webhook-without-obvious-signature`	6	stripe/webhook.ts	1	1	0
`open-redirect`	2	blog/index.tsx, app.tsx	1	1	0
`weak-token-or-crypto`	5	PasswordInput.tsx (Math.random)	1	0	1
`public-entrypoint`	5	extensionRouter procedures	N/A	0	0

Reason: False positives — 99%+ are tRPC .query() method calls (not raw SQL), not Drizzle sql<> tag usage. The tRPC router .query() method is a framework method, not a SQL execution sink.
Exception: The one real sql<> usage in admin.ts:47 was separately assessed as p4-012 (low severity, latent risk).

Reason: All matches are in test files (test_*.py, *_test.go, *_spec.rb) or benchmark scripts. These are development-time subprocess calls, not production attack surface.

Reason: All matches are SQLite raw SQL execution methods (raw.exec(), exec()) in the honker package or test files. These are database operations, not code execution sinks.

Reason: All matches are test data (billing.test.ts, notification.service.test.ts) or password validation error messages (login.tsx, signup.tsx — "Password is required" is not a secret).

Kept (p4-005): voiceprint/storage.ts — userId not validated before path.join(), enabling arbitrary file write
Dropped: blog/[slug].tsx — false positives from .join("") string concatenation (not filesystem path joins)

Dropped: PasswordInput.tsx — Math.random() is used for generating HTML input element IDs, not for CSRF tokens or cryptographic purposes. The id is only used for <label for=...> association. Not a security issue.

DFD/CFD Slice	Covered by Findings	Notes
DFD-1: tRPC → Drizzle ORM	Partial (p4-012)	CVE-2026-39356 surface noted but no active injection found
DFD-2: VoicePrint Pipeline	Full (p4-005)	Path traversal in audio storage
DFD-3: Browser Ext → tRPC	Partial (p4-008)	superjson vulnerability in extension only
DFD-4: WebSocket Alerts	Full (p4-007, p4-011)	JWT leak + no Origin validation
DFD-5: Stripe Webhook	Full (p4-006)	Unsafe type coercion
CFD-1: Auth Flow	Partial (p4-011)	JWT in query param + no Origin check
CFD-2: Authz Flow	Full (p4-001)	Unvalidated role mutation
CFD-3: Rate Limiting	Full (p4-009)	Substring-based path matching

Target	File	Finding
CORS env var trust	`web/src/middleware.ts`	p4-003
XSS via markdown rendering	`web/src/routes/blog/[slug].tsx`	p4-004
Puppeteer SSRF	`web/src/server/services/reports/generator.ts`	p4-002
Stripe webhook type safety	`web/src/server/services/billing.service.ts`	p4-006
Return URL open redirect	`web/src/server/api/schemas/billing.ts`	p4-010
superjson CVE	`browser-ext/package.json`	p4-008
Rate limit bypass	`web/src/server/api/utils.ts`	p4-009
WebSocket Origin check	`web/src/server/websocket.ts`	p4-011
JWT in WS query param	`web/src/server/websocket.ts`	p4-007
Admin role mutation	`web/src/server/api/routers/admin.ts`	p4-001, p4-012
Audio path traversal	`web/src/server/services/voiceprint/storage.ts`	p4-005

Analyzed 2 GitHub Actions workflow files:

Result: 0 findings. Standard CI/CD workflows with no Claude Code, Gemini CLI, OpenAI Codex, or GitHub AI Inference integrations.