Find the 5% of vulnerabilities that actually matter.

The AI-powered ASPM platform: triages scanner alerts, prioritizes real threats, auto-fixes. Hosted in Germany.

  • 90% fewer false positives
  • Built in Germany
  • NIS2 & CRA
Demo: endpoints with exploitability, CVE and CWE counts (a dash means no value is shown in the demo).

  Name                          Exploitability  CVEs  CWEs
  GET    /restaurants/:id/menu        -          5     5
  GET    /orders/:id/track            -          1     —
  POST   /auth/login                  -          7     7
  POST   /orders                      -          1     1
  GET    /users/api                   -          7     7
  GET    /search/export               -          1     —
  GET    /restaurants/feed            -          5     2
  PUT    /users/:id                   -          5     3
  GET    /restaurants/:id             -          1     —
  GET    /orders                      -          1     —
  GET    /admin/dashboard             -          2     1
  GET    /users/:id/profile           -          2     1
  POST   /auth/reset-password         -          3     2
  GET    /health                      -          —     —
  POST   /payments/checkout           -          3     2
  GET    /config/features             -          1     —
  DELETE /users/:id                   -          4     3
  PUT    /orders/:id/status           -          1     1

Selected endpoint: POST /auth/login

Findings:
  • SQL injection in user lookup query (HIGH, line 42, AI: 0.92%)
  • Hardcoded JWT secret detected (MEDIUM, line 58, AI: 0.88%)

A03:2021 – SQL injection in user lookup query
CWE-89 • SAST • HIGH

User-supplied email from req.body is concatenated directly into a raw SQL string without parameterization, allowing an attacker to inject arbitrary SQL commands.

AI Analysis by Farion
True Positive

SQL injection confirmed: user input from req.body.email is concatenated into a raw SQL query without parameterization.

Key Evidence:
•String concatenation in SQL query at line 42
•Input flows from req.body.email

Data flow analysis: shows how tainted data flows from the source to the exploitable sink.

Data flow: src/routes/auth.js → src/lib/db.js

Sink in src/lib/db.js (lines 12 to 17 of the demo file):

    // src/lib/db.js (demo excerpt). Assumed: node-postgres ("pg"); the pool
    // setup is not on the page and is added here so the snippet runs.
    const { Pool } = require('pg');
    const pool = new Pool();

    // Sink: `sql` runs verbatim, so a caller that builds it by string
    // concatenation (src/routes/auth.js, line 42) is injectable here.
    async function query(sql) {
      const client = await pool.connect();
      try {
        return await client.query(sql);
      } finally {
        client.release(); // release on success and on error
      }
    }
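The finding above names the pattern (request data spliced into a raw SQL string) and its remedy (parameterization). As an added example that is not Farion's code and not part of the demo application, the block below puts the vulnerable builder next to its parameterized form in the `{text, values}` shape node-postgres accepts, and runs both through a constructed recording client so nothing touches a real database. The function names and the `users` table are assumptions for the example.

```javascript
// Added example, not Farion's code: the flagged pattern and its fix.
// findUserVulnerable assembles the SQL text from the email, so the input
// becomes part of the statement. findUserSafe keeps the statement constant
// and passes the value separately; the driver binds it as parameter $1.
// The client below is a constructed stand-in for a pg client that only
// records what it would execute.

// VULNERABLE (as in the finding): email is spliced into the SQL string.
function findUserVulnerable(email) {
  return "SELECT id, password_hash FROM users WHERE email = '" + email + "'";
}

// HARDENED: fixed statement, value bound by the driver as parameter $1.
function findUserSafe(email) {
  return {
    text: 'SELECT id, password_hash FROM users WHERE email = $1',
    values: [email],
  };
}

// Constructed recording client; mirrors pg's client.query(string | config).
function makeRecordingClient() {
  const log = [];
  return {
    log,
    async query(q) {
      const entry = typeof q === 'string'
        ? { text: q, values: [] }
        : { text: q.text, values: q.values || [] };
      log.push(entry);
      return { rows: [] };
    },
  };
}

// The check a reviewer applies: does the statement text change with input?
// Only the concatenated version does; that is the sign of an injectable sink.
function statementTextVaries(build, inputA, inputB) {
  const text = q => (typeof q === 'string' ? q : q.text);
  return text(build(inputA)) !== text(build(inputB));
}

// Runs both forms through the recording client for a given email and
// returns what each would have sent to the database.
async function executeBoth(email) {
  const client = makeRecordingClient();
  await client.query(findUserVulnerable(email));
  await client.query(findUserSafe(email));
  return client.log;
}
```

A legitimate address such as `o'brien@example.com` already changes the statement produced by the vulnerable builder (an extra quote lands inside the SQL), while the safe builder emits the same text for every input; that invariance is what makes the sink non-injectable regardless of what `req.body.email` contains.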
The problem

NIS2 and the CRA require triage of every vulnerability — yet 90% aren't exploitable.

Farion AI handles the triage and auto-fixes what remains. Private security AI, hosted in Germany.

Typical triage funnel with Farion:

  1. SBOM: 420 findings in the SBOM, across 3,200+ dependencies incl. transitive packages
  2. Reachable: 180 findings on live code paths, after call-graph analysis against real runtime code (-57%)
  3. Tainted: 58 reachable with tainted user input, after source-to-sink taint analysis (-68%)
  4. Exploitable: 7 with an available exploit, after assessing real attack chains (-88%)
Platform Capabilities

What makes Farion different

Concrete security insights — not abstract dashboards. Every feature is designed to answer one question: Is this finding a real risk?

License Compliance

License analysis that goes beyond metadata

Full license text parsing

Goes beyond npm/Maven metadata by parsing actual license files from every dependency — catching mislabeled or missing licenses.

Policy violation detection

Automatically flags dependencies whose licenses conflict with your distribution model — copyleft in a closed-source product, attribution requirements you haven't fulfilled.

Static rules + AI evaluation

Combines a rule engine for known licenses with AI for ambiguous or custom license texts that automated tools usually miss.

Analyzed libraries (5):
  • node-forge 1.3.1: GPL-3.0
  • json-schema 0.4.0: AFL-2.1
  • moment 2.29.4: MIT
  • lodash 4.17.21: MIT
  • express 4.18.2: MIT

Policy violation: node-forge@1.3.1 (GPL-3.0)

GPL-3.0 requires all derivative works to be released under the same terms. Incompatible with closed-source commercial distribution.

License text (parsed from the package's license file, excerpt):
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc.
<https://fsf.org/>

TERMS AND CONDITIONS

0. Definitions.

"The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations.

To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work.

1. Source Code. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-warranty terms apply to the code; and give all recipients a copy of this License along with the Program.
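The three capabilities above (parse the real license text, flag policy conflicts for the distribution model, fall back to review for texts the rules do not recognise) can be shown with a small checker. This is an added example, not Farion's code: the library names and versions are the page's demo listing, the license texts are constructed header fragments, and the license-family table and policy sets are assumptions for the example rather than legal guidance.

```javascript
// Added example, not Farion's code: a minimal license policy check that
// reads the license family from the package's actual license text (not only
// the declared metadata), flags metadata/text mismatches, and checks the
// result against a distribution model. Family table and policy sets are
// assumptions for this example.

const FAMILY_BY_SPDX = {
  'GPL-2.0': 'strong-copyleft', 'GPL-3.0': 'strong-copyleft', 'AGPL-3.0': 'strong-copyleft',
  'LGPL-2.1': 'weak-copyleft', 'LGPL-3.0': 'weak-copyleft', 'MPL-2.0': 'weak-copyleft',
  'MIT': 'permissive', 'ISC': 'permissive', 'Apache-2.0': 'permissive',
  'BSD-2-Clause': 'permissive', 'BSD-3-Clause': 'permissive', 'AFL-2.1': 'permissive',
};

// Families that violate each distribution model.
const POLICY = {
  'closed-source': new Set(['strong-copyleft']),
  'open-source': new Set(),
};

// Signatures matched against the license file; order matters (AGPL before GPL).
const TEXT_SIGNATURES = [
  [/GNU AFFERO GENERAL PUBLIC LICENSE\s+Version 3/i, 'AGPL-3.0'],
  [/GNU GENERAL PUBLIC LICENSE\s+Version 3/i, 'GPL-3.0'],
  [/GNU GENERAL PUBLIC LICENSE\s+Version 2/i, 'GPL-2.0'],
  [/GNU LESSER GENERAL PUBLIC LICENSE\s+Version 3/i, 'LGPL-3.0'],
  [/Apache License\s+Version 2\.0/i, 'Apache-2.0'],
  [/Permission is hereby granted, free of charge/i, 'MIT'],
];

// Returns an SPDX id recognised from the text, or UNKNOWN for custom or
// ambiguous texts (the case the page hands to its AI evaluation step).
function detectLicense(text) {
  for (const [re, id] of TEXT_SIGNATURES) if (re.test(text)) return id;
  return 'UNKNOWN';
}

function auditDependency(dep, model) {
  const detected = dep.licenseText ? detectLicense(dep.licenseText) : 'MISSING';
  const recognised = detected !== 'UNKNOWN' && detected !== 'MISSING';
  // Trust the file text over metadata whenever the text is recognised.
  const effective = recognised ? detected : dep.declared;
  const family = FAMILY_BY_SPDX[effective] || 'unknown';
  return {
    name: `${dep.name}@${dep.version}`,
    declared: dep.declared,
    detected,
    family,
    mismatch: recognised && detected !== dep.declared,
    violation: POLICY[model].has(family),
    needsReview: !recognised || family === 'unknown' || family === 'weak-copyleft',
    attributionRequired: family === 'permissive',
  };
}

// Names of dependencies that violate the policy for the given model.
function violations(deps, model) {
  return deps.map(d => auditDependency(d, model)).filter(r => r.violation).map(r => r.name);
}

// Constructed license text fragments (headers only).
const GPL3_TEXT = 'GNU GENERAL PUBLIC LICENSE\nVersion 3, 29 June 2007\n\nCopyright (C) 2007 Free Software Foundation, Inc.';
const MIT_TEXT = 'MIT License\n\nPermission is hereby granted, free of charge, to any person obtaining a copy';
const AFL_TEXT = 'Academic Free License ("AFL") v. 2.1';

const DEMO_DEPS = [
  { name: 'node-forge', version: '1.3.1', declared: 'GPL-3.0', licenseText: GPL3_TEXT },
  { name: 'json-schema', version: '0.4.0', declared: 'AFL-2.1', licenseText: AFL_TEXT },
  { name: 'moment', version: '2.29.4', declared: 'MIT', licenseText: MIT_TEXT },
  { name: 'lodash', version: '4.17.21', declared: 'MIT', licenseText: MIT_TEXT },
  { name: 'express', version: '4.18.2', declared: 'MIT', licenseText: MIT_TEXT },
  // Constructed: metadata says MIT, but the shipped LICENSE file is GPL-3.0.
  { name: 'mislabeled-pkg', version: '0.0.1', declared: 'MIT', licenseText: GPL3_TEXT },
  // Constructed: no license file shipped at all.
  { name: 'nolicense-pkg', version: '0.0.1', declared: 'ISC' },
];
```

Run against `DEMO_DEPS` with the `closed-source` model, the checker reports the same node-forge violation as the demo and additionally catches the mislabeled package, which metadata alone would have passed as MIT; the AFL text, which no signature recognises, is marked for review instead of being silently accepted.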
AI Exploitability

Know which findings are real threats

Data flow analysis

Traces user input through your code to determine whether it can actually reach the vulnerable function — not just whether the library is imported.

Public exploit cross-reference

Cross-references EPSS scores, Metasploit modules, and public PoC availability to estimate real-world exploitation likelihood.

AI classification with evidence

Every finding gets a verdict (true positive, false positive, or needs review) with bullet-point evidence explaining the reasoning in plain language.

AI Analysis by Farion
True Positive

This CVE-2024-38816 path traversal in spring-webmvc is reachable through the /api/v1/files/upload endpoint. The vulnerable FileSystemResource is directly instantiated with user-controlled input from the request path parameter without sanitization.

Key Evidence:
•User input flows from REST controller to FileSystemResource constructor without validation
•Public exploit available (Metasploit module since Sept 2024)
•EPSS score 0.89 — actively exploited in the wild
•No WAF or input filter detected in the request chain
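The funnel under "The problem" (SBOM, reachable, tainted, exploitable) and the verdict-with-evidence output shown just above are two views of one triage pipeline. The block below is an added example, not Farion's code, that implements the funnel as a staged filter over a constructed set of findings and produces a verdict plus evidence lines for a single finding. The finding fields (`reachable`, `tainted`, `publicExploit`, `epss`, `inputFilter`, `entrypoint`, `source`, `sink`) are assumptions; finding F1 reuses the details of the page's spring-webmvc demo verdict, the rest are constructed.

```javascript
// Added example, not Farion's code: the four-stage triage funnel as a staged
// filter, plus a verdict with bullet-point evidence for one finding.
// Finding fields are assumptions; the findings list is constructed, with F1's
// details taken from the page's demo verdict.

const STAGES = [
  ['SBOM', () => true],
  ['Reachable', f => f.reachable],                             // on a live call path
  ['Tainted', f => f.reachable && f.tainted],                  // user input reaches the sink
  ['Exploitable', f => f.reachable && f.tainted && f.publicExploit],
];

// Percentage drop between two stage counts, rounded as the page shows it.
function reductionPct(before, after) {
  return before === 0 ? 0 : Math.round(100 * (1 - after / before));
}

// Returns [{stage, count, reduction}]; reduction is relative to the previous stage.
function runFunnel(findings) {
  const rows = [];
  let prev = null;
  for (const [stage, keep] of STAGES) {
    const count = findings.filter(keep).length;
    rows.push({ stage, count, reduction: prev === null ? null : reductionPct(prev, count) });
    prev = count;
  }
  return rows;
}

// Verdict for one finding. Reachability and taint decide true/false positive;
// exploit availability and EPSS only raise the priority of a true positive.
function classify(f) {
  const evidence = [];
  if (f.reachable && f.entrypoint) evidence.push(`Reachable through the ${f.entrypoint} endpoint`);
  if (f.tainted) evidence.push(`User input flows from ${f.source} to ${f.sink} without validation`);
  if (f.publicExploit) evidence.push('Public exploit available');
  if (typeof f.epss === 'number') evidence.push(`EPSS score ${f.epss}`);
  if (f.inputFilter === false) evidence.push('No WAF or input filter detected in the request chain');

  let verdict = 'Needs Review';           // reachable, but taint could not be established
  if (!f.reachable) verdict = 'False Positive';
  else if (f.tainted) verdict = 'True Positive';

  let priority = 'LOW';
  if (verdict === 'True Positive') {
    priority = f.publicExploit || (f.epss || 0) >= 0.5 ? 'HIGH' : 'MEDIUM';
  }
  return { id: f.id, verdict, priority, evidence };
}

// Constructed set: 10 SBOM findings, 4 reachable, 2 tainted, 1 with an exploit.
const mk = (id, props = {}) => ({ id, reachable: false, tainted: false, publicExploit: false, ...props });
const DEMO_FINDINGS = [
  mk('F1', { reachable: true, tainted: true, publicExploit: true, epss: 0.89,
             entrypoint: '/api/v1/files/upload', source: 'the request path parameter',
             sink: 'the FileSystemResource constructor', inputFilter: false }),
  mk('F2', { reachable: true, tainted: true, epss: 0.03,
             entrypoint: '/auth/login', source: 'req.body.email', sink: 'db.query' }),
  mk('F3', { reachable: true }),
  mk('F4', { reachable: true }),
  ...Array.from({ length: 6 }, (_, i) => mk(`F${i + 5}`)),
];
```

`reductionPct` reproduces the page's own funnel figures (420 to 180 is -57%, 180 to 58 is -68%, 58 to 7 is -88%), and `classify(DEMO_FINDINGS[0])` yields a True Positive at HIGH priority with the same five evidence points as the demo verdict above; a finding that is reachable but not tainted comes back as Needs Review rather than being auto-closed.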

End manual vulnerability analysis.

Watch the live demo — Farion automates the ASPM process in minutes.

© 2026 Nexode Consulting GmbH. All rights reserved.
sales@farion.ai · Privacy · Imprint