See which vulnerabilities actually matter.
Farion evaluates vulnerabilities in the context of real application paths, data flows, and dependencies — turning scanner findings into traceable decisions, evidence, and concrete fixes.
| Name | Exploitability | CVEs | CWEs | ||
|---|---|---|---|---|---|
Get/restaurants/:id/menu | - | 5 | 5 | ||
Get/orders/:id/track | - | 1 | — | ||
Post/auth/login | - | 7 | 7 | ||
SQL injection in user lookup queryHIGHLine 42•AI: 0.92% Hardcoded JWT secret detectedMEDIUMLine 58•AI: 0.88% A03:2021 – SQL injection in user lookup queryCWE-89•SAST•HIGH User-supplied email from req.body is concatenated directly into a raw SQL string without parameterization, allowing an attacker to inject arbitrary SQL commands. AI Analysis by FarionTrue PositiveSQL injection confirmed: user input from req.body.email is concatenated into a raw SQL query without parameterization. Key Evidence: •String concatenation in SQL query at line 42 •Input flows from req.body.email DATA FLOW ANALYSIS: Shows how tainted data flows from source to exploitable sink src/routes/auth.js → Client.query Library sinkClient.query DATA FLOW: src/lib/db.js (db.js:12 query)
| |||||
Post/orders | - | 1 | 1 | ||
Get/users/api | - | 7 | 7 | ||
Get/search/export | - | 1 | — | ||
Get/restaurants/feed | - | 5 | 2 | ||
Put/users/:id | - | 5 | 3 | ||
Get/restaurants/:id | - | 1 | — | ||
Get/orders | - | 1 | — | ||
Get/admin/dashboard | - | 2 | 1 | ||
Get/users/:id/profile | - | 2 | 1 | ||
Post/auth/reset-password | - | 3 | 2 | ||
Get/health | - | — | — | ||
Post/payments/checkout | - | 3 | 2 | ||
Get/config/features | - | 1 | — | ||
Delete/users/:id | - | 4 | 3 | ||
Put/orders/:id/status | - | 1 | 1 | ||
NIS2 and CRA require triage for every vulnerability — but around 90% are not exploitable.
Farion AI handles triage and fixes the rest automatically. Private security AI, hosted in Germany.
Typical triage funnel — with Farion420
findings in the SBOM
across 3,200+ dependencies incl. transitive packages
180
findings on live code paths
after call-graph analysis against real runtime code
-57%58
reachable with tainted user input
after source-to-sink taint analysis
-68%7
with an available exploit
after assessing real attack chains
-88%What makes Farion different
Concrete security insights — not abstract dashboards. Every feature is designed to answer one question: Is this finding a real risk?
Find the most critical endpoints
Every relevant HTTP endpoint with its exploitability score, CVEs, and CWEs at a glance — ranked by real risk, not just severity.
Understand a finding in context
Expand an endpoint and its SCA, SAST, and DAST findings group by category — you instantly see which finding belongs to which route.
Trace the data flow to the vulnerability
From controllable input through functions and services to the critical sink. Reachability alone isn't enough — the real data flow is what counts.
Assess real-world exploitability
Only now does the AI weigh in — with a clear verdict and evidence: confirmed exploitable, needs review, or not exploitable.
Generate a fix straight away
Analysis becomes remediation: a concrete patch suggestion with a code diff and a prepared pull request.
Dependency triage by real exploitability
Triage by real exploitability
Every dependency ranked by reachability, KEV, and EPSS — so you act on what is actually exploitable, not just what scores high on CVSS.
Filter the noise away
Slice the full dependency tree by severity, reachability, fixability, and license — the long tail of unreachable findings collapses out of view.
Decide without leaving the table
Open any library for its CVEs, license obligations, dependency paths, and the exact fix version — every signal in one place.
Dependencies
Risk & Exploitation
Ecosystem & License
License analysis that goes beyond metadata
Full license text parsing
Goes beyond npm/Maven metadata by parsing actual license files from every dependency — catching mislabeled or missing licenses.
Policy violation detection
Automatically flags dependencies whose licenses conflict with your distribution model — copyleft in a closed-source product, attribution requirements you haven't fulfilled.
Static rules + AI evaluation
Combines a rule engine for known licenses with AI for ambiguous or custom license texts that automated tools usually miss.
node-forge@1.3.1
GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/> TERMS AND CONDITIONS 0. Definitions. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. 1. Source Code. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-warranty terms apply to the code; and give all recipients a copy of this License along with the Program.
Know which findings are real threats
Data flow analysis
Traces user input through your code to determine whether it can actually reach the vulnerable function — not just whether the library is imported.
Public exploit cross-reference
Cross-references EPSS scores, Metasploit modules, and public PoC availability to estimate real-world exploitation likelihood.
AI classification with evidence
Every finding gets a verdict (true positive, false positive, or needs review) with bullet-point evidence explaining the reasoning in plain language.
AI Analysis by Farion
True PositiveThis CVE-2024-38816 path traversal in spring-webmvc is reachable through the /api/v1/files/upload endpoint. The vulnerable FileSystemResource is directly instantiated with user-controlled input from the request path parameter without sanitization.
End manual vulnerability assessment
Farion shows which findings actually matter, explains why, and supports verification, remediation, and compliance.