SENATTOREULTRACON DIAMOND — SAMPLE EVIDENCE OUTPUT
========================================================================

Sample: fintech-backend-demo
Purpose: Local/offline code review evidence demonstration
Risk level: CRITICAL

Summary:
- Total findings: 8
- Critical: 4
- High: 3
- Medium: 1

Findings:

SUCD-SAMPLE-001 — Hardcoded secrets in backend source code
Severity: CRITICAL
Reference: CWE-798 / A07:2021 Identification and Authentication Failures
Location: app.js:26
Evidence: JWT_SECRET and ADMIN_API_KEY are hardcoded in the backend source.
Impact: Secrets embedded in source code can be leaked, reused, extracted from repositories or exposed through logs/debug endpoints.
Recommendation: Move secrets to protected environment variables or a secrets manager, rotate exposed keys and remove debug exposure.
------------------------------------------------------------------------
SUCD-SAMPLE-002 — SQL injection through concatenated request input
Severity: CRITICAL
Reference: CWE-89 / A03:2021 Injection
Location: app.js:56
Evidence: req.query and req.body values are concatenated directly into SQL queries.
Impact: An attacker may manipulate SQL statements to bypass authentication, extract account data or modify transfer records.
Recommendation: Use parameterized queries/prepared statements and validate all request input before database access.
------------------------------------------------------------------------
SUCD-SAMPLE-003 — Server-Side Request Forgery through user-controlled URL
Severity: HIGH
Reference: CWE-918 / A10:2021 Server-Side Request Forgery
Location: app.js:109
Evidence: The /api/statement/fetch endpoint fetches a URL fully controlled by the request.
Impact: An attacker may force the backend to reach internal services, metadata endpoints or restricted network resources.
Recommendation: Use an allowlist of trusted hosts, block internal/private IP ranges and avoid fetching arbitrary user-controlled URLs.
------------------------------------------------------------------------
SUCD-SAMPLE-004 — Command injection in report export workflow
Severity: CRITICAL
Reference: CWE-78 / A03:2021 Injection
Location: app.js:135
Evidence: format and period values from req.body are inserted into a shell command executed with child_process.exec.
Impact: An attacker may inject shell metacharacters and execute arbitrary commands on the host system.
Recommendation: Avoid shell execution with user input. Use spawn/execFile with fixed arguments, strict validation and allowlisted values.
------------------------------------------------------------------------
SUCD-SAMPLE-005 — Path traversal in report file access
Severity: HIGH
Reference: CWE-22 / A01:2021 Broken Access Control
Location: app.js:157
Evidence: Client-controlled file names are joined into filesystem paths without normalization and allowlist validation.
Impact: An attacker may attempt to read or write files outside the intended reports directory.
Recommendation: Normalize paths, reject traversal sequences, restrict file access to an allowlisted directory and enforce safe filenames.
------------------------------------------------------------------------
SUCD-SAMPLE-006 — Authorization bypass through request-controlled admin flag
Severity: HIGH
Reference: CWE-862 / A01:2021 Broken Access Control
Location: app.js:175
Evidence: Admin access can be granted when req.query.admin is set to true.
Impact: A non-admin user may access administrative user data by manipulating request parameters.
Recommendation: Use server-side authorization based on verified identity, roles and permissions. Never trust client-controlled admin flags.
------------------------------------------------------------------------
SUCD-SAMPLE-007 — Sensitive debug endpoint exposes secrets and environment
Severity: CRITICAL
Reference: CWE-200 / A05:2021 Security Misconfiguration
Location: app.js:197
Evidence: The debug endpoint returns secrets, working directory and process environment information.
Impact: Attackers may obtain credentials, tokens, environment values and internal configuration details.
Recommendation: Remove debug endpoints from production, never return secrets and enforce authenticated diagnostic access only in controlled environments.
------------------------------------------------------------------------
SUCD-SAMPLE-008 — Overly permissive CORS policy
Severity: MEDIUM
Reference: CWE-942 / A05:2021 Security Misconfiguration
Location: app.js:21
Evidence: CORS is configured with origin '*'.
Impact: Overly broad cross-origin access may increase exposure of API responses and weaken browser-side trust boundaries.
Recommendation: Restrict CORS origins to trusted frontend domains and review credential handling.
------------------------------------------------------------------------