Charon/docs/reports/qa_report.md

QA/Security Patch-Coverage Remediation Report

Date (UTC): 2026-01-02 Agent: QA_Security Scope: Verification-only for the patch-coverage remediation task (no code changes performed as part of this audit)

Branch: feature/beta-release Commit: 8f15fdd97f0e3c80afdf25436b00195d46fc92d0

Overall Status: ❌ FAIL

Reason for FAIL (minimal):

1. CodeQL Go SARIF contains CRITICAL/HIGH findings.
2. CodeQL JS SARIF contains HIGH findings, including at least one from a generated artifact present during the scan (a coverage report output).

---

Mandatory Task Results (rerun)

Task	Result	Evidence (fresh rerun)
shell: Test: Backend with Coverage	✅ PASS	Backend total coverage: 87.5% (go tool cover -func backend/coverage.txt).
shell: Lint: Pre-commit (All Files)	✅ PASS	test-results/precommit-full.log ends with: [SUCCESS] All pre-commit hooks passed.
shell: Security: CodeQL Go Scan (CI-Aligned) [~60s]	❌ FAIL	Output SARIF: codeql-results-go.sarif (contains CRITICAL/HIGH).
shell: Security: CodeQL JS Scan (CI-Aligned) [~90s]	❌ FAIL	Output SARIF: codeql-results-js.sarif (contains HIGH).
shell: Security: Trivy Scan	✅ PASS	Skill summary: [SUCCESS] Trivy scan completed - no issues found.

---

CodeQL HIGH/CRITICAL Findings — Source Classification

Classification method:

• Use SARIF locations + git diff -U0 main...HEAD hunk ranges.
• Categories:
  • A) Generated artifacts present during scan (coverage reports / built assets / SARIF outputs; may be tracked or untracked)
  • B) Pre-existing vs main (unchanged file, or finding outside patch hunks)
  • C) Introduced by this PR (finding location intersects a patch hunk)

CodeQL JS (HIGH)

• A) Generated artifacts present during scan
• js/xss-through-dom: frontend/coverage/lcov-report/sorter.js:116
• Note: frontend/coverage/ appears to be a generated output and is currently untracked in this workspace, but it was still included in the local CodeQL scan.
• C) Introduced by this PR (within patch hunks)
  • js/regex/missing-regexp-anchor: frontend/src/pages/__tests__/UsersPage.test.tsx:390, :447
• B) Pre-existing vs main (unchanged or outside patch hunks)
  • js/regex/missing-regexp-anchor: frontend/src/pages/__tests__/ProxyHosts-progress.test.tsx:138
  • js/incomplete-hostname-regexp and js/regex/missing-regexp-anchor: frontend/src/pages/__tests__/ProxyHosts-extra.test.tsx:252 (file changed in PR, but finding is outside patch hunks)

CodeQL Go (CRITICAL/HIGH)

• C) Introduced by this PR (within patch hunks)
  • go/request-forgery: backend/internal/utils/url_testing.go:276
  • go/log-injection: includes locations within patch hunks (example: backend/internal/api/handlers/docker_handler.go:59, :74)
• B) Pre-existing vs main (unchanged or outside patch hunks)
  • go/request-forgery: backend/internal/services/notification_service.go:374 (file changed in PR, but location is outside patch hunks)
  • go/email-injection: backend/internal/services/mail_service.go:222, :340, :393 (file changed in PR, but locations are outside patch hunks)
  • go/log-injection: many additional locations are outside patch hunks (e.g., backend/internal/api/handlers/backup_handler.go:77)

---

Coverage Verification

Backend Overall Coverage (project total)

• Total: 87.5% (meets threshold ≥85%)
• Profile: backend/coverage.txt

Patch-Coverage Risk (10 flagged backend files)

This repo’s patch-coverage work is scoped to the 10 files listed in docs/plans/current_spec.md. The line ranges below are the remaining uncovered, patch-adjacent spans previously extracted from local coverage inspection.

Note: These ranges are kept as-is per request (verification/report only). They should be re-validated against Codecov patch view if the PR is still failing patch coverage.

Priority Order (what to fix first)

1. P0 — External URL / SSRF surface
   • backend/internal/security/url_validator.go
   • backend/internal/network/safeclient.go
   • backend/internal/utils/url_testing.go
2. P1 — Security-relevant outbound notifications + request paths
   • backend/internal/services/notification_service.go
   • backend/internal/api/routes/routes.go
   • backend/internal/api/handlers/settings_handler.go
3. P2 — Cryptography + proxy/server config generation (broad blast radius)

• backend/internal/crypto/encryption.go
• backend/internal/caddy/config.go
• backend/internal/caddy/manager.go

4. P3 — Remaining core services
   • backend/internal/services/dns_provider_service.go

Remaining uncovered patch-adjacent spans (by file)

• backend/internal/caddy/config.go: 171-194, 249-251, 253-256, 262-264, 1458-1459
• backend/internal/services/dns_provider_service.go: 133-133, 152-154, 157-159, 175-177, 192-194, 212-214, 216-218, 233-235, 238-240, 248-250 (and additional spans)
• backend/internal/caddy/manager.go: 77-79, 100-102, 110-112, 116-118
• backend/internal/utils/url_testing.go: 24-26, 34-36, 80-80, 157-161, 178-180, 193-195, 197-199, 242-244, 256-258
• backend/internal/network/safeclient.go: 62-64, 216-218, 224-225, 236-238, 246-248, 282-283, 290-290
• backend/internal/api/routes/routes.go: 309-311, 426-426
• backend/internal/services/notification_service.go: 219-219, 221-221, 232-232, 235-236, 296-296, 310-310, 313-313, 315-315, 322-322, 344-344 (and additional spans)
• backend/internal/crypto/encryption.go: 40-42, 45-47, 51-53, 71-73, 76-78
• backend/internal/api/handlers/settings_handler.go: 243-246, 317-323
• backend/internal/security/url_validator.go: 42-43, 127-129, 160-162, 189-191, 263-263

---

Blockers to Fix Next (smallest set)

1. Exclude or clean generated artifacts before CodeQL runs (at minimum frontend/coverage/lcov-report/* if present).
2. Resolve CodeQL JS HIGH in tests introduced by this PR (UsersPage.test.tsx anchored-regex findings).
3. Resolve CodeQL Go request-forgery introduced by this PR (backend/internal/utils/url_testing.go:276).
4. Decide how to handle pre-existing HIGH/CRITICAL (findings outside patch hunks): either remediate, or establish a baseline so patch-coverage-only work is not blocked by unrelated legacy findings.