Tax is not applied to tax-exempt products
Why it matters
Charging sales tax on groceries in states like Texas or California — where food sold for home consumption is exempt — is a regulatory compliance failure that overcharges customers and exposes the store to audit liability. IRS Publication 334 and state-level tax codes define categories of exempt goods (groceries, prescription drugs, clothing in some states, medical devices). When the product schema has no is_tax_exempt flag, the tax calculation applies the full rate to every line item, making exemption enforcement impossible without a code change for each new product type added to the catalog. CWE-682 applies: the calculation is incorrect for exempt products.
Severity rationale
Critical because taxing exempt product categories violates state-specific sales tax rules, exposing the business to regulatory audit penalties and class-action refund claims from systematically overcharged customers.
Remediation
Add a tax exemption flag to the product schema and reference it in lib/tax.ts:
```sql
-- Migration
ALTER TABLE products ADD COLUMN is_tax_exempt BOOLEAN NOT NULL DEFAULT FALSE;
```

```ts
// lib/tax.ts
function calculateTax(
  items: OrderItem[],
  address: Address
): number {
  // Exempt line items contribute nothing to the taxable subtotal (prices are in cents).
  const taxableSubtotal = items.reduce((sum, item) => {
    return sum + (item.is_tax_exempt ? 0 : item.price * item.quantity)
  }, 0)
  const rate = getTaxRate(address)
  return Math.round(taxableSubtotal * rate)
}
```
Seed exempt products with is_tax_exempt = true during data entry and verify the calculation result is lower than the full-cart total for a cart that contains exempt items. Do not rely on product name pattern-matching to determine exemption — use the schema field.
Detection
- ID: exempt-products
- Severity: critical
- What to look for: Count the number of tax-exempt product indicators in the codebase: (1) is_tax_exempt boolean in the product database schema, (2) tax category/class field on products, (3) conditional exclusion logic in the tax calculation function. Enumerate which product types are exempt if found (groceries, prescriptions, clothing).
- Pass criteria: The product schema includes at least 1 tax exemption field (boolean flag or tax category), and the tax calculation function conditionally excludes products with that flag from the taxable subtotal, reducing the tax amount when exempt items are in the cart.
- Fail criteria: No tax exemption field exists on the product model, or the field exists but the tax calculation applies tax to all products uniformly without checking it. Do not pass when an is_tax_exempt column exists in the schema but the tax calculation never references it.
- Skip (N/A) when: All products in the catalog are taxable (search the product schema and seed data for tax exemption fields; if no exemption concept exists and all products are of a single taxable type, skip).
- Detail on fail: "Product schema has no tax exemption field. Tax calculated on full cart subtotal including 3 grocery items that should be exempt." or "is_tax_exempt column exists but tax calculation at lib/tax.ts:24 ignores it — taxes all items equally."
- Remediation: Add tax-exempt product support in the product schema and lib/tax.ts:

  ```sql
  -- Database schema
  CREATE TABLE products (
    id UUID PRIMARY KEY,
    name TEXT,
    price INT, -- in cents
    is_tax_exempt BOOLEAN DEFAULT FALSE
  );
  ```

  ```ts
  // Tax calculation
  function calculateTax(items: OrderItem[], address: Address): number {
    const taxableSubtotal = items.reduce((sum, item) => {
      return sum + (item.is_tax_exempt ? 0 : item.price * item.quantity)
    }, 0)
    const rate = getTaxRate(address)
    return Math.round(taxableSubtotal * rate)
  }
  ```
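The fail criterion (flag present but never read) and the mixed-cart verification step from the remediation can both be checked behaviourally. The following is an added example, not the project's own code: `uniformTax`, `exemptAwareTax`, `ignoresExemptFlag`, the sample cart and the flat `rate` argument (standing in for `getTaxRate(address)`) are all assumptions made for illustration.

```typescript
// Added example: constructed types and data, not the project's lib/tax.ts.
interface OrderItem {
  price: number; // in cents
  quantity: number;
  is_tax_exempt: boolean;
}

// Assumption: a flat rate argument stands in for getTaxRate(address).
type TaxFn = (items: OrderItem[], rate: number) => number;

// "Before": the flag exists on every item but the calculation never reads it.
const uniformTax: TaxFn = (items, rate) =>
  Math.round(items.reduce((sum, i) => sum + i.price * i.quantity, 0) * rate);

// "After": exempt lines contribute nothing to the taxable subtotal.
const exemptAwareTax: TaxFn = (items, rate) =>
  Math.round(
    items.reduce((sum, i) => sum + (i.is_tax_exempt ? 0 : i.price * i.quantity), 0) * rate
  );

// Constructed mixed cart: one exempt grocery line, one taxable line.
const mixedCart: OrderItem[] = [
  { price: 399, quantity: 2, is_tax_exempt: true },
  { price: 1299, quantity: 1, is_tax_exempt: false },
];
const RATE = 0.0825; // constructed sample rate

// Behavioural check for the fail criterion: if marking every line taxable
// leaves the result unchanged, the calculation is ignoring is_tax_exempt.
function ignoresExemptFlag(calc: TaxFn, cart: OrderItem[], rate: number): boolean {
  const exemptTotal = cart
    .filter((i) => i.is_tax_exempt)
    .reduce((sum, i) => sum + i.price * i.quantity, 0);
  // The exempt portion must be worth at least one cent of tax; otherwise
  // rounding could hide a correctly applied exemption and give a false fail.
  if (exemptTotal * rate < 1) {
    throw new Error("cart needs exempt lines worth at least one cent of tax");
  }
  const allTaxable = cart.map((i) => ({ ...i, is_tax_exempt: false }));
  return calc(cart, rate) === calc(allTaxable, rate);
}
```

On the sample cart the uniform calculation charges 173 cents and the exemption-aware one 107 cents, so the check flags only the former.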
External references
- cwe · CWE-682 — Incorrect Calculation
- iso-25010:2011 · functional-correctness — Functional Correctness (Functional Suitability)
- external · irs-publication-334-tax-exempt-products — IRS Publication 334 and state sales tax exemption statutes — product-level tax exemptions (groceries, prescriptions, clothing)
History
- 2026-04-18 · v1.0.0 · Initial import from ecommerce-shipping-tax · automated