Example implementations relate to static program analysis. For example, an apparatus includes a processor to perform static program analysis on a set of processor executable instructions associated with an object-relational mapping (ORM) framework. The first set of processor executable instructions includes an object. The processor is also to generate a propagation path of the object based on an execution flow of the object. The propagation path includes a first node and a second node. The first node corresponds to a first ORM operation to store the object in a database. The second node corresponds to a second ORM operation to retrieve the object from the database. The second node is linked to the first node based on a common attribute of the object. In response to a determination that the propagation path includes a sink, the processor is to output a security risk warning.