How do you know if a vulnerability in method-X in library-Y is actually reachable from your application, and therefore has a real impact and is not just more noise generated by scanning tools?
This is a real problem for most SCA tools because of how they operate, based on version-matching algorithms. Implementing reachability analysis will greatly reduce false positives related to vulnerability detection. However, doing this, especially in a language-agnostic manner, is challenging, if not impossible.
We should explore this problem in two stages:
1. Define a model for performing vulnerability reachability analysis based on OSV database-specific information (symbols)
2. Implement language-specific parsing and analysis infrastructure to identify control flow paths
Doing [2] is not easy, as it requires having the source code of all 3rd-party dependencies as well, to identify paths that are reachable indirectly from the target application.
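To make the two stages concrete, here is an added example (not code from the issue's author or from the project) that works through both on a toy Python code base. Stage 1 is a constructed OSV-style advisory whose `affected[].ecosystem_specific.imports[].symbols` layout follows the shape the Go vulnerability database uses for symbol-level data; the advisory ID, package name `liby` and symbol `method_x` are placeholders. Stage 2 builds a call graph from the application and its dependency sources with the `ast` module and searches for a call chain from an entry point to a vulnerable symbol. Only direct calls to bare names (local definitions and `from X import name`) are resolved; attribute calls, dynamic dispatch and anything outside the supplied sources are not, which is exactly where the comment's point about needing dependency source code bites.

```python
"""Toy reachability check: does a call path from the application's entry point
reach a symbol an OSV-style advisory names as vulnerable?"""
import ast
from collections import deque

# Constructed advisory (not a real one). The imports[].symbols layout mirrors the
# ecosystem_specific block used by the Go vulnerability database.
ADVISORY = {
    "id": "EXAMPLE-0000-0001",
    "affected": [{
        "package": {"name": "liby", "ecosystem": "PyPI"},
        "ecosystem_specific": {
            "imports": [{"path": "liby.parse", "symbols": ["method_x"]}]
        },
    }],
}

# Constructed sources: the application plus the third-party modules it depends on.
# app.main reaches method_x only indirectly, via liby.util.sanitize.
SOURCES = {
    "app": '''
from liby.parse import method_x, safe_helper
from liby.util import sanitize

def main():
    data = load()
    return sanitize(data)

def load():
    return safe_helper("input")

def unused_path():
    return method_x("input")
''',
    "liby.parse": '''
def method_x(s):
    return s

def safe_helper(s):
    return s
''',
    "liby.util": '''
from liby.parse import method_x

def sanitize(s):
    return method_x(s)
''',
}


def vulnerable_symbols(advisory):
    """Stage 1: turn the advisory's symbol data into fully qualified names."""
    syms = set()
    for affected in advisory["affected"]:
        for imp in affected.get("ecosystem_specific", {}).get("imports", []):
            for sym in imp.get("symbols", []):
                syms.add(f"{imp['path']}.{sym}")
    return syms


def build_call_graph(sources):
    """Stage 2: map each qualified function to the qualified functions it calls.
    Only bare-name calls are resolved (local defs and `from X import name`)."""
    graph = {}
    for module, src in sources.items():
        tree = ast.parse(src)
        aliases = {}  # local name -> fully qualified target
        for node in tree.body:
            if isinstance(node, ast.ImportFrom) and node.module:
                for alias in node.names:
                    aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
            elif isinstance(node, ast.FunctionDef):
                aliases[node.name] = f"{module}.{node.name}"
        for node in tree.body:
            if not isinstance(node, ast.FunctionDef):
                continue
            callees = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name):
                    target = aliases.get(sub.func.id)
                    if target:
                        callees.add(target)
            graph[f"{module}.{node.name}"] = callees
    return graph


def find_path(graph, entry, targets):
    """Breadth-first search; returns the call chain to the first target hit, or None."""
    parents = {entry: None}
    queue = deque([entry])
    while queue:
        current = queue.popleft()
        if current in targets:
            chain = []
            while current is not None:
                chain.append(current)
                current = parents[current]
            return chain[::-1]
        for callee in graph.get(current, ()):
            if callee not in parents:
                parents[callee] = current
                queue.append(callee)
    return None


def reachable_path(sources, advisory, entry):
    """Call chain from `entry` to a vulnerable symbol, or None if unreachable."""
    return find_path(build_call_graph(sources), entry, vulnerable_symbols(advisory))


if __name__ == "__main__":
    for entry in ("app.main", "app.load"):
        print(entry, "->", reachable_path(SOURCES, ADVISORY, entry))
```

Running it reports `app.main` as reachable through `liby.util.sanitize` even though `app` never calls `method_x` directly on that path, while `app.load` comes back as unreachable. A version-matching scanner would flag both entry points identically; the symbol-level model plus a call graph is what separates the two.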