Intro to Reachable Vulnerabilities
The first step of scanning apps' for open source vulnerabilities is to identify the packages used by the app. The next step is to be able to say which of the identified packages contains a vulnerability regardless if the vulnerability actually affects the apps’ code itself. Following this path can easily lead to 10s and even 100s of thousands of vulnerabilities when you look at the organization level which creates the challenge of where should I start?
When looking deeper into the vulnerabilities, not all of those vulnerabilities actually affect your code as you’re not necessarily using the vulnerable part of the package. This means that the vulnerability doesn’t have a path from your app to the vulnerability (aka not reachable) on the other hand, some vulnerabilities will have a path from the code to the vulnerable function and those vulnerabilities are reachable. By looking deeper into how the app is using the open-source dependencies and how the open-source dependencies interact with each other, we can add the needed context around the found vulnerabilities and help you understand which vulnerabilities should be prioritized higher as they are reachable and which can be de-prioritized as they are not reachable.
*Reachable Vulnerabilities is a Beta feature. We'll be more than happy to hear feedback.
How does it work?
In order to be able to provide as accurate results as possible, we are using multiple algorithms in order to build a call graph from your app to the open-source dependencies you are using. Once we have that call graph we are able to say which of the vulnerabilities has a path leading from the app’s code down to the vulnerable function or package.
We split the results into 3 buckets:
- Reachable- We see a clear path from the app’s code down to the vulnerable function. We strongly recommend that you’ll fix those vulnerabilities first.
- Potentially reachable- We found indications that you might be exposed to the vulnerability and we recommend that you will review it.
- No info- We don’t have enough information in order to decide whether the vulnerability is reachable or not.
Supported languages and prerequisites
The Reachable Vulnerabilities solution is available today for Java (Maven) apps and in the CLI only. Java Gradle is coming next and more languages will follow.
- Supported Java version 8 to 13
- Support Maven version 3.6.0 and above
- The Reachable Vuln analysis is running right after the snyk test command. In order to be able to run it, you’ll need to have the app already built (compiled) and the bytecode of the app should be available.
How to use?
Running Reachable Vulnerabilities analysis in the CLI
- In order to use the Reachable Vuln analysis in the CLI, make sure you are using the latest version of the CLI
- Navigate into the folder of your app and relevant manifest files live (alternatively you can use the --file<file_name> parameter to point to the right path)
- Run snyk <test/monitor> --reachable
When running snyk test --reachable the CLI output will include the following:
- The number of tested dependencies, the number of found vulnerabilities and how many of them are reachable
- The reachability level will be next to the relevant vulnerability and the path from the app’s code to the vulnerable function will be presented below
After running snyk monitor in the CLI, the project will be monitored by Snyk and the results of the Reachable Vulnerabilities analysis will be exposed in the Project page in the following places:
- Filters- allows you to focus on reachable vulnerabilities first by filtering based on reachability
- Reachability badge- allows to quickly understand the reachability level of vulnerabilities
- Call path- Allows you to see the path from your code to the vulnerable function in order to validate the result
The reachability information can be reviewed next to each issue under the Reports Issues tab (ungrouped view).
You can filter by reachability status in order to quickly surface the issues which are reachable