
Announcing Kotlin Reachability: Expanding the reach of Semgrep’s reachability

Blog post from Semgrep

Post Details

Company: Semgrep
Author: Kyle Kelly
Word Count: 552
Language: English
Summary

Semgrep Supply Chain improves vulnerability management with reachability analysis, which prioritizes vulnerabilities by their actual impact on a codebase and reduces false positives by up to 98%. It does this with dataflow reachability, which tracks how and where vulnerable functions from dependencies are actually used in the project's code. Kotlin reachability was recently added in recognition of Kotlin's growing popularity, especially in Android development, and its close integration with Java, since both compile to JVM bytecode. With this addition, vulnerabilities can be traced precisely in Kotlin projects, and Semgrep's cross-language analysis between Java and Kotlin covers mixed codebases, addressing security concerns in this relatively young language. Semgrep's reachability analysis covers a substantial portion of critical CVEs published since 2017, and the company plans to support more languages as part of its continued investment in reachability within the Software Composition Analysis (SCA) space.