Taming the elephant: Introducing reachability analysis for PHP
Blog post from Semgrep
Semgrep has introduced the first reachability analysis for PHP, a server-side language that powers over 70% of websites, to reduce noise in vulnerability alerts. Reachability analysis, now available for 12 programming languages including PHP, reports not only whether a codebase includes a dependency with a known vulnerability but also whether the code actually executes the vulnerable parts of that dependency in a harmful manner. Security teams can therefore notify developers or fail builds only for vulnerabilities that are truly reachable. The post illustrates this with CVE-2016-10033, an injection vulnerability in the PHPMailer library: the analysis determines whether an application executes the vulnerable mail() function. Now generally available, Semgrep Supply Chain's reachability analysis for PHP covers all critical severity issues back to 2017 and high severity issues from May 2022 onwards. Existing customers receive the feature automatically; new users can access it by creating an account and scanning their projects.
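To make the two-stage decision concrete (is the affected dependency present, and does application code actually call the vulnerable function?), here is a toy reachability check written for this page. It is an added illustration, not Semgrep's code and not the real PHPMailer advisory data: the CVE id, package name and the `mail()` call come from the text above, while the affected-version bound (`fixed_in`) is an explicit placeholder and the lockfile and PHP snippets are constructed samples. Call detection here is a lexical approximation; Semgrep's actual analysis matches code patterns and dataflow rather than regular expressions.

```python
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """What a supply-chain advisory needs for a reachability check."""
    cve: str
    package: str            # Composer package name
    fixed_in: tuple         # first version that is no longer affected
    vulnerable_call: str    # free function whose call makes the bug reachable


# CVE id, package and vulnerable function are taken from the page; the
# fixed version is a PLACEHOLDER because the page does not state it.
PHPMAILER_ADVISORY = Advisory(
    cve="CVE-2016-10033",
    package="phpmailer/phpmailer",
    fixed_in=(9, 9, 9),  # PLACEHOLDER bound, not the real fix version
    vulnerable_call="mail",
)


def parse_version(text: str) -> tuple:
    """'v5.2.1' -> (5, 2, 1); a leading 'v' and pre-release suffixes are dropped."""
    nums = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(n) for n in nums)


def affected_version(lockfile_json: str, adv: Advisory):
    """Stage 1: return the pinned version if composer.lock pins an affected
    release of the advisory's package, otherwise None."""
    lock = json.loads(lockfile_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == adv.package:
            version = pkg.get("version", "")
            if parse_version(version) < adv.fixed_in:
                return version
    return None


_COMMENT_LINE = re.compile(r"^\s*(//|#|\*|/\*)")


def find_calls(php_source: str, adv: Advisory) -> list:
    """Stage 2: line numbers where the vulnerable free function is called.
    Comment lines are skipped; method calls ($obj->mail()) and variables
    ($mail) are excluded by the lookbehind."""
    pattern = re.compile(r"(?<![\w$>])" + re.escape(adv.vulnerable_call) + r"\s*\(")
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if _COMMENT_LINE.match(line):
            continue
        if pattern.search(line):
            hits.append(lineno)
    return hits


def assess(lockfile_json: str, sources: dict, adv: Advisory) -> dict:
    """Combine both stages: only 'reachable' should page a developer or fail a build."""
    version = affected_version(lockfile_json, adv)
    if version is None:
        return {"cve": adv.cve, "status": "not_affected", "locations": []}
    locations = [(path, n) for path, src in sources.items() for n in find_calls(src, adv)]
    status = "reachable" if locations else "present_unreachable"
    return {"cve": adv.cve, "status": status, "version": version, "locations": locations}


# Constructed sample inputs (not taken from the page).
LOCK_AFFECTED = json.dumps({"packages": [{"name": "phpmailer/phpmailer", "version": "v1.0.0"}]})
LOCK_FIXED = json.dumps({"packages": [{"name": "phpmailer/phpmailer", "version": "v9.9.9"}]})

APP_CALLS_MAIL = """<?php
require 'vendor/autoload.php';
// mail() is mentioned here only in a comment
$subject = 'hello';
mail($to, $subject, $body);
"""

APP_NO_CALL = """<?php
require 'vendor/autoload.php';
$mail = new PHPMailer();
$mail->Subject = 'hello';
$log->mail($entry);
"""

if __name__ == "__main__":
    for lock, src in ((LOCK_AFFECTED, APP_CALLS_MAIL), (LOCK_AFFECTED, APP_NO_CALL), (LOCK_FIXED, APP_CALLS_MAIL)):
        print(assess(lock, {"app.php": src}, PHPMAILER_ADVISORY))
```

Run as a script, the three cases print `reachable` (affected version pinned and `mail()` called on line 5), `present_unreachable` (affected version pinned, but the only `mail` tokens are a variable and a method call) and `not_affected` (fixed version pinned). The middle case is the noise that reachability analysis removes: a plain dependency scan would still raise it.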