What You Should Know About Dependency Reachability in SCA
Blog post from Semgrep
Vulnerability alerts from Software Composition Analysis (SCA) tools often inundate developers with findings, most of which have no bearing on the actual security of the application; the result is wasted effort and tension between security and development teams. Traditional SCA tools contribute to the problem by treating every vulnerability as equally critical, without asking whether the affected part of the library is used at all.

Reachability analysis addresses this by assessing whether a vulnerability in a third-party package is actually used by, or reachable from, the application code, so that alerts for unreachable code can be dropped. There are three types of reachability analysis: dependency reachability, which checks whether the package is used at all; function-level reachability, which checks whether the specific vulnerable function is called; and dataflow reachability, which checks whether risky data flows into the vulnerable function call. Dataflow reachability gives the deepest insight, because whether a vulnerability can actually be exploited depends on how data flows through the code.

Effective reachability analysis lets teams focus on real, exploitable issues, minimizing alert fatigue and fostering better collaboration between developers and security teams, although some tools offer only limited or slow reachability analysis in practice.
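To make the three levels concrete, here is an added example (not code from Semgrep or from the original post) that classifies a handful of constructed Python source files by reachability using only the standard-library `ast` module. The package name `imagelib`, its function `parse_header`, the taint sources and all sample files are hypothetical; the dataflow step is a deliberately simple intra-procedural taint pass (assignments from a known source mark a variable tainted, iterated to a fixpoint) rather than a full interprocedural analysis, which is what a real SCA engine would need.

```python
import ast

# Constructed for this example: a hypothetical vulnerable package and function.
VULN_PACKAGE = "imagelib"
VULN_FUNCTION = "parse_header"
# Expressions treated as attacker-controlled input (assumed taint sources).
TAINT_SOURCES = {"request.form", "request.args", "sys.argv", "input"}

# Ordered from least to most actionable; triage should follow the highest level.
LEVELS = ("unreachable", "dependency", "function", "dataflow")

# Constructed sample files, one per reachability outcome.
SAMPLE_FILES = {
    "unused.py": "import json\nprint(json.dumps({}))\n",
    "imported_only.py": "import imagelib\nprint(imagelib.__version__)\n",
    "constant_call.py": "import imagelib\nhdr = imagelib.parse_header(b'\\x89PNG')\n",
    "tainted_call.py": (
        "import imagelib\n"
        "from flask import request\n"
        "def upload():\n"
        "    data = request.form['img']\n"
        "    hdr = imagelib.parse_header(data)\n"
        "    return hdr\n"
    ),
    "cli.py": (
        "import sys\n"
        "from imagelib import parse_header as ph\n"
        "raw = sys.argv[1]\n"
        "print(ph(raw.encode()))\n"
    ),
}


def _dotted(node):
    """Render a Name/Attribute chain such as request.form as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _collect_aliases(tree):
    """Return (package imported?, names through which the vulnerable function is callable)."""
    aliases, imported = set(), False
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == VULN_PACKAGE:
                    imported = True
                    aliases.add(f"{a.asname or a.name}.{VULN_FUNCTION}")
        elif isinstance(node, ast.ImportFrom) and node.module == VULN_PACKAGE:
            imported = True
            for a in node.names:
                if a.name == VULN_FUNCTION:
                    aliases.add(a.asname or a.name)
    return imported, aliases


def _is_tainted(expr, tainted_vars):
    """Conservative check: does the expression read a taint source or a tainted variable?"""
    for sub in ast.walk(expr):
        name = _dotted(sub)
        if name and (name in TAINT_SOURCES or name.split(".")[0] in tainted_vars):
            return True
    return False


def _tainted_vars(tree):
    """Propagate taint through simple assignments until no new variable is marked."""
    tainted, changed = set(), True
    while changed:
        changed = False
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and _is_tainted(node.value, tainted):
                for target in node.targets:
                    if isinstance(target, ast.Name) and target.id not in tainted:
                        tainted.add(target.id)
                        changed = True
    return tainted


def classify_source(src):
    """Return the highest reachability level found in one source file."""
    tree = ast.parse(src)
    imported, aliases = _collect_aliases(tree)
    if not imported:
        return "unreachable"            # package never imported: dependency-unreachable
    tainted = _tainted_vars(tree)
    level = "dependency"                # imported, but vulnerable function may be unused
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted(node.func) in aliases:
            level = "function"          # the vulnerable function is actually called
            args = node.args + [kw.value for kw in node.keywords]
            if any(_is_tainted(a, tainted) for a in args):
                return "dataflow"       # and attacker-influenced data reaches it
    return level


def classify_files(files):
    return {name: classify_source(src) for name, src in files.items()}


def overall(files):
    """The strongest level across the project, i.e. the one that should drive triage."""
    return max(classify_files(files).values(), key=LEVELS.index)


if __name__ == "__main__":
    for name, level in classify_files(SAMPLE_FILES).items():
        print(f"{name:18} {level}")
    print("overall:", overall(SAMPLE_FILES))
```

Run as-is, the script reports `unused.py` as unreachable, `imported_only.py` as dependency-reachable only, `constant_call.py` as function-reachable, and the two files that pass user input into the call as dataflow-reachable; a triage policy built on this would page someone only for the last category, and would merely log the first.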