
Reachability Analysis with Sonatype CLI

You can now configure Sonatype CLI to perform Reachability Analysis, which detects method signatures in your application code that reach components with potentially exploitable security vulnerabilities. Components found this way are labeled Security-Reachable, and the label is visible on the component details page of the resulting application report.

How Reachability Analysis Works in Sonatype CLI

Reachability Analysis leverages the Callflow feature in Sonatype CLI.

You enable the Callflow feature by including an additional parameter in the CLI command. The scan then analyzes all application and dependency binaries written in Java (or any other JVM language) that are located in the scan target.

This allows you to detect reachable vulnerabilities, even in proprietary components within your application.

Using Reachability Analysis in Sonatype CLI

  1. On first execution, the Security-Reachable label is automatically created as a new component label and attached to the relevant components.

  2. We recommend creating a policy whose constraint condition matches the Security-Reachable label, with the threat level set according to how urgently such findings must be remediated. Subsequent CLI runs then trigger policy violations for these components, giving immediate visibility.
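The following script is an added example, not Sonatype code, showing how a team might consume the application report described above: it filters components carrying the Security-Reachable label and ranks every vulnerable component with a threat level in which a reachable finding always outranks an unreachable one of the same score, mirroring the prioritization the policy recommendation asks for. The report JSON embedded here is constructed, and its key names (`components`, `displayName`, `labels`, `securityData`, `securityIssues`) are assumptions rather than the documented raw-report schema, as is the severity-to-threat-level mapping in `threat_level`; adapt `extract_findings` to the fields your IQ Server version actually emits.

```python
import json

REACHABLE_LABEL = "Security-Reachable"

# Constructed sample report (not real Sonatype output). Key names such as
# "displayName", "labels" and "securityData" are assumptions: check the raw
# report your IQ Server version produces and adjust extract_findings().
SAMPLE_REPORT = json.dumps({
    "components": [
        {"displayName": "org.example:parser:1.2.0",
         "labels": [{"label": "Security-Reachable"}],
         "securityData": {"securityIssues": [
             {"reference": "PLACEHOLDER-ISSUE-A", "severity": 9.8}]}},
        {"displayName": "org.example:logging:3.0.1",
         "labels": [],
         "securityData": {"securityIssues": [
             {"reference": "PLACEHOLDER-ISSUE-B", "severity": 7.5}]}},
        {"displayName": "org.example:util:0.9",
         "labels": [{"label": "Security-Reachable"}],
         "securityData": {"securityIssues": [
             {"reference": "PLACEHOLDER-ISSUE-C", "severity": 5.3},
             {"reference": "PLACEHOLDER-ISSUE-D", "severity": 3.1}]}},
        {"displayName": "org.example:clean:2.0",
         "labels": [],
         "securityData": {"securityIssues": []}},
    ]
})


def threat_level(max_severity, reachable):
    """Map (highest CVSS-style score, reachability) to an IQ-style 0-10 level.

    The mapping is this example's assumption, not a Sonatype default: a
    reachable finding always ranks above an unreachable one of equal score.
    """
    if max_severity <= 0:
        return 0
    if reachable:
        if max_severity >= 9.0:
            return 10
        if max_severity >= 7.0:
            return 9
        return 7
    if max_severity >= 9.0:
        return 8
    if max_severity >= 7.0:
        return 6
    return 4


def extract_findings(report_text):
    """Return one record per component that has at least one security issue."""
    report = json.loads(report_text)
    findings = []
    for comp in report.get("components", []):
        issues = comp.get("securityData", {}).get("securityIssues", [])
        if not issues:
            continue  # nothing to triage for this component
        labels = {entry.get("label") for entry in comp.get("labels", [])}
        reachable = REACHABLE_LABEL in labels
        max_severity = max(float(i.get("severity", 0)) for i in issues)
        findings.append({
            "component": comp.get("displayName", "<unknown>"),
            "reachable": reachable,
            "max_severity": max_severity,
            "issues": [i.get("reference") for i in issues],
            "threat_level": threat_level(max_severity, reachable),
        })
    return findings


def triage(report_text):
    """Findings ordered by threat level, reachable first on ties, then score."""
    return sorted(
        extract_findings(report_text),
        key=lambda f: (f["threat_level"], f["reachable"], f["max_severity"]),
        reverse=True,
    )


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        flag = "REACHABLE " if f["reachable"] else "           "
        print(f"{f['threat_level']:>2}  {flag}{f['component']}  {f['issues']}")
```

Run on the constructed sample, the reachable medium-severity `util` component lands above the unreachable high-severity `logging` component, which is the ordering a Security-Reachable policy constraint is meant to surface; the `clean` component, having no security issues, is dropped from the list entirely.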