
Reachability Analysis with Sonatype CLI

You can configure Sonatype CLI to perform Reachability Analysis, which detects whether your application code calls method signatures in components that have potentially exploitable security vulnerabilities. Policy violations caused by these vulnerable components are labeled Reachable and can be viewed in the application report.

How Reachability Analysis Works in Sonatype CLI

Reachability Analysis leverages the Callflow feature in Sonatype CLI.

Adding one parameter to the CLI command enables the Callflow feature. The scan then analyzes all application and dependency binaries in the scan target, whether compiled from Java or any other JVM language.

This allows you to detect reachable vulnerabilities, even in proprietary components within your application.
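As an added illustration (not Sonatype's code, and not a description of how the CLI implements Callflow internally), the following Python sketch shows the kind of decision Reachability Analysis makes: starting from the application's own entry points, walk the static call graph of application and dependency methods, and mark a vulnerable method signature Reachable only if a call path from application code actually reaches it. The call graph, method signatures, and vulnerability identifiers are constructed sample data and hypothetical; no real component or CVE is referenced.

```python
"""Toy call-graph reachability check.

Illustrative only: this is not Sonatype's implementation. It shows why a
vulnerable method that is merely present in a dependency is not the same
as one that application code can reach.
"""
from collections import deque

# Constructed sample call graph (hypothetical names). Keys are JVM-style
# method signatures "owner.method(descriptor)"; values are the methods each
# one invokes, as a bytecode analyzer would record them from invoke* ops.
CALL_GRAPH = {
    "com/acme/app/Main.main([Ljava/lang/String;)V": [
        "com/acme/app/Service.handle(Ljava/lang/String;)V",
    ],
    "com/acme/app/Service.handle(Ljava/lang/String;)V": [
        "com/example/lib/Parser.parse(Ljava/lang/String;)Ljava/lang/Object;",
    ],
    "com/example/lib/Parser.parse(Ljava/lang/String;)Ljava/lang/Object;": [
        "com/example/lib/Parser.expand(Ljava/lang/String;)Ljava/lang/String;",
    ],
    "com/example/lib/Parser.expand(Ljava/lang/String;)Ljava/lang/String;": [],
    # Shipped in the same dependency jar, but nothing in the app calls it.
    "com/example/lib/Loader.load(Ljava/lang/String;)Ljava/lang/Object;": [],
}

# The application's own entry points (hypothetical).
APP_ENTRY_POINTS = ["com/acme/app/Main.main([Ljava/lang/String;)V"]

# Hypothetical vulnerable method signatures keyed to made-up advisory IDs.
VULNERABLE_SIGNATURES = {
    "com/example/lib/Parser.expand(Ljava/lang/String;)Ljava/lang/String;": "HYPO-0001",
    "com/example/lib/Loader.load(Ljava/lang/String;)Ljava/lang/Object;": "HYPO-0002",
}


def find_parents(graph, entry_points):
    """Breadth-first walk over static call edges from the entry points.

    Returns a dict mapping every reached method to the caller through which
    it was first reached (entry points map to None). Methods absent from the
    dict were never reached.
    """
    parent = {}
    queue = deque()
    for entry in entry_points:
        parent[entry] = None
        queue.append(entry)
    while queue:
        caller = queue.popleft()
        for callee in graph.get(caller, []):
            if callee not in parent:
                parent[callee] = caller
                queue.append(callee)
    return parent


def call_path(parent, target):
    """Reconstruct the entry-point-to-target call chain from the parent map."""
    path = []
    node = target
    while node is not None:
        path.append(node)
        node = parent[node]
    path.reverse()
    return path


def classify_violations(graph, entry_points, vulnerable):
    """Return {advisory_id: (status, call_path)} for each vulnerable signature.

    status is "Reachable" when a static call path from application code
    reaches the signature, otherwise "Not reachable".
    """
    parent = find_parents(graph, entry_points)
    result = {}
    for signature, advisory_id in vulnerable.items():
        if signature in parent:
            result[advisory_id] = ("Reachable", call_path(parent, signature))
        else:
            result[advisory_id] = ("Not reachable", [])
    return result


if __name__ == "__main__":
    for advisory_id, (status, path) in classify_violations(
        CALL_GRAPH, APP_ENTRY_POINTS, VULNERABLE_SIGNATURES
    ).items():
        print(f"{advisory_id}: {status}")
        for step in path:
            print(f"    {step}")
```

In the sample, HYPO-0001 is marked Reachable with the chain Main.main, Service.handle, Parser.parse, Parser.expand, while HYPO-0002 is present in the same dependency but never called. One general caveat applies to any static call graph, including this toy: calls made through reflection, dynamic class loading, or serialization hooks are not visible as edges, so a Not reachable result lowers priority but is not proof that the component is unexploitable.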

Using Reachability Analysis in Sonatype CLI

On first execution, if Reachability Analysis finds a component (from the Maven ecosystem) with a vulnerable method signature that your application code reaches, the application report shows the corresponding policy violation with Reachable status.

[Image: Reachable_Violation.png, a policy violation marked Reachable in the application report]

Use the Reachable status to prioritize remediation of this violation.