Reachability Analysis

Sonatype CLI will scan your application code with reachability analysis. The analysis detects method signatures in the application code that belong to components with potentially exploitable security vulnerabilities. Such components are labeled as Security-Reachable and can be viewed on the component details page, accessible from the resulting application report.

How reachability analysis works in Lifecycle

By including an additional parameter in the CLI command, reachability analysis will run on Java (or any JVM language) binaries located in the scan target. The scan process analyzes all application binaries and the dependency binaries, and the tool generates a map of which methods the application uses.

When the scan detects a vulnerable component whose methods appear in that map, the component is labeled as Security-Reachable. Conversely, when the scan detects a vulnerable component that isn't referenced in that map, the component is not labeled.

Reachability analysis runs normally even if the scan target contains components that have been matched as proprietary components.

Application scans with reachability analysis will detect vulnerable methods even if they are not called directly by the application code.

Reachability Analysis Example:

  • Consider methods Library.a() and Library.b()

  • Library.a() is a vulnerable method and is called by Library.b() as part of its built-in functionality

  • The application code calls the method, Library.b()

  • Reachability analysis detects this call as a call to a vulnerable method Library.a() and labels the open source dependency as Security-Reachable
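The transitive lookup the example describes can be illustrated with a small call-graph walk. The code below is an added illustration, not Sonatype's implementation; the call graph, component names and advisory ids are constructed placeholders, and the entry point App.main() is assumed.

```python
from collections import deque

# Constructed call graph (caller -> callees), modelled on the page's example:
# App.main() calls Library.b(), which calls the vulnerable Library.a().
# Other.c() is also vulnerable but nothing in the application reaches it.
CALL_GRAPH = {
    "App.main": ["Library.b", "Util.log"],
    "Library.b": ["Library.a"],
    "Util.log": [],
    "Library.a": [],
    "Other.c": ["Other.d"],
    "Other.d": [],
}

# Constructed vulnerability data: vulnerable method -> (component, advisory placeholder)
VULNERABLE_METHODS = {
    "Library.a": ("library-1.0.jar", "ADVISORY-PLACEHOLDER-1"),
    "Other.c": ("other-2.3.jar", "ADVISORY-PLACEHOLDER-2"),
}


def reachable_methods(call_graph, entry_points):
    """Breadth-first walk from the application's entry points. Returns every
    method reachable transitively, including calls made inside dependency code,
    which is why Library.a() counts even though the app never calls it directly."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        method = queue.popleft()
        if method in seen:
            continue
        seen.add(method)
        queue.extend(call_graph.get(method, []))
    return seen


def security_reachable_components(call_graph, entry_points, vulnerable_methods):
    """Map component -> sorted vulnerable methods the application can reach.
    Components whose vulnerable methods are never reached are absent, i.e. unlabeled."""
    reached = reachable_methods(call_graph, entry_points)
    labeled = {}
    for method, (component, _advisory) in vulnerable_methods.items():
        if method in reached:
            labeled.setdefault(component, []).append(method)
    return {component: sorted(methods) for component, methods in labeled.items()}


if __name__ == "__main__":
    for component, methods in security_reachable_components(
            CALL_GRAPH, ["App.main"], VULNERABLE_METHODS).items():
        print(f"{component}: Security-Reachable via {', '.join(methods)}")
```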

How to use reachability analysis with Sonatype CLI

  1. On the first execution of Reachability Analysis, the Security-Reachable label is automatically created as a new component label and attached to relevant components.

  2. We recommend creating a policy that includes a constraint condition with the label Security-Reachable and determining the threat level based on the priority of remediation needs. This allows subsequent calls to trigger policy violations and provide immediate visibility.