Reachability Analysis
Sonatype CLI will scan your application code with reachability analysis. The analysis detects method signatures in the application code that belong to components with potentially exploitable security vulnerabilities. Such components are labeled as Security-Reachable and can be viewed on the component details page, accessible from the resulting application report.
How reachability analysis works in Lifecycle
When an additional parameter is included in the CLI command, reachability analysis runs on Java (or any JVM language) binaries located in the scan target. The scan process analyzes all application binaries and all dependency binaries and generates a map of which methods the application uses.
When the scan detects a vulnerable component whose vulnerable methods appear in that map, the component is labeled as Security-Reachable. Conversely, when the scan detects a vulnerable component that isn't referenced in that map, the component is not labeled.
Reachability analysis runs normally even if the scan target contains components that have been matched as proprietary components.
Application scans with reachability analysis will detect vulnerable methods even if they are not called directly by the application code.
Reachability Analysis Example:
Consider the methods Library.a() and Library.b().
Library.a() is a vulnerable method and is called by Library.b() as part of its built-in functionality.
The application code calls the method Library.b().
Reachability analysis detects this call as a call to the vulnerable method Library.a() and labels the open source dependency as Security-Reachable.
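The transitive lookup in this example, as an added illustration that is not Sonatype's code: a small Python model of a method map in which the call graph, the component ownership, the vulnerable-method list and the application entry point are all constructed, and a component is flagged only when one of its vulnerable methods is reachable from the application.

```python
from collections import deque
# Constructed call graph for the page's example: caller -> callees.
# App.main() calls Library.b(), which calls vulnerable Library.a();
# Unused.c() is dead code, so its vulnerable callee must not be flagged.
CALL_GRAPH = {
    "App.main()": {"Library.b()", "Other.helper()"},
    "Library.b()": {"Library.a()"},
    "Unused.c()": {"Unused.vuln()"},
}
# Constructed ownership: which dependency archive provides each method.
COMPONENTS = {
    "library-1.0.jar": {"Library.a()", "Library.b()"},
    "other-2.0.jar": {"Other.helper()"},
    "unused-3.0.jar": {"Unused.c()", "Unused.vuln()"},
}
# Constructed vulnerability data and application entry points.
VULNERABLE_METHODS = {"Library.a()", "Unused.vuln()"}
ENTRY_POINTS = ["App.main()"]

def reachable_methods(call_graph, entry_points):
    """BFS from the entry points; returns {method: caller} for every
    method the application reaches directly or transitively."""
    parent = {ep: None for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        caller = queue.popleft()
        for callee in call_graph.get(caller, ()):
            if callee not in parent:
                parent[callee] = caller
                queue.append(callee)
    return parent

def call_path(parent, method):
    """Walk caller links back to the entry point as evidence of reachability."""
    path = []
    while method is not None:
        path.append(method)
        method = parent[method]
    return path[::-1]

def label_components(call_graph, components, vulnerable, entry_points):
    """Security-Reachable when a vulnerable method is in the reachable map."""
    parent = reachable_methods(call_graph, entry_points)
    report = {}
    for component, methods in components.items():
        hits = {m: call_path(parent, m)
                for m in sorted(methods & vulnerable) if m in parent}
        report[component] = {"security_reachable": bool(hits), "paths": hits}
    return report
```

The recorded path (App.main() to Library.b() to Library.a()) is the evidence a reviewer needs when the vulnerable method is never called directly by application code.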
How to use reachability analysis with Sonatype CLI
On the first execution of reachability analysis, the Security-Reachable label is automatically created as a new component label and attached to the relevant components. We recommend creating a policy that includes a constraint condition on the Security-Reachable label and setting its threat level based on the priority of remediation needs. This allows subsequent scans to trigger policy violations and provide immediate visibility.