Using Call Flow Analysis

Sonatype CLI will scan your application code with call flow analysis. The analysis detects method signatures in the application code that contain components with potentially exploitable security vulnerabilities. Such components are labeled as Security-Reachable and can be viewed on the component details page, accessible from the resulting application report.

How call flow analysis works in Lifecycle

By including an additional parameter in the CLI command, call flow analysis will run on Java (or any JVM language) binaries located in the scan target. The scan process analyzes all application binaries and the dependency binaries. A map of which methods the application uses is generated by the tool.

When the scan detects a vulnerable component whose vulnerable methods appear in that map, the component is labeled as Security-Reachable. Conversely, when the scan detects a vulnerable component that isn't referenced in that map, the component is not labeled.

Call flow analysis runs normally even if the scan target contains components that have been matched as proprietary components.

Application scans with call flow analysis will detect vulnerable methods even if they are not called directly by the application code.

Call Flow Analysis Example:

  • Consider methods Library.a() and Library.b()

  • Library.a() is a vulnerable method and is called by Library.b() as part of its built-in functionality

  • The application code calls the method, Library.b()

  • Call flow analysis detects this call as a call to a vulnerable method Library.a() and labels the open source dependency as Security-Reachable
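The transitive case in the example above, modelled as an added illustration in Python. This is not Sonatype's implementation, which analyzes JVM binaries; the call graph, the component names, and every method name other than Library.a() and Library.b() are constructed for the example.

```python
from collections import deque

# Constructed call graph (caller -> callees). Only Library.a() and Library.b()
# come from the page; every other name is hypothetical.
CALL_GRAPH = {
    "App.main": ["App.handle", "Other.util"],
    "App.handle": ["Library.b"],
    "Library.b": ["Library.a"],          # vulnerable method used internally
    "Library.c": ["Library.a"],          # never called by the application
    "Other.util": ["Other.helper"],
    "Other.helper": ["Other.util"],      # recursion cycle
    "Unused.run": ["Unused.bad"],        # dependency present but not called
}
# Constructed data: vulnerable method -> component that ships it.
VULNERABLE = {"Library.a": "library", "Unused.bad": "unused-lib"}
APP_ENTRY_POINTS = ["App.main"]


def reachable_paths(graph, roots):
    """Breadth-first walk from the application's methods.

    Returns {method: shortest call path from a root} for reachable methods."""
    paths = {root: [root] for root in roots}
    queue = deque(roots)
    while queue:
        caller = queue.popleft()
        for callee in graph.get(caller, []):
            if callee not in paths:      # visited check also stops cycles
                paths[callee] = paths[caller] + [callee]
                queue.append(callee)
    return paths


def label_components(graph, roots, vulnerable):
    """Return {component: {"label": str or None, "evidence": [call paths]}}."""
    paths = reachable_paths(graph, roots)
    report = {}
    for method, component in vulnerable.items():
        entry = report.setdefault(component, {"label": None, "evidence": []})
        if method in paths:
            entry["label"] = "Security-Reachable"
            entry["evidence"].append(paths[method])
    return report


if __name__ == "__main__":
    report = label_components(CALL_GRAPH, APP_ENTRY_POINTS, VULNERABLE)
    for component, result in report.items():
        print(component, result["label"], result["evidence"])
```

The recorded call path shows which application method pulls in the vulnerable one, which is the detail a remediation owner needs when the call is indirect.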

How to use call flow analysis with Sonatype CLI

  1. On the first execution of Call Flow Analysis, the Security-Reachable label is automatically created as a new component label and attached to relevant components.

  2. We recommend creating a policy that includes a constraint condition with the label Security-Reachable and determining the threat level based on the priority of remediation needs. This allows subsequent calls to trigger policy violations and provide immediate visibility.