Reachability analysis

Snyk reachability analysis allows you to analyze risk by identifying whether your application is calling a code element (e.g. functions, classes, modules, annotations, etc.) related to the vulnerability, thus raising the chances of that vulnerability being exploited in the context of your application.

Reachability analysis can be used as a standalone signal to make decisions, or as part of a broader risk-based prioritization approach using the Snyk Risk Score.

Snyk uses a combination of program analysis and various AI techniques to determine the reachability of a given vulnerability, with validation conducted by security research experts.

The following instructions explain how to set up and use reachability analysis and provide more information on how the underlying analysis works at Snyk.

Set up Reachability analysis

Follow these steps to enable Reachability analysis and begin analyzing Projects for reachable vulnerabilities:

• In the Organization Settings, navigate to the Snyk Open Source section.

• In the General section, find Reachability analysis.

• Activate Enable reachability analysis.

After Reachability analysis is enabled, the analysis is done as part of scanning Projects.

Supported languages and integrations

Reachability analysis is supported for the following languages and package managers:

Reachability analysis is supported in the following integrations:

Enabling Reachability analysis for brokered connections

If you use a brokered connection to your SCM, configure the Broker to provide access to your source files. See Clone an integration across your Snyk Organizations for configuration details for using Broker with Snyk Code.

Using Reachability analysis

Reachability status

After a vulnerability is identified, it has one of the following reachability statuses:

• REACHABLE - A direct or indirect path was found from your application to the vulnerable code.

• NO PATH FOUND - No path found from your application to the vulnerable code.

Reachability analysis status is available on the Project page, as part of the Risk Score, in the Issues Detail report, and through the API endpoint Get issues by Group ID.

Reachability analysis as shown on the Project page

After you import or test a Project using the Snyk UI, the Project is monitored by Snyk, and the results of the reachable vulnerabilities analysis appear on the Project page in the following places:

• Filters - Allow you to focus first on reachable vulnerabilities by filtering results based on reachability.

• Reachability badge - Allows you to quickly see on the issue card when a vulnerability is reachable.

• Call path - Allows you to see the path from your code to the vulnerable code element to validate the result.

Reachability analysis as part of the Risk Score

Risk Score helps you apply holistic risk-based prioritization that combines multiple factors, associated with either the vulnerability or the context of your application. Reachability analysis is such a contextual factor that will significantly increase the overall score.

Risk Score is available on the Projects page and through the API and Reports.

How Reachable vulnerability analysis works

Snyk uses a combination of security expert analysis, program analysis, and various AI techniques to determine the reachability of a vulnerability, including these steps of analysis:

1. Enriching vulnerabilities with the patches applied to fix them - as part of the Snyk vulnerability curation process, Snyk references the fix commit that the maintainer applied.

2. Related elements analysis - Based on the commit fix, Snyk uses DeepCode AI program analysis to analyze the code elements and other parameters related to the vulnerability.

3. Root Cause analysis - Snyk uses DeepCode AI and Natural language processing (NLP) techniques to automatically rank the related code elements by their chances of being the root cause of the vulnerability.

4. Reachability analysis - As issues are found in your application by a Snyk scan, the DeepCode program analysis engine is used to analyze the call graph of your application in relation to the call graph between the open-source dependencies used. A path between your application and a code element ranked as a root cause will yield a “Reachable” vulnerability.

5. Security experts supervision - Snyk security experts will manually verify and mark elements as root causes in order to make the entire analysis more accurate over time

The following considerations related to false positives and false negatives apply to Reachable vulnerability analysis.

Program analysis requires a trade-off between accurate results, minimizing false positives, and recall rates, by avoiding potentially exploitable vulnerabilities.

To facilitate this trade-off, Snyk DeepCode analysis applies real-time decision-making to determine whether to under-approximate the set of reachable elements based on analysis of the likelihood that a reachable path will be found in a specific environment.

For example, it is not always possible to give a precise answer when reflection programming is used. In such a case, neither returning a large set of false positives nor returning “Not reachable” will suffice. Snyk Deep Code analysis optimizes in order to retrieve the most accurate and complete result possible for a given code structure.

Understanding the Limits of Reachability in Static Analysis

Snyk aims to identify and demonstrate when a code element is reachable, while also addressing the challenges of indicating that a code element cannot be reached.

Static analysis techniques can show that a vulnerability or code element can be reached through at least one execution path. However, just because there is no evidence of this does not mean that the element cannot be reached.

A code element that is not marked as reachable may still be accessible under conditions that were not considered during analysis. This can occur due to incomplete information, control flow issues, potential dynamic behaviors, or overlooked edge cases.

Reachability is an important factor in assessing security risks. When evaluating these risks, consider both reachable issues and those that are not reachable. This helps you evaluate security risks as a whole, making sure you do not overlook any potential threats.