Reachable vulnerabilities

A reachable vulnerability has a path from your code to the root cause of a vulnerability. Snyk reachable vulnerability scanning allows you to gauge risk by identifying whether a function related to the vulnerability is being called by your application, raising the chances of that vulnerability being exploitable in the context of your application.

Reachable vulnerabilities can be used as a single signal to make decisions or as part of a broader risk-based prioritization approach, like the Risk Score.

The following instructions explain how to set up and use reachable vulnerabilities, as well as provide more information on how reachability analysis works at Snyk.

Setting up reachability

Enabling Reachability is done using the Organization setting:

  • In the Organization settings, navigate to the Languages section.

  • Navigate to the Reachable vulnerabilities analysis section.

  • Activate the Reachable vulnerabilities analysis and save your changes.

After it is enabled, reachability analysis is done as part of testing Projects.

To update existing Projects with the reachability analysis immediately, trigger a manual test.

Supported languages and integrations for Reachable Vulnerabilities

Reachable vulnerabilities analysis is available for Java (Maven and Gradle) Projects.

The following integrations are supported for Reachable Vulnerabilities analysis:

Release status

Reachability for all SCM providers is in Early Access and available only for Enterprise plans.

To enable the feature, see Snyk Preview.

Reachable vulnerability analysis using the Snyk CLI, other Git integrations, and other languages is not currently supported.

Enabling Reachability for brokered connections

If you use a brokered connection to your SCM, configure the Broker to provide access to your source files. See the Snyk Code - Clone capability with Broker for Docker, the Broker rules for Snyk Code, and the Snyk Broker - Code Agent documentation for configuration details when the Broker is used with Snyk Code.

Using Reachability

The Reachability status

After a vulnerability is identified, it receives one of two reachability statuses:

  • Reachable - A direct or indirect path was found from your application to the vulnerable code.

  • No path found - No path was found from your application to the vulnerable code.

If a vulnerability has the No path found status, do not assume that it is totally unreachable or unexploitable; it only means the analysis did not find a path.

On the Project page

After importing or testing a Project using the Snyk UI, the Project is monitored by Snyk, and the results of the reachable vulnerabilities analysis appear on the Project page in the following places:

  1. Filters - Allows you to focus on reachable vulnerabilities first by filtering results based on reachability.

  2. Reachability badge - Allows you to quickly understand the reachability level of vulnerabilities.

  3. Call path - Allows you to see the path from your code to the vulnerable function to validate the result.

Reachability status is currently not available using Reports or the API.

As part of the Risk Score

Risk Score helps you apply holistic, risk-based prioritization that combines multiple factors, some objective to the vulnerability itself and some drawn from the context of your application. Reachability is one such contextual factor, and it significantly increases the overall score.

Risk Score is available on the Projects page, API, and Reports.

Priority score, the legacy model preceding the Risk Score, also takes reachable vulnerabilities into account.

Reachability analysis

Snyk uses a combination of security expert analysis, program analysis, and various AI techniques to determine the reachability of a vulnerability, including these steps of analysis:

  1. Enriching vulnerabilities with the patches applied to fix them - as part of our vulnerability curation process, we reference the fix commit that the maintainer applied.

  2. Related elements analysis - Based on the fix commit, Snyk uses DeepCode AI program analysis to analyze the functions and other code elements related to the vulnerability.

  3. Root Cause analysis - Snyk uses DeepCode AI and NLP techniques to automatically rank the related code elements by their chances of being the root cause of the vulnerability.

  4. Reachability analysis - As issues are found in your application by the Snyk scan, the DeepCode program analysis engine is used to analyze the call graph of your application in relation to the call graph between the open-source dependencies used. A path between your application and a code element ranked as a root cause will yield a “Reachable” vulnerability.

  5. Security experts supervision - Snyk security experts manually verify and mark elements as root causes in order to make the entire analysis more accurate over time.

False Positive and False Negative considerations

Program analysis requires a trade-off between accurate results (minimizing false positives) and high recall (not missing potentially exploitable vulnerabilities).

To address this, Snyk DeepCode decides in real time whether to under-approximate the set of reachable elements, based on an analysis of how likely a reachable path is to be found in the specific environment.

For example, it is not always possible to give a precise answer when reflection is used. In such a case, neither returning a large set of false positives nor returning “Not reachable” will suffice. Snyk DeepCode analysis optimizes to retrieve the most accurate and complete result possible for a given code structure.
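The following Python script is an added illustration of the two ideas above: step 4 of the analysis (walking the merged application and dependency call graph to a root-cause element and reporting "Reachable" or "No path found") and the reflection caveat (a call whose target cannot be resolved statically makes the result an under-approximation). It is not Snyk's code or its DeepCode engine; the call graphs, package names (com.example, org.tpl, org.yaml) and vulnerability identifiers are constructed for the example, and the breadth-first search is a generic algorithm, not a description of Snyk's implementation.

```python
from collections import deque

# Constructed call graphs (caller -> list of callees). The package and class names
# are made up for illustration; none of them is a real library or a real Snyk record.
APP_CALL_GRAPH = {
    "com.example.App.main": ["com.example.ReportService.render", "com.example.Loader.load"],
    "com.example.ReportService.render": ["org.tpl.Engine.render"],
    # Reflective call: the static call graph cannot tell what this invokes.
    "com.example.Loader.load": ["java.lang.reflect.Method.invoke"],
}
DEP_CALL_GRAPH = {
    "org.tpl.Engine.render": ["org.tpl.Expr.eval"],
    "org.tpl.Expr.eval": ["org.tpl.Expr.evalUnsafe"],
    "org.yaml.Parser.parse": ["org.yaml.Parser.constructObject"],
}
# Constructed vulnerability records: each maps to the code elements ranked as root cause.
VULNS = {
    "CONSTRUCTED-TPL-1": ["org.tpl.Expr.evalUnsafe"],
    "CONSTRUCTED-YAML-1": ["org.yaml.Parser.constructObject"],
}
# Call targets whose callees cannot be resolved statically (reflection).
UNRESOLVED_SINKS = {"java.lang.reflect.Method.invoke"}


def merge_graphs(*graphs):
    """Union several caller->callees maps into one adjacency map (order preserved)."""
    merged = {}
    for graph in graphs:
        for caller, callees in graph.items():
            bucket = merged.setdefault(caller, [])
            bucket.extend(c for c in callees if c not in bucket)
    return merged


def traverse(entry_points, graph):
    """Breadth-first walk from the application's entry points.

    Returns (parent, unresolved): parent maps every reached node to the node it was
    first reached from (entry points map to None); unresolved is True when the walk
    hit a call whose target is unknown, so the reachable set may be incomplete.
    """
    parent = {ep: None for ep in entry_points}
    queue = deque(entry_points)
    unresolved = False
    while queue:
        node = queue.popleft()
        if node in UNRESOLVED_SINKS:
            unresolved = True
            continue
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return parent, unresolved


def call_path(parent, target):
    """Rebuild the entry-point-to-target path from the BFS parent map."""
    path = []
    node = target
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def analyze(entry_points, vulns, app_graph, dep_graph):
    """Assign each vulnerability a 'Reachable' or 'No path found' status with evidence."""
    graph = merge_graphs(app_graph, dep_graph)
    parent, unresolved = traverse(entry_points, graph)
    results = {}
    for vuln_id, root_causes in vulns.items():
        hits = [rc for rc in root_causes if rc in parent]
        if hits:
            results[vuln_id] = {"status": "Reachable", "path": call_path(parent, hits[0]),
                                "analysis_incomplete": unresolved}
        else:
            # Absence of a path is not proof of unreachability, especially when the
            # traversal stopped at a call it could not resolve.
            results[vuln_id] = {"status": "No path found", "path": None,
                                "analysis_incomplete": unresolved}
    return results


if __name__ == "__main__":
    report = analyze(["com.example.App.main"], VULNS, APP_CALL_GRAPH, DEP_CALL_GRAPH)
    for vuln_id, result in report.items():
        print(vuln_id, result["status"], " -> ".join(result["path"] or []),
              "(analysis incomplete: reflective call seen)" if result["analysis_incomplete"] else "")
```

Running it marks CONSTRUCTED-TPL-1 as Reachable with the call path main -> ReportService.render -> Engine.render -> Expr.eval -> Expr.evalUnsafe, which is the evidence a reviewer would use to validate the badge. CONSTRUCTED-YAML-1 gets No path found, but the analysis_incomplete flag is set because the reflective call in Loader.load could invoke anything, which is exactly why a No path found result should not be read as "unexploitable".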


© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.