Reachability annotation

For a curated list of dependency packages, Vulkro knows which exported symbols carry the vulnerability in a given CVE. Each CVE finding is then tagged by whether your code actually calls those symbols:

  • [reachable] - vulnerable symbol(s) appear in your code.
  • [unreachable - vulnerable symbol not called from your code] - the package is in your dependency tree, but you don't touch the vulnerable surface.

This dramatically cuts CVE noise on dependency-heavy projects without hiding real risk.

Curated package list

Reachability runs on a pinned subset of high-traffic packages - adding new packages requires hand-curated symbol-to-CVE mapping, which is slow but accurate. Current coverage includes:

  • JS/TS: lodash, axios, jsonwebtoken, ws, ejs, handlebars, marked, prismjs
  • Python: requests, pyyaml, jinja2, paramiko, cryptography, lxml, pillow, urllib3
  • Rust: very limited; tracking issue.

Outside the curated list, CVE findings are emitted without [reachable] / [unreachable] tags - same conservative behaviour as Snyk / Dependabot.

Algorithm

  1. Parse the dependency manifest, get the matched (package, version, CVE) tuples.
  2. For each tuple, look up vulnerable_symbols in the CVE bundle.
  3. Walk the project's import graph + identifier-use index to determine whether any of those symbols appear in a callable position (function call, method call, member access for callables).
  4. Tag the finding accordingly.

The walk is deliberately under-precise: a false positive on [reachable] (the safer error for security) is preferred over a false negative that would hide a genuinely called vulnerable symbol.
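Steps 3 and 4 of the algorithm on a single Python source file, as an added example that is not Vulkro's own code: the symbol table entry, its version and its CVE id are constructed placeholders, and the resolver handles `import x`, `import x as y`, `from x import s` and `from x import s as t`, counting any reference to a vulnerable symbol (called or merely passed around) in line with the over-approximation described above.

```python
import ast

# Constructed stand-in for one CVE bundle entry (placeholder ids, not real CVE data):
# (package, version, CVE) -> exported symbols that carry the vulnerability.
VULNERABLE_SYMBOLS = {("pyyaml", "5.3", "CVE-PLACEHOLDER-0001"): {"yaml.load", "yaml.full_load"}}
UNREACHABLE_TAG = "[unreachable - vulnerable symbol not called from your code]"

def _dotted(node):
    """Flatten a Name/Attribute chain such as y.load into ['y', 'load']; None otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return parts[::-1]

def _import_aliases(tree):
    """Map each locally bound import name to the module or symbol it refers to."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:  # 'import a.b' binds 'a'; 'import a.b as c' binds 'c' -> 'a.b'
                root = a.name.split(".")[0]
                aliases[a.asname or root] = a.name if a.asname else root
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:  # 'from yaml import load as yl' binds 'yl' -> 'yaml.load'
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases

def reachable_symbols(source, vulnerable):
    """Vulnerable qualified names this module references (step 3 of the algorithm).
    Over-approximates on purpose: a symbol merely passed around as a callable counts,
    and local shadowing of an imported name is ignored (false [reachable] over missed)."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    hits = set()
    for node in ast.walk(tree):
        parts = _dotted(node)
        if parts and parts[0] in aliases:
            qualified = ".".join([aliases[parts[0]], *parts[1:]])
            if qualified in vulnerable:
                hits.add(qualified)
    return hits

def tag_finding(source, vulnerable):
    """Step 4: tag one (package, version, CVE) finding for this source file."""
    return "[reachable]" if reachable_symbols(source, vulnerable) else UNREACHABLE_TAG
```

A real run would union the hits across every module in the project's import graph before tagging; this block shows the per-file decision only.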

Where this matters

A typical long tail of CVE findings on a dependency-heavy project looks like this:

Without reachability:
CVE-2024-21733 (lodash) your project | 1 finding
CVE-2024-29025 (netty) your project | 1 finding
CVE-2023-44487 (http2) your project | 1 finding
CVE-2024-... x 47 more

With reachability:
CVE-2024-21733 (lodash) [reachable] <- needs attention
CVE-2024-29025 (netty) [unreachable] <- deferred
CVE-2023-44487 (http2) [unreachable] <- deferred
CVE-2024-... x 47 more mostly [unreachable]

Net effect on a typical Node monorepo: 50-80% of CVE findings move to [unreachable] and out of the High-confidence default view.