Reverse symbolic execution
Given any finding's file + line, Vulkro walks the call graph backward and returns every entry point that reaches it. Useful when triaging "is this real?" - the answer is usually "yes if this sink is reachable from a route handler".
Output shape
For one target (file, line):
{
  "target_file": "services/db.py",
  "target_line": 42,
  "paths": [
    {
      "origin": "endpoint_e7",
      "origin_label": "POST /api/charge",
      "hops": [
        { "file": "routes/charge.py", "function": "handle_charge", "line": 11 },
        { "file": "services/billing.py", "function": "submit", "line": 25 },
        { "file": "services/db.py", "function": "execute_q", "line": 40 }
      ]
    }
  ],
  "unreachable_targets": [],
  "truncated": false
}
When paths is empty AND unreachable_targets is populated, the
finding is in code that no entry point reaches via the resolved
call graph - dead code, or only reachable via dynamic dispatch the
builder did not follow.
Bounds
- max_depth = 10 hops (most real chains are < 8).
- max_paths = 64 per target (truncate flag fires when exceeded).
Adjust with VULKRO_REVERSE_REACH_DEPTH / VULKRO_REVERSE_REACH_PATHS.
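The backward walk and its two bounds, written out as an added example that emits the report shape shown under Output shape. It is not Vulkro's code: the call graph, the POST /api/refund endpoint, the rule for finding the enclosing function, and the "file:line" format of unreachable_targets entries are all assumptions made for illustration.

```python
# Constructed call graph. FUNCS: function -> (file, first line); CALLERS: callee -> callers.
FUNCS = {
    "handle_charge": ("routes/charge.py", 11),
    "refund": ("routes/refund.py", 8),
    "submit": ("services/billing.py", 25),
    "execute_q": ("services/db.py", 40),
    "old_export": ("jobs/legacy.py", 7),
    "dump_rows": ("services/db.py", 90),
}
CALLERS = {"execute_q": ["submit"], "submit": ["handle_charge", "refund"],
           "dump_rows": ["old_export"]}
ENTRY_POINTS = {"handle_charge": ("endpoint_e7", "POST /api/charge"),
                "refund": ("endpoint_e9", "POST /api/refund")}

def enclosing_function(file, line):
    """Assumption: a line belongs to the closest function starting at or above it."""
    starts = [(start, fn) for fn, (f, start) in FUNCS.items() if f == file and start <= line]
    return max(starts)[1] if starts else None

def reverse_reach(file, line, max_depth=10, max_paths=64):
    report = {"target_file": file, "target_line": line, "paths": [],
              "unreachable_targets": [], "truncated": False}
    target_fn = enclosing_function(file, line)
    stack = [[target_fn]] if target_fn else []   # each chain runs from its head to the sink
    while stack:
        chain = stack.pop()
        head = chain[0]
        if head in ENTRY_POINTS:
            if len(report["paths"]) >= max_paths:
                report["truncated"] = True       # more paths exist than the cap allows
                break
            origin, label = ENTRY_POINTS[head]
            hops = [{"file": FUNCS[fn][0], "function": fn, "line": FUNCS[fn][1]}
                    for fn in chain]
            report["paths"].append({"origin": origin, "origin_label": label, "hops": hops})
        if len(chain) < max_depth:               # depth bound, counted in hops
            for caller in CALLERS.get(head, []):
                if caller not in chain:          # skip recursion cycles
                    stack.append([caller] + chain)
    if not report["paths"]:
        # Nothing reached the target within the bounds (entry format is an assumption).
        report["unreachable_targets"].append(f"{file}:{line}")
    return report
```

In this example, lowering max_depth below the real chain length moves a reachable sink into unreachable_targets, so an empty paths list is only as trustworthy as the bounds and the call graph behind it.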
Desktop console
Each finding card carries a Trace back button. Click it to render the reverse-reach report inline. The button is a one-line deep-link into the analysis API, so the entire round trip stays local and offline.
Pairs with
- Attack-path graph for the inverse direction.
- Bruteforce sinks to know which payload caused the finding.
- vulkro why <file>:<line> CLI subcommand (planned).