---
id: wiki-2026-0508-reachability-analysis
title: Reachability Analysis
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Vulnerability Reachability, SCA Reachability, Function-level Reachability]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, sca, supply-chain, static-analysis]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: multiple
  framework: snyk-endor-semgrep
---

# Reachability Analysis

## In one line

> **"Is the vulnerable function actually called? Reachability filters out 80%+ of the noise."**

The evolution of SCA (Software Composition Analysis). Endor Labs / Snyk Reachability / Semgrep Supply Chain / Socket are the 2026 standard for security triage.

## Core

### Reachability levels

- **Package-level**: is the dependency installed? (CVE found, but the code is unused: 80%+ false positives)
- **Module-level**: is the module imported?
- **Function-level**: is the vulnerable function in the call graph from an application entry point?
- **Conditional reachability**: is it reachable only under specific input?

### Techniques

- **Static call graph**: AST + import resolution → call edges (Python: pyan, JS: madge, Java: WALA).
- **Points-to analysis**: pointer/reference flow (Soot, Doop).
- **Symbolic execution**: path conditions (KLEE, angr); heavy.
- **Dynamic tracing**: runtime instrumentation (Sentry, Datadog ASM).
- **Hybrid**: static + runtime; the most accurate.

### Applications

1. CVE triage: 1000 alerts → 50 actually exploitable.
2. License risk: is the GPL function actually used?
3. Dead code elimination: unreachable → tree-shake.
4. Compliance: FedRAMP / SLSA evidence.
5. SBOM augmentation: VEX (Vulnerability Exploitability eXchange) generation.
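Added example, not from this page or any of the tools it names: a stdlib-only function-level reachability check in the spirit of the static call graph technique above, whose result feeds a CycloneDX-style VEX entry as in the SBOM augmentation application. It parses a constructed sample module with `ast`, builds a call graph, walks it from the entry point, and marks the CVE `not_affected` when the vulnerable function is never reached; `APP_SRC`, `build_call_graph`, `reachable_from`, `vex_entry`, the `lodash_like` module and the CVE/purl values are all assumptions.

```python
import ast
from collections import deque

# Constructed sample app (not a real project): merge() is imported but only
# called from a helper that no entry point reaches, so the CVE is not reachable.
APP_SRC = '''
from lodash_like import merge, pick
def main(cfg):
    return load(cfg)
def load(cfg):
    return pick(cfg, "name")
def unused_helper(a, b):
    return merge(a, b)
'''

def build_call_graph(src: str) -> dict[str, set[str]]:
    # Map each top-level function to the callee names it invokes directly.
    graph: dict[str, set[str]] = {}
    for node in ast.parse(src).body:
        if isinstance(node, ast.FunctionDef):
            callees = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    fn = sub.func  # handle both f(...) and obj.f(...)
                    callees.add(fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", "?"))
            graph[node.name] = callees
    return graph

def reachable_from(graph: dict[str, set[str]], entry: str) -> set[str]:
    # BFS over call edges; imported names have no outgoing edges and act as leaves.
    seen, queue = set(), deque([entry])
    while queue:
        fn = queue.popleft()
        if fn not in seen:
            seen.add(fn)
            queue.extend(graph.get(fn, ()))
    return seen

def vex_entry(graph: dict[str, set[str]], entry: str, vuln_func: str, cve: str, purl: str) -> dict:
    # CycloneDX VEX analysis: reachable means "triage it", not proof of exploitability.
    hit = vuln_func in reachable_from(graph, entry)
    analysis = {"state": "in_triage" if hit else "not_affected",
                "detail": f"{vuln_func}() {'is' if hit else 'is not'} called from {entry}()"}
    if not hit:
        analysis["justification"] = "vulnerable_code_not_in_execute_path"
    return {"id": cve, "affects": [{"ref": purl}], "analysis": analysis}

if __name__ == "__main__":
    g = build_call_graph(APP_SRC)
    print(vex_entry(g, "main", "merge", "CVE-EXAMPLE-0000", "pkg:pypi/lodash-like@1.0.0"))
```

Real tools resolve imports across files and handle dynamic dispatch; this walker only sees direct call edges inside one module, which is exactly the gap the runtime confirmation below is meant to close.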
## 💻 Patterns

### Python — call graph with pyan/jedi

```python
import jedi


def reachable_funcs(entry_file: str, target_func: str) -> bool:
    """Walk from entry_file through the modules jedi resolves, looking for a
    reference whose fully qualified name contains target_func."""
    visited, queue = set(), [entry_file]
    while queue:
        f = queue.pop()
        if f in visited:
            continue
        visited.add(f)
        script = jedi.Script(path=f)
        # all_scopes=True so that calls inside function bodies are seen too,
        # not just module-level names.
        for ref in script.get_names(all_scopes=True, references=True):
            if ref.full_name and target_func in ref.full_name:
                return True
            # module_path is a pathlib.Path; compare as str to avoid always-unequal
            if ref.module_path and str(ref.module_path) != f:
                queue.append(str(ref.module_path))
    return False
```

### JavaScript — madge dependency graph

madge emits a module-level import graph (file → imported files), so this gives module-level, not function-level, reachability.

```bash
npx madge --json src/index.js > graph.json
```

```javascript
const graph = require('./graph.json');

// Depth-first search over the module graph: is `target` imported, transitively,
// from `entry`?
function reachable(entry, target, visited = new Set()) {
  if (visited.has(entry)) return false;
  visited.add(entry);
  if (entry === target) return true;
  return (graph[entry] || []).some(d => reachable(d, target, visited));
}
```

### Semgrep Supply Chain rule

```yaml
rules:
  - id: lodash-prototype-pollution-reachable
    languages: [javascript]
    severity: WARNING
    message: lodash merge() is called; CVE-2020-8203 (prototype pollution) is reachable
    pattern: _.merge($DEST, $SRC)
    metadata:
      cve: CVE-2020-8203
      package: lodash
      vulnerable-versions: "<4.17.20"
```

### SBOM + VEX (CycloneDX)

```json
{
  "vulnerabilities": [{
    "id": "CVE-2024-12345",
    "affects": [{"ref": "pkg:npm/lodash@4.17.15"}],
    "analysis": {
      "state": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "detail": "merge() function not called from any entry point"
    }
  }]
}
```

### Java — Soot points-to

```java
// Pseudocode for the Soot framework: register a whole-program transform that
// reads the call graph and intersects its methods with the vulnerable ones.
// Imports: soot.PackManager, soot.Scene, soot.SceneTransformer, soot.Transform,
// soot.jimple.toolkits.callgraph.CallGraph, java.util.*
PackManager.v().getPack("wjtp").add(new Transform("wjtp.callgraph", new SceneTransformer() {
    protected void internalTransform(String phase, Map opts) {
        CallGraph cg = Scene.v().getCallGraph();
        Set reachable = new HashSet<>();
        Iterator it = cg.sourceMethods();
        while (it.hasNext()) reachable.add(it.next());
        // intersect with vulnerable methods
    }
}));
```

### Runtime reachability (Datadog ASM-style)

```python
import functools, inspect
CALL_SITES = {}  # vulnerable function name -> set of "file:line" callers seen at runtime
def trace_call(func):  # wrap a vulnerable library function and record its call sites
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        caller = inspect.stack()[1]
        CALL_SITES.setdefault(func.__name__, set()).add(f"{caller.filename}:{caller.lineno}")
        return func(*args, **kwargs)
    return wrapper
@trace_call
def vulnerable_lib_func(*args):  # stand-in for the real library function
    return args
# After a load test, CALL_SITES shows which instrumented CVEs were actually hit
```

### CI gate (GitHub Actions)

```yaml
- uses: endorlabs/scan-action@v3
  with:
    namespace: my-org
    reachability: function
    fail-on: critical-reachable
```

## Decision criteria

| Situation | Tool |
|---|---|
| JS/TS monorepo | Socket / Snyk |
| Java/Kotlin | Endor Labs / Snyk |
| Python | Semgrep SC / Endor |
| Polyglot enterprise | Endor Labs |
| OSS, free | OSV-Scanner + custom call graph |
| Runtime accuracy | Datadog ASM / Aikido / Oligo |

**Default**: in 2026, hybrid: a static reachability gate in CI plus runtime confirmation in prod.

## 🔗 Graph

- Parents: [[Software Composition Analysis]] · [[Static Analysis]] · [[Supply Chain Security]]
- Applications: [[SBOM]] · [[SLSA]]
- Adjacent: [[Semgrep]]

## 🤖 Using LLMs

**When**: vulnerability summaries, fix-PR generation (dependency upgrade plus breaking-change risk), VEX justification drafting.

**When not**: the call graph itself; LLMs hallucinate edges. Use deterministic tools (Soot, jedi).

## ❌ Anti-patterns

- **All CVEs are critical**: noise overwhelms the team; alert fatigue. A reachability filter is required.
- **Static only**: dynamic dispatch / reflection are missed. Add runtime confirmation.
- **No transitive coverage**: only direct deps are checked; transitive vulns stay invisible.
- **Reachability = exploitability**: reachable ≠ exploitable (auth, sandboxing). Still triage.

## 🧪 Verification / duplicates

- Verified (Endor Labs research; Snyk reachability docs; OWASP Dependency Check).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: full security reachability entry |