bluemsi/2nd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
22cd97698ef9352ce3ac6cd79ef9508bc9dfc09f
2nd/10_Wiki/Topics/Architecture/Reachability_Analysis.md
T
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization 
10_Wiki/Topics 대규모 정리:
- 오류 캡처/미완성 stub 문서 227개 제거
- 교차폴더 중복 43클러스터 병합 (63파일 → redirect)
- 링크명 정규화: 깨진 링크 수정·redirect 직결·개념 매핑 ~2,400건
- 카테고리 MOC 6개 신규 생성
- Graph 섹션 미해결 related-keyword 링크 10,058건 제거

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00

178 lines
5.7 KiB
Markdown
Raw Blame History

---
id: wiki-2026-0508-reachability-analysis
title: Reachability Analysis
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Vulnerability Reachability, SCA Reachability, Function-level Reachability]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, sca, supply-chain, static-analysis]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
language: multiple
framework: snyk-endor-semgrep
---
# Reachability Analysis
## 매 한 줄
> **"매 vulnerable function 매 actually called 인지 — 매 noise 80%+ filter"**. 매 SCA (Software Composition Analysis) 매 evolution. Endor Labs / Snyk Reachability / Semgrep Supply Chain / Socket — 매 2026 standard for security triage.
## 매 핵심
### 매 reachability levels
- **Package-level**: 매 dependency installed? (CVE found, but unused — 매 false positive 80%+)
- **Module-level**: 매 module imported?
- **Function-level**: 매 vulnerable function in call graph from app entry?
- **Conditional reachability**: 매 reachable only under specific input?
### 매 techniques
- **Static call graph**: 매 AST + import resolution → call edges (Python: pyan, JS: madge, Java: WALA).
- **Points-to analysis**: 매 pointer/reference flow — Soot, Doop.
- **Symbolic execution**: 매 path conditions (KLEE, angr) — heavy.
- **Dynamic tracing**: 매 runtime instrumentation (Sentry, Datadog ASM).
- **Hybrid**: 매 static + runtime — 매 most accurate.
### 매 응용
1. CVE triage — 매 1000 alerts → 매 50 actually exploitable.
2. License risk — 매 GPL function actually used?
3. Dead code elimination — 매 unreachable → tree-shake.
4. Compliance — FedRAMP / SLSA evidence.
5. SBOM augmentation — VEX (Vulnerability Exploitability eXchange) generation.
## 💻 패턴
### Python — call graph with pyan/jedi
```python
import jedi
def reachable_funcs(entry_file: str, target_func: str) -> bool:
visited, queue = set(), [entry_file]
while queue:
f = queue.pop()
if f in visited: continue
visited.add(f)
script = jedi.Script(path=f)
for ref in script.get_names(references=True):
if ref.full_name and target_func in ref.full_name:
return True
if ref.module_path and ref.module_path != f:
queue.append(str(ref.module_path))
return False
```
### JavaScript — madge call graph
```bash
npx madge --json src/index.js > graph.json
```
```javascript
const graph = require('./graph.json');
function reachable(entry, target, visited = new Set()) {
if (visited.has(entry)) return false;
visited.add(entry);
if (entry === target) return true;
return (graph[entry] || []).some(d => reachable(d, target, visited));
}
```
### Semgrep Supply Chain rule
```yaml
rules:
- id: lodash-prototype-pollution-reachable
languages: [javascript]
pattern: _.merge($DEST, $SRC)
metadata:
cve: CVE-2020-8203
package: lodash
vulnerable-versions: "<4.17.20"
```
### SBOM + VEX (CycloneDX)
```json
{
"vulnerabilities": [{
"id": "CVE-2024-12345",
"affects": [{"ref": "pkg:npm/lodash@4.17.15"}],
"analysis": {
"state": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"detail": "merge() function not called from any entry point"
}
}]
}
```
### Java — Soot points-to
```java
// pseudocode for Soot framework
PackManager.v().getPack("wjtp").add(new Transform("wjtp.callgraph", new SceneTransformer() {
protected void internalTransform(String phase, Map opts) {
CallGraph cg = Scene.v().getCallGraph();
Set<MethodOrMethodContext> reachable = new HashSet<>();
Iterator<MethodOrMethodContext> it = cg.sourceMethods();
while (it.hasNext()) reachable.add(it.next());
// intersect with vulnerable methods
}
}));
```
### Runtime reachability (Datadog ASM-style)
```python
# Instrument vulnerable function
@trace_call
def vulnerable_lib_func(*args):
record_call_site(inspect.stack())
return original(*args)
# After load test → know which CVEs actually hit
```
### CI gate (GitHub Actions)
```yaml
- uses: endorlabs/scan-action@v3
with:
namespace: my-org
reachability: function
fail-on: critical-reachable
```
## 매 결정 기준
| 상황 | Tool |
|---|---|
| 매 JS/TS monorepo | Socket / Snyk |
| 매 Java/Kotlin | Endor Labs / Snyk |
| 매 Python | Semgrep SC / Endor |
| 매 polyglot enterprise | Endor Labs |
| 매 OSS, free | OSV-Scanner + custom call graph |
| 매 runtime accuracy | Datadog ASM / Aikido / Oligo |
**기본값**: 매 2026 매 hybrid — static reachability gate in CI + runtime confirmation in prod.
## 🔗 Graph
- 부모: [[Software Composition Analysis]] · [[Static Analysis]] · [[Supply Chain Security]]
- 응용: [[SBOM]] · [[SLSA]]
- Adjacent: [[Semgrep]]
## 🤖 LLM 활용
**언제**: 매 vulnerability summary, 매 fix PR generation (deps upgrade + breaking change risk), 매 VEX justification drafting.
**언제 X**: 매 call graph itself — LLM 매 hallucinate edges. 매 deterministic tools (Soot, jedi).
## ❌ 안티패턴
- **All CVEs are critical**: 매 noise overwhelm — alert fatigue. 매 reachability filter 필수.
- **Static only**: 매 dynamic dispatch / reflection 매 miss. 매 runtime confirmation.
- **No transitive coverage**: 매 only direct deps — transitive vulns invisible.
- **Reachability = exploitability**: 매 reachable ≠ exploitable (auth, sandboxing). 매 still triage.
## 🧪 검증 / 중복
- Verified (Endor Labs research; Snyk reachability docs; OWASP Dependency Check).
- 신뢰도 A.
## 🕓 Changelog
| 날짜 | 변경 |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — full security reachability entry |
Reference in New Issue View Git Blame Copy Permalink