Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
Large-scale cleanup of 10_Wiki/Topics:
- Removed 227 error-capture / unfinished stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link-name normalization: broken-link fixes, direct redirect wiring, concept mapping, ~2,400 items
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00

---
id: wiki-2026-0508-reachability-analysis
title: Reachability Analysis
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases:
  - Vulnerability Reachability
  - SCA Reachability
  - Function-level Reachability
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, sca, supply-chain, static-analysis]
raw_sources:
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: multiple
  framework: snyk-endor-semgrep
---

# Reachability Analysis

## One-liner

"Is the vulnerable function actually called? That one question filters out 80%+ of the noise." Reachability analysis is the evolution of SCA (Software Composition Analysis). Endor Labs / Snyk Reachability / Semgrep Supply Chain / Socket are the 2026 standard for security triage.

## Core concepts

### Reachability levels

- Package-level: is the dependency installed at all? (CVE found, but the code is unused: 80%+ false positives)
- Module-level: is the module imported?
- Function-level: is the vulnerable function in the call graph from the application entry point?
- Conditional reachability: is it reachable only under specific input?

### Techniques

- Static call graph: AST + import resolution → call edges (Python: pyan, JS: madge, Java: WALA).
- Points-to analysis: pointer/reference flow (Soot, Doop).
- Symbolic execution: path conditions (KLEE, angr); heavy.
- Dynamic tracing: runtime instrumentation (Sentry, Datadog ASM).
- Hybrid: static + runtime; the most accurate.

## Applications

1. CVE triage: 1000 alerts → 50 actually exploitable.
2. License risk: is the GPL function actually used?
3. Dead code elimination: unreachable → tree-shake.
4. Compliance: FedRAMP / SLSA evidence.
5. SBOM augmentation: VEX (Vulnerability Exploitability eXchange) generation.

## 💻 Patterns

### Python — call graph with pyan/jedi

```python
import jedi


def reachable_funcs(entry_file: str, target_func: str) -> bool:
    """Follow name references from the entry module into the modules they
    resolve to, and report whether any reference points at target_func."""
    visited, queue = set(), [entry_file]
    while queue:
        f = queue.pop()
        if f in visited:
            continue
        visited.add(f)
        script = jedi.Script(path=f)
        for ref in script.get_names(references=True):
            if ref.full_name and target_func in ref.full_name:
                return True
            # module_path is a Path; compare as str so visited files dedup correctly
            if ref.module_path and str(ref.module_path) != f:
                queue.append(str(ref.module_path))
    return False
```

### JavaScript — madge call graph

```sh
npx madge --json src/index.js > graph.json
```

```javascript
// graph.json maps each module path to the module paths it imports.
// Note: madge edges are imports, so this answers module-level reachability,
// not function-level.
const graph = require('./graph.json');

function reachable(entry, target, visited = new Set()) {
  if (visited.has(entry)) return false;
  visited.add(entry);
  if (entry === target) return true;
  return (graph[entry] || []).some(d => reachable(d, target, visited));
}
```

### Semgrep Supply Chain rule

```yaml
rules:
  - id: lodash-prototype-pollution-reachable
    languages: [javascript]
    pattern: _.merge($DEST, $SRC)
    # message and severity are required for the rule to load
    message: Call to lodash merge() reachable; CVE-2020-8203 prototype pollution in lodash <4.17.20
    severity: WARNING
    metadata:
      cve: CVE-2020-8203
      package: lodash
      vulnerable-versions: "<4.17.20"
```

### SBOM + VEX (CycloneDX)

```json
{
  "vulnerabilities": [{
    "id": "CVE-2024-12345",
    "affects": [{"ref": "pkg:npm/lodash@4.17.15"}],
    "analysis": {
      "state": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "detail": "merge() function not called from any entry point"
    }
  }]
}
```
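The static call-graph technique and the VEX step above, combined in one added example (not code from the page or from any of the vendors it names): an AST-based call-graph builder with import-alias resolution, a depth-first reachability walk, and a CycloneDX-style VEX `analysis` object derived from the verdict. The application source is constructed and `lodash_like` is a hypothetical package name.

```python
import ast

APP_SRC = """# constructed sample app (not from the page); only admin_tool() hits the sink
import lodash_like as ll
def main():
    return parse(read_input())
def parse(data):
    return ll.safe_parse(data)
def admin_tool(data):
    return ll.merge({}, data)   # vulnerable sink, never reached from main()
"""

def build_call_graph(src: str) -> dict:
    """AST + import resolution -> call edges keyed by top-level function name;
    alias calls resolve to 'module.func' (ll.merge -> lodash_like.merge)."""
    tree = ast.parse(src)
    aliases = {}          # local alias -> imported module name
    graph = {}
    for node in tree.body:
        if isinstance(node, ast.Import):
            aliases.update({a.asname or a.name: a.name for a in node.names})
        elif isinstance(node, ast.FunctionDef):
            graph[node.name] = set()
            for call in (n for n in ast.walk(node) if isinstance(n, ast.Call)):
                f = call.func
                if isinstance(f, ast.Name):
                    graph[node.name].add(f.id)
                elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                    graph[node.name].add(f"{aliases.get(f.value.id, f.value.id)}.{f.attr}")
    return graph

def is_reachable(graph: dict, entry: str, target: str) -> bool:
    """Depth-first walk over call edges from the entry point to the target."""
    seen, stack = set(), [entry]
    while stack:
        fn = stack.pop()
        if fn == target:
            return True
        if fn not in seen:
            seen.add(fn)
            stack.extend(graph.get(fn, ()))
    return False

def vex_analysis(graph: dict, entry: str, target: str) -> dict:
    """CycloneDX VEX 'analysis': reachable means keep triaging, not 'exploitable'."""
    if is_reachable(graph, entry, target):
        return {"state": "in_triage", "detail": f"{target} reachable from {entry}()"}
    return {"state": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
            "detail": f"{target} not called from {entry}()"}
```

Dynamic dispatch, `getattr`, and reflection never produce an `ast.Call` with a resolvable name, which is exactly the gap the "static only" anti-pattern below warns about.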

### Java — Soot points-to

```java
// pseudocode for Soot framework: after whole-program call-graph construction,
// collect the transitively reachable methods and intersect them with the
// vulnerable methods
PackManager.v().getPack("wjtp").add(new Transform("wjtp.callgraph", new SceneTransformer() {
    @Override
    protected void internalTransform(String phaseName, Map<String, String> options) {
        ReachableMethods rm = Scene.v().getReachableMethods();   // closure from entry points
        Set<MethodOrMethodContext> reachable = new HashSet<>();
        QueueReader<MethodOrMethodContext> it = rm.listener();
        while (it.hasNext()) reachable.add(it.next());
        // intersect with vulnerable methods
    }
}));
```

### Runtime reachability (Datadog ASM-style)

```python
import inspect
call_sites = set()  # (caller file, line) pairs observed during the load test

def trace_call(original):
    def wrapper(*args, **kwargs):
        caller = inspect.stack()[1]
        call_sites.add((caller.filename, caller.lineno))
        return original(*args, **kwargs)
    return wrapper

@trace_call  # instrument the vulnerable function
def vulnerable_lib_func(*args):
    return args
# After load test → call_sites shows which CVEs were actually hit
```

### CI gate (GitHub Actions)

```yaml
- uses: endorlabs/scan-action@v3
  with:
    namespace: my-org
    reachability: function
    fail-on: critical-reachable
```

## Decision criteria

| Situation | Tool |
| --- | --- |
| JS/TS monorepo | Socket / Snyk |
| Java/Kotlin | Endor Labs / Snyk |
| Python | Semgrep SC / Endor |
| Polyglot enterprise | Endor Labs |
| OSS, free | OSV-Scanner + custom call graph |
| Runtime accuracy | Datadog ASM / Aikido / Oligo |

Default: in 2026, hybrid: a static reachability gate in CI plus runtime confirmation in prod.

## 🔗 Graph

## 🤖 Using LLMs

When: vulnerability summaries, fix-PR generation (dependency upgrade plus breaking-change risk), drafting VEX justifications. When not: the call graph itself, because LLMs hallucinate edges; use deterministic tools (Soot, jedi).

## Anti-patterns

- All CVEs are critical: noise overwhelms the team and causes alert fatigue. A reachability filter is required.
- Static only: misses dynamic dispatch / reflection. Add runtime confirmation.
- No transitive coverage: only direct deps are checked; transitive vulns stay invisible.
- Reachability = exploitability: reachable ≠ exploitable (auth, sandboxing). Still triage.

## 🧪 Verification / Duplicates

- Verified (Endor Labs research; Snyk reachability docs; OWASP Dependency Check).
- Confidence A.

## 🕓 Changelog

| Date | Change |
| --- | --- |
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: full security reachability entry |