Summary
Add a reachability analysis engine that determines whether reported dependency vulnerabilities are actually used or reachable within the scanned codebase, helping users prioritize remediation efforts more effectively.
Motivation
PatchPilot currently reports dependency vulnerabilities discovered by OSV-Scanner and other dependency analysis tools. However, not all vulnerable dependencies are actively used by the application.
This often results in:
- Alert fatigue
- Large numbers of low-priority findings
- Developers spending time fixing vulnerabilities that are not exploitable in practice
- Difficulty prioritizing remediation efforts
By determining whether a vulnerable package is imported, referenced, or reachable through application code, PatchPilot can provide more actionable security insights.
Proposed solution
Introduce a reachability analysis stage after dependency scanning.
Analysis Flow
Dependency Vulnerability
↓
Dependency Mapping
↓
Import/Reference Analysis
↓
Reachability Classification
Reachability States
- Reachable
- Potentially Reachable
- Unreachable
- Unknown
Example Output
{
  "package": "log4j-core",
  "cve": "CVE-2021-44228",
  "severity": "Critical",
  "reachability": "Reachable",
  "evidence": [
    "src/logger/config.java",
    "src/service/logging.java"
  ]
}
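As an added illustration of the analysis flow above (this is example code written for this issue, not PatchPilot's implementation), the following Python sketch walks one dependency finding through dependency mapping, import/reference analysis and classification into the four reachability states, and emits the same output shape as the example. The Java sources, the dependency graph, the package-to-namespace mapping and the placeholder CVE ids are all constructed for the example; real import scanning would need per-ecosystem parsers and a real manifest/lockfile.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample project (not real PatchPilot data): file path -> Java source.
SOURCES: Dict[str, str] = {
    "src/logger/config.java": (
        "package app.logger;\n"
        "import org.apache.logging.log4j.core.config.Configurator;\n"
        "public class Config { }\n"
    ),
    "src/service/logging.java": (
        "package app.service;\n"
        "import org.apache.logging.log4j.core.LoggerContext;\n"
        "public class Logging { }\n"
    ),
    # Imports a package we have no mapping for; it is ignored, not misattributed.
    "src/web/Handler.java": (
        "package app.web;\n"
        "import com.fasterxml.jackson.databind.ObjectMapper;\n"
        "public class Handler { }\n"
    ),
}

# Constructed dependency graph (stand-in for a parsed manifest): package -> direct deps.
DEPENDENCY_GRAPH: Dict[str, List[str]] = {
    "log4j-core": ["log4j-api"],
    "log4j-api": [],
    "commons-text": ["commons-lang3"],
    "commons-lang3": [],
}

# Hypothetical mapping from package name to the namespace it exposes in code.
# Note the overlapping prefixes: log4j-core lives *under* log4j-api's namespace.
PACKAGE_NAMESPACES: Dict[str, str] = {
    "log4j-core": "org.apache.logging.log4j.core",
    "log4j-api": "org.apache.logging.log4j",
    "commons-text": "org.apache.commons.text",
    "commons-lang3": "org.apache.commons.lang3",
}

# Constructed findings as a dependency scanner might report them. The CVE ids other
# than the one from the issue text are placeholders, not real identifiers.
FINDINGS = [
    {"package": "log4j-core", "cve": "CVE-2021-44228", "severity": "Critical"},
    {"package": "log4j-api", "cve": "CVE-XXXX-PLACEHOLDER", "severity": "High"},
    {"package": "commons-text", "cve": "CVE-XXXX-PLACEHOLDER", "severity": "Medium"},
    {"package": "mystery-lib", "cve": "CVE-XXXX-PLACEHOLDER", "severity": "Low"},
]

IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?([\w.]+)", re.MULTILINE)


def collect_imports(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {file path: [imported symbol paths]}; wildcard imports lose the trailing dot."""
    return {path: [m.rstrip(".") for m in IMPORT_RE.findall(text)] for path, text in sources.items()}


def resolve_package(import_path: str, namespaces: Dict[str, str]) -> Optional[str]:
    """Map an import to the package whose namespace is the LONGEST matching prefix,
    so 'org.apache.logging.log4j.core.X' is credited to log4j-core, not log4j-api."""
    best = None
    for pkg, ns in namespaces.items():
        if import_path == ns or import_path.startswith(ns + "."):
            if best is None or len(ns) > len(namespaces[best]):
                best = pkg
    return best


def direct_evidence(sources: Dict[str, str], namespaces: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {package: sorted file paths} for packages imported directly by application code."""
    evidence: Dict[str, set] = {}
    for path, imports in collect_imports(sources).items():
        for imp in imports:
            pkg = resolve_package(imp, namespaces)
            if pkg is not None:
                evidence.setdefault(pkg, set()).add(path)
    return {pkg: sorted(paths) for pkg, paths in evidence.items()}


def dependents_of(package: str, graph: Dict[str, List[str]]) -> set:
    """Return every declared package that transitively depends on `package` (reverse walk)."""
    reverse: Dict[str, set] = {}
    for parent, children in graph.items():
        for child in children:
            reverse.setdefault(child, set()).add(parent)
    seen, stack = set(), [package]
    while stack:
        for parent in reverse.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def classify(finding: dict, sources, graph, namespaces) -> dict:
    """Attach one of the four reachability states plus supporting evidence to a finding."""
    package, result = finding["package"], dict(finding)
    if package not in namespaces:
        # We do not know what this package exposes, so we must not guess: Unknown.
        result.update(reachability="Unknown", evidence=[])
        return result
    direct = direct_evidence(sources, namespaces)
    if package in direct:
        result.update(reachability="Reachable", evidence=direct[package])
        return result
    # Not imported itself; is it pulled in by a package the application does import?
    via = sorted(p for p in dependents_of(package, graph) if p in direct)
    if via:
        result.update(reachability="Potentially Reachable",
                      evidence=[f"via {p}: {path}" for p in via for path in direct[p]])
        return result
    result.update(reachability="Unreachable", evidence=[])
    return result


def analyze(findings=FINDINGS, sources=SOURCES, graph=DEPENDENCY_GRAPH, namespaces=PACKAGE_NAMESPACES):
    """Run the whole flow over a list of scanner findings."""
    return [classify(f, sources, graph, namespaces) for f in findings]


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

Two design points worth keeping in a real implementation: imports are attributed by longest namespace prefix, otherwise everything under `org.apache.logging.log4j` would be credited to log4j-api and log4j-core would wrongly come out Unreachable; and a package with no namespace mapping is reported as Unknown rather than Unreachable, since silently downgrading a finding the engine cannot reason about is the one failure mode that hides real risk.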
Backend
- Build dependency graph parsing utilities.
- Analyze imports and references.
- Associate findings with reachability metadata.
- Include reachability evidence in scan results.
Frontend
Display reachability badges:
CRITICAL | Reachable
HIGH | Potentially Reachable
MEDIUM | Unreachable
Add filtering options based on reachability.
Evidence Pack Integration
Include:
reachability-analysis.json
reachability-summary.txt
in exported evidence packs.
ML tier (if applicable)
Alternatives considered
- Display all dependency vulnerabilities equally.
  - Rejected because it creates alert fatigue and poor prioritization.
- Depend entirely on scanner severity.
  - Rejected because severity alone does not indicate exploitability within a specific codebase.
- External dependency analysis tools.
  - Rejected because users would need separate workflows outside PatchPilot.
Acceptance criteria
Additional context
Modern security platforms increasingly use reachability analysis to reduce noise and focus remediation efforts on vulnerabilities that present actual risk. This feature would significantly improve finding prioritization and make PatchPilot more useful for production environments.