Skip to content

Feature Request: Lightweight Reachability Analysis to Reduce False Positives #2960

Description

@damaoooo

What would you like to be added:

I propose adding an optional, lightweight static analysis feature directly into Grype.

This feature would work as follows:

  1. After matching a vulnerability, Grype would identify the specific function(s) or method(s) known to be vulnerable for that CVE.
  2. It would then perform a simple, text-based search (effectively a grep) across the scanned source code to determine if these vulnerable functions are actually called.
  3. If no calls to the vulnerable functions are found, the vulnerability would be either suppressed or flagged with a specific tag like unreachable.
    This could be controlled by a new flag, for instance, --enable-reachability-analysis.

Why is this needed:

The primary goal is to drastically reduce the high number of false positive alerts generated by unreachable vulnerabilities, which is a major source of alert fatigue for developers.

My research on this topic shows that this simple, low-cost static analysis method is remarkably effective. By checking for actual function calls, it's possible to filter out approximately 60% of the vulnerabilities typically reported by SBOM-based scanners.

This provides immense value by:

  1. Dramatically improving the signal-to-noise ratio of scan results.
  2. Allowing development and security teams to focus their limited time on vulnerabilities that pose a tangible risk.
  3. Making Grype's results significantly more actionable out of the box, without requiring complex external tools or manual verification for a large portion of findings.

While this method isn't a perfect replacement for deep call-graph analysis (e.g., it may miss dynamic calls), a ~60% reduction in noise represents a massive and practical improvement for the user experience.

Additional context:

Here is a conceptual example to illustrate the feature:

  1. A Python project uses the library requests==2.25.0.
  2. Grype correctly identifies that this version is vulnerable to a CVE related to the requests.auth.HTTPDigestAuth function.
  3. However, the project's source code only ever calls requests.get() and never imports or uses the vulnerable HTTPDigestAuth function.
  4. With the proposed --enable-reachability-analysis flag, Grype would scan the source, see that HTTPDigestAuth is not called, and automatically suppress this finding or mark it as "unreachable".

This would prevent a developer from spending time investigating a vulnerability that poses no real threat to their specific application.

Thank you for considering this feature. I believe it would be a powerful enhancement to an already excellent tool. I'm happy to discuss my research findings in more detail.

Metadata

Metadata

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
In Review

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions