What would you like to be added:
I propose adding an optional, lightweight static analysis feature directly into Grype.
This feature would work as follows:
- After matching a vulnerability, Grype would identify the specific function(s) or method(s) known to be vulnerable for that CVE.
- It would then perform a simple, text-based search (effectively a grep) across the scanned source code to determine if these vulnerable functions are actually called.
- If no calls to the vulnerable functions are found, the vulnerability would be either suppressed or flagged with a specific tag like unreachable.
This could be controlled by a new flag, for instance, --enable-reachability-analysis.
Why is this needed:
The primary goal is to drastically reduce the high number of false positive alerts generated by unreachable vulnerabilities, which is a major source of alert fatigue for developers.
My research on this topic shows that this simple, low-cost static analysis method is remarkably effective. By checking for actual function calls, it's possible to filter out approximately 60% of the vulnerabilities typically reported by SBOM-based scanners.
This provides immense value by:
- Dramatically improving the signal-to-noise ratio of scan results.
- Allowing development and security teams to focus their limited time on vulnerabilities that pose a tangible risk.
- Making Grype's results significantly more actionable out of the box, without requiring complex external tools or manual verification for a large portion of findings.
While this method isn't a perfect replacement for deep call-graph analysis (e.g., it may miss dynamic calls), a ~60% reduction in noise represents a massive and practical improvement for the user experience.
Additional context:
Here is a conceptual example to illustrate the feature:
- A Python project uses the library
requests==2.25.0.
- Grype correctly identifies that this version is vulnerable to a CVE related to the
requests.auth.HTTPDigestAuth function.
- However, the project's source code only ever calls
requests.get() and never imports or uses the vulnerable HTTPDigestAuth function.
- With the proposed --enable-reachability-analysis flag, Grype would scan the source, see that HTTPDigestAuth is not called, and automatically suppress this finding or mark it as "unreachable".
This would prevent a developer from spending time investigating a vulnerability that poses no real threat to their specific application.
Thank you for considering this feature. I believe it would be a powerful enhancement to an already excellent tool. I'm happy to discuss my research findings in more detail.
What would you like to be added:
I propose adding an optional, lightweight static analysis feature directly into Grype.
This feature would work as follows:
This could be controlled by a new flag, for instance,
--enable-reachability-analysis.Why is this needed:
The primary goal is to drastically reduce the high number of false positive alerts generated by unreachable vulnerabilities, which is a major source of alert fatigue for developers.
My research on this topic shows that this simple, low-cost static analysis method is remarkably effective. By checking for actual function calls, it's possible to filter out approximately 60% of the vulnerabilities typically reported by SBOM-based scanners.
This provides immense value by:
While this method isn't a perfect replacement for deep call-graph analysis (e.g., it may miss dynamic calls), a
~60%reduction in noise represents a massive and practical improvement for the user experience.Additional context:
Here is a conceptual example to illustrate the feature:
requests==2.25.0.requests.auth.HTTPDigestAuthfunction.requests.get()and never imports or uses the vulnerable HTTPDigestAuth function.This would prevent a developer from spending time investigating a vulnerability that poses no real threat to their specific application.
Thank you for considering this feature. I believe it would be a powerful enhancement to an already excellent tool. I'm happy to discuss my research findings in more detail.