You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Determines whether each finding's vulnerable code path is actually invoked in the project's source, using static analysis (OpenGrep by default, CodeQL optionally), and escalates ambiguous cases to an LLM agent.
Why this matters
A dependency may appear in the SBOM but never be imported, let alone have its vulnerable function called. REACHABLE vs NOT_REACHABLE vs UNCERTAIN dramatically changes risk priority.
How it works
Loads all Finding rows with reachability_status == NOT_ANALYZED.
Runs the static analysis tool once against the entire source tree.
Parses output into _ScanMatch records: purl, kind ("import" or "usage"), file path, line number.
Classifies each finding:
No import match -> NOT_REACHABLE
Import + usage match -> REACHABLE
Import but no usage -> UNCERTAIN -> escalated to ReachabilityAgent
Summary
Determines whether each finding's vulnerable code path is actually invoked in the project's source, using static analysis (OpenGrep by default, CodeQL optionally), and escalates ambiguous cases to an LLM agent.
Why this matters
A dependency may appear in the SBOM but never be imported, let alone have its vulnerable function called. REACHABLE vs NOT_REACHABLE vs UNCERTAIN dramatically changes risk priority.
How it works
Findingrows withreachability_status == NOT_ANALYZED._ScanMatchrecords:purl,kind("import" or "usage"), file path, line number.NOT_REACHABLEREACHABLEUNCERTAIN-> escalated toReachabilityAgentSBOMSnapshot.status = "REACH_DONE".ReachabilityAgent
read_filetool (sandboxed to project dir, refuses path traversal).VERDICT: REACHABLE/NOT_REACHABLE+RATIONALE:. Falls back toUNCERTAINon parse failure.UNCERTAIN.Tests (27 passing)
Reachable/not-reachable/uncertain classification, agent invocation, snapshot checkpoint, skipping already-classified findings, CodeQL language detection, agent failure graceful degradation, OpenGrep JSON and CodeQL SARIF parsers.