
Comparing Reachability Analysis Providers

Numerous SCA providers offer reachability analysis. This article explores various options, highlighting their pros and cons.


Written by

Martin Torp

CPO, Co-founder


Introduction

Any modern application security team uses Software Composition Analysis (SCA) tools to scan for known vulnerabilities in open source dependencies.

However, traditional SCA tools do not consider how the application actually uses its open source dependencies, so most reported alerts concern vulnerable code that the application never invokes. Because the number of alerts is typically overwhelming, security teams are forced to prioritize aggressively which ones to remediate.

To overcome this limitation, many SCA providers have introduced reachability analysis to help prioritize alerts that may actually be exploitable. Reachability analysis determines whether the vulnerable part of an open source component (typically a specific function) is invoked, directly or indirectly, from the application code; if it is not, the vulnerability is unlikely to be exploitable in practice.

The 2 Types of Reachability Analysis

There are two broad categories of reachability:

Type 1: Static reachability: Determines the reachability of vulnerabilities without running the code.

Type 2: Dynamic reachability: Determines the reachability of vulnerabilities based on observations extracted at runtime.

There are also hybrid approaches that use a combination of both static and dynamic analysis.

In this post, we focus on static reachability analysis providers since they come with clear advantages, such as the ability to run without code instrumentation or agents, and the ability to scan applications that are not yet deployed. To learn more about static vs dynamic reachability analyses, have a look at this post.

We also focus exclusively on SCA providers that conduct function-level reachability, which is the most precise and detailed form of reachability analysis.

1. Coana

Coana is a spinout from a leading university in static analysis research and stands out by being hyper-focused on building precise analyses for all supported languages. This means that Coana provides the only reachability analysis that is capable of handling hard-to-analyze features like dynamic property reads and writes in JavaScript and reflection in Java, offering the highest level of trust in the correctness of the reachability analysis.

Coana maintains a database of vulnerable functions for most CVEs and uses static analysis to check if these functions are reachable from the application code.

Coana’s focus on building high-quality analyses for each supported language means that its language coverage is currently limited to JavaScript, Python and JVM languages like Java, Kotlin, and Scala. While this can be a limitation for some larger enterprises with complex code bases, Coana is an ideal choice for companies with a modern tech stack that typically includes a lot of TypeScript/JavaScript and Python.

Pros

  • Supports hard-to-analyze features in untyped dynamic languages such as JavaScript and Python.
  • Reachability analysis of indirect/transitive dependencies.
  • Zero-configuration principle: Coana auto-installs and auto-builds projects, which makes adoption lightweight.

Cons

  • The analysis can be resource-intensive (high CPU and memory costs).
  • Certain languages, like C#, Ruby, and Go, are not yet supported by Coana (support for some of these languages is expected later in 2024; sign up for our product newsletter if you are interested in these languages).
  • Focuses exclusively on SCA.

2. Endor Labs

Endor Labs is one of the first companies founded on the idea of using static reachability analysis to prioritize open source vulnerabilities.

Like Coana, they maintain a database of vulnerable functions for most CVEs and use static analysis to check if these functions are reachable from the application code.

Their early focus on large enterprises makes their engine particularly effective at analyzing large, statically typed code bases in languages like Java and C# (.NET).

In addition to SCA with reachability, Endor Labs also offers other products such as secrets scanning and pipeline discovery to help manage security in the SDLC.

Pros

  • Reachability analysis of indirect/transitive dependencies.
  • Good coverage of popular languages.
  • Highly configurable policy engine.

Cons

  • Limited capabilities for dynamic languages like JavaScript and Python.
  • Does not handle reflection in the Java language.
  • The analysis can be resource-intensive (high CPU and memory costs).

3. Semgrep Supply Chain

Semgrep’s reachability analysis is based on their SAST engine (Semgrep Code).

Like Endor Labs and Coana, Semgrep maintains a database of vulnerable functions for a large fraction of the most common CVEs in dependencies.

Since Semgrep’s reachability engine is built on its SAST product, which scans application source only, it does not analyze the code of the dependencies themselves. This means that Semgrep is only able to determine the reachability of vulnerabilities in direct dependencies: a vulnerable function called from inside a dependency on behalf of the application is not followed. However, this also makes the analysis considerably faster than most other options.

Semgrep also offers SAST and secrets scanning together with their SCA.

Pros

  • Good coverage of popular languages.
  • Very fast analysis.
  • Includes both secret scanning and SAST, covering most AppSec needs.

Cons

  • Does not scan indirect/transitive dependencies.
  • The lightweight analysis struggles to handle certain patterns. For example, Semgrep generally cannot detect a call to a vulnerable method on a library object that was created in one function and passed to another.
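As an added example that is not part of the original post and is not any vendor's code, the following Python script shows the function-level reachability check described in the Introduction on a toy call graph, and also reproduces the transitive-dependency blind spot discussed for Semgrep above. The application module `app`, the dependency modules `httpkit` and `legacy_codec`, the vulnerable function name `legacy_codec.unsafe_load` and the entry point `app.main` are all constructed for illustration. Calls are resolved only through `import` and `from ... import` bindings and same-module function names; method calls on objects (the pattern noted in the last bullet) are deliberately left unresolved, which is exactly where a real engine needs type or points-to information.

```python
import ast
from collections import deque

# Constructed sample sources (not real packages): `app` imports `httpkit` directly,
# `httpkit` imports `legacy_codec`, and `legacy_codec.unsafe_load` stands in for the
# vulnerable function an SCA vendor's database would associate with a CVE.
MODULES = {
    "app": """
import httpkit

def main():
    return httpkit.fetch_json("https://example.invalid/data")
""",
    "httpkit": """
from legacy_codec import unsafe_load, safe_load

def fetch_json(url):
    return unsafe_load(_download(url))

def fetch_text(url):
    return safe_load(_download(url))

def _download(url):
    return b"{}"
""",
    "legacy_codec": """
def unsafe_load(data):
    return data

def safe_load(data):
    return data
""",
}
VULNERABLE_FN = "legacy_codec.unsafe_load"  # assumed vulnerable-function DB entry


def _qualify(func, aliases, local_funcs, mod):
    """Resolve a call target to 'module.function', or None if it cannot be resolved."""
    if isinstance(func, ast.Name):
        if func.id in local_funcs:
            return f"{mod}.{func.id}"
        return aliases.get(func.id)          # `from legacy_codec import unsafe_load`
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        base = aliases.get(func.value.id)    # `import httpkit` -> httpkit.fetch_json
        if base:
            return f"{base}.{func.attr}"
    return None  # builtins, and method calls on objects (p.parse()), are not tracked


def build_call_graph(modules):
    """Map each 'module.function' to the set of qualified functions it calls directly."""
    graph = {}
    for mod, src in modules.items():
        tree = ast.parse(src)
        aliases = {}
        for node in tree.body:
            if isinstance(node, ast.Import):
                for alias in node.names:
                    aliases[alias.asname or alias.name] = alias.name
            elif isinstance(node, ast.ImportFrom):
                for alias in node.names:
                    aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        local_funcs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
        for fn in tree.body:
            if isinstance(fn, ast.FunctionDef):
                callees = {_qualify(c.func, aliases, local_funcs, mod)
                           for c in ast.walk(fn) if isinstance(c, ast.Call)}
                graph[f"{mod}.{fn.name}"] = callees - {None}
    return graph


def call_path(graph, entry_points, target):
    """Shortest call chain from an entry point to `target`, or None if unreachable."""
    parents = {ep: None for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn == target:
            path = []
            while fn is not None:
                path.append(fn)
                fn = parents[fn]
            return path[::-1]
        for callee in graph.get(fn, ()):
            if callee not in parents:
                parents[callee] = fn
                queue.append(callee)
    return None


def is_reachable(modules, entry_points, target=VULNERABLE_FN):
    """True when `target` lies on some call chain from the given entry points."""
    return call_path(build_call_graph(modules), entry_points, target) is not None


if __name__ == "__main__":
    print(call_path(build_call_graph(MODULES), ["app.main"], VULNERABLE_FN))
    # Scanning only the application's own source cannot follow the chain into httpkit.
    print(is_reachable({"app": MODULES["app"]}, ["app.main"]))
```

With all three modules available, the vulnerable function is reported reachable through the chain `app.main` → `httpkit.fetch_json` → `legacy_codec.unsafe_load`, while `legacy_codec.safe_load` is not. Restricting the analysis to the application's own source, which is how the post describes an engine that does not scan dependency code, loses the chain at `httpkit.fetch_json` and reports the same vulnerability as unreachable.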

Conclusion

Finding the right SCA tool with effective reachability analysis can be challenging. Nearly all vendors now claim to include some form of reachability analysis, but the precision and reliability of these analyses can vary widely. They range from highly accurate function-level reachability, as seen in the vendors discussed in this post, to very basic approaches that simply classify all direct dependency vulnerabilities as reachable.

In this post, we highlighted vendors we believe are the leading contenders in static reachability analysis. However, there are many more options available. We recommend that anyone seeking a modern SCA provider conducts thorough research and evaluates multiple tools to find the best fit for their needs.
