Unpacking SCA with reachability analysis: Coana's new approach lets you disregard up to 95% false positives.
Number of engineers
If you are a security professional or a software developer, chances are you're well aware of the frustrations with the many false alarms produced by conventional Software Composition Analyses (SCAs). In this post, I will give you a quick rundown on SCAs, discuss why conventional SCAs yield up to 95% false alarms, and introduce you to Coana's reachability-based SCA, which dramatically reduces the number of false alarms.
Conventional SCAs are pretty basic tools at their core. Generally, they operate as follows:
They immediately notify you about vulnerabilities and allow you to quickly take the appropriate action required to remove the vulnerability (typically upgrading the vulnerable package).
However, in practice, a significant drawback of current SCA solutions is their tendency to flood you with vulnerability alerts. Upon closer inspection, you will typically also find that these alarms are almost all irrelevant. In fact, our analysis shows that up to 95% of all vulnerability alarms are not relevant in the context they are reported. Maybe the vulnerability is in a function that’s not even used or maybe it’s in a dependency that’s only used to build the application. Addressing these irrelevant alerts can be both costly and tedious, a challenge we delve into in our post Vulnerability Scanning is Broken.
Coana is an SCA tool that incorporates a reachability analysis, avoiding the up to 95% false positive alarms of conventional SCAs. Here is how it works:
The advantage is pretty clear: By letting you focus on just the reachable vulnerability alerts, you only need to spend a fraction of the time handling alerts without compromising your application’s security.
While the time-saving benefit is a strong selling point of reachability analysis, we believe the improved developer experience is just as important: Responding to irrelevant and noisy alerts can be both a stressful and demotivating experience for developers. Coana not only eliminates irrelevant alarms but also provides precise details on where in your code a reachable vulnerability may be triggered. This information enables you to swiftly assess the vulnerability, deciding if it needs immediate action or if it can be addressed later.
To categorize vulnerability alerts by their reachability, Coana uses a static analysis. You're likely familiar with various types of static analyses, such as linters and type checkers. The specific form of static analysis used by Coana is called a control-flow analysis. Its job is to construct a call graph, which is a data structure that lets you answer questions such as ‘from this specific place in my program to what other places in the program can the program execution go?’. That’s exactly the kind of question a reachability analysis needs to answer.
Explaining exactly how a control-flow analysis works is beyond the scope of this post. We do however encourage you to check our FAQ, where we answer some of the common questions our users have about reachability analysis.
Interested in exploring how Coana can improve vulnerability management for you? Book a short demo below.