What Is SCA with Reachability Analysis?

Unpacking SCA with reachability analysis: Coana's new approach lets you disregard up to 95% false positives.

What Is SCA with Reachability Analysis?

Written by

Martin Torp

CPO, Co-founder


No items found.


Number of engineers

Programming languages

No items found.

If you are a security professional or a software developer, chances are you're well aware of the frustrations with the many false alarms produced by conventional Software Composition Analyses (SCAs). In this post, I will give you a quick rundown on SCAs, discuss why conventional SCAs yield up to 95% false alarms, and introduce you to Coana's reachability-based SCA, which dramatically reduces the number of false alarms.

The Pain of Conventional SCA

Conventional SCAs are pretty basic tools at their core. Generally, they operate as follows:

  1. Extract the list of names and versions of all your dependency packages, including both direct and indirect packages.
  2. Cross-reference these against a database of publicly known vulnerabilities (CVEs).
  3. Inform you about potential matches (vulnerabilities in your project).

They immediately notify you about vulnerabilities and allow you to quickly take the appropriate action required to remove the vulnerability (typically upgrading the vulnerable package).

However, in practice, a significant drawback of current SCA solutions is their tendency to flood you with vulnerability alerts. Upon closer inspection, you will typically also find that these alarms are almost all irrelevant. In fact, our analysis shows that up to 95% of all vulnerability alarms are not relevant in the context they are reported. Maybe the vulnerability is in a function that’s not even used or maybe it’s in a dependency that’s only used to build the application. Addressing these irrelevant alerts can be both costly and tedious, a challenge we delve into in our post Vulnerability Scanning is Broken.

SCA with Reachability Analysis

Coana is an SCA tool that incorporates a reachability analysis, avoiding the up to 95% false positive alarms of conventional SCAs. Here is how it works:

  1. Coana performs a conventional vulnerability scan of your dependency packages.
  2. Whenever Coana identifies a vulnerability in one of your dependencies, it uses a static analysis to check if you actually use the vulnerable part of the dependency. This check also works for indirect dependencies; for example, Coana's analysis will check for usages of vulnerable parts of dependencies that lay deep down the dependency tree.
  3. If you use the vulnerable part of the dependency, the vulnerability gets flagged as reachable and Coana notifies you about the vulnerability.
  4. Conversely, if you don’t use the vulnerable part of the dependency, Coana flags the vulnerability as unreachable and refrains from issuing an alert.

The advantage is pretty clear: By letting you focus on just the reachable vulnerability alerts, you only need to spend a fraction of the time handling alerts without compromising your application’s security.

While the time-saving benefit is a strong selling point of reachability analysis, we believe the improved developer experience is just as important: Responding to irrelevant and noisy alerts can be both a stressful and demotivating experience for developers. Coana not only eliminates irrelevant alarms but also provides precise details on where in your code a reachable vulnerability may be triggered. This information enables you to swiftly assess the vulnerability, deciding if it needs immediate action or if it can be addressed later.

The Technical Bits

To categorize vulnerability alerts by their reachability, Coana uses a static analysis. You're likely familiar with various types of static analyses, such as linters and type checkers. The specific form of static analysis used by Coana is called a control-flow analysis. Its job is to construct a call graph, which is a data structure that lets you answer questions such as ‘from this specific place in my program to what other places in the program can the program execution go?’. That’s exactly the kind of question a reachability analysis needs to answer.

Explaining exactly how a control-flow analysis works is beyond the scope of this post. We do however encourage you to check our FAQ, where we answer some of the common questions our users have about reachability analysis. You can also check out the scanning section of our documentation.

Interested in exploring how Coana can improve vulnerability management for you? Book a short demo below.

Ready to talk?

Book a Demo with One of the Coana Founders