How does Coana determine the reachability of vulnerabilities?
Coana uses a static analysis known as a control-flow analysis to build a model of the analyzed program. This model, commonly known as a call graph, contains information about how execution flows through the program. It allows us to answer questions like ‘from this specific place in my program, to what other places in the program can execution go?’, where ‘this specific place’ could be any line in the analyzed program. Based on the call graph, Coana is able to tell which parts of the code are dead (unreachable) and which parts are live (reachable). You can learn more about how the static analysis works in the post What is SCA with reachability?
Can I trust Coana to correctly identify the reachability of vulnerabilities?
The reachability analysis is designed to over-approximate the actual runtime reachability of vulnerabilities. By over-approximating, the analysis will lean toward marking a vulnerability as reachable whenever it’s in doubt. By taking this approach, Coana allows you to safely ignore unreachable vulnerabilities without compromising on any real security.
What happens if the reachability of a vulnerability later changes?
As you develop and modify your program over time, the ways in which you use your dependencies are likely to change. That’s why Coana continues to monitor your application, informing you about both new reachable vulnerabilities and previously unreachable vulnerabilities that become reachable.
How does Coana know which parts of a package are affected by a vulnerability?
At Coana, we have a dedicated security team that works on answering exactly that question. Whenever a new vulnerability is discovered, the security team initiates a thorough investigation of all the various resources related to the vulnerability. The team typically installs the affected package, reads the documentation, and builds a detailed understanding of how the package works. Once the functions, methods, properties, etc., responsible for the vulnerability have been identified, the team writes a specification that captures exactly these parts of the package. This specification is then used by the static analysis when it performs a reachability analysis on your code.
As a bonus, the team also writes an informal, human-readable version of this specification, which users of Coana can use to better understand the vulnerability.
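To make the mechanism described above concrete, here is an added example that is not Coana's code: a toy call-graph reachability check. The call graph, the package functions and the vulnerability specifications are all constructed and hypothetical; a callee written as "?pkg" stands for a call into pkg whose exact target could not be resolved statically, and it is over-approximated as a call to every function in that package, so doubt resolves toward "reachable".

```python
from collections import deque

# Constructed call graph: caller -> set of callees, names are "module.function".
CALL_GRAPH = {
    "app.main": {"app.handle_upload", "app.render"},
    "app.handle_upload": {"imglib.resize", "?tarlib"},  # unresolved call into tarlib
    "app.render": {"tmpl.render_safe"},
    "imglib.resize": {"imglib.decode"},
    "imglib.decode": set(),
    "imglib.exif": set(),  # part of imglib, never called by the app
    "tarlib.extract": {"tarlib.extract_member"},
    "tarlib.extract_member": set(),
    "tarlib.list": set(),
    "tmpl.render_safe": set(),
    "tmpl.render_unsafe": set(),
}

# Constructed vulnerability specifications: the package parts an advisory affects.
VULN_SPECS = {
    "VULN-A (hypothetical)": {"imglib.exif"},
    "VULN-B (hypothetical)": {"tarlib.extract_member"},
    "VULN-C (hypothetical)": {"tmpl.render_unsafe"},
}

def resolve(callee, graph):
    """Resolve one call edge to concrete targets; an unresolved call into a
    package ("?pkg") is over-approximated as a call to every function in it."""
    if callee.startswith("?"):
        pkg = callee[1:] + "."
        return {f for f in graph if f.startswith(pkg)}
    return {callee}

def reachable_functions(graph, entry_points):
    """Breadth-first walk of the call graph from the program's entry points."""
    seen, todo = set(entry_points), deque(entry_points)
    while todo:
        fn = todo.popleft()
        for callee in graph.get(fn, ()):
            for target in resolve(callee, graph):
                if target not in seen:
                    seen.add(target)
                    todo.append(target)
    return seen

def classify(graph, entry_points, specs):
    """Label each vulnerability 'reachable' or 'unreachable' for this program."""
    live = reachable_functions(graph, entry_points)
    return {vuln: ("reachable" if parts & live else "unreachable")
            for vuln, parts in specs.items()}
```

Running classify(CALL_GRAPH, ["app.main"], VULN_SPECS) marks VULN-B reachable only because of the over-approximated "?tarlib" call, while VULN-A and VULN-C are unreachable since nothing on any path from app.main calls imglib.exif or tmpl.render_unsafe.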
What kind of configuration does Coana require?
Coana is designed as a zero-configuration, plug-and-play analysis tool that automatically infers whatever information it needs to run the analysis from the project being scanned. For example, it automatically determines the programming language(s) used in the project, which package manager(s) are used, etc. For more details about how to run the tool, please refer to our documentation.
How is Coana run?
Does Coana scan containers?
No, Coana does not provide any container scanning capabilities at the moment. Code that is packaged into containers is typically bundled, compiled or minified in some way that loses the information about the specific dependencies, making it impossible to conduct proper security scanning of application dependencies in containers.
What is a contributor?
A contributor is someone who makes commits to repositories scanned by Coana.
Why is the pricing model based on contributors and not scans or lines of code?
Our pricing model is centered on the number of contributors because it most accurately reflects the true value and impact of Coana on your organization. By focusing on contributors rather than the number of scans or lines of code, we ensure that our pricing aligns with the productivity gains your team experiences. This approach encourages unlimited usage of Coana, allowing you to run it as frequently as needed and across as many repositories as required, without any additional cost concerns.
What’s the ROI for using Coana?
Our customer research reveals that developers typically spend an average of 40 hours annually managing vulnerabilities in open-source dependencies. Coana's advanced reachability analysis—a method that assesses the actual usage of vulnerable third-party code in your codebase—significantly streamlines this process. By enabling teams to confidently disregard up to 95% of these vulnerabilities, Coana offers:
You can learn more about the ROI of doing reachability analysis in this blog post.
Is a proof of concept possible with Coana?
We provide a 30-day free pilot period, offering you to fully explore and understand how Coana can enhance your operations.
What does the contractual agreement entail?
Our contracts are structured on an annual basis. To ensure you are confident in your decision, we include a 30-day free pilot period. This trial allows you to thoroughly test and assess Coana's effectiveness in your environment.
Is there a free price tier for open source projects?