Socket Application-Level Reachability for Gradle Projects

Overview

Socket offers three tiers of reachability analysis:

Tier	Noise Reduction	Requires CLI `--reach`
3	~35%	No (automatic)
2	~80%	No (automatic)
1	~90%	Yes

This guide covers Tier 1 (Full Application Reachability) via the --reach flag. Tiers 2 and 3 apply automatically in the Dashboard without CLI flags.

Prerequisites

Install Socket CLI:

npm install -g socket
socket login

Or set API key:

export SOCKET_SECURITY_API_TOKEN=sktsec_<your_key>

Note: socket scan create requires an org slug. Run socket login to set a default, or pass --org <your-org-slug> on every command.

Step 1: Generate Gradle SBOM

Navigate to your Gradle project root and generate a Software Bill of Materials:

socket cdxgen -t gradle -o socket-gradle.cdx.json --install-deps --lifecycle build

This resolves the full dependency tree and creates thesocket-gradle.cdx.json file.

Note: Without --lifecycle build, the Socket CLI defaults to pre-build to avoid arbitrary code execution. Use --lifecycle build for a complete dependency graph that includes build-time resolved dependencies.

Step 2: Run Baseline Scan

Scan without reachability to establish baseline CVE count:

socket scan create .

Note the total CVE count.

Step 3: Run Reachability Scan

Execute scan with Full Application Reachability (Tier 1) enabled:

socket scan create --reach .

Socket constructs a cross-dependency module load graph from source code to determine which CVEs are exploitable. The project does not need to be compiled first — analysis works directly on source.

Local-Only Alternative

To run reachability analysis locally without uploading results:

socket scan reach

Results are saved to .socket.facts.json. Useful for sensitive codebases.

Performance Tuning

For large Gradle projects, adjust these flags as needed:

socket scan create --reach \
  --reach-analysis-timeout 1200 \
  --reach-analysis-memory-limit 32768 \
  --reach-concurrency 4 \
  .

Flag	Default	Description
`--reach-analysis-timeout`	600 (10 min)	Analysis timeout in seconds
`--reach-analysis-memory-limit`	8192	Memory limit in MB (16–32 GB recommended)
`--reach-concurrency`	1	Parallel workspace processing

Step 4: Compare Results

In Socket Dashboard, view the reachability scan and filter by reachability status.

The CLI outputs a Noise% column directly. You can also calculate manually:

Noise% = ((Unreachable + NoSup + NoReach) / Total Vulns) × 100

The CLI outputs a summary table per ecosystem:

Project                 │ Vulns │ Reach │ Unreach │ NoSup │ NoReach │ Skipped │ Error │ Noise%

Result Categories

Column	Meaning
Reach	Call chain exists from app code to vulnerable function
Unreach	No exploitable call chain; safe to ignore
NoSup	Socket hasn't classified the vulnerable functions for this CVE yet
NoReach	Reachability analysis not possible for this vulnerability
Skipped	Filtered out via `--reach-exclude-paths` or other options
Error	Analysis error; check logs or contact support
Noise%	Percentage of vulns filtered as non-reachable

In the Dashboard, additional statuses appear: Potentially Reachable (Tier 2 indirect chain), Pending Precomputation (Tier 2 processing), Not Determinable, and Unknown.

Step 5: Triage Reachable CVEs

Review CVEs marked as "Reachable" in Dashboard. For each:

Check severity and CVSS score
Evaluate upgrade path
Prioritize remediation

Step 6: Override Unreachable CVEs (Optional)

For unreachable CVEs with low business impact, click Override in Dashboard to suppress from future scans.