Reachability Analysis
Socket SCA with Reachability Analysis allows you to safely disregard unreachable vulnerabilities and easily patch the ones that matter.
Key features
- Based on top-tier research.
- Scans direct and indirect dependencies.
- Works with any CI platform. No complex configurations. No agents required.
Before Socket = Overwhelming Noise
Traditional SCA tools do not distinguish between exploitable and unexploitable vulnerabilities. As a consequence, more than 80% of the vulnerabilities that developers are remediating are irrelevant and can be safely ignored.
After Socket = Clean Signal
Socket employs Reachability Analysis to eliminate more than 80% of false positives. As a consequence, developers only need to remediate the remaining few vulnerabilities that are relevant.
Reachability Maturity Levels
Socket language ecosystems are classified into three maturity levels for Reachability Analysis.
The differences are as follows:
| | Tier 1 (Module-level transitive reachability) | Tier 2 (Pre-computed transitive reachability) | Tier 3 (Source code reachability) |
|---|---|---|---|
| False positive reduction (varies between codebases) | Eliminates 20-40% of false positives | Eliminates 60% of false positives | Eliminates 80% of false positives |
| Type of reachability | • Identifies reachable vulnerabilities in transitive dependencies. • Eliminates unreachable vulnerabilities at the module and file level within transitive dependencies. • Scans the source of all files in each dependency to determine which modules are imported/required. | • Identifies reachable vulnerabilities in transitive dependencies. • Eliminates unreachable vulnerabilities at the source code level within transitive dependencies. | • Identifies reachable vulnerabilities in both direct and transitive dependencies. • Eliminates unreachable vulnerabilities at the source code level within both direct and transitive dependencies. • Pinpoints the exact locations in your code affected by reachable vulnerabilities. |
| Availability | Available for all Socket users. | Available for all Socket users. 🚧 In progress, launching Q2. | Available for all Socket users. 🚧 In progress, launching Q3. |
| Works out of the box | Yes | Yes | No. Requires adding a CLI command or GitHub Action. |
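What the Tier 1 "module and file level" check in the table means in practice, as an added illustration that is not Socket's code: starting from the application entry point, follow `require`/`import` edges through each dependency's files and ask whether the file holding the vulnerable code is ever imported. The package names, file contents and the "vulnerable" module below are constructed for the example; the resolver is a deliberately simplified stand-in for Node's real module resolution.

```python
import re
from collections import deque

# Constructed sample (hypothetical packages): the app depends on pkg-a, which
# imports only pkg-b/lib/safe. pkg-b's vulnerable code lives in lib/unsafe.js,
# which is only reached through pkg-b's own entry file, and nothing imports that.
FILES = {
    "app/index.js": 'const a = require("pkg-a");\n',
    "node_modules/pkg-a/index.js": 'const safe = require("pkg-b/lib/safe");\nmodule.exports = safe;\n',
    "node_modules/pkg-b/index.js": 'module.exports = require("./lib/unsafe");\n',
    "node_modules/pkg-b/lib/safe.js": "module.exports = () => 'ok';\n",
    "node_modules/pkg-b/lib/unsafe.js": "module.exports = (s) => eval(s);\n",
}

# Static require("...") and import ... from "..." specifiers. Dynamic requires
# built from variables are invisible to this kind of scan (a known blind spot).
IMPORT_RE = re.compile(r"""(?:require\(|from\s+)\s*['"]([^'"]+)['"]""")

def resolve(spec, importer):
    """Map an import specifier to a path in FILES (simplified resolver)."""
    if spec.startswith("."):                       # relative to the importing file
        parts = importer.rsplit("/", 1)[0].split("/")
        for seg in spec.split("/"):
            if seg == "..":
                parts.pop()
            elif seg != ".":
                parts.append(seg)
        cand = "/".join(parts)
    else:                                          # bare specifier -> node_modules
        cand = "node_modules/" + spec
    for path in (cand, cand + ".js", cand + "/index.js"):
        if path in FILES:
            return path
    return None                                    # unresolved: not in the sample

def reachable_files(entry):
    """Return every file transitively imported from entry (BFS over import edges)."""
    seen, queue = {entry}, deque([entry])
    while queue:
        cur = queue.popleft()
        for spec in IMPORT_RE.findall(FILES[cur]):
            target = resolve(spec, cur)
            if target and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen

def is_reachable(entry, vulnerable_file):
    """True if the file containing the vulnerable code is imported from entry."""
    return vulnerable_file in reachable_files(entry)
```

A package-level SCA would flag pkg-b here because it is installed; the file-level walk shows the vulnerable module is never imported from the app, while the same walk started at pkg-b's own entry does reach it.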
Ecosystem support
See Ecosystem Support for a detailed list of which ecosystems are supported and at which maturity level.