New Feature: Enhance Software Composition Analysis (SCA) with Reachability | Arnica

What Arnica built
Arnica’s Reachability feature provides a new layer of context and intelligence to your Software Composition Analysis (SCA) approach by identifying whether an exploitable function is actually called within your application. We do this by conducting deep analysis of function-level vulnerabilities, ensuring that reachability is highlighted within the git context of every finding. Arnica is able to conduct this analysis across both direct and transitive dependencies, as well as correlate potential reachability between git branches.
How is Arnica’s Reachability different?
Pipelineless Reachability Analysis
Arnica’s pipelineless approach is optimized to provide reachability information, in real time, to the developer on every code push, while they’re still working on that code. This ensures developers are able to address critical vulnerabilities as they are developing their code. It also runs counter to the norm of requiring a full git clone to scan for reachability, which results in slower feedback.
Cross-Branch Correlation
Function-level reachability can happen at different times, be introduced by different developers (e.g. one developer introduces the use of the vulnerable function, another pushes a package update), and can happen across all git branches. Arnica builds context across branches and enriches each finding with a confidence level based on this context.
For example, a package with version X.1 may be calling a function that is only exploitable in version X.2. When a developer pushes a package update to version X.2 in a feature branch, that developer will then get notified, in real time, about the future reachability of the vulnerability in the production code.
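As an added illustration (not Arnica's code), the following Python sketches function-level reachability with the cross-branch correlation described above: a breadth-first walk of a call graph that spans direct and transitive dependencies, combined with the pinned dependency version on each branch. The advisory, package names, call graph, branch snapshots and confidence labels are all constructed assumptions for this example.

```python
from collections import deque
# Constructed advisory (placeholder names): the vulnerable function lives in a
# transitive dependency and only versions >= 3.2.0 and < 3.3.0 are affected.
ADVISORY = {"package": "examplelib", "symbol": "examplelib.load_unsafe",
            "introduced": "3.2.0", "fixed": "3.3.0"}
# Constructed call graph: app -> direct dependency (configkit) -> transitive
# dependency (examplelib); edges cross package boundaries on purpose.
CALL_GRAPH = {"app.main": {"app.load_config", "app.serve"},
              "app.load_config": {"configkit.read"},
              "configkit.read": {"examplelib.load_unsafe"}}
# Constructed branch snapshots as seen on each push: main pins the safe 3.1.0,
# a feature branch bumps to 3.2.0, and a release branch never calls the loader.
BRANCHES = {
    "main": {"deps": {"examplelib": "3.1.0"}, "call_graph": CALL_GRAPH},
    "feature/bump-examplelib": {"deps": {"examplelib": "3.2.0"}, "call_graph": CALL_GRAPH},
    "release/no-loader": {"deps": {"examplelib": "3.2.0"},
                          "call_graph": {"app.main": {"app.serve"}}},
}
ENTRY_POINTS = ["app.main"]
def parse_version(v):
    return tuple(int(p) for p in v.split("."))
def is_affected(version, adv):
    return parse_version(adv["introduced"]) <= parse_version(version) < parse_version(adv["fixed"])

def reachable(call_graph, entry_points, target):
    """Breadth-first walk from the app's entry points to the vulnerable symbol."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn == target:
            return True
        for callee in call_graph.get(fn, set()) - seen:
            seen.add(callee)
            queue.append(callee)
    return False

def assess(branches, adv):
    """Status and confidence per branch. 'future_reachable' is the cross-branch case:
    the branch already calls the function and another branch carries the affected version."""
    calls = {n: reachable(b["call_graph"], ENTRY_POINTS, adv["symbol"]) for n, b in branches.items()}
    hit = {n: is_affected(b["deps"][adv["package"]], adv) for n, b in branches.items()}
    result = {}
    for n in branches:
        if calls[n] and hit[n]:
            result[n] = ("reachable", "high")
        elif calls[n] and any(hit[o] for o in branches if o != n):
            result[n] = ("future_reachable", "medium")
        else:
            result[n] = ("not_reachable", "high")
    return result
```

Running `assess(BRANCHES, ADVISORY)` flags the feature branch as reachable and main as future-reachable, while the release branch stays clean even though it pins an affected version.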

What are the primary use cases for reachability?
Arnica’s implementation of Reachability within Software Composition Analysis (SCA) supports a number of core use cases for Arnica customers.
- Reduce Unhelpful Security Noise: If your reachability solution only filters out false positives, the reachability to-do list can remain overwhelming. Arnica enriches all findings with context, such as reachability, exploitability (EPSS), package depth, and more. This helps our customers prioritize only the most crucial findings with developers.
- Predictive Vulnerability Management: Arnica determines whether previously non-reachable vulnerabilities are now exploitable. This check happens in real time when a developer pushes new code.
As is the case with everything we build, Arnica’s enhanced Reachability detection drives security outcomes while unburdening developers from wasted effort.
Book some time with the Arnica team to see for yourself and join our beta!