Reachability Analysis
Reachability analysis determines whether the vulnerable code inside a dependency is actually invoked by your application, separating exploitable findings from theoretical ones.
Reachability analysis asks a sharper question than "do you depend on a vulnerable package?" — it asks whether your application can actually execute the vulnerable code inside that package.
How It Works
The analysis builds a call graph from your code through its dependencies and checks whether any path reaches the vulnerable function or module. A vulnerability in a function your code never calls is far less urgent than one on a hot path. Results typically mark findings as reachable, unreachable, or unknown.
Why It Matters
Dependency scanners flag every vulnerable package version, but only a fraction of those findings are exploitable in a given application. Reachability pares the list down so teams patch what matters first. Its limits matter too: call-graph analysis is language- and ecosystem-specific, dynamic invocation can evade it, and "unknown" is not "safe." Careful scoring therefore uses reachability only to de-prioritize with a floor — it lowers noise but never raises a score above its evidence, and never pulls an actively exploited finding below its critical floor.
Related Terms
Reachability refines CVE triage alongside SSVC-style context, and acts as a de-emphasis modifier in scores like RiskScore.