RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/ below:

Static reachability analysis | GitLab Docs

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Status: Beta

History

Introduced as an experiment in GitLab 17.5.
Changed from experiment to beta in GitLab 17.11.
Introduced support for JavaScript and TypeScript in GitLab 18.2 and Dependency Scanning Analyzer v0.32.0.

Static reachability analysis (SRA) helps you prioritize remediation of vulnerabilities in dependencies. SRA identifies which dependencies your application actually uses. While dependency scanning finds all vulnerable dependencies, SRA focuses on those that are reachable and pose higher security risks, helping you prioritize remediation based on actual threat exposure.

Getting started

If you are new to static reachability analysis, the following steps show how to enable it for your project.

Prerequisites:

Ensure the project uses supported languages and package managers.
Dependency Scanning analyzer version 0.32.0 and later.
Enable Dependency Scanning by using SBOM. Gemnasium analyzers are not supported.
Language-specific prerequisites:
- For Python, follow the pip or pipenv related instructions for dependency scanning using SBOM. You can also use any other Python package manager that is supported by the DS analyzer.
- For JavaScript and TypeScript, ensure your repository has lock files supported by the DS analyzer.

Exclusions:

SRA cannot be used together with either a scan execution policy or pipeline execution policy.

To enable SRA:

On the left sidebar, select Search or go to and find your project.

Edit the .gitlab-ci.yml file, and add one of the following.

If you’re using the CI/CD template, add the following (ensure there is only one variables: line):

variables:
  DS_STATIC_REACHABILITY_ENABLED: true

If you’re using the Dependency Scanning component, add the following (ensuring there is only one include: line.):

include:
  - component: ${CI_SERVER_FQDN}/components/dependency-scanning/main@0
    inputs:
      enable_static_reachability: true
    rules:
      - if: $CI_SERVER_HOST == "gitlab.com"

At this point, SRA is enabled in your pipeline. When dependency scanning runs and outputs an SBOM, the results are supplemented by static reachability analysis.

Understanding the results

To identify vulnerable dependencies that are reachable, either:

In the vulnerability report, hover over the Severity value of a vulnerability.
In a vulnerability’s details page, check the Reachable value.
Use a GraphQL query to list those vulnerabilities that are reachable.

A dependency can have one of the following reachability values:

Yes: The package linked to this vulnerability is confirmed reachable in code.
Not Found: SRA ran successfully but did not detect usage of the vulnerable package. If a vulnerable dependency’s reachability value is shown as Not Found, exercise caution rather than completely dismissing it, as SRA cannot always definitively determine package usage.
Not Available: SRA was not executed, so no reachability data exists.

When a direct dependency is marked as in use, all its transitive dependencies are also marked as in use.

Supported languages and package managers

Static reachability analysis is available only for Python, JavaScript, and TypeScript projects. Frontend frameworks are not supported.

SRA supplements the SBOMs generated by the new dependency scanner analyzer and so supports the same package managers. If a package manager without dependency graph support is used, all indirect dependencies are marked as not found.

Language Supported package managers Supported file suffix Python¹ pip, pipenv², poetry, uv .py JavaScript/TypeScript npm, pnpm, yarn .js, .ts

Footnotes:

When using Dependency Scanning with pipdeptree, optional dependencies are marked as direct dependencies instead of as transitive dependencies. Static reachability analysis might not identify those packages as in use. For example, requiring passlib[bcrypt] may result in passlib being marked as in_use and bcrypt is marked as not_found. For more details, see pip.
For Python pipenv, static reachability analysis doesn’t support Pipfile.lock files. Support is available only for pipenv.graph.json because it supports a dependency graph.

Running SRA in an offline environment

To use the dependency scanning component in an offline environment, you must first mirror the component project.

How static reachability analysis works

Dependency scanning generates an SBOM report that identifies all components and their transitive dependencies. Static reachability analysis checks each dependency in the SBOM report and adds a reachability value to the SBOM report. The enriched SBOM is then ingested by the GitLab instance.

The following are marked as not found:

Dependencies that are found in the project’s lock files but are not imported in the code.
Tools that are included in the project’s lock files for local usage but are not imported in the code. For example, tools such as coverage testing or linting packages are marked as not found even if used locally.

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4