Description
Overview:
Phylum has developed a reachability tool that performs call graph analysis to determine whether a particular vulnerability is reachable from the analyzed code. The tool currently supports the JavaScript programming language and is functionally database-agnostic: any vendor can supply its preferred catalogue of findings and use the results to prune or annotate false positives. This is currently the cutting edge of the Software Composition Analysis (SCA) space and, as such, is quickly becoming a necessary feature in order to compete effectively.
Requirements for Implementation:
In order to integrate and utilize this tool, the following steps must be completed:
- Integration with an SCA capability: Phylum's vuln-reach tool needs to be integrated with an existing SCA product, and will need to receive the following inputs:
  - Vulnerability information
  - Target files and packages to analyze
  - Vulnerability location data
- Vulnerability location data: location data must be provided that matches the vulnerability database being used, so that the reachability tool can connect a finding to the code it analyzes in a candidate codebase. The location data must be specific to the vulnerability dataset used; Phylum has some tools that can assist in automating this process.
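As an added illustration of how the inputs above fit together (this is example code, not Phylum's vuln-reach implementation), the block below runs a reachability check over a hand-constructed call graph: findings carry per-database location data (package plus symbol), and each one is classified as reachable with its call path, unreachable (a candidate false positive to prune), or unmatched when the location data does not correspond to anything in the graph. The graph, package names and finding ids are all constructed for the example.

```javascript
// Added example, not code from Phylum's vuln-reach: minimal reachability triage
// over a hand-constructed call graph ("package:function" -> callees).
const CALL_GRAPH = {
  "app:main": ["app:parseConfig", "app:render"],
  "app:parseConfig": ["yaml-lib:load"],
  "app:render": ["template-lib:render"],
  "template-lib:render": [],
  "yaml-lib:load": ["yaml-lib:parseDocument"],
  "yaml-lib:parseDocument": ["yaml-lib:resolveAlias"],
  "yaml-lib:resolveAlias": [],
  "yaml-lib:mergeDeep": [], // exported by the package, never called by the app
};
// Constructed findings; "location" is the per-database location data.
const FINDINGS = [
  { id: "FINDING-A (constructed)", package: "yaml-lib", location: { symbol: "mergeDeep" } },
  { id: "FINDING-B (constructed)", package: "yaml-lib", location: { symbol: "resolveAlias" } },
];
// BFS from an entry point; returns the call path to target, or null if none.
function findPath(graph, entry, target) {
  const parent = new Map([[entry, null]]);
  const queue = [entry];
  while (queue.length > 0) {
    const node = queue.shift();
    if (node === target) {
      const path = [];
      for (let n = node; n !== null; n = parent.get(n)) path.unshift(n);
      return path;
    }
    for (const callee of graph[node] || []) {
      if (!parent.has(callee)) { parent.set(callee, node); queue.push(callee); }
    }
  }
  return null;
}
// Classify each finding: reachable (with path), unreachable (prunable as a false
// positive), or unknown-location (location data did not match the graph: keep it).
function triage(graph, entries, findings) {
  return findings.map((f) => {
    const target = `${f.package}:${f.location.symbol}`;
    if (!Object.prototype.hasOwnProperty.call(graph, target)) {
      return { id: f.id, status: "unknown-location" };
    }
    for (const entry of entries) {
      const path = findPath(graph, entry, target);
      if (path) return { id: f.id, status: "reachable", path };
    }
    return { id: f.id, status: "unreachable" };
  });
}
console.log(JSON.stringify(triage(CALL_GRAPH, ["app:main"], FINDINGS), null, 2));
```

A real integration would derive the graph from the target files and packages rather than writing it by hand; the unknown-location case is what a mismatch between the location data and the vulnerability database looks like to the tool.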
How it Integrates:
The Phylum vuln reachability solution can be integrated in a variety of ways:
- Standalone CLI: a CLI utility that showcases the capability currently exists, and could operate as part of a suite of other tools.
- Library: the tool can also be packaged as a shared library to simplify integration with any product from a client perspective.