Modern software composition analysis needs reachability analysis
The Endor Labs report emphasizes the role of modern software composition analysis (SCA) in dependency management. While SCA tools are far from new, they have traditionally focused on Common Vulnerability Scoring System (CVSS) severity scores, which makes sense given that most organizations also prioritize remediation by CVSS severity, specifically High and Critical scores.
The problem, as we know from sources such as the Exploit Prediction Scoring System (EPSS), is that less than 5% of CVEs are ever exploited in the wild. Organizations that prioritize by CVSS severity alone are therefore spending scarce resources almost at random on vulnerabilities that never get exploited and so pose little actual risk.
While scanning tools, including SCA, have increasingly begun integrating additional vulnerability intelligence such as CISA KEV and EPSS, some have yet to do so, and most have not combined it with deep function-level reachability analysis, which would show not only which components are known to be exploited or likely to be exploited, but also which are actually reachable from the application's own code.
“For a vulnerability in an open-source library to be exploitable, there must at minimum be a call path from the application you write to the vulnerable function in that library,” Endor said in the report. “By examining a sample of our customer data where reachability analysis is being performed, we found this to be true in fewer than 9.5% of all vulnerabilities in the seven languages we support this level of analysis for at the time of publication (Java, Python, Rust, Go, C#, .NET, Kotlin, and Scala).”
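The call-path requirement in the quoted passage, together with the layered prioritization the section argues for (KEV, EPSS and CVSS on top of reachability), as an added Python example. This is not code from the Endor Labs report or from any SCA product: the call graph, package and function names, vulnerability identifiers, scores and the KEV flag are all constructed placeholders, and a real tool would derive the call graph from the application's build rather than from a hand-written dictionary.

```python
"""Prioritize dependency findings by function-level reachability first,
then KEV membership, EPSS probability and CVSS score.

Everything below is constructed for illustration: the package names,
function names, vulnerability ids, scores and KEV flag are placeholders,
not real advisories."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Vulnerability:
    vuln_id: str               # placeholder id, not a real CVE
    package: str
    vulnerable_function: str   # fully qualified name inside the dependency
    cvss: float                # base severity, 0.0 - 10.0
    epss: float                # probability of exploitation in the next 30 days
    in_kev: bool = False       # listed in CISA Known Exploited Vulnerabilities


# Constructed call graph: caller -> set of callees. "app.*" nodes are the
# application's own code; everything else belongs to third-party libraries.
CALL_GRAPH = {
    "app.main": {"app.handle_request", "app.render"},
    "app.handle_request": {"libparse.parse_header", "libjson.loads"},
    "app.render": {"libtmpl.render"},
    "libparse.parse_header": {"libparse.decode_chunk"},
    "libjson.loads": {"libjson.scan_number"},
    "libtmpl.render": set(),
    # libimg is a declared dependency, but nothing in the app calls into it.
    "libimg.load": {"libimg.decode_tiff"},
}

ENTRY_POINTS = {"app.main"}

# Constructed findings: one per vulnerable library function.
FINDINGS = [
    Vulnerability("VULN-0001", "libimg", "libimg.decode_tiff", 9.8, 0.02),
    Vulnerability("VULN-0002", "libparse", "libparse.decode_chunk", 7.5, 0.40, True),
    Vulnerability("VULN-0003", "libjson", "libjson.scan_number", 5.3, 0.15),
    Vulnerability("VULN-0004", "libtmpl", "libtmpl.render", 8.1, 0.01),
]


def reachable_functions(graph, entry_points):
    """Breadth-first walk from the application's entry points; returns every
    function that has at least one call path from application code."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def call_path(graph, entry_points, target):
    """Return one call path from an entry point to target, or None if the
    target is unreachable. Useful as evidence attached to a finding."""
    parents = {entry: None for entry in entry_points}
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn == target:
            path = []
            while fn is not None:
                path.append(fn)
                fn = parents[fn]
            return list(reversed(path))
        for callee in graph.get(fn, ()):
            if callee not in parents:
                parents[callee] = fn
                queue.append(callee)
    return None


def prioritize(vulns, graph, entry_points):
    """Rank findings so that unreachable ones sink to the bottom regardless
    of CVSS; among reachable ones, KEV membership wins, then EPSS, then CVSS.
    Returns a list of (vulnerability, is_reachable) tuples, most urgent first."""
    reachable = reachable_functions(graph, entry_points)
    ranked = []
    for v in vulns:
        is_reachable = v.vulnerable_function in reachable
        # Tuples compare left to right, so this key encodes the layering.
        ranked.append(((is_reachable, v.in_kev, v.epss, v.cvss), v, is_reachable))
    ranked.sort(key=lambda row: row[0], reverse=True)
    return [(v, is_reachable) for _, v, is_reachable in ranked]


def reachable_fraction(vulns, graph, entry_points):
    """Share of findings whose vulnerable function is actually reachable."""
    reachable = reachable_functions(graph, entry_points)
    hits = sum(1 for v in vulns if v.vulnerable_function in reachable)
    return hits / len(vulns) if vulns else 0.0


if __name__ == "__main__":
    for v, is_reachable in prioritize(FINDINGS, CALL_GRAPH, ENTRY_POINTS):
        path = call_path(CALL_GRAPH, ENTRY_POINTS, v.vulnerable_function)
        print(f"{v.vuln_id} {v.package:9} cvss={v.cvss:<4} epss={v.epss:<5}"
              f" kev={v.in_kev!s:5} reachable={is_reachable!s:5} path={path}")
```

Note how the CVSS 9.8 finding in libimg ranks last: the library is installed but nothing in the application reaches its vulnerable function, which is exactly the case the quoted passage says accounts for the large majority of findings. The sort key is deliberately a tuple rather than a weighted sum so that each layer of evidence strictly dominates the ones below it and the ordering is easy to explain to the team doing the remediation.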