--reachability: a heuristic source-presence check — NOT static call-graph
reachability analysis.

Two complementary signals, both build-free greps of the repo’s own source:

- Cargo (symbol-presence): for findings whose advisory names functions, grep the
  affected repos’ `.rs` source for those names (“do I call any affected function
  in my code?”). Sets `Some(true)` / `Some(false)`.
- Tier-C feeders (import-presence): grep the repo’s source for use of a direct
  dependency. For npm / Julia / RubyGems the lockfile coordinate is the import
  name (exact); for PyPI / NuGet / Maven / Packagist / Swift / Hex the coordinate
  differs from the import name, so the predicate derives import-name candidates
  from the coordinate (a per-ecosystem heuristic — e.g. Hex `foo_bar` → `FooBar`
  module). For GitHub Actions a `uses:` reference is an active CI step, a
  sound-positive signal. Either way this only ever raises a finding to
  `Some(true)` on a positive match; it never emits `Some(false)`, because a grep
  can miss an import (dynamic `require`, re-export, an irregular dist→module
  name) and a false `Some(false)` would let `--reachable-only` drop a real
  vulnerability. So the worst a Tier-C miss can do is leave `reachable = None`
  (unknown) — never a false-clean; and a heuristic over-match only over-reports
  reachability (safe).

Verdict meaning:

- `Some(true)` — a name/import appears in your source (possibly reachable).
- `Some(false)` — Cargo only: no affected name appears in your source (could
  still be reached via a dependency — this only scans your code).
- `None` — not checked, advisory names no functions, or a Tier-C dep not found
  imported (unknown, never auto-suppressed).

A false never proves the vuln is unreachable, so it never auto-suppresses by
default — `--reachable-only` is a separate, explicit opt-in.
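The asymmetry described above (Cargo may answer `Some(false)`; Tier-C feeders answer only `Some(true)` or `None`) is easiest to see in code. The following is an added example, not the project's own code: a minimal model of the heuristic with assumed names (`Ecosystem`, `Finding`, `assess`, `import_candidates`, `hex_module_name`, `reachable_only`), covering only the Cargo, npm, Hex and GitHub Actions cases named on the page. The `reachable_only` filter encodes the assumed semantics that only `Some(false)` is dropped and `None` is never auto-suppressed; all sample sources are constructed.

```rust
// Added example, not the project's code. Names and per-ecosystem rules are
// assumed for illustration; only the cases the page names are modelled.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Ecosystem {
    Cargo,
    Npm,
    Hex,
    GitHubActions,
}

pub struct Finding<'a> {
    pub ecosystem: Ecosystem,
    /// Lockfile coordinate, e.g. "foo_bar" (Hex) or "actions/checkout" (Actions).
    pub coordinate: &'a str,
    /// Functions named by the advisory; only meaningful for Cargo findings.
    pub affected_functions: &'a [&'a str],
}

/// Hex `foo_bar` -> `FooBar`: the per-ecosystem import-name derivation.
pub fn hex_module_name(coordinate: &str) -> String {
    coordinate
        .split('_')
        .map(|part| {
            let mut chars = part.chars();
            match chars.next() {
                Some(first) => first.to_uppercase().chain(chars).collect::<String>(),
                None => String::new(),
            }
        })
        .collect()
}

/// Import-name candidates for a Tier-C coordinate: npm is exact, Hex is derived.
pub fn import_candidates(eco: Ecosystem, coordinate: &str) -> Vec<String> {
    match eco {
        Ecosystem::Npm => vec![coordinate.to_string()],
        Ecosystem::Hex => vec![hex_module_name(coordinate)],
        Ecosystem::Cargo | Ecosystem::GitHubActions => Vec::new(),
    }
}

/// Source-presence verdict. Only the Cargo symbol check may return Some(false);
/// every Tier-C path returns Some(true) on a hit and None (unknown) otherwise.
pub fn assess(finding: &Finding, source: &str) -> Option<bool> {
    match finding.ecosystem {
        Ecosystem::Cargo => {
            if finding.affected_functions.is_empty() {
                return None; // advisory names no functions: not checked
            }
            Some(finding.affected_functions.iter().any(|f| source.contains(f)))
        }
        Ecosystem::GitHubActions => {
            // A `uses: owner/repo@ref` step naming the coordinate is an active CI step.
            let hit = source.lines().any(|line| {
                let step = line.trim().trim_start_matches('-').trim();
                step.strip_prefix("uses:")
                    .map(|rest| rest.trim().starts_with(finding.coordinate))
                    .unwrap_or(false)
            });
            if hit { Some(true) } else { None }
        }
        Ecosystem::Npm | Ecosystem::Hex => {
            let hit = import_candidates(finding.ecosystem, finding.coordinate)
                .iter()
                .any(|name| source.contains(name.as_str()));
            // A grep miss is "unknown", never "clean": a dynamic require or
            // re-export could hide the import, so Some(false) is never emitted.
            if hit { Some(true) } else { None }
        }
    }
}

/// Assumed `--reachable-only` semantics: drop only findings whose verdict is
/// Some(false); None (unknown) is never auto-suppressed.
pub fn reachable_only(verdicts: Vec<(String, Option<bool>)>) -> Vec<String> {
    verdicts
        .into_iter()
        .filter(|(_, v)| *v != Some(false))
        .map(|(id, _)| id)
        .collect()
}

fn main() {
    // Constructed sample sources (not real projects).
    let rust_src = "fn main() { let _ = decode_header(b\"x\"); }\n";
    let elixir_src = "defmodule App do\n  def run, do: FooBar.go()\nend\n";
    let workflow = "steps:\n  - uses: actions/checkout@v4\n  - run: make\n";

    let cargo = Finding { ecosystem: Ecosystem::Cargo, coordinate: "somecrate", affected_functions: &["decode_header"] };
    let hex = Finding { ecosystem: Ecosystem::Hex, coordinate: "foo_bar", affected_functions: &[] };
    let gha = Finding { ecosystem: Ecosystem::GitHubActions, coordinate: "actions/checkout", affected_functions: &[] };

    println!("cargo: {:?}", assess(&cargo, rust_src));
    println!("hex:   {:?}", assess(&hex, elixir_src));
    println!("gha:   {:?}", assess(&gha, workflow));
}
```

Note that `assess` for a Hex or npm finding has no `Some(false)` arm at all, so a future change that tries to add one would have to touch the type-level contract explicitly; that is the property the page relies on when it says a Tier-C miss can at worst leave `reachable = None`.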
Functions

- assess — Annotate each vulnerability’s `reachable` from the source-presence
  heuristic.