A large part of determining which security flaws present the most risk is understanding how they affect your operations. Regardless of severity or remediation requirements, vulnerability impact varies across different applications. When determining how a vulnerability affects your applications, one important consideration should be whether the vulnerable code is being executed.
One of the characteristics of open source is that nothing is customized for your specific use. This makes the components more modular and reusable, but it also means that unused code is included in your applications. After all, just because you pull in an entire Java library doesn’t mean you’re going to utilize every method in it.
Understanding whether a vulnerability is in your call path is another important factor in prioritizing remediation efforts, and Black Duck now provides that information. When customers scan projects with Black Duck, in addition to detailed Black Duck Security Advisories (BDSAs), they also receive a vulnerability impact analysis.
Focusing first on the Java components used most commonly by our customers, the Synopsys Cybersecurity Research Center (CyRC) indicates whether the vulnerable code is actually executed by an application. If the flaw lies in the execution path, it is tagged as “reachable” and a call graph is created that reveals both the method in which the vulnerability exists and the method that calls it, down to the line number. With this information in hand, you can see where and how the vulnerable code is being executed by the application, which makes prioritization straightforward and points you directly to the code that needs to be addressed.
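The reachability check described above, as an added example that is not Black Duck's or CyRC's own code: a breadth-first search over a small, constructed call graph (hypothetical class and method names, call-site line numbers included) that tags a vulnerable method as reachable or not from the application's entry points and, when reachable, returns the caller chain down to the line of each call.

```python
from collections import deque

# Constructed toy call graph: caller -> [(callee, line number of the call site)].
# Names are hypothetical; "org.thirdparty.lib" stands for an open source library.
CALL_GRAPH = {
    "app.Main.main": [("app.OrderService.process", 42)],
    "app.OrderService.process": [("org.thirdparty.lib.Parser.parse", 17),
                                 ("org.thirdparty.lib.Util.escape", 21)],
    "org.thirdparty.lib.Parser.parse": [("org.thirdparty.lib.Parser.expand", 88)],
    "org.thirdparty.lib.Parser.expand": [],
    "org.thirdparty.lib.Util.escape": [],
    # Pulled into the build but never called from application code.
    "org.thirdparty.lib.Serializer.dump": [("org.thirdparty.lib.Serializer.writeObject", 5)],
    "org.thirdparty.lib.Serializer.writeObject": [],
}
ENTRY_POINTS = ["app.Main.main"]


def find_call_path(graph, entry_points, vulnerable_method):
    """BFS from the entry points; return [(caller, line, callee), ...] leading to
    the vulnerable method, or None if no entry point ever reaches it."""
    parent = {ep: None for ep in entry_points}  # callee -> (caller, line)
    queue = deque(entry_points)
    while queue:
        method = queue.popleft()
        if method == vulnerable_method:
            path = []
            while parent[method] is not None:
                caller, line = parent[method]
                path.append((caller, line, method))
                method = caller
            return list(reversed(path))
        for callee, line in graph.get(method, []):
            if callee not in parent:  # first visit wins: shortest chain
                parent[callee] = (method, line)
                queue.append(callee)
    return None


def triage(graph, entry_points, vulnerable_methods):
    """Tag each vulnerable method 'reachable' or 'not reachable' for prioritization."""
    report = {}
    for method in vulnerable_methods:
        path = find_call_path(graph, entry_points, method)
        report[method] = ("reachable", path) if path is not None else ("not reachable", None)
    return report


if __name__ == "__main__":
    for method, (tag, path) in triage(CALL_GRAPH, ENTRY_POINTS,
            ["org.thirdparty.lib.Parser.expand", "org.thirdparty.lib.Serializer.writeObject"]).items():
        print(method, tag, path)
```

Both methods would carry the same advisory severity; only the first is worth fixing first, and the returned chain names the application method and line to inspect.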