Removing the Dependency: Why Cybersecurity Needs a Better Model for Dealing with OSS Vulnerabilities

Modern software composition analysis needs reachability analysis

The Endor Labs report highlights the role of modern software composition analysis (SCA) in dependency management. While SCA tools are far from new, they have traditionally focused on Common Vulnerability Scoring System (CVSS) severity scores, which makes sense, as most organizations also prioritize remediation by CVSS score, focusing on high and critical findings.

The problem, as we know from sources such as the Exploit Prediction Scoring System (EPSS), is that less than 5% of CVEs are ever exploited in the wild. Organizations that prioritize on CVSS severity alone are therefore spending scarce remediation effort more or less arbitrarily, on vulnerabilities that are never exploited and so pose little actual risk.

While scanning tools, including SCA, have begun to integrate additional vulnerability intelligence such as CISA KEV and EPSS, some have yet to do so, and most have not yet combined it with deep, function-level reachability analysis, which would show not only which components are known to be exploited or likely to be exploited, but also which vulnerable code is actually reachable from the application.

“To exploit a vulnerability in an open source library, there must be at least a call path from the application you are writing to the vulnerable function in that library,” Endor said in the report. “By examining a sample of our customer data on which reachability analysis is performed, we found that this is true for less than 9.5% of all vulnerabilities in the seven languages for which we support this level of analysis at the time of publication (Java, Python, Rust, Go, C#, .NET, Kotlin and Scala).
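The two ideas above, a call path from the application to the vulnerable function as the precondition for exploitability, and KEV/EPSS as a better prioritization signal than CVSS alone, can be combined in a small triage routine. The following is an added example written for this page; it is not code from the Endor Labs report or from any SCA product. The call graph, package and function names, the `CVE-PLACEHOLDER-*` identifiers, the scores and the `EPSS_THRESHOLD` cutoff are all constructed assumptions; a real tool would derive the call graph from the application's build and pull EPSS and KEV data from their published feeds.

```python
"""Reachability-aware prioritization of SCA findings (added example).

Every package name, function name, identifier and score below is a
constructed placeholder, not data from the report or a real advisory.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                  # placeholder identifier, not a real CVE
    package: str
    vulnerable_function: str  # fully qualified name of the vulnerable function
    cvss: float               # CVSS base score, 0-10
    epss: float               # EPSS probability of exploitation, 0-1
    in_kev: bool              # listed in CISA KEV


# Constructed call graph: caller -> callees. "app.*" is the application,
# "liba/libb/libc.*" are open source dependencies it pulls in.
CALL_GRAPH = {
    "app.main": {"app.handle_request", "libc.log"},
    "app.handle_request": {"liba.parse", "libb.render"},
    "liba.parse": {"liba.parse_header"},
    "libb.render": {"libb.escape"},
    "libc.log": set(),
    "libc.format_debug": {"libc.eval_template"},  # shipped, but never called by app
}
ENTRY_POINTS = ["app.main"]

# Constructed SCA findings against the dependencies above.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-0001", "liba", "liba.parse_header", 9.8, 0.03, False),
    Finding("CVE-PLACEHOLDER-0002", "libc", "libc.eval_template", 9.9, 0.70, True),
    Finding("CVE-PLACEHOLDER-0003", "libb", "libb.escape", 6.1, 0.35, False),
    Finding("CVE-PLACEHOLDER-0004", "libb", "libb.unused_helper", 7.5, 0.01, False),
    Finding("CVE-PLACEHOLDER-0005", "liba", "liba.parse", 5.3, 0.90, True),
]

EPSS_THRESHOLD = 0.1  # assumed cutoff for "likely to be exploited"


def reachable_functions(graph, entry_points):
    """Breadth-first walk of the call graph from the application's entry points."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(graph.get(fn, ()))
    return seen


def tier(finding, reachable):
    """Lower tier = fix first. Reachability gates everything; KEV and EPSS rank within."""
    if reachable and finding.in_kev:
        return 0  # reachable and known exploited: fix now
    if reachable and finding.epss >= EPSS_THRESHOLD:
        return 1  # reachable and likely to be exploited
    if reachable:
        return 2  # reachable, low exploitation probability
    if finding.in_kev:
        return 3  # not reachable today, but watch: a code change could expose it
    return 4  # not reachable, low probability: routine upgrade


def prioritize(findings, graph, entry_points):
    """Return (finding, tier, reachable) rows ordered by tier, then EPSS, then CVSS."""
    reach = reachable_functions(graph, entry_points)
    rows = [(f, tier(f, f.vulnerable_function in reach), f.vulnerable_function in reach)
            for f in findings]
    rows.sort(key=lambda row: (row[1], -row[0].epss, -row[0].cvss))
    return rows


def cvss_only_order(findings):
    """The traditional ordering, for comparison: highest CVSS first."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


def reachable_share(findings, graph, entry_points):
    """Fraction of findings whose vulnerable function is on a call path from the app."""
    reach = reachable_functions(graph, entry_points)
    return sum(f.vulnerable_function in reach for f in findings) / len(findings)


if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(FINDINGS))
    print("Reachable share:", reachable_share(FINDINGS, CALL_GRAPH, ENTRY_POINTS))
    for f, t, r in prioritize(FINDINGS, CALL_GRAPH, ENTRY_POINTS):
        print(f"tier {t} reachable={r!s:5} {f.cve} cvss={f.cvss} epss={f.epss} kev={f.in_kev}")
```

On this constructed input the CVSS-only queue starts with the two 9.x findings, one of which (`libc.eval_template`) is never called by the application, while the reachability-aware queue starts with the 5.3-scored finding that is both reachable and in KEV. The tier 3 bucket is the caveat worth keeping: "unreachable" is a property of today's call graph, so KEV entries that are currently unreachable should still be tracked rather than closed.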