Skip to content

Vulnerability reachability (CVE / f-SBOM)

Full workflow

Complete guide (limitations, CI, published lens): cve-reachability

Why use CCE

A vulnerable package in go.mod or requirements.txt does not mean exploitable code paths exist. Security teams waste cycles on transitive deps that are never called.

CCE answers: is this advisory's function actually invoked? Each match is a reachable call site with file and line for triage.

Example command

cce -folder . -mapper-file https://releases.stackgen.com/cce/lenses/cve-reachability/latest/cve-reachability_lenses.yaml -filter all -format json

Analysis recipe

This use case is registered as recipe cve-reachability — run with:

cce run -folder . -language AUTO -recipes cve-reachability -output cve-reachability.json

Published lens

https://releases.stackgen.com/cce/lenses/cve-reachability/latest/cve-reachability_lenses.yaml