Vulnerability reachability (CVE / f-SBOM)
Full workflow
Complete guide (limitations, CI, published lens): cve-reachability
Why use CCE
A vulnerable package in go.mod or requirements.txt does not mean exploitable code paths exist. Security teams waste cycles on transitive deps that are never called.
CCE answers: is this advisory's function actually invoked? Each match is a reachable call site with file and line for triage.
Example command
cce -folder . -mapper-file https://releases.stackgen.com/cce/lenses/cve-reachability/latest/cve-reachability_lenses.yaml -filter all -format json
Analysis recipe
This use case is registered as recipe cve-reachability — run with:
cce run -folder . -language AUTO -recipes cve-reachability -output cve-reachability.json
Published lens
https://releases.stackgen.com/cce/lenses/cve-reachability/latest/cve-reachability_lenses.yaml