Skip to content

Vulnerability reachability (VRA / f-SBOM)

Full workflow

Complete guide (limitations, CI, published lens): vulnerability-reachability

Why use CCE

SCA tools report that a vulnerable package exists in your dependency tree, but not whether production code actually calls the vulnerable function. Teams waste cycles patching unreachable paths.

CCE produces a method-level reachability map — call sites tied to file, line, and signature — so security teams prioritize exploitable paths first.

Example command

cce -folder . -language AUTO -mapper-file https://releases.stackgen.com/cce/lenses/vulnerability-reachability/latest/vulnerability-reachability_lenses.yaml -filter all -format json -output vulnerability-reachability.json

Published lens

https://releases.stackgen.com/cce/lenses/vulnerability-reachability/latest/vulnerability-reachability_lenses.yaml