Vulnerability reachability (VRA / f-SBOM)
Full workflow
Complete guide (limitations, CI, published lens): vulnerability-reachability
Why use CCE
SCA tools report that a vulnerable package exists in your dependency tree, but not whether production code actually calls the vulnerable function. Teams waste cycles patching unreachable paths.
CCE produces a method-level reachability map — call sites tied to file, line, and signature — so security teams prioritize exploitable paths first.
Example command
cce -folder . -language AUTO -mapper-file https://releases.stackgen.com/cce/lenses/vulnerability-reachability/latest/vulnerability-reachability_lenses.yaml -filter all -format json -output vulnerability-reachability.json
Published lens
https://releases.stackgen.com/cce/lenses/vulnerability-reachability/latest/vulnerability-reachability_lenses.yaml