Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,7 @@ dependencies = [
"urllib3==2.7.0",
"idna==3.16",
"GitPython==3.1.50",
"unidiff==0.7.5",

@tdruez tdruez Jul 10, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this absolutely needed? No built-in solutions available?

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The unidiff library doesn't have any dependencies, and we only need a single file from it: patch.py.
I'll include it in this PR files and add .ABOUT and .LICENSE files for it.

"lxml==6.1.1",
"certifi==2026.5.20",
# Profiling
Expand Down Expand Up @@ -142,6 +143,7 @@ run = "scancodeio:combined_run"
analyze_docker_image = "scanpipe.pipelines.analyze_docker:Docker"
analyze_root_filesystem_or_vm_image = "scanpipe.pipelines.analyze_root_filesystem:RootFS"
analyze_windows_docker_image = "scanpipe.pipelines.analyze_docker_windows:DockerWindows"
analyze_symbols_reachability = "scanpipe.pipelines.collect_symbols_reachability:SymbolReachability"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

analyze_symbols_reachability / collect_symbols_reachability
We need consistency, same for step and pipe names

benchmark_purls = "scanpipe.pipelines.benchmark_purls:BenchmarkPurls"
collect_strings_gettext = "scanpipe.pipelines.collect_strings_gettext:CollectStringsGettext"
collect_symbols_ctags = "scanpipe.pipelines.collect_symbols_ctags:CollectSymbolsCtags"
Expand Down
33 changes: 33 additions & 0 deletions scanpipe/pipelines/collect_symbols_reachability.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
#
# Copyright (c) nexB Inc. and others. All rights reserved.
# VulnerableCode is a trademark of nexB Inc.
# SPDX-License-Identifier: Apache-2.0
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
# See https://github.com/aboutcode-org/vulnerablecode for support or download.
# See https://aboutcode.org for more information about nexB OSS projects.
#

from scanpipe.pipelines import Pipeline
from scanpipe.pipes import reachability


class SymbolReachability(Pipeline):
"""Patch reachability analysis for given vulnerability patches."""

download_inputs = False
is_addon = True
results_url = "/project/{slug}/resources/?extra_data=symbol_reachability"

@classmethod
def steps(cls):
return (cls.analyze_and_store_symbol_reachability,)

def analyze_and_store_symbol_reachability(self):
"""
Perform symbol-level reachability analysis for each patch. This step compares
the AST of patched/vulnerable files against the codebase resources.
Results are stored directly in the 'extra_data' of each CodebaseResource.
"""
reachability.collect_and_store_symbol_reachability_results(
project=self.project, logger=self.log
)
Loading
Loading