feat(backend): implement reachability analysis for vulnerable dependencies#28
Conversation
Hi @ionfwsrijan, kindly review it and let me know if any changes are required. I also attached the screenshot for verification; it shows reachability: true. Thanks!
@lakshay122007 The code looks clean and good to me.
Pull request overview
Implements a post-processing “reachability analysis” step for OSV dependency findings, enriching each finding with whether the vulnerable package appears to be imported/required in the scanned source tree.
Changes:
- Extends the backend finding schema with an optional `reachability` object (`reachable`, `evidence`).
- Adds a filesystem-based reachability check that scans source files for `import` / `require(...)` patterns while pruning heavy directories.
- Hooks reachability computation into the OSV scanner output so findings are returned with reachability metadata.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| backend/app/utils/fs.py | Adds check_reachability() to scan repo source files for import/require evidence while skipping heavy directories. |
| backend/app/scanners/osv.py | Enriches OSV findings with reachability results after the scanner JSON is parsed. |
| backend/app/models.py | Introduces Reachability model and adds optional reachability field to Finding. |
@lakshay122007 Kindly review Copilot's comments.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Done! @ionfwsrijan, I made the changes, and they were valid as well.
Yes. Thanks for fixing them up.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Let me fix the rest of the changes.
@lakshay122007 Can you please look into the suggestions again? They seem important to me.
Wait, I forgot ruff formatting, just a moment!
0c3e1d0 to 17264e0
Why so many suggestions 😭? I guess they are all just ruff formatting issues? I have fixed them.
Done @ionfwsrijan
Linked issue
Closes #22
What this PR does
This PR introduces a reachability analysis engine that triggers after the `osv-scanner` finishes. It actively parses the source code directory to detect if flagged vulnerable packages are actually being imported (e.g., `require('pkg')` or `import 'pkg'`), helping developers distinguish between passive, unused dependencies and actively executing vulnerabilities.
Type of change
ML tier (if applicable)
Changes
Backend
- `app/models.py`: Extended the `Finding` schema with a new `Reachability` Pydantic model (`reachable` boolean and `evidence` string).
- `app/utils/fs.py`: Added `check_reachability`, a highly optimized regex parser. It uses `os.walk` with in-place pruning of heavy directories (`node_modules`, `.git`, `venv`, etc.) to quickly find active imports in target source files without tanking performance.
- `app/scanners/osv.py`: Implemented a post-scan hook that iterates over the OSV findings, runs the reachability check for each vulnerable package, and mutates the finding object before returning it.
Testing
How did you test this?
- `lodash` (4.17.20) with known vulnerabilities.
- `index.js` file containing `const _ = require('lodash');`.
- `run_osv_scanner` directly against the dummy project and verified the final JSON payload successfully appended: `"reachability": { "reachable": true, "evidence": "Imported in index.js: line 1" }`.
- see the screenshot -
Checklist
- `console.error` or unhandled Python exceptions introduced
- `requirements.txt` / `package.json` updated if new dependencies added
- `.pkl`, `.pt`, etc.) are gitignored, not committed
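As an added illustration of the approach the PR description and the review overview both describe (a filesystem walk with in-place pruning, then a regex pass for `require(...)` / `import` evidence, attached to each finding), here is a self-contained version. It is example code written for this page, not the project's `check_reachability`; the pruned-directory set, the source-extension set, the regex, the `build_fixture` helper, the constructed `SAMPLE_PROJECT` files and the `enrich` hook are all assumptions. It also covers two edge cases a practitioner would want checked: a package name that is a prefix of another (`lodash` vs `lodash-es`) must not produce false evidence, and an import that only exists inside a pruned directory must not count.

```python
import os
import re
import tempfile
from dataclasses import asdict, dataclass
from typing import Dict, Optional

# Directories pruned in place during os.walk. Assumption for this example; the
# PR only names node_modules, .git and venv explicitly.
PRUNED_DIRS = {"node_modules", ".git", "venv", ".venv", "dist", "build", "__pycache__"}

# Extensions treated as scannable source files (assumption for this example).
SOURCE_EXTENSIONS = {".js", ".mjs", ".cjs", ".jsx", ".ts", ".tsx", ".py"}


@dataclass
class Reachability:
    """Same shape as the PR's enrichment: a flag plus a human-readable evidence string."""
    reachable: bool
    evidence: Optional[str] = None


def import_pattern(package: str) -> re.Pattern:
    """Regex for an import/require of `package` or one of its subpaths
    (lodash, lodash/fp) that rejects packages merely sharing a prefix (lodash-es)."""
    name = re.escape(package)
    # JS/TS forms: require('pkg'), import x from "pkg/sub", import 'pkg'
    js = rf"""(?:require\(\s*|from\s+|import\s+)['"]{name}(?:/[^'"]*)?['"]"""
    # Python forms: import pkg, import pkg.sub, from pkg import x, from pkg.sub import x
    py = rf"""^\s*(?:import\s+{name}(?:\.\w+)*\b|from\s+{name}(?:\.\w+)*\s+import\b)"""
    return re.compile(rf"(?:{js})|(?:{py})")


def check_reachability(root: str, package: str) -> Reachability:
    """Walk `root`, pruning heavy directories in place, and report the first
    source line that imports or requires `package`."""
    pattern = import_pattern(package)
    for dirpath, dirnames, filenames in os.walk(root):
        # Slice assignment (not rebinding the name) is what makes os.walk skip
        # the pruned directories instead of descending into them.
        dirnames[:] = sorted(d for d in dirnames if d not in PRUNED_DIRS)
        for filename in sorted(filenames):
            if os.path.splitext(filename)[1] not in SOURCE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, start=1):
                        if pattern.search(line):
                            rel = os.path.relpath(path, root).replace(os.sep, "/")
                            return Reachability(True, f"Imported in {rel}: line {lineno}")
            except OSError:
                continue  # unreadable file: no evidence from it
    return Reachability(False, None)


def build_fixture(files: Dict[str, str]) -> str:
    """Write constructed sample files (relative path -> content) under a fresh temp dir."""
    root = tempfile.mkdtemp(prefix="reach_")
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


# Constructed sample project. The lodash reference inside node_modules must be
# ignored (pruned), and the lodash-es import must not count as evidence for lodash.
SAMPLE_PROJECT = {
    "index.js": "const _ = require('lodash');\n",
    "lib/util.js": "import es from 'lodash-es';\n",
    "node_modules/lodash/index.js": "module.exports = require('lodash/fp');\n",
    "app.py": "import requests\nfrom flask import Flask\n",
}


def enrich(findings, root):
    """Post-scan hook in the spirit of the PR: attach reachability to each finding dict."""
    for finding in findings:
        finding["reachability"] = asdict(check_reachability(root, finding["package"]))
    return findings


if __name__ == "__main__":
    project = build_fixture(SAMPLE_PROJECT)
    for pkg in ("lodash", "lodash-es", "requests", "left-pad"):
        print(pkg, check_reachability(project, pkg))
```

Two design notes. The package-name anchoring in `import_pattern` matters because an OSV finding for `lodash` should not be marked reachable on the strength of a `lodash-es` import, and vice versa. And this is lexical evidence only: a present import is a reasonable signal that the vulnerable code can execute, but dynamically built specifiers, re-exports through internal modules, and imports that are never called are all outside what a regex pass can see, so the `evidence` string is best read as "why we flagged it" rather than proof of an executable path.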