# Reachable CVE Gate

**Gate ID:** `reachable-cve`

Blocks only CVEs with confirmed reachable code paths from application entry points. This gate leverages Stella's reachability analysis to distinguish exploitable vulnerabilities from those in unreachable code.

## How It Works

1. Evaluates CVE findings against reachability analysis results
2. Filters to only reachable CVEs (a code path exists from an entry point to the vulnerable function)
3. Applies the severity threshold to the reachable CVEs
4. Blocks if any reachable CVE exceeds the severity threshold

## Configuration

```json
{
  "Policy": {
    "Gates": {
      "ReachableCve": {
        "Enabled": true,
        "SeverityThreshold": 7.0,
        "RequireCompleteReachability": false,
        "TreatUnknownAsReachable": false,
        "BlockOnReachabilityError": false,
        "Environments": {
          "production": {
            "SeverityThreshold": 4.0,
            "TreatUnknownAsReachable": true
          }
        }
      }
    }
  }
}
```

### Options

| Option | Type | Default | Description |
|--------|------|---------|-------------|
| `Enabled` | bool | `true` | Whether the gate is active |
| `SeverityThreshold` | double | `7.0` | CVSS score threshold for reachable CVEs |
| `RequireCompleteReachability` | bool | `false` | Require reachability analysis for all components |
| `TreatUnknownAsReachable` | bool | `false` | Treat CVEs with unknown reachability as reachable |
| `BlockOnReachabilityError` | bool | `false` | Fail the gate if reachability analysis fails |
| `Environments` | dict | `{}` | Per-environment overrides |

## Reachability States

| State | Description | Default Behavior |
|-------|-------------|------------------|
| `Reachable` | Code path confirmed from entry point | Subject to severity threshold |
| `NotReachable` | No code path found | Allowed (not blocked) |
| `Unknown` | Reachability not analyzed | Depends on `TreatUnknownAsReachable` |
| `Partial` | Some paths reachable | Treated as reachable |

## Example Gate Results

**Pass:**

```
Reachable CVE check passed.
8 CVE(s) found, 2 reachable, none above threshold 7.0
```

**Pass (no reachable):**

```
Reachable CVE check passed.
15 CVE(s) found, 0 reachable (all in unreachable code)
```

**Fail:**

```
Reachable high-severity CVE(s) found:
CVE-2024-1234 (CVSS: 9.1, reachable via /api/upload),
CVE-2024-5678 (CVSS: 7.5, reachable via /auth/login)
```

## CLI Usage

```bash
# Evaluate reachable CVE gate
stella policy evaluate --gate reachable-cve --image myapp:v1.2.3

# With specific severity threshold
stella policy evaluate --gate reachable-cve --severity 9.0 --image myapp:v1.2.3

# Treat unknown as reachable (conservative)
stella policy evaluate --gate reachable-cve --treat-unknown-reachable --image myapp:v1.2.3
```

## Integration with Reachability Analysis

This gate requires reachability analysis results from the Stella Scanner. Ensure images are scanned with reachability enabled:

```bash
stella scan --image myapp:v1.2.3 --reachability
```

Reachability analysis examines:

- Container entry points (ENTRYPOINT, CMD)
- Exposed ports and expected protocols
- Call graphs from entry points to vulnerable functions
- Language-specific dependency loading patterns

---

*Last updated: 2026-01-19.*
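The following Python model ties the four "How It Works" steps, the Options table and the Reachability States table together so the gate's decisions can be traced on sample data. It is an added example, not Stella's implementation: the option names, state names and result wording come from this page, while the `Finding` shape, the `evaluate_gate()` function, the reading of "exceeds" as a strict `>` comparison, and the treatment of `RequireCompleteReachability` as a gate failure when any finding is still `Unknown` are assumptions made for the example. CVE identifiers other than the two quoted on the page are placeholders.

```python
"""Decision logic of the reachable-cve gate, modelled in Python (added example).

Assumptions: Finding/GateConfig/evaluate_gate are illustrative names; "exceeds
the threshold" is read as cvss > threshold; RequireCompleteReachability fails
the gate when any finding is still Unknown.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Reachability(Enum):
    REACHABLE = "Reachable"          # path confirmed from an entry point
    NOT_REACHABLE = "NotReachable"   # no path found: never blocks
    UNKNOWN = "Unknown"              # not analysed: TreatUnknownAsReachable decides
    PARTIAL = "Partial"              # some paths reachable: treated as reachable


@dataclass
class Finding:
    cve: str
    cvss: float
    reachability: Reachability
    entry_point: Optional[str] = None  # entry point the path starts from, if known


@dataclass
class GateConfig:
    enabled: bool = True
    severity_threshold: float = 7.0
    require_complete_reachability: bool = False
    treat_unknown_as_reachable: bool = False
    block_on_reachability_error: bool = False
    environments: dict = field(default_factory=dict)

    # JSON option name -> field name, as listed in the Options table
    _KEYS = {"Enabled": "enabled", "SeverityThreshold": "severity_threshold",
             "RequireCompleteReachability": "require_complete_reachability",
             "TreatUnknownAsReachable": "treat_unknown_as_reachable",
             "BlockOnReachabilityError": "block_on_reachability_error"}

    @classmethod
    def from_policy(cls, policy: dict) -> GateConfig:
        """Read the Policy.Gates.ReachableCve section of a policy document."""
        section = policy["Policy"]["Gates"]["ReachableCve"]
        kwargs = {f: section[k] for k, f in cls._KEYS.items() if k in section}
        return cls(environments=section.get("Environments", {}), **kwargs)

    def for_environment(self, environment: Optional[str]) -> GateConfig:
        """Apply per-environment overrides; keys not overridden keep the base value."""
        overrides = self.environments.get(environment, {}) if environment else {}
        merged = {f: overrides.get(k, getattr(self, f)) for k, f in self._KEYS.items()}
        return GateConfig(environments=self.environments, **merged)


@dataclass
class GateResult:
    passed: bool
    message: str
    blocking: list = field(default_factory=list)  # findings that caused a failure


def counts_as_reachable(finding: Finding, cfg: GateConfig) -> bool:
    """Map a reachability state to the Default Behavior column of the States table."""
    if finding.reachability in (Reachability.REACHABLE, Reachability.PARTIAL):
        return True
    if finding.reachability is Reachability.UNKNOWN:
        return cfg.treat_unknown_as_reachable
    return False  # NotReachable is allowed regardless of severity


def evaluate_gate(findings, cfg, environment=None, analysis_failed=False) -> GateResult:
    cfg = cfg.for_environment(environment)
    if not cfg.enabled:
        return GateResult(True, "Reachable CVE gate disabled.")
    if analysis_failed:
        if cfg.block_on_reachability_error:
            return GateResult(False, "Reachability analysis failed; BlockOnReachabilityError is set.")
        # No analysis means every finding is Unknown; TreatUnknownAsReachable decides below.
        findings = [Finding(f.cve, f.cvss, Reachability.UNKNOWN) for f in findings]
    unknown = [f for f in findings if f.reachability is Reachability.UNKNOWN]
    if cfg.require_complete_reachability and unknown:
        return GateResult(False, f"{len(unknown)} CVE(s) lack reachability analysis; "
                                 "RequireCompleteReachability is set.", unknown)
    reachable = [f for f in findings if counts_as_reachable(f, cfg)]      # step 2
    blocking = [f for f in reachable if f.cvss > cfg.severity_threshold]  # steps 3-4
    if blocking:
        detail = ", ".join(f"{f.cve} (CVSS: {f.cvss}, reachable via {f.entry_point or 'unknown path'})"
                           for f in blocking)
        return GateResult(False, f"Reachable high-severity CVE(s) found: {detail}", blocking)
    if not reachable:
        return GateResult(True, f"Reachable CVE check passed. {len(findings)} CVE(s) found, "
                                "0 reachable (all in unreachable code)")
    return GateResult(True, f"Reachable CVE check passed. {len(findings)} CVE(s) found, "
                            f"{len(reachable)} reachable, none above threshold {cfg.severity_threshold}")


# Constructed sample data: the configuration shown on the page plus five findings.
SAMPLE_POLICY = {"Policy": {"Gates": {"ReachableCve": {
    "Enabled": True, "SeverityThreshold": 7.0, "RequireCompleteReachability": False,
    "TreatUnknownAsReachable": False, "BlockOnReachabilityError": False,
    "Environments": {"production": {"SeverityThreshold": 4.0, "TreatUnknownAsReachable": True}},
}}}}
SAMPLE_FINDINGS = [
    Finding("CVE-2024-1234", 9.1, Reachability.REACHABLE, "/api/upload"),
    Finding("CVE-2024-5678", 7.5, Reachability.REACHABLE, "/auth/login"),
    Finding("CVE-EXAMPLE-0003", 9.8, Reachability.NOT_REACHABLE),   # placeholder id
    Finding("CVE-EXAMPLE-0004", 5.3, Reachability.UNKNOWN),         # placeholder id
    Finding("CVE-EXAMPLE-0005", 6.1, Reachability.PARTIAL, "/metrics"),  # placeholder id
]

if __name__ == "__main__":
    cfg = GateConfig.from_policy(SAMPLE_POLICY)
    for env in (None, "production"):
        print(env or "default", "->", evaluate_gate(SAMPLE_FINDINGS, cfg, env).message)
```

Running the module shows the effect of the `production` override: with the defaults only the two confirmed-reachable CVEs above 7.0 block, whereas in `production` the lower threshold and `TreatUnknownAsReachable` also pull in the `Unknown` and `Partial` findings, while the `NotReachable` 9.8 never blocks in either environment.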