git.stella-ops.org/docs/modules/policy/gates/reachable-cve.md

Reachable CVE Gate

Gate ID: reachable-cve

Blocks only CVEs with confirmed reachable code paths from application entry points. This gate leverages Stella's reachability analysis to distinguish exploitable vulnerabilities from those in unreachable code.

How It Works

  1. Evaluates CVE findings against reachability analysis results
  2. Filters to only reachable CVEs (code path exists from entry point to vulnerable function)
  3. Applies severity threshold to reachable CVEs
  4. Blocks if any reachable CVE exceeds the severity threshold

Configuration

{
  "Policy": {
    "Gates": {
      "ReachableCve": {
        "Enabled": true,
        "SeverityThreshold": 7.0,
        "RequireCompleteReachability": false,
        "TreatUnknownAsReachable": false,
        "BlockOnReachabilityError": false,
        "Environments": {
          "production": {
            "SeverityThreshold": 4.0,
            "TreatUnknownAsReachable": true
          }
        }
      }
    }
  }
}

Options

| Option | Type | Default | Description |
|---|---|---|---|
| Enabled | bool | true | Whether the gate is active |
| SeverityThreshold | double | 7.0 | CVSS score threshold for reachable CVEs |
| RequireCompleteReachability | bool | false | Require reachability analysis for all components |
| TreatUnknownAsReachable | bool | false | Treat CVEs with unknown reachability as reachable |
| BlockOnReachabilityError | bool | false | Fail gate if reachability analysis fails |
| Environments | dict | {} | Per-environment overrides |

Reachability States

| State | Description | Default Behavior |
|---|---|---|
| Reachable | Code path confirmed from entry point | Subject to severity threshold |
| NotReachable | No code path found | Allowed (not blocked) |
| Unknown | Reachability not analyzed | Depends on TreatUnknownAsReachable |
| Partial | Some paths reachable | Treated as reachable |

Example Gate Results

Pass:

Reachable CVE check passed. 8 CVE(s) found, 2 reachable, none above threshold 7.0

Pass (no reachable):

Reachable CVE check passed. 15 CVE(s) found, 0 reachable (all in unreachable code)

Fail:

Reachable high-severity CVE(s) found: CVE-2024-1234 (CVSS: 9.1, reachable via /api/upload), CVE-2024-5678 (CVSS: 7.5, reachable via /auth/login)
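The following Python model is an added illustration, not code from the Stella Ops project. It walks the four How It Works steps over constructed findings, applying the Options defaults, the production override from the Configuration section and the Reachability States table, and emits messages in the shape of the gate results above. The Finding and GateResult types, the function names, and the exact handling of RequireCompleteReachability and BlockOnReachabilityError are assumptions made for this example; the first two findings reuse the page's own example values, and the remaining CVE IDs are placeholders rather than real identifiers.

```python
"""Decision logic of the reachable-cve gate, modelled as an added example.
Types, function names and the RequireCompleteReachability /
BlockOnReachabilityError behaviour are assumptions, not the Stella Ops code."""
from dataclasses import dataclass
from typing import Optional

# Reachability states, as named in the gate's state table.
REACHABLE, NOT_REACHABLE, UNKNOWN, PARTIAL = "Reachable", "NotReachable", "Unknown", "Partial"

# Defaults from the Options table.
DEFAULTS = {
    "Enabled": True,
    "SeverityThreshold": 7.0,
    "RequireCompleteReachability": False,
    "TreatUnknownAsReachable": False,
    "BlockOnReachabilityError": False,
    "Environments": {},
}

# Same values as the Configuration section: defaults plus the production override.
PAGE_CONFIG = {**DEFAULTS, "Environments": {
    "production": {"SeverityThreshold": 4.0, "TreatUnknownAsReachable": True}}}


@dataclass
class Finding:
    cve_id: str
    cvss: float
    reachability: str                  # one of the four states above
    entry_point: Optional[str] = None  # e.g. "/api/upload" when a path was found


@dataclass
class GateResult:
    passed: bool
    message: str


# Constructed sample findings: the first two reuse the page's example values,
# the remaining IDs are placeholders rather than real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-2024-1234", 9.1, REACHABLE, "/api/upload"),
    Finding("CVE-2024-5678", 7.5, REACHABLE, "/auth/login"),
    Finding("CVE-0000-0003", 5.0, NOT_REACHABLE),
    Finding("CVE-0000-0004", 8.0, UNKNOWN),
    Finding("CVE-0000-0005", 3.0, PARTIAL),
]


def effective_config(config: dict, environment: Optional[str] = None) -> dict:
    """Base settings overlaid with the matching Environments block, if any."""
    cfg = {**DEFAULTS, **config}
    cfg.update(cfg["Environments"].get(environment, {}))
    return cfg


def is_reachable(finding: Finding, cfg: dict) -> bool:
    """Default Behavior column: Reachable and Partial count, NotReachable never,
    Unknown only when TreatUnknownAsReachable is set."""
    if finding.reachability in (REACHABLE, PARTIAL):
        return True
    if finding.reachability == UNKNOWN:
        return bool(cfg["TreatUnknownAsReachable"])
    return False


def _describe(f: Finding) -> str:
    if f.entry_point:
        return f"{f.cve_id} (CVSS: {f.cvss}, reachable via {f.entry_point})"
    return f"{f.cve_id} (CVSS: {f.cvss}, reachability {f.reachability})"


def evaluate_reachable_cve_gate(findings, config, environment=None, analysis_error=None):
    """Steps 1-4 of How It Works for one image; analysis_error is the failure
    message of the reachability analysis, or None when it succeeded."""
    cfg = effective_config(config, environment)
    if not cfg["Enabled"]:
        return GateResult(True, "Reachable CVE gate disabled")
    if analysis_error is not None:
        if cfg["BlockOnReachabilityError"]:
            return GateResult(False, f"Reachability analysis failed: {analysis_error}")
        # Assumption: without results every finding is Unknown, so the verdict
        # falls back to TreatUnknownAsReachable.
        findings = [Finding(f.cve_id, f.cvss, UNKNOWN) for f in findings]
    unknown = [f for f in findings if f.reachability == UNKNOWN]
    if cfg["RequireCompleteReachability"] and unknown:
        # Assumption: "analysis for all components" fails on any Unknown finding.
        return GateResult(False, f"Reachability incomplete: {len(unknown)} CVE(s) not analysed")
    reachable = [f for f in findings if is_reachable(f, cfg)]
    threshold = cfg["SeverityThreshold"]
    # "Above threshold" in the page's messages is read as strictly greater (assumption).
    blocking = [f for f in reachable if f.cvss > threshold]
    if blocking:
        return GateResult(False, "Reachable high-severity CVE(s) found: " + ", ".join(map(_describe, blocking)))
    if not reachable:
        detail = f"{len(unknown)} with unknown reachability" if unknown else "all in unreachable code"
        return GateResult(True, f"Reachable CVE check passed. {len(findings)} CVE(s) found, 0 reachable ({detail})")
    return GateResult(True, f"Reachable CVE check passed. {len(findings)} CVE(s) found, "
                            f"{len(reachable)} reachable, none above threshold {threshold}")


if __name__ == "__main__":
    for env in (None, "production"):
        r = evaluate_reachable_cve_gate(SAMPLE_FINDINGS[2:], PAGE_CONFIG, environment=env)
        print(f"{env or 'default'}: {'PASS' if r.passed else 'FAIL'} - {r.message}")
```

Running the file evaluates the three lower-risk findings under the default settings and again under the production override: the Unknown finding with CVSS 8.0 passes by default but becomes blocking once TreatUnknownAsReachable is set and the threshold drops to 4.0, which is the trade-off the production block in the configuration above is making.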

CLI Usage

# Evaluate reachable CVE gate
stella policy evaluate --gate reachable-cve --image myapp:v1.2.3

# With specific severity threshold
stella policy evaluate --gate reachable-cve --severity 9.0 --image myapp:v1.2.3

# Treat unknown as reachable (conservative)
stella policy evaluate --gate reachable-cve --treat-unknown-reachable --image myapp:v1.2.3

Integration with Reachability Analysis

This gate requires reachability analysis results from the Stella Scanner. Ensure images are scanned with reachability enabled:

stella scan --image myapp:v1.2.3 --reachability

Reachability analysis examines:

  • Container entry points (ENTRYPOINT, CMD)
  • Exposed ports and expected protocols
  • Call graphs from entry points to vulnerable functions
  • Language-specific dependency loading patterns

Last updated: 2026-01-19.