# Reachable CVE Gate

**Gate ID:** `reachable-cve`

Blocks only CVEs with confirmed reachable code paths from application entry points. This gate leverages Stella's reachability analysis to distinguish exploitable vulnerabilities from those in unreachable code.

## How It Works

1. Evaluates CVE findings against reachability analysis results
2. Filters to only reachable CVEs (a code path exists from an entry point to the vulnerable function)
3. Applies the severity threshold to the reachable CVEs
4. Blocks if any reachable CVE exceeds the severity threshold

## Configuration

```json
{
  "Policy": {
    "Gates": {
      "ReachableCve": {
        "Enabled": true,
        "SeverityThreshold": 7.0,
        "RequireCompleteReachability": false,
        "TreatUnknownAsReachable": false,
        "BlockOnReachabilityError": false,
        "Environments": {
          "production": {
            "SeverityThreshold": 4.0,
            "TreatUnknownAsReachable": true
          }
        }
      }
    }
  }
}
```

### Options

| Option | Type | Default | Description |
|--------|------|---------|-------------|
| `Enabled` | bool | `true` | Whether the gate is active |
| `SeverityThreshold` | double | `7.0` | CVSS score threshold for reachable CVEs |
| `RequireCompleteReachability` | bool | `false` | Require reachability analysis for all components |
| `TreatUnknownAsReachable` | bool | `false` | Treat CVEs with unknown reachability as reachable |
| `BlockOnReachabilityError` | bool | `false` | Fail gate if reachability analysis fails |
| `Environments` | dict | `{}` | Per-environment overrides |

## Reachability States

| State | Description | Default Behavior |
|-------|-------------|------------------|
| `Reachable` | Code path confirmed from entry point | Subject to severity threshold |
| `NotReachable` | No code path found | Allowed (not blocked) |
| `Unknown` | Reachability not analyzed | Depends on `TreatUnknownAsReachable` |
| `Partial` | Some paths reachable | Treated as reachable |
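
The decision logic described in How It Works and in the states table above, as an added Python example (not Stella's own code): it applies the per-environment overrides from the configuration, maps each reachability state to reachable or not, and produces the pass/fail messages shown under Example Gate Results. The `Finding` class, the `n/a` path placeholder and the fallback used when analysis fails are assumptions of this example.

```python
from dataclasses import dataclass

# Gate configuration from the page's JSON (Policy.Gates.ReachableCve), inlined.
CONFIG = {"Enabled": True, "SeverityThreshold": 7.0, "TreatUnknownAsReachable": False,
          "BlockOnReachabilityError": False,
          "Environments": {"production": {"SeverityThreshold": 4.0,
                                          "TreatUnknownAsReachable": True}}}

@dataclass
class Finding:                 # assumed shape of one scanner finding
    cve: str
    cvss: float
    state: str                 # Reachable | NotReachable | Unknown | Partial
    path: str = "n/a"          # entry point of the confirmed code path, if any

def effective_options(config: dict, environment=None) -> dict:
    """Gate-level options with the per-environment overrides applied on top."""
    opts = {k: v for k, v in config.items() if k != "Environments"}
    opts.update(config.get("Environments", {}).get(environment, {}))
    return opts

def is_reachable(finding: Finding, opts: dict) -> bool:
    """Reachable and Partial count; Unknown depends on TreatUnknownAsReachable."""
    if finding.state in ("Reachable", "Partial"):
        return True
    return finding.state == "Unknown" and bool(opts.get("TreatUnknownAsReachable"))

def evaluate(findings: list, config: dict = CONFIG, environment=None,
             analysis_failed: bool = False) -> tuple:
    """Return (passed, message) for the reachable-cve gate."""
    opts = effective_options(config, environment)
    if not opts.get("Enabled", True):
        return True, "Reachable CVE gate disabled"
    if analysis_failed:
        if opts.get("BlockOnReachabilityError"):
            return False, "Reachable CVE check failed: reachability analysis error"
        # Assumption: with no results every finding is evaluated as Unknown, so
        # TreatUnknownAsReachable then decides whether the gate still sees it.
        findings = [Finding(f.cve, f.cvss, "Unknown") for f in findings]
    threshold = float(opts.get("SeverityThreshold", 7.0))
    reachable = [f for f in findings if is_reachable(f, opts)]
    blocking = [f for f in reachable if f.cvss > threshold]   # "exceeds" threshold
    if blocking:
        detail = ", ".join(f"{f.cve} (CVSS: {f.cvss}, reachable via {f.path})" for f in blocking)
        return False, f"Reachable high-severity CVE(s) found: {detail}"
    if not reachable:
        return True, f"Reachable CVE check passed. {len(findings)} CVE(s) found, 0 reachable (all in unreachable code)"
    return True, (f"Reachable CVE check passed. {len(findings)} CVE(s) found, "
                  f"{len(reachable)} reachable, none above threshold {threshold}")
```

With the `production` overrides the same findings block at CVSS 4.0 and an `Unknown` finding counts as reachable, which is the conservative behaviour the CLI's `--treat-unknown-reachable` flag enables.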

## Example Gate Results

**Pass:**

```
Reachable CVE check passed. 8 CVE(s) found, 2 reachable, none above threshold 7.0
```

**Pass (no reachable):**

```
Reachable CVE check passed. 15 CVE(s) found, 0 reachable (all in unreachable code)
```

**Fail:**

```
Reachable high-severity CVE(s) found: CVE-2024-1234 (CVSS: 9.1, reachable via /api/upload), CVE-2024-5678 (CVSS: 7.5, reachable via /auth/login)
```

## CLI Usage

```bash
# Evaluate reachable CVE gate
stella policy evaluate --gate reachable-cve --image myapp:v1.2.3

# With specific severity threshold
stella policy evaluate --gate reachable-cve --severity 9.0 --image myapp:v1.2.3

# Treat unknown as reachable (conservative)
stella policy evaluate --gate reachable-cve --treat-unknown-reachable --image myapp:v1.2.3
```

## Integration with Reachability Analysis

This gate requires reachability analysis results from the Stella Scanner. Ensure images are scanned with reachability enabled:

```bash
stella scan --image myapp:v1.2.3 --reachability
```

Reachability analysis examines:

- Container entry points (ENTRYPOINT, CMD)
- Exposed ports and expected protocols
- Call graphs from entry points to vulnerable functions
- Language-specific dependency loading patterns

---

*Last updated: 2026-01-19.*