{"id":21000743,"url":"https://github.com/phylum-dev/vuln-reach","last_synced_at":"2025-10-13T06:18:04.232Z","repository":{"id":155306093,"uuid":"629637009","full_name":"phylum-dev/vuln-reach","owner":"phylum-dev","description":"A library for building tools to determine if vulnerabilities are reachable in a code base.","archived":false,"fork":false,"pushed_at":"2025-08-18T20:12:39.000Z","size":12276,"stargazers_count":16,"open_issues_count":21,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-08-18T22:06:22.100Z","etag":null,"topics":["cve","security","vulnerabilities"],"latest_commit_sha":null,"homepage":"https://phylum.io","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/phylum-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-18T18:05:22.000Z","updated_at":"2025-08-17T20:16:54.000Z","dependencies_parsed_at":"2024-08-08T19:28:07.178Z","dependency_job_id":null,"html_url":"https://github.com/phylum-dev/vuln-reach","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/phylum-dev/vuln-reach","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phylum-dev%2Fvuln-reach","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phylum-dev%2Fvuln-reach/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phylum-dev%2Fvuln-reach/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phylum-dev%2Fvuln-reach/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/phylum-dev","download_url":"https://codeload.github.com/phylum-dev/vuln-reach/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phylum-dev%2Fvuln-reach/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279013959,"owners_count":26085429,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","security","vulnerabilities"],"created_at":"2024-11-19T08:12:10.871Z","updated_at":"2025-10-13T06:18:04.228Z","avatar_url":"https://github.com/phylum-dev.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"![Vuln Reach Logo](https://github.com/phylum-dev/vuln-reach/raw/main/assets/logo.png)\n\n![GitHub Repo stars](https://img.shields.io/github/stars/phylum-dev/vuln-reach) ![GitHub](https://img.shields.io/github/license/phylum-dev/vuln-reach)\n\n---\n\n# Overview\n**Vuln Reach** is a library for developing tools that determine if a given vulnerability is reachable. Provided to the open source community by [Phylum](https://phylum.io) to help reduce false positives and increase signal-to-noise for software developers.\n\n\u003cimg src=\"https://github.com/phylum-dev/vuln-reach/raw/main/assets/vulnreach.webp\" width=\"830\"\u003e\n\n# How does it work?\n\n**Vuln Reach** is a static analysis library written in Rust that leverages [`tree-sitter`](https://tree-sitter.github.io/tree-sitter/) for parsing. \nIt currently supports Javascript.\n\nIt builds an access graph of the source code of a package and its transitive dependencies, and then uses it to search for a path to a known vulnerable identifier node.\n\n# Usage\n\nAdd this to your `Cargo.toml`:\n```toml\n[dependencies]\nvuln-reach = { git = \"https://github.com/phylum-dev/vuln-reach\" }\n```\n\n# Example\n\nHere's an example of how you can find out whether an identifier node in a package is reachable from another package.\n\n```rust\nuse vuln_reach::javascript::package::reachability::VulnerableNode;\nuse vuln_reach::javascript::package::resolver::PackageResolver;\nuse vuln_reach::javascript::package::Package;\nuse vuln_reach::javascript::project::Project;\n\n// Build a package resolver.\nlet package_resolver = PackageResolver::builder()\n  .with_package(\"path-scurry\", Package::from_tarball_path(\"./tarballs/path-scurry-1.6.1.tgz\"))\n  .with_package(\"lru-cache\", Package::from_tarball_path(\"./tarballs/lru-cache-7.14.1.tgz\"))\n  .with_package(\"minipass\", Package::from_tarball_path(\"./tarballs/minipass-4.0.2.tgz\"))\n  .build();\n  \n// Build a project from the package resolver.\nlet project = Project::new(package_resolver);\n\n// Define a target node (rows/columns are zero-indexed).\nlet vulnerable_node = VulnerableNode::new(\"lru-cache\", \"index.js\", 1017, 17, 1017, 24);\n\n// Compute the reachability graph.\nlet reachability = project.reachability(\u0026vulnerable_node);\n\n// Find a path to the vulnerable node, starting from the given package.\nlet path = reachability.find_path(\"path-scurry\");\n```\n\nTo find out what the transitive dependencies for your project are, you can use [Phylum](https://phylum.io)!\n\nFor a more complete example of usage, check out the [cli](https://github.com/phylum-dev/vuln-reach/tree/main/vuln-reach-cli).\n\n# Contributing\n\n## How do you add support for additional languages?\n\nAt the moment, the codebase is relatively tightly coupled to Javascript. Plans are underway to abstract the non-language-specific bits to be used by all languages.\n\nAdding support for a new language requires the following steps:\n- Add the relevant tree-sitter parser to [`build.rs`](https://github.com/phylum-dev/vuln-reach/blob/main/vuln-reach/build.rs).\n- Create a module directory for your language in the [top level](https://github.com/phylum-dev/vuln-reach/blob/main/vuln-reach/src) of the `vuln-reach` package.\n- Implement abstractions for the language's imports and exports.\n- Implement [the concept of access](https://github.com/phylum-dev/vuln-reach/blob/main/vuln-reach/src/javascript/lang/accesses.rs) for your language -- this could be as simple as being equivalent to \"function call\" or as complex as necessary.\n\n# Commercial Licensing\nIf you're interested in using `vuln reach` in a commercial project and need a different licensing agreement, please reach out to partnerships@phylum.io.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphylum-dev%2Fvuln-reach","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphylum-dev%2Fvuln-reach","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphylum-dev%2Fvuln-reach/lists"}