Announcing Improved Reachability Analysis for JavaScript, Java, and Python

General availability

We are excited to share that starting on 9 March, we will introduce significant coverage and quality improvements to Reachability for JavaScript, Java, and Python. By deepening our mapping of cross-package relationships and upgrading our underlying ecosystem analysis, we've increased both the precision and recall of our engine.

Why Reachability matters 

Snyk’s Reachability analysis scans your source code to determine if the specific code that makes a vulnerability exploitable is actually being called, either directly or transitively.

This critical context allows you to:

  • Gauge exploitation likelihood: Easily distinguish between theoretical risk and actual, exploitable risk.

  • Prioritize effectively: Cut through the noise and focus your developers on the vulnerabilities that matter most.

  • Drive risk-based security: Use Reachability independently or alongside the Snyk Risk Score to build a comprehensive risk-prioritization strategy.

What this release means for you 

By addressing both false positives and false negatives, we are ensuring your findings are more accurate and actionable than ever before. As we release these changes, you may notice significant fluctuations in the reachability and Risk Score for issues in the following project types: npm, pnpm, yarn, maven, gradle, pip, pipenv, and poetry. 

For more information on how to optimize your workflows with these new improvements, please check out our user documentation.

Johann Sutherland