Prioritizing reachable vulnerabilities
What is Reachability?
FOSSA’s Reachability Analysis is designed to help you prioritize which vulnerabilities pose real risk in your application by understanding not just which dependencies you include, but which code is actually used. FOSSA currently supports one class of reachability analysis:
🧱 Build-Level Reachability
Status: ✅ Generally Available (all ecosystems)
Build-level reachability answers the question: “Is this dependency and version actually included in the final build of the application?”
This is the foundation of FOSSA’s analysis today. FOSSA performs accurate dependency resolution at build time, taking into account the package manager, transitive dependencies, lockfiles, and build tooling to ensure:
• Only actually included dependencies are analyzed (both direct and transitive)
• Version- and configuration-specific conditions are respected
• You avoid false positives caused by unused or test-only packages
This enables highly accurate SBOM generation and vulnerability detection—far beyond what a static manifest scan provides. FOSSA performs this analysis out of the box, with no additional configuration required.
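To make the difference between a static manifest scan and build-level resolution concrete, here is an added example (not FOSSA’s code) that walks a constructed npm-v3-style lockfile from the root’s runtime dependencies and keeps only advisories whose exact package version is in the resulting build. It assumes flat hoisting (every package lives at node_modules/<name>), and the manifest, lockfile and advisory entries are all constructed sample data.

```python
from collections import deque

# Constructed manifest: declares version ranges, mixes runtime and test-only deps.
MANIFEST = {
    "dependencies": {"express": "^4.18.0"},
    "devDependencies": {"jest": "^29.0.0"},
}

# Constructed npm-v3-style lockfile (assumed flat hoisting): exact resolved
# versions plus each package's own dependencies.
LOCKFILE = {"packages": {
    "": MANIFEST,
    "node_modules/express": {"version": "4.18.2", "dependencies": {"cookie": "0.5.0"}},
    "node_modules/cookie": {"version": "0.5.0"},
    "node_modules/jest": {"version": "29.7.0", "dev": True, "dependencies": {"chalk": "^4.0.0"}},
    "node_modules/chalk": {"version": "4.1.2", "dev": True},
}}

# Constructed advisories (not real CVEs): (package, vulnerable version).
ADVISORIES = [("cookie", "0.5.0"), ("chalk", "4.1.2"), ("express", "4.17.0")]

def manifest_scan(manifest):
    """Static manifest view: names with ranges, no transitives, test deps mixed in."""
    return {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}

def build_level_deps(lockfile):
    """Walk the resolved graph from the root's runtime deps only, so the result is
    what actually ships: direct + transitive, pinned versions, no dev-only packages."""
    packages = lockfile["packages"]
    queue = deque(packages[""].get("dependencies", {}))
    included = {}
    while queue:
        name = queue.popleft()
        if name in included:
            continue
        entry = packages[f"node_modules/{name}"]
        included[name] = entry["version"]
        queue.extend(entry.get("dependencies", {}))
    return included

def reachable_findings(advisories, build_deps):
    """Keep only advisories whose exact package version is in the final build."""
    return [(n, v) for n, v in advisories if build_deps.get(n) == v]

if __name__ == "__main__":
    deps = build_level_deps(LOCKFILE)
    print("manifest view:", manifest_scan(MANIFEST), "| build view:", deps)
    print("prioritized:", reachable_findings(ADVISORIES, deps))
```

The manifest view lists express and jest with ranges, while the build view resolves to express 4.18.2 and cookie 0.5.0; only the cookie advisory survives, because chalk is dev-only and the express advisory targets a version that is not the one built.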