How does LunaTrace use Static Analysis?
LunaTrace uses Static Analysis to predict the likelihood of exploitation of a vulnerability and prioritize findings effectively. Vulnerability priority can be increased if a vulnerable code path is easily accessible or decreased if it is inaccessible.
Not Imported or Called
LunaTrace can detect if a package which contains a vulnerability is declared as a dependency but not imported or called. These findings are deprioritized because it is not possible to trigger the vulnerability in the application under normal conditions.
Vulnerable Function Not Called
Certain vulnerabilities in the Vulnerability Database contain enhanced metadata, including a function that must be invoked to exploit the vulnerability. When this metadata is available, LunaTrace can detect whether the function is called and use that to confirm or deprioritize the finding.
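
The two checks described above can be illustrated with a small import and call scan over Python source. This is an added example, not LunaTrace's own code; the package name examplepkg, the function name unsafe_load and the sample sources are constructed for illustration.

```python
import ast

def _root_name(node):
    """Follow an attribute chain (a.b.c) down to its leftmost name, if any."""
    while isinstance(node, ast.Attribute):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None

def classify_finding(source, package, vulnerable_function=None):
    """Classify one file: not_imported, imported, function_not_called or function_called."""
    tree = ast.parse(source)
    module_names, function_names, imported = set(), set(), False
    def matches(name):
        return name == package or name.startswith(package + ".")
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if matches(alias.name):
                    imported = True
                    # "import pkg.sub" binds "pkg"; "import pkg.sub as s" binds "s"
                    module_names.add(alias.asname or alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and matches(node.module or ""):
            imported = True
            for alias in node.names:
                if alias.name in (vulnerable_function, "*"):
                    function_names.add(alias.asname or vulnerable_function)
                else:  # "from pkg import sub" lets the code call sub.func()
                    module_names.add(alias.asname or alias.name)
    if not imported:
        return "not_imported"          # declared dependency, never imported
    if vulnerable_function is None:
        return "imported"              # no function-level metadata to check
    for node in ast.walk(tree):
        func = node.func if isinstance(node, ast.Call) else None
        if isinstance(func, ast.Name) and func.id in function_names:
            return "function_called"
        if (isinstance(func, ast.Attribute) and func.attr == vulnerable_function
                and _root_name(func) in module_names):
            return "function_called"
    return "function_not_called"

SAMPLES = [  # constructed; "examplepkg" and "unsafe_load" are hypothetical names
    "import json\nprint(json.dumps({}))",
    "import examplepkg as ep\nep.safe_load('x')",
    "from examplepkg.loader import unsafe_load as ul\nul('x')",
]
if __name__ == "__main__":
    for src in SAMPLES:
        print(classify_finding(src, "examplepkg", "unsafe_load"))
```

This sketch only sees static import statements and direct calls, so a package loaded dynamically (for example through importlib or getattr) would be reported as not imported or not called.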