
Static Analysis

How does LunaTrace use Static Analysis?

LunaTrace uses Static Analysis to predict the likelihood of exploitation of a vulnerability and prioritize findings effectively. Vulnerability priority can be increased if a vulnerable code path is easily accessible or decreased if it is inaccessible.

Language Support

Static Analysis features are currently supported for JavaScript. Support for more languages is planned.

Analysis Methods

Reachability Analysis

Not Imported or Called

LunaTrace can detect when a package containing a vulnerability is declared as a dependency but never imported or called. Such findings are deprioritized, since the vulnerable code cannot be reached by the application under normal conditions.

Vulnerable Function Not Called

Certain vulnerabilities in the Vulnerability Database contain enhanced metadata, including the function that must be invoked to exploit the vulnerability. When this metadata is available, LunaTrace can detect whether that function is called and use the result to confirm or deprioritize the finding.
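As an added illustration of the two reachability checks described above (the "not imported or called" check and the "vulnerable function not called" check), here is a small regex-based JavaScript classifier; it is example code written for this page, not LunaTrace's own implementation. The package name `vuln-templater`, its `compile` export, and the sample sources are constructed, and being regex-based it only recognises static `require()`/`import` forms and direct call sites.

```javascript
// Toy, regex-based reachability classifier (constructed example, not LunaTrace's code).
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Names bound to the whole module (require()/default/namespace import) and
// names bound directly to `fnName` (destructured require / named import).
function bindings(source, pkg, fnName) {
  const p = escapeRe(pkg);
  const out = { imported: false, module: new Set(), fn: new Set() };
  const moduleRes = [
    new RegExp(`(?:const|let|var)\\s+(\\w+)\\s*=\\s*require\\(\\s*['"]${p}['"]\\s*\\)`, "g"),
    new RegExp(`import\\s+(?:\\*\\s+as\\s+)?(\\w+)\\s+from\\s+['"]${p}['"]`, "g"),
  ];
  const namedRes = [
    new RegExp(`(?:const|let|var)\\s*\\{([^}]*)\\}\\s*=\\s*require\\(\\s*['"]${p}['"]\\s*\\)`, "g"),
    new RegExp(`import\\s*\\{([^}]*)\\}\\s*from\\s*['"]${p}['"]`, "g"),
  ];
  for (const re of moduleRes)
    for (const m of source.matchAll(re)) { out.imported = true; out.module.add(m[1]); }
  for (const re of namedRes) {
    for (const m of source.matchAll(re)) {
      out.imported = true;
      for (const item of m[1].split(",")) {
        // `name`, `name as alias` (import) or `name: alias` (destructuring)
        const part = /^\s*(\w+)(?:\s+as\s+(\w+)|\s*:\s*(\w+))?\s*$/.exec(item);
        if (part && part[1] === fnName) out.fn.add(part[2] || part[3] || part[1]);
      }
    }
  }
  return out;
}

// "not-imported" and "imported-not-called" are deprioritized; a
// "vulnerable-function-called" result confirms the finding.
function classify(source, pkg, fnName) {
  const b = bindings(source, pkg, fnName);
  if (!b.imported) return "not-imported";
  const f = escapeRe(fnName);
  const callRes = [
    ...[...b.module].map((ns) => new RegExp(`\\b${escapeRe(ns)}\\.${f}\\s*\\(`)),
    ...[...b.fn].map((alias) => new RegExp(`\\b${escapeRe(alias)}\\s*\\(`)),
  ];
  return callRes.some((re) => re.test(source)) ? "vulnerable-function-called" : "imported-not-called";
}

// Constructed sample sources; "vuln-templater" and its "compile" export are hypothetical.
const SAMPLES = {
  declaredOnly: 'const express = require("express");\napp.get("/", (q, s) => s.send("ok"));',
  loadedUnused: 'const tmpl = require("vuln-templater");\nmodule.exports = {};',
  aliasCall: 'const { compile: c } = require("vuln-templater");\nc(userInput);',
  otherExport: 'import { escape } from "vuln-templater";\nescape(x);',
};
```

Running `classify(SAMPLES.otherExport, "vuln-templater", "compile")` yields `imported-not-called`: the package is loaded, but only a non-vulnerable export is used, which is exactly the distinction the function-level metadata makes possible.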