The current version of Vulnerable Functionality analysis is a pre-release. Results may be less accurate than expected and not all types of projects are supported at this time. The data gathered will be used for upcoming improvements. We currently only support the feature for Java, but after the main release we will look into adding support for more languages.
To enable Reachability Analysis (currently only supported for Java) you need to generate a call graph. This can be done using the Debricked CLI callgraph command, which can be added to your integration, so that it is generated appropriately before making a Debricked scan. To find out more about the command and the various available flags, run:
debricked callgraph -h
Reachability Analysis is supported for all Java projects, regardless of what dependency management system you use. All we need is the compiled code for your project, and the libraries it uses. By default, the command will attempt to do all the preparation work for the command to be successful, using maven. The success of the preparation depends on the specific project structure and configurations and if its using maven. In the event of failure, it is possible to configure the command not to run the preparation steps using the --no-build flag, and instead set it up separately before running the command.
How to set up call graph generation in your pipeline
When successful, the callgraph command will generate a debricked-call-graph file that is automatically picked up when running the debricked scan command and sent to Debricked, together with the dependency files, for analysis. For many projects, it will be possible to run the default configuration of the callgraph command, doing the preparation steps as part of the command. In this case, all that is needed is to add running debricked callgraph in your configuration, before running the scan, ensuring that the scan has access to the generated call graph file. For GitHub Action integrations, we also have Actions set up that can be found in our GitHub Actions repository.
If the build step of the callgraph command fails, or if you are already building the project in a previous stage of the pipeline, it’s highly recommended to build the project separately before running the callgraph command with the —no-build flag. Just make sure that the files resulting from the build are included in the stage where call graph generation is run.
The examples below use a Debricked CLI docker image to ensure that there is a compatible maven version included for the commands to succeed. Our recommendation is however that you incorporate the scan and callgraph commands in your build image/steps whenever possible, to ensure that versions of the underlying tools correlate with your environment.
Example: Building the project during the callgraph command
In this example, we run the callgraph command with its default configuration, which builds the project and prepares the necessary files automatically before generating the call graph.
# GitLab CI/CD template
image: debricked/cli:latest-resolution
stages:
- scan
debricked:
stage: scan
script:
- debricked callgraph
- debricked scan
Example: Using a separate build step
The example below is using maven to build the project and generate the files needed for call graph generation. It is important that the generated files are reachable in the stage where the callgraph command is run, so that it has all pre-requisites to be run successfully.
# GitLab CI/CD template
image: debricked/cli:latest-resolution
stages:
- build_project
- scan
scan_preparation:
stage: build_project
script:
# Build project based on the root pom.xml. If no root pom.xml is found, all pom.xml files will be built individually.
- mvn package -q -DskipTests -e
# Save class files from the target/ folder for use in the next stage.
artifacts:
expire_in: 1 day
paths:
- target/
debricked-scan:
stage: scan
script:
- debricked callgraph --no-build
- debricked scan