fix: reachability rendering

Author: paulrosca-snyk

internal/commands/ostest/__snapshots__/sbom_reachability_flow_test.snap

@@ -65,7 +65,7 @@
    "packageManager": "npm",
    "packageName": "foo",
    "publicationTime": "2025-07-28T17:11:43.000000Z",
-   "reachability": "REACHABLE",
+   "reachability": "function",
    "riskScore": 80,
    "severity": "high",
    "socialTrendAlert": false,

internal/legacy/definitions/legacy-json.tsp

@@ -17,8 +17,20 @@ enum VulnerabilitySeverity {
 }
 
 enum Reachability {
-  REACHABLE,
-  NOT_REACHABLE,
+  function,
+  package,
+  `no-info`,
+  `not-applicable`,
+}
+
+model ReachableFunctionPaths {
+  functionName: string;
+  callPaths: string[][];
+}
+
+model ReachablePaths {
+  pathCount: uint32;
+  paths: ReachableFunctionPaths[];
 }
 
 alias UpgradePath = string | boolean;
@@ -75,6 +87,7 @@ model Vulnerability {
   riskScore?: uint16;
   from: string[];
   reachability?: Reachability;
+  reachablePaths?: ReachablePaths;
   upgradePath: UpgradePath[];
   isUpgradable: boolean;
   isPatchable: boolean;

internal/legacy/definitions/oapi.gen.go

@@ -334,8 +334,37 @@ components:
     Reachability:
       type: string
       enum:
-        - REACHABLE
-        - NOT_REACHABLE
+        - function
+        - package
+        - no-info
+        - not-applicable
+    ReachableFunctionPaths:
+      type: object
+      required:
+        - functionName
+        - callPaths
+      properties:
+        functionName:
+          type: string
+        callPaths:
+          type: array
+          items:
+            type: array
+            items:
+              type: string
+    ReachablePaths:
+      type: object
+      required:
+        - pathCount
+        - paths
+      properties:
+        pathCount:
+          type: integer
+          format: uint32
+        paths:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReachableFunctionPaths'
     Reference:
       type: object
       required:
@@ -492,6 +521,8 @@ components:
             type: string
         reachability:
           $ref: '#/components/schemas/Reachability'
+        reachablePaths:
+          $ref: '#/components/schemas/ReachablePaths'
         upgradePath:
           type: array
           items:

internal/legacy/definitions/spec.yaml

@@ -57,5 +57,6 @@
         Type:                 &"license",
         UpgradePath:          nil,
         Version:              "1.0.0",
+        ReachablePaths:       (*definitions.ReachablePaths)(nil),
     },
 }

internal/legacy/transform/__snapshots__/TestFindingToLegacyVulns_MultipleInstructions_1.snap

@@ -54,5 +54,6 @@
         Type:                 &"license",
         UpgradePath:          nil,
         Version:              "3.2.1",
+        ReachablePaths:       (*definitions.ReachablePaths)(nil),
     },
 }

internal/legacy/transform/__snapshots__/TestFindingToLegacyVulns_NoInstructions_1.snap

@@ -56,5 +56,6 @@
         Type:                 &"license",
         UpgradePath:          nil,
         Version:              "2.5.0",
+        ReachablePaths:       (*definitions.ReachablePaths)(nil),
     },
 }

internal/legacy/transform/__snapshots__/TestFindingToLegacyVulns_SingleInstruction_1.snap

@@ -209,7 +209,7 @@ func Test_RemediationSummaryToLegacy(t *testing.T) {
 				PackageName:      util.Ptr("baz"),
 				Version:          "1.0.0",
 				IsUpgradable:     false,
-				Reachability:     util.Ptr(definitions.REACHABLE),
+				Reachability:     util.Ptr(definitions.Function),
 				CvssScore:        util.Ptr(float32(9.7)),
 				Severity:         definitions.Critical,
 				ModificationTime: util.Ptr("2025-06-03T10:14:39Z"),
@@ -270,7 +270,7 @@ func Test_RemediationSummaryToLegacy(t *testing.T) {
 				PackageName:      util.Ptr("baz"),
 				Version:          "1.0.0",
 				IsUpgradable:     false,
-				Reachability:     util.Ptr(definitions.REACHABLE),
+				Reachability:     util.Ptr(definitions.Function),
 				CvssScore:        util.Ptr(float32(9.7)),
 				Severity:         definitions.Critical,
 				ModificationTime: util.Ptr("2025-06-03T10:14:39Z"),
@@ -284,7 +284,7 @@ func Test_RemediationSummaryToLegacy(t *testing.T) {
 			PackageName:      util.Ptr("foo"),
 			Version:          "1.0.0",
 			IsUpgradable:     true,
-			Reachability:     util.Ptr(definitions.REACHABLE),
+			Reachability:     util.Ptr(definitions.Function),
 			CvssScore:        util.Ptr(float32(7.7)),
 			Severity:         definitions.High,
 			ModificationTime: util.Ptr("2025-06-03T10:14:39Z"),

internal/legacy/transform/remediation_test.go

@@ -311,10 +311,12 @@ func ProcessEvidenceForFinding(vuln *definitions.Vulnerability, ev *testapi.Evid
 		}
 		switch reachEvidence.Reachability {
 		case testapi.ReachabilityTypeFunction:
-			vuln.Reachability = util.Ptr(definitions.REACHABLE)
+			vuln.Reachability = util.Ptr(definitions.Function)
 		case testapi.ReachabilityTypeNoInfo:
-			vuln.Reachability = util.Ptr(definitions.NOTREACHABLE)
-		case testapi.ReachabilityTypeNotApplicable, testapi.ReachabilityTypeNone:
+			vuln.Reachability = util.Ptr(definitions.NoInfo)
+		case testapi.ReachabilityTypeNotApplicable:
+			vuln.Reachability = util.Ptr(definitions.NotApplicable)
+		default:
 			// No reachability value set for these types
 		}
 	}

internal/legacy/transform/transform.go

@@ -203,8 +203,8 @@ func TestProcessingEvidenceForFinding(t *testing.T) {
 		{depPathEv, testDepList, nil, false},
 		{execFlowEv, nil, nil, false},  // Exec flow not yet supported.
 		{otherFlowEv, nil, nil, false}, // Other flow not yet supported.
-		{reachableEv, nil, util.Ptr(definitions.REACHABLE), false},
-		{notReachableEv, nil, util.Ptr(definitions.NOTREACHABLE), false},
+		{reachableEv, nil, util.Ptr(definitions.Function), false},
+		{notReachableEv, nil, util.Ptr(definitions.NoInfo), false},
 	}
 
 	for _, tt := range tests {