fix: reachability rendering

Author: paulrosca-snyk

go.mod

@@ -22,6 +22,8 @@ require (
 	github.com/stretchr/testify v1.10.0
 	golang.org/x/net v0.43.0
 	golang.org/x/sync v0.17.0
+	golang.org/x/text v0.29.0
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
@@ -100,10 +102,8 @@ require (
 	golang.org/x/crypto v0.42.0 // indirect
 	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 // replace github.com/snyk/go-application-framework => ../go-application-framework

internal/commands/ostest/__snapshots__/sbom_reachability_flow_test.snap

@@ -27,7 +27,6 @@
  "projectName": "",
  "remediation": {
   "ignore": null,
-  "patch": null,
   "pin": {},
   "unresolved": [],
   "upgrade": {
@@ -65,7 +64,7 @@
    "packageManager": "npm",
    "packageName": "foo",
    "publicationTime": "2025-07-28T17:11:43.000000Z",
-   "reachability": "REACHABLE",
+   "reachability": "reachable",
    "riskScore": 80,
    "severity": "high",
    "socialTrendAlert": false,

internal/legacy/definitions/legacy-json.tsp

@@ -17,8 +17,19 @@ enum VulnerabilitySeverity {
 }
 
 enum Reachability {
-  REACHABLE,
-  NOT_REACHABLE,
+  reachable,
+  `no-reachable-paths`,
+  `not-applicable`,
+}
+
+model ReachableFunctionPaths {
+  functionName: string;
+  callPaths: string[][];
+}
+
+model ReachablePaths {
+  pathCount: uint32;
+  paths: ReachableFunctionPaths[];
 }
 
 alias UpgradePath = string | boolean;
@@ -75,6 +86,7 @@ model Vulnerability {
   riskScore?: uint16;
   from: string[];
   reachability?: Reachability;
+  reachablePaths?: ReachablePaths;
   upgradePath: UpgradePath[];
   isUpgradable: boolean;
   isPatchable: boolean;

internal/legacy/definitions/oapi.gen.go

@@ -334,8 +334,36 @@ components:
     Reachability:
       type: string
       enum:
-        - REACHABLE
-        - NOT_REACHABLE
+        - reachable
+        - no-reachable-paths
+        - not-applicable
+    ReachableFunctionPaths:
+      type: object
+      required:
+        - functionName
+        - callPaths
+      properties:
+        functionName:
+          type: string
+        callPaths:
+          type: array
+          items:
+            type: array
+            items:
+              type: string
+    ReachablePaths:
+      type: object
+      required:
+        - pathCount
+        - paths
+      properties:
+        pathCount:
+          type: integer
+          format: uint32
+        paths:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReachableFunctionPaths'
     Reference:
       type: object
       required:
@@ -350,7 +378,6 @@ components:
       type: object
       required:
         - ignore
-        - patch
         - pin
         - unresolved
         - upgrade
@@ -359,10 +386,6 @@ components:
           type: object
           additionalProperties:
             type: string
-        patch:
-          type: object
-          additionalProperties:
-            type: string
         pin:
           type: object
           additionalProperties:
@@ -492,6 +515,8 @@ components:
             type: string
         reachability:
           $ref: '#/components/schemas/Reachability'
+        reachablePaths:
+          $ref: '#/components/schemas/ReachablePaths'
         upgradePath:
           type: array
           items:

internal/legacy/definitions/spec.yaml

@@ -43,6 +43,7 @@
         Proprietary:           (*bool)(nil),
         PublicationTime:       &"2025-01-01T12:00:00.000000Z",
         Reachability:          (*definitions.Reachability)(nil),
+        ReachablePaths:        (*definitions.ReachablePaths)(nil),
         References:            (*[]definitions.Reference)(nil),
         RiskScore:             (*uint16)(nil),
         Semver:                &definitions.SemVerInfo{

internal/legacy/transform/__snapshots__/TestFindingToLegacyVulns_MultipleInstructions_1.snap

@@ -40,6 +40,7 @@
         Proprietary:            (*bool)(nil),
         PublicationTime:        &"2025-01-01T12:00:00.000000Z",
         Reachability:           (*definitions.Reachability)(nil),
+        ReachablePaths:         (*definitions.ReachablePaths)(nil),
         References:             (*[]definitions.Reference)(nil),
         RiskScore:              (*uint16)(nil),
         Semver:                 &definitions.SemVerInfo{

internal/legacy/transform/__snapshots__/TestFindingToLegacyVulns_NoInstructions_1.snap

@@ -42,6 +42,7 @@
         Proprietary:           (*bool)(nil),
         PublicationTime:       &"2025-01-01T12:00:00.000000Z",
         Reachability:          (*definitions.Reachability)(nil),
+        ReachablePaths:        (*definitions.ReachablePaths)(nil),
         References:            (*[]definitions.Reference)(nil),
         RiskScore:             (*uint16)(nil),
         Semver:                &definitions.SemVerInfo{

internal/legacy/transform/__snapshots__/TestFindingToLegacyVulns_SingleInstruction_1.snap

@@ -209,7 +209,7 @@ func Test_RemediationSummaryToLegacy(t *testing.T) {
 				PackageName:      util.Ptr("baz"),
 				Version:          "1.0.0",
 				IsUpgradable:     false,
-				Reachability:     util.Ptr(definitions.REACHABLE),
+				Reachability:     util.Ptr(definitions.Reachable),
 				CvssScore:        util.Ptr(float32(9.7)),
 				Severity:         definitions.Critical,
 				ModificationTime: util.Ptr("2025-06-03T10:14:39Z"),
@@ -270,7 +270,7 @@ func Test_RemediationSummaryToLegacy(t *testing.T) {
 				PackageName:      util.Ptr("baz"),
 				Version:          "1.0.0",
 				IsUpgradable:     false,
-				Reachability:     util.Ptr(definitions.REACHABLE),
+				Reachability:     util.Ptr(definitions.Reachable),
 				CvssScore:        util.Ptr(float32(9.7)),
 				Severity:         definitions.Critical,
 				ModificationTime: util.Ptr("2025-06-03T10:14:39Z"),
@@ -284,7 +284,7 @@ func Test_RemediationSummaryToLegacy(t *testing.T) {
 			PackageName:      util.Ptr("foo"),
 			Version:          "1.0.0",
 			IsUpgradable:     true,
-			Reachability:     util.Ptr(definitions.REACHABLE),
+			Reachability:     util.Ptr(definitions.Reachable),
 			CvssScore:        util.Ptr(float32(7.7)),
 			Severity:         definitions.High,
 			ModificationTime: util.Ptr("2025-06-03T10:14:39Z"),

internal/legacy/transform/remediation_test.go

@@ -311,10 +311,12 @@ func ProcessEvidenceForFinding(vuln *definitions.Vulnerability, ev *testapi.Evid
 		}
 		switch reachEvidence.Reachability {
 		case testapi.ReachabilityTypeFunction:
-			vuln.Reachability = util.Ptr(definitions.REACHABLE)
+			vuln.Reachability = util.Ptr(definitions.Reachable)
 		case testapi.ReachabilityTypeNoInfo:
-			vuln.Reachability = util.Ptr(definitions.NOTREACHABLE)
-		case testapi.ReachabilityTypeNotApplicable, testapi.ReachabilityTypeNone:
+			vuln.Reachability = util.Ptr(definitions.NoReachablePaths)
+		case testapi.ReachabilityTypeNotApplicable:
+			vuln.Reachability = util.Ptr(definitions.NotApplicable)
+		default:
 			// No reachability value set for these types
 		}
 	}