snyk · paulrosca-snyk · Sep 4, 2025
@@ -45,7 +45,7 @@
    "packageManager": "npm",
    "packageName": "foo",
    "publicationTime": "2025-07-28T17:11:43.000000Z",
-   "reachability": "REACHABLE",
+   "reachability": "function",
    "riskScore": 80,
    "severity": "high",
    "socialTrendAlert": false,

@@ -17,8 +17,20 @@ enum VulnerabilitySeverity {
 }
 
 enum Reachability {
-  REACHABLE,
-  NOT_REACHABLE,
+  function,
+  package,
+  `no-info`,
+  `not-applicable`,
+}
+
+model ReachableFunctionPaths {
+  functionName: string;
+  callPaths: string[][];
+}
+
+model ReachablePaths {
+  pathCount: uint32;
+  paths: ReachableFunctionPaths[];
 }
 
 alias UpgradePath = string | boolean;
@@ -69,6 +81,7 @@ model Vulnerability {
   riskScore?: uint16;
   from: string[];
   reachability?: Reachability;
+  reachablePaths?: ReachablePaths;
   upgradePath: UpgradePath[];
   isUpgradable: boolean;
   isPatchable: boolean;

@@ -309,8 +309,37 @@ components:
     Reachability:
       type: string
       enum:
-        - REACHABLE
-        - NOT_REACHABLE
+        - function
+        - package
+        - no-info
+        - not-applicable
+    ReachableFunctionPaths:
+      type: object
+      required:
+        - functionName
+        - callPaths
+      properties:
+        functionName:
+          type: string
+        callPaths:
+          type: array
+          items:
+            type: array
+            items:
+              type: string
+    ReachablePaths:
+      type: object
+      required:
+        - pathCount
+        - paths
+      properties:
+        pathCount:
+          type: integer
+          format: uint32
+        paths:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReachableFunctionPaths'
     Reference:
       type: object
       required:
@@ -463,6 +492,8 @@ components:
             type: string
         reachability:
           $ref: '#/components/schemas/Reachability'
+        reachablePaths:
+          $ref: '#/components/schemas/ReachablePaths'
         upgradePath:
           type: array
           items:

@@ -76,6 +76,7 @@
         Proprietary:           (*bool)(nil),
         PublicationTime:       &"2025-06-03T10:14:39.000000Z",
         Reachability:          (*definitions.Reachability)(nil),
+        ReachablePaths:        (*definitions.ReachablePaths)(nil),
         References:            &[]definitions.Reference{
             {Title:"GitHub Commit", Url:"https://github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f"},
             {Title:"Red Hat Bugzilla Bug", Url:"https://bugzilla.redhat.com/show_bug.cgi?id=2369875"},
@@ -171,6 +172,7 @@
         Proprietary:           (*bool)(nil),
         PublicationTime:       &"2025-06-03T10:14:39.000000Z",
         Reachability:          (*definitions.Reachability)(nil),
+        ReachablePaths:        (*definitions.ReachablePaths)(nil),
         References:            &[]definitions.Reference{
             {Title:"GitHub Commit", Url:"https://github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f"},
             {Title:"Red Hat Bugzilla Bug", Url:"https://bugzilla.redhat.com/show_bug.cgi?id=2369875"},

@@ -309,10 +309,12 @@ func ProcessEvidenceForFinding(vuln *definitions.Vulnerability, ev *testapi.Evid
 		}
 		switch reachEvidence.Reachability {
 		case testapi.ReachabilityTypeFunction:
-			vuln.Reachability = util.Ptr(definitions.REACHABLE)
+			vuln.Reachability = util.Ptr(definitions.Function)
 		case testapi.ReachabilityTypeNoInfo:
-			vuln.Reachability = util.Ptr(definitions.NOTREACHABLE)
-		case testapi.ReachabilityTypeNotApplicable, testapi.ReachabilityTypeNone:
+			vuln.Reachability = util.Ptr(definitions.NoInfo)
+		case testapi.ReachabilityTypeNotApplicable:
+			vuln.Reachability = util.Ptr(definitions.NotApplicable)
+		default:
 			// No reachability value set for these types
 		}
 	}

@@ -201,8 +201,8 @@ func TestProcessingEvidenceForFinding(t *testing.T) {
 		{depPathEv, testDepList, nil, false},
 		{execFlowEv, nil, nil, false},  // Exec flow not yet supported.
 		{otherFlowEv, nil, nil, false}, // Other flow not yet supported.
-		{reachableEv, nil, util.Ptr(definitions.REACHABLE), false},
-		{notReachableEv, nil, util.Ptr(definitions.NOTREACHABLE), false},
+		{reachableEv, nil, util.Ptr(definitions.Function), false},
+		{notReachableEv, nil, util.Ptr(definitions.NoInfo), false},
 	}
 
 	for _, tt := range tests {

@@ -8,13 +8,15 @@ Security issues: 1
    Finding ID: SNYK-JS-VM2-5537100
    Info: https://snyk.io/vuln/SNYK-JS-VM2-5537100
    Risk Score: 780
+   Reachability: Not Applicable
 
 
 License issues: 1
 
  ✗ [MEDIUM] LGPL-3.0 license
    Finding ID: snyk:lic:npm:web3-core:LGPL-3.0
    Info: https://snyk.io/vuln/snyk:lic:npm:web3-core:LGPL-3.0
+   Reachability: Not Applicable
 
 
 ╭─────────────────────────────────────────────────────────╮

@@ -15,7 +15,7 @@ import (
 	"github.com/snyk/go-application-framework/pkg/runtimeinfo"
 )
 
-const notApplicable = "N/A"
+const notApplicable = "Not Applicable"
 
 // add returns the sum of two integers.
 func add(a, b int) int {
@@ -181,8 +181,8 @@ func getReachability(finding testapi.FindingData) string {
 			case testapi.ReachabilityTypeFunction:
 				return "Reachable"
 			case testapi.ReachabilityTypeNoInfo:
-				return "No reachable path found"
-			case testapi.ReachabilityTypeNotApplicable, testapi.ReachabilityTypeNone:
+				return "No Path Found"
+			default:
 				return notApplicable
 			}
 		}
@@ -381,7 +381,7 @@ func getDefaultTemplateFuncMap(config configuration.Configuration, ri runtimeinf
 		if finding.Id != nil {
 			return finding.Id.String()
 		}
-		return notApplicable
+		return "N/A"
 	}
 
 	defaultMap := template.FuncMap{}