compliance-scanner-agent/docs/features/impact-analysis.md
Sharang Parnerkar 7e12d1433a
docs: added vite-press docs (#4)
Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com>
Reviewed-on: #4
2026-03-08 13:59:50 +00:00


Impact Analysis

Impact Analysis uses the Code Knowledge Graph to determine the blast radius of a security finding. When a vulnerability is found in a specific function or file, impact analysis traces the call graph to show everything that could be affected.

Accessing Impact Analysis

Impact analysis is linked from the Graph Explorer. When viewing a repository's graph with findings, you can navigate to:

/graph/{repo_id}/impact/{finding_id}

What You See

Blast Radius

The total number of code symbols (functions, methods, classes) affected by the vulnerability, whether directly or transitively.

Entry Points Affected

A list of public entry points — main functions, HTTP handlers, API endpoints — that could be impacted by the vulnerable code. These represent the ways an attacker could potentially reach the vulnerability.

Call Chains

Complete call chains showing how execution flows from an entry point through intermediate functions to the vulnerable code. Each chain lists the sequence of function calls in order.

Direct Callers

The immediate functions that call the vulnerable function. These are the first layer of impact.

How It Works

  1. The finding's file path and line number are matched to a node in the code graph
  2. The graph is traversed backwards along call edges to find all callers
  3. Entry points (functions with no callers, or known patterns like main, HTTP handlers) are identified
  4. All paths from entry points to the vulnerable node are computed
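The following is an added example, not the scanner's own implementation, of steps 2 to 4 on a constructed call graph. Step 1 (mapping a finding's file and line to a graph node) is assumed already done, so the vulnerable symbol is passed in by name; the entry-point name prefixes are likewise an assumed stand-in for the scanner's "known patterns".

```python
from collections import defaultdict, deque

# Constructed sample call graph (caller -> callees); not data from the scanner.
CALLS = {
    "main": {"run_server"},
    "run_server": {"handle_upload", "handle_status"},
    "handle_upload": {"save_file"},
    "handle_status": {"format_status"},
    "save_file": {"sanitize_path", "write_bytes"},
    "sanitize_path": set(), "write_bytes": set(), "format_status": set(),
    "legacy_cleanup": {"write_bytes"},  # never called, so step 3 treats it as an entry point
}
ENTRY_PREFIXES = ("main", "handle_")  # assumed stand-in for the "known patterns" rule

def reverse_edges(calls):
    """Build callee -> callers so the graph can be walked backwards (step 2)."""
    callers = defaultdict(set)
    for caller, callees in calls.items():
        for callee in callees:
            callers[callee].add(caller)
    return callers

def impact(calls, vulnerable):
    """Blast radius, entry points, call chains and direct callers for one vulnerable symbol."""
    callers = reverse_edges(calls)
    def is_entry(node):  # step 3: no callers, or a name matching a known pattern
        return not callers[node] or node.startswith(ENTRY_PREFIXES)

    # Step 2: breadth-first walk over reversed edges; each symbol reached is transitively affected.
    affected, queue = set(), deque([vulnerable])
    while queue:
        for caller in callers[queue.popleft()]:
            if caller not in affected:
                affected.add(caller)
                queue.append(caller)

    # Step 4: depth-first enumeration of every path entry point -> ... -> vulnerable symbol.
    chains = []
    def walk(node, path):
        if is_entry(node):
            chains.append(path[::-1])  # built callee-first, reported entry-point-first
        for caller in callers[node]:
            if caller not in path:  # guard against recursive call cycles
                walk(caller, path + [caller])
    walk(vulnerable, [vulnerable])

    return {"blast_radius": len(affected),
            "entry_points": sorted({chain[0] for chain in chains}),
            "call_chains": sorted(chains),
            "direct_callers": sorted(callers[vulnerable])}
```

Note that `legacy_cleanup` surfaces as an entry point purely because nothing calls it, so a "no callers" heuristic will also list dead code; the name-pattern rule is what separates real handlers from unreachable leftovers.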

Use Cases

  • Prioritization — A critical vulnerability in a function called by 50 entry points is more urgent than one in dead code
  • Remediation scoping — Understand what tests need to run after a fix
  • Risk assessment — Quantify the actual exposure of a vulnerability