CVE Triage: Reachability Beats CVSS
A CVSS base score rates a vulnerability as if your code reaches the vulnerable function. For most dependencies it does not. Reachability-aware triage is the upgrade.
The CVSS-only failure mode
The CVSS base score describes a vulnerability in isolation, not in your deployment: it assumes an attacker can reach the vulnerable code. A CVSS 9.8 in a library function your application never calls is, for you, low risk.
Patching every high-CVSS finding buries the security team in non-reachable noise and delays the few findings that actually matter.
Reachability as the filter
- Reachability analysis asks: is there a call path from my code to the vulnerable function? If no path exists, the CVE cannot be triggered through my application. The caveat: a static call graph does not see reflection, dynamic loading or deserialization gadget chains, so "unreachable" means "no path found", not "proven safe", and a finding the tool could not analyze at all should be treated as reachable.
- Tools such as Snyk Reachable Vulnerabilities, Endor Labs and Semgrep Supply Chain build the call graph across your code and its dependencies and tag each CVE as reachable or not reachable.
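To make the call-path question concrete, here is a toy static reachability check, added as an illustration; it is not the engine behind Snyk, Endor Labs or Semgrep Supply Chain. It builds a call graph with Python's `ast` module and asks whether a vulnerable function is reachable from a given entrypoint. The two sample modules are constructed inline, and `vulnlib.parse_untrusted` is a hypothetical vulnerable API, not a real CVE. It also shows the blind spot mentioned above: a `getattr`-based dispatch makes the answer "unknown" rather than "unreachable".

```python
"""Toy static reachability check (added example, not any vendor's code).
Builds a call graph with `ast` and asks whether `vulnlib.parse_untrusted`
(a hypothetical vulnerable API) is reachable from an entrypoint."""
import ast
from collections import deque

# Constructed sample project, one source string per module.
PROJECT = {
    "app.py": """
import vulnlib
from helpers import render, dead_code

def handle_request(body):
    return render(body)

def main():
    return handle_request("x")

def plugin_dispatch(body, name):
    return getattr(vulnlib, name)(body)   # dynamic call: target invisible to the graph

def admin_main():
    return plugin_dispatch("x", "parse_untrusted")
""",
    "helpers.py": """
import vulnlib

def render(body):
    return body.upper()

def dead_code(body):
    return vulnlib.parse_untrusted(body)  # the only call site; nothing calls dead_code()
""",
}

def _callee_name(node):
    """Dotted name of a Call's target, or None when it cannot be resolved statically."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    parts = []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if parts and isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return None   # getattr(...)(), lambdas, calls on the result of another call

def build_call_graph(project):
    """Map 'module.func' -> callees; also collect functions with unresolved calls."""
    graph, dynamic = {}, set()
    for filename, src in project.items():
        mod, tree = filename[:-3], ast.parse(src)
        local = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
        imported = {a.asname or a.name: f"{n.module}.{a.name}"
                    for n in tree.body if isinstance(n, ast.ImportFrom) for a in n.names}
        for fn in tree.body:
            if not isinstance(fn, ast.FunctionDef):
                continue
            qual = f"{mod}.{fn.name}"
            graph[qual] = set()
            for node in ast.walk(fn):
                if not isinstance(node, ast.Call):
                    continue
                name = _callee_name(node)
                if name is None:
                    dynamic.add(qual)          # an edge we cannot see
                elif name in local:
                    graph[qual].add(f"{mod}.{name}")
                else:
                    graph[qual].add(imported.get(name, name))
    return graph, dynamic

def find_path(graph, entry, target):
    """BFS from entry. Returns (path to target or None, set of visited nodes)."""
    parent, queue = {entry: None}, deque([entry])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1], set(parent)
        for nxt in graph.get(cur, ()):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None, set(parent)

def triage(project, entry, vulnerable_fn):
    """'reachable' plus the call path; 'unknown' plus the visited functions whose
    calls could not be resolved; otherwise 'unreachable'."""
    graph, dynamic = build_call_graph(project)
    path, visited = find_path(graph, entry, vulnerable_fn)
    if path:
        return "reachable", path
    blind_spots = sorted(dynamic & visited)
    return ("unknown", blind_spots) if blind_spots else ("unreachable", [])

if __name__ == "__main__":
    for entry in ("app.main", "helpers.dead_code", "app.admin_main"):
        print(entry, "->", triage(PROJECT, entry, "vulnlib.parse_untrusted"))
```

Running it reports `app.main` as unreachable (the only call site is in `dead_code`, which nothing calls), `helpers.dead_code` as reachable with the path, and `app.admin_main` as unknown because the dispatch goes through `getattr`. Real tools add interprocedural analysis inside the dependency itself and language-specific heuristics for dynamic calls, but the "no path found" versus "could not resolve" distinction is the part worth copying into your policy.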
Tooling that does it
Pick one tool and run it in CI on every build. Default policy: fail the build on findings that are both reachable and critical or high; warn, but do not fail, on unreachable findings.
The triage queue typically drops 60-80% on day one, and the genuinely urgent work surfaces.
Workflow integration
Workflow: reachable critical, patch immediately. Reachable high, patch within the sprint. Unreachable, do not block; track it for the next upgrade window and re-check it on every release, since a refactor can open a new path. Reachability the tool could not determine counts as reachable until shown otherwise.
This discipline surfaces the findings that a CVSS-only queue drowns.
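The CI policy and the workflow above as a small gate, added here as an example rather than any vendor's code. The normalized finding shape (`id`, `package`, `severity`, `reachable`) is an assumption; map your scanner's report onto it. The sample findings are constructed, with placeholder ids. The one decision the prose leaves implicit is spelled out: a finding whose reachability is unknown fails closed and blocks like a reachable one.

```python
"""CI gate for reachability-aware triage (added example, not any vendor's code).
Assumed normalized finding shape: id, package, severity, reachable
(True, False, or "unknown" when the tool had no call graph for the dependency)."""
import sys

# Constructed sample report with placeholder ids.
FINDINGS = [
    {"id": "EXAMPLE-1", "package": "fastxml",  "severity": "critical", "reachable": True},
    {"id": "EXAMPLE-2", "package": "imgcodec", "severity": "critical", "reachable": False},
    {"id": "EXAMPLE-3", "package": "httpkit",  "severity": "high",     "reachable": True},
    {"id": "EXAMPLE-4", "package": "legacyio", "severity": "high",     "reachable": "unknown"},
    {"id": "EXAMPLE-5", "package": "tzdb",     "severity": "low",      "reachable": False},
]

# Severities that block the build when the vulnerable code is (or may be) reachable.
BLOCKING = {"critical": "patch now", "high": "patch within the sprint"}

def decide(finding):
    """Return (gate, action); gate is 'block' or 'warn'.

    Unknown reachability fails closed: the tool could not prove the code path
    absent, so the finding is handled as reachable and the note says so.
    """
    sev = finding["severity"].lower()
    reach = finding.get("reachable", "unknown")
    if reach is False:
        return "warn", "track for next upgrade window; re-check each release"
    note = " (reachability unknown, assumed reachable)" if reach == "unknown" else ""
    if sev in BLOCKING:
        return "block", BLOCKING[sev] + note
    return "warn", "schedule in backlog" + note

def run_gate(findings):
    """Classify every finding; exit_code is 1 if anything blocks, else 0."""
    blocked, warned = [], []
    for f in findings:
        gate, action = decide(f)
        (blocked if gate == "block" else warned).append((f["id"], f["severity"], action))
    return {"blocked": blocked, "warned": warned, "exit_code": 1 if blocked else 0}

if __name__ == "__main__":
    result = run_gate(FINDINGS)
    for bucket in ("blocked", "warned"):
        for fid, sev, action in result[bucket]:
            print(f"{bucket.upper():8} {fid:10} {sev:9} {action}")
    sys.exit(result["exit_code"])
```

On the sample report the gate blocks EXAMPLE-1, EXAMPLE-3 and EXAMPLE-4 (the last because its reachability is unknown) and only warns on the unreachable critical EXAMPLE-2, which is exactly the inversion of a CVSS-only queue. Wire the exit code into the pipeline step and keep the warned list visible in the build log so unreachable findings are not forgotten.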
Antipatterns
- CVSS-only triage at scale. It buries the team in findings that cannot be exploited through your code.
- Ignoring unreachable findings forever. A refactor can open a new code path, so re-evaluate them on each release and fold the upgrades into planned maintenance.
- One-time scans. Reachability changes with every release of your code and of your dependencies.
What to do this week
Three moves. (1) Pick one production service and apply the pattern there first. (2) Measure the triage queue before and after: how many findings blocked, and how many of those were actually reachable. (3) Document what the tool could not classify (dependencies with no call graph, dynamic dispatch it could not resolve) and write a follow-up ticket so the program stays alive between quarterly reviews.