Website
More info available: https://aboutcode.org
Grant
Theme fund: NGI Zero Core
Start: 2025-01

CRAVEX 2 Code Reachability

Do vulnerable dependencies actually impact security or not?

CRAVEX makes it easier for any organization to efficiently comply with the emerging EU Cyber Resilience Act (CRA). CRAVEX collects, tracks, and triages FOSS package vulnerabilities, determines their exploitability in a portfolio of software products and projects, and provides reporting with SBOMs and VEX statements to share with stakeholders.

CRAVEX 2 enables CRAVEX users to triage vulnerabilities faster and more efficiently with automation and more accurate vulnerability data. An integrated, rule-based system automatically filters or reranks the vulnerabilities in the context of the managed application, system or device. This will integrate the emerging SSVC (Stakeholder-Specific Vulnerability Categorization) scoring for decision-tree-driven automation. Vulnerable code "reachability" determines whether the code affected by a CVE is present in the product, actually executed, and exploitable, rather than merely listed in a dependency. It will integrate and extend the features of NGI0-funded and FOSS projects, such as BANG.
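The following is an added illustration of the triage logic this paragraph describes; it is not CRAVEX's own code. It walks a constructed SBOM-style component list and call graph, applies the checks in order of cost (is the component present, is the installed version affected, is the vulnerable function on an execute path from the product's entry points) and emits a VEX-style status with one of the standard VEX justification strings. Package names, symbol names, vulnerability IDs and the call graph are all constructed for the example; the SSVC reranking the paragraph mentions is not implemented here.

```python
from __future__ import annotations
from dataclasses import dataclass

# Status and justification strings follow the VEX vocabulary (OpenVEX / CISA).
# Everything else in this file (packages, versions, symbols, IDs) is constructed.
NOT_AFFECTED, AFFECTED, UNDER_INVESTIGATION = "not_affected", "affected", "under_investigation"


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    package: str
    affected_versions: frozenset[str]
    vulnerable_symbols: frozenset[str]  # empty: no function-level data available


@dataclass
class Product:
    name: str
    components: dict[str, str]             # package -> installed version, as in an SBOM
    entry_points: frozenset[str]           # symbols the product actually starts executing from
    call_graph: dict[str, frozenset[str]]  # caller symbol -> callee symbols


def reachable_symbols(product: Product) -> set[str]:
    """Transitive closure of the call graph from the product's entry points."""
    seen: set[str] = set()
    stack = list(product.entry_points)
    while stack:
        sym = stack.pop()
        if sym in seen:
            continue
        seen.add(sym)
        stack.extend(product.call_graph.get(sym, frozenset()))
    return seen


def triage(vuln: Vulnerability, product: Product) -> dict[str, str | None]:
    """Decide a VEX status for one vulnerability against one product.

    Checks run cheapest first: component present? installed version affected?
    vulnerable function on an execute path? Only then is the product marked affected.
    """
    version = product.components.get(vuln.package)
    if version is None:
        return {"status": NOT_AFFECTED, "justification": "component_not_present"}
    if version not in vuln.affected_versions:
        return {"status": NOT_AFFECTED, "justification": "vulnerable_code_not_present"}
    if not vuln.vulnerable_symbols:
        # Version matches but we have no function-level data: never auto-dismiss, hand to a human.
        return {"status": UNDER_INVESTIGATION, "justification": None}
    if vuln.vulnerable_symbols.isdisjoint(reachable_symbols(product)):
        return {"status": NOT_AFFECTED, "justification": "vulnerable_code_not_in_execute_path"}
    return {"status": AFFECTED, "justification": None}


_PRIORITY = {AFFECTED: 0, UNDER_INVESTIGATION: 1, NOT_AFFECTED: 2}


def rank(vulns: list[Vulnerability], product: Product) -> list[tuple[str, str, str | None]]:
    """Triage every vulnerability and put the ones that still need action first."""
    rows = []
    for v in vulns:
        result = triage(v, product)
        rows.append((v.vuln_id, result["status"], result["justification"]))
    return sorted(rows, key=lambda row: (_PRIORITY[row[1]], row[0]))


# Constructed sample product: two bundled libraries, one call graph, one entry point.
PRODUCT = Product(
    name="example-gateway",
    components={"libfoo": "1.2.0", "libbar": "0.9.1"},
    entry_points=frozenset({"gateway.main"}),
    call_graph={
        "gateway.main": frozenset({"libfoo.load", "libbar.connect"}),
        "libfoo.load": frozenset({"libfoo.parse_header"}),
        "libfoo.parse_header": frozenset(),
        "libfoo.legacy_decode": frozenset({"libfoo.parse_header"}),  # shipped but never called
        "libbar.connect": frozenset(),
    },
)

# Constructed vulnerability records (IDs are placeholders, not real CVEs).
VULNS = [
    Vulnerability("EXAMPLE-0001", "libfoo", frozenset({"1.2.0"}), frozenset({"libfoo.parse_header"})),
    Vulnerability("EXAMPLE-0002", "libfoo", frozenset({"1.2.0"}), frozenset({"libfoo.legacy_decode"})),
    Vulnerability("EXAMPLE-0003", "libbar", frozenset({"0.8.0"}), frozenset({"libbar.connect"})),
    Vulnerability("EXAMPLE-0004", "libbaz", frozenset({"2.0.0"}), frozenset()),
    Vulnerability("EXAMPLE-0005", "libbar", frozenset({"0.9.1"}), frozenset()),
]

if __name__ == "__main__":
    for vuln_id, status, justification in rank(VULNS, PRODUCT):
        print(f"{vuln_id}: {status}" + (f" ({justification})" if justification else ""))
```

Two caveats a practitioner would attach to this: a "not in execute path" verdict is only as good as the call graph, so code reached through reflection, dynamic dispatch, plugins or callbacks must be modelled or the rule must fall back to under_investigation; and the ordering here is a plain status sort, whereas an SSVC decision tree would further split the affected set by exploitation state, exposure and impact before anything is auto-deferred.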

With increased automation and more accurate data, CRAVEX 2 further facilitates CRAVEX users' ability to efficiently manage vulnerabilities towards CRA compliance.

Run by AboutCode Europe ASBL


This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990.