Don't just scan. Understand.
The Reachability-Aware Vulnerability Intelligence Engine
Built by QuadCore: Saksham Sood · Aaradhya Khanna · Sameer Garg · Sourabh Bansal
Hack Helix Hackathon 2026
- Problem Statement
- Solution Overview
- Core Features
- System Architecture
- The Scoring Model
- API Reference
- Project Structure
- Local Setup Guide
- Troubleshooting
- Roadmap
- Team
## Problem Statement

Existing vulnerability scanners are loud, not smart. They flood developers with alerts without answering the only question that actually matters:

"Does this CVE affect my running application, and can an attacker actually reach it?"
| Pain Point | The Reality |
|---|---|
| Alert fatigue | Tools scream about every CVE in node_modules, whether or not the vulnerable code is ever called |
| No reachability context | "lodash is vulnerable" tells you nothing about whether lodash.template() is reachable from your login route |
| Phantom dependency noise | Packages declared in package.json but never imported inflate finding counts by 30–60% |
| No negative detection | Tools only alert; they never tell you a CVE is safe because the path doesn't exist |
| Missing call-graph depth | Package-level reachability is not function-level reachability. The difference is the difference between a false alarm and an actual RCE |
## Solution Overview

TraceBlast is a reachability-aware vulnerability intelligence engine. It does not just report which packages have CVEs: it traces every CVE from the package back through your dependency graph to your HTTP entry points, scores how exploitable it truly is, and tells you when something is not reachable.

It operates across three analysis tiers, automatically selecting the deepest tier available in your environment:

- Tier 1 (Manifest Analysis): BFS graph traversal + CVE scoring. Always available, runs in milliseconds.
- Tier 2 (Dependency Intelligence): Phantom detection, fix-commit diff analysis, OSV/npm ecosystem enrichment.
- Tier 3 (Full Signal Analysis): Semgrep taint/sink confirmation, js-callgraph / Jelly function-level reachability, combined six-signal exploitability model.
## Core Features

TraceBlast replaces simple CVSS scoring with a multi-signal formula:

E = S_cve · Φ(E) · semgrep_boost · callgraph_multiplier · ecosystem_multiplier · (1 + α · log P)

Each signal either confirms or suppresses a finding. A CVE with CVSS 9.8 scores zero if the call graph proves the vulnerable function is unreachable.

If TraceBlast cannot find a path from any entry point to the vulnerable package, it says so explicitly with "reachable": false and "risk_label": "safe". Most scanners only scream. TraceBlast also knows when to stay quiet.

Packages declared in package.json but never imported or required anywhere in source are flagged as phantom dependencies. Their CVEs are suppressed entirely: no score, no alert, no noise.
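The phantom check described above can be reproduced with a few lines of stdlib Python. The block below is an added example, not TraceBlast's own phantom_signal.py: it reads a constructed package.json and two in-memory source files, resolves each import specifier to its package name (subpath imports such as lodash/template and scoped packages such as @babel/core included), and reports the packages that are declared but never imported so their CVEs can be gated to score 0 with the "phantom" label. The sample manifest, the sample files and the suppress_phantoms helper are constructed for the example. One caveat for anyone extending it: a regex only sees literal specifiers, so a require(variable) or a package loaded through a plugin loader looks like a phantom and should be allow-listed rather than suppressed.

```python
"""Phantom dependency detection (added example, not TraceBlast's own code)."""
import json
import re

# Constructed sample project: a package.json and two source files held in memory.
PACKAGE_JSON = json.dumps({
    "dependencies": {
        "express": "^4.18.0",
        "lodash": "^4.17.20",
        "moment": "^2.29.0",        # declared, never imported -> phantom
        "@babel/core": "^7.0.0",
    },
    "devDependencies": {"jest": "^29.0.0"},
})
SOURCE_FILES = {
    "app.js": "const express = require('express');\n"
              "const tpl = require('lodash/template');\n",
    "auth.js": "import { transform } from '@babel/core';\n"
               "import('./util.js');\n",
}

# Literal specifiers in require(), dynamic import(), static import ... from, and re-exports.
IMPORT_RE = re.compile(
    r"""(?:require\s*\(\s*|import\s*\(\s*|import\s+(?:[\w*{}\s,$]+\s+from\s+)?"""
    r"""|export\s+[\w*{}\s,$]+\s+from\s+)['"]([^'"]+)['"]"""
)


def package_name(specifier):
    """Map an import specifier to its npm package name; None for relative paths."""
    if specifier.startswith((".", "/")):
        return None
    parts = specifier.split("/")
    if specifier.startswith("@") and len(parts) >= 2:
        return "/".join(parts[:2])      # scoped package: @scope/name
    return parts[0]                      # subpath import: lodash/template -> lodash


def imported_packages(sources):
    """Set of package names referenced by any literal import in the sources."""
    found = set()
    for text in sources.values():
        for spec in IMPORT_RE.findall(text):
            name = package_name(spec)
            if name:
                found.add(name)
    return found


def phantom_dependencies(package_json_text, sources, include_dev=False):
    """Declared packages with no import anywhere in source, sorted for stable output."""
    manifest = json.loads(package_json_text)
    declared = set(manifest.get("dependencies", {}))
    if include_dev:
        declared |= set(manifest.get("devDependencies", {}))
    return sorted(declared - imported_packages(sources))


def suppress_phantoms(findings, phantoms):
    """Phantom gate: zero the score and relabel findings on phantom packages."""
    phantoms = set(phantoms)
    for finding in findings:
        if finding["package"] in phantoms:
            finding["score"] = 0.0
            finding["risk_label"] = "phantom"
    return findings


if __name__ == "__main__":
    print(phantom_dependencies(PACKAGE_JSON, SOURCE_FILES))
```

Run the module directly and it lists moment as the only phantom; pass include_dev=True and jest joins it, which is why a real run should decide up front whether devDependencies are in scope for the gate.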
TraceBlast fetches the actual commit that patched each CVE from the OSV database, parses the diff, and extracts the exact vulnerable function name. This upgrades call-graph and Semgrep queries from package-level to function-level precision.

A React/Vite frontend renders every dependency path as an interactive subway map. Each node is coloured by risk label. Click any stop to open the signal breakdown panel for that finding.

A native VS Code extension surfaces TraceBlast findings inline while you code; no terminal required.

A Node.js CLI (trace-cli) lets you pipe TraceBlast results into CI pipelines, scripts, or other tooling.
## System Architecture

```text
┌────────────────────────────────────────────────────────────┐
│                        Client Layer                        │
│    React/Vite Subway UI · VS Code Extension · trace-cli    │
└─────────────────────────────┬──────────────────────────────┘
                              │ HTTP POST /analyze
┌─────────────────────────────▼──────────────────────────────┐
│                     Flask API Gateway                      │
│                   app.py · ingestion.py                    │
└─────────────────────────────┬──────────────────────────────┘
                              │
┌─────────────────────────────▼──────────────────────────────┐
│          Analysis Orchestrator (orchestrator.py)           │
│                                                            │
│  ┌── Tier 1 ────────────────────────────────────────────┐  │
│  │ traversal.py (NetworkX BFS) · heuristic.py (Φ calc)  │  │
│  └──────────────────────────────────────────────────────┘  │
│                                                            │
│  ┌── Tier 2 ────────────────────────────────────────────┐  │
│  │ phantom_signal.py · fixcommit_signal.py              │  │
│  │ ecosystem_signal.py (OSV API + npm downloads)        │  │
│  └──────────────────────────────────────────────────────┘  │
│                                                            │
│  ┌── Tier 3 ────────────────────────────────────────────┐  │
│  │ semgrep_signal.py (taint/sink)                       │  │
│  │ callgraph_signal.py (Jelly / js-callgraph)           │  │
│  └──────────────────────────────────────────────────────┘  │
│                                                            │
│  exploitability_model.py: six-signal combiner + hard gates │
└────────────────────────────────────────────────────────────┘
```
| Signal | Module | Tier | What It Contributes |
|---|---|---|---|
| BFS Traversal | traversal.py | 1 | Shortest path from entry point to vulnerable package |
| Heuristic Φ(E) | heuristic.py | 1 | Import-chain confidence score |
| OSV + npm | ecosystem_signal.py | 2 | CVSS enrichment, PoC detection, popularity multiplier |
| Phantom Detector | phantom_signal.py | 2 | Suppresses packages that are declared but never imported |
| Fix-Commit Diff | fixcommit_signal.py | 2 | Resolves exact vulnerable function from the patch commit |
| Semgrep | semgrep_signal.py | 3 | Confirms user-controlled data reaches the vulnerable sink |
| Call Graph | callgraph_signal.py | 3 | Function-level reachability via Jelly or js-callgraph |
## The Scoring Model

E = S_cve · Φ(E) · semgrep_boost · callgraph_multiplier · ecosystem_multiplier · (1 + α · log P)

| Term | Range | Meaning |
|---|---|---|
| S_cve | 0–10 | Raw CVSS base score |
| Φ(E) | 0.1–1.0 | Import-chain confidence (lower for barrel exports / dynamic imports) |
| semgrep_boost | 0.8–1.0 | Taint/sink confirmation from Semgrep |
| callgraph_multiplier | 0.0–1.0 | 0.0 = hard gate if function is provably unreachable |
| ecosystem_multiplier | 1.0–2.0 | Network exploitability + PoC availability + package popularity |
| P (proximity) | 1–N | Number of hops from entry point |
| α | 0.0–5.0 | Tunable weight (default 0.5) |

Two conditions force the score to zero before the formula runs:

- Phantom gate: package declared but never imported → score = 0, label = "phantom"
- Call-graph gate: Jelly/js-callgraph finds no path to the vulnerable function → score = 0, label = "safe"

| Score | Label |
|---|---|
| ≥ 9.0 | critical |
| ≥ 7.0 | high |
| ≥ 4.0 | medium |
| ≥ 1.0 | low |
| = 0.0 | safe |
| Φ < 0.4 | uncertain (manual review advised) |
| Phantom | phantom |
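To make the formula and the gates concrete, here is an added example (not TraceBlast's own traversal.py or exploitability_model.py) that runs Tier 1 end to end on the dependency graph from the API reference: a BFS from each entry point, an explicit "reachable": false for an entry point with no path, then the six-signal formula behind the two hard gates. Assumptions, labelled in the code as well: P is taken as the number of nodes on the shortest path and log is the natural log, which reproduces the sample response's p_term of 1.693 for the four-node path at α = 0.5; a signal that is not available contributes a neutral 1.0; the engine's NetworkX traversal is replaced by a plain stdlib BFS; and a constructed GET /status route is added to exercise negative detection. Two caveats worth noting: with neutral multipliers the sample inputs (S_cve 7.2, Φ 0.333, four nodes) give 4.06, so the 6.19 in the sample response includes ecosystem or other multipliers not shown in its breakdown; and the sample response labels a Φ = 0.333 finding "high", so the page does not pin down where the "uncertain" rule sits relative to the thresholds, and this example labels by score threshold only.

```python
"""Tier 1 walkthrough: BFS reachability, then the six-signal score with hard gates.

Added example, not TraceBlast's own code. Assumptions (also stated in the lead-in):
  * the graph is the adjacency dict from the /analyze request;
  * P is the number of nodes on the shortest path and log is the natural log
    (with alpha = 0.5 this gives the sample's p_term of 1.693 for a 4-node path);
  * signals that are not available contribute a neutral multiplier of 1.0;
  * labels come from the score thresholds only.
"""
from collections import deque
import math

# Constructed sample: the dependency graph from the API reference, plus one
# route (GET /status) that never reaches lodash, to exercise negative detection.
DEPENDENCY_GRAPH = {
    "POST /login": ["app.js"],
    "app.js": ["auth.js"],
    "auth.js": ["lodash"],
    "GET /status": ["status.js"],
    "status.js": [],
}
CVE = {"id": "CVE-2021-23337", "package": "lodash", "cvss": 7.2}
LABEL_THRESHOLDS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (1.0, "low"))


def shortest_path(graph, source, target):
    """Plain BFS (the engine uses NetworkX). Returns the node list or None."""
    parents = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for child in graph.get(node, []):
            if child not in parents:
                parents[child] = node
                queue.append(child)
    return None


def risk_label(score):
    """Map a score to the label table; anything below 1.0 is treated as safe."""
    for threshold, label in LABEL_THRESHOLDS:
        if score >= threshold:
            return label
    return "safe"


def exploitability(s_cve, phi, path_nodes, alpha=0.5, semgrep_boost=1.0,
                   callgraph_multiplier=1.0, ecosystem_multiplier=1.0,
                   phantom=False):
    """E = S_cve * Phi(E) * semgrep_boost * callgraph_multiplier
           * ecosystem_multiplier * (1 + alpha * log P), after the hard gates."""
    if phantom:                        # phantom gate: declared but never imported
        return 0.0, "phantom", {}
    if callgraph_multiplier == 0.0:    # call-graph gate: function provably unreachable
        return 0.0, "safe", {}
    p_term = 1 + alpha * math.log(path_nodes)
    score = round(s_cve * phi * semgrep_boost * callgraph_multiplier
                  * ecosystem_multiplier * p_term, 2)
    breakdown = {"s_cve": s_cve, "phi": round(phi, 3), "p_term": round(p_term, 3)}
    return score, risk_label(score), breakdown


def analyze(entry_points, graph, cve, phi=0.333, alpha=0.5, **signals):
    """One finding per entry point; an unreachable package is reported explicitly."""
    findings = []
    for entry in entry_points:
        path = shortest_path(graph, entry, cve["package"])
        if path is None:
            # Negative detection: say so instead of staying silent.
            findings.append({"cve_id": cve["id"], "entry_point": entry,
                             "reachable": False, "risk_label": "safe",
                             "score": 0.0, "path": []})
            continue
        score, label, breakdown = exploitability(cve["cvss"], phi, len(path),
                                                 alpha, **signals)
        findings.append({"cve_id": cve["id"], "entry_point": entry,
                         "reachable": True, "risk_label": label,
                         "score": score, "path": path, "breakdown": breakdown})
    return findings


if __name__ == "__main__":
    for finding in analyze(["POST /login", "GET /status"], DEPENDENCY_GRAPH, CVE):
        print(finding)
```

The gate order matters: the phantom and call-graph checks return before the formula is evaluated, so a CVSS 9.8 finding with callgraph_multiplier 0.0 never gets a non-zero score, exactly as the paragraph above promises.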
## API Reference

All endpoints are documented via Flask's interactive spec at /docs.

### POST /analyze

Run a full multi-tier analysis.

Request body:

```json
{
  "cves": [
    {
      "id": "CVE-2021-23337",
      "package": "lodash",
      "cvss": 7.2,
      "description": "Command injection"
    }
  ],
  "entry_points": [{ "id": "POST /login", "type": "http" }],
  "dependency_graph": {
    "POST /login": ["app.js"],
    "app.js": ["auth.js"],
    "auth.js": ["lodash"]
  },
  "project_root": "/path/to/project",
  "max_tier": 3,
  "alpha": 0.5,
  "github_token": "ghp_...",
  "semgrep_rules": ["p/javascript.express"]
}
```

Response:
```json
{
  "findings": [
    {
      "cve_id": "CVE-2021-23337",
      "package": "lodash",
      "cvss": 7.2,
      "entry_point": "POST /login",
      "reachable": true,
      "risk_label": "high",
      "score": 6.19,
      "path": ["POST /login", "app.js", "auth.js", "lodash"],
      "exploitability": {
        "score": 6.19,
        "breakdown": { "s_cve": 7.2, "phi": 0.333, "p_term": 1.693 }
      },
      "signals": { "ecosystem": {...}, "callgraph": {...} },
      "investigative_prompts": ["..."],
      "tier": 3
    }
  ],
  "nodes": [
    { "id": "POST /login", "type": "ingress" },
    { "id": "lodash", "type": "dependency" },
    { "id": "app.js", "type": "app" }
  ],
  "edges": [
    { "from": "POST /login", "to": "app.js" },
    { "from": "app.js", "to": "auth.js" },
    { "from": "auth.js", "to": "lodash" }
  ],
  "paths": [
    { "id": "path_0", "nodes": ["POST /login", "app.js", "auth.js", "lodash"] }
  ],
  "tier_used": 3,
  "signals_available": ["bfs_traversal", "heuristic_phi", "ecosystem_osv", "semgrep", "jelly"]
}
```

### GET /health

Returns tier detection, available signals, and engine version.
```json
{
  "status": "ok",
  "tier_available": 2,
  "signals_available": [
    "bfs_traversal",
    "heuristic_phi",
    "ecosystem_osv",
    "phantom_detector",
    "fix_commit_diff"
  ],
  "engine_version": "2.0.0"
}
```

## Project Structure

```text
Trace/
│
├── Task12/                     # Python Analysis Engine (Flask API)
│   ├── app.py                  # Flask entrypoint: POST /analyze, GET /health
│   ├── orchestrator.py         # Three-tier orchestrator: selects tier, runs signals
│   ├── traversal.py            # NetworkX BFS path finder
│   ├── heuristic.py            # Φ(E) confidence calculator
│   ├── exploitability_model.py # Six-signal scoring formula + hard gates
│   ├── phantom_signal.py       # Phantom dependency detector
│   ├── ecosystem_signal.py     # OSV API + npm download enrichment
│   ├── fixcommit_signal.py     # Fix-commit diff → vulnerable function resolver
│   ├── semgrep_signal.py       # Semgrep taint/sink analyser
│   ├── callgraph_signal.py     # Jelly / js-callgraph reachability
│   ├── ingestion.py            # Payload validation
│   └── output.py               # Output generator
│
├── kdbdfvh/                    # React / Vite Subway Visualizer
│   ├── src/
│   │   ├── App.tsx
│   │   ├── trace/
│   │   │   ├── TraceMapView.tsx        # Root map component
│   │   │   ├── SubwayPathCanvas.tsx
│   │   │   ├── MergedSubwayCanvas.tsx
│   │   │   ├── NodeDetailPanel.tsx
│   │   │   ├── FilterToolbar.tsx
│   │   │   ├── RiskLegend.tsx
│   │   │   ├── ApiUrlInput.tsx
│   │   │   ├── PathJsonInput.tsx
│   │   │   └── core/
│   │   │       ├── buildDirectedGraph.ts
│   │   │       ├── computeSubwayScene.ts
│   │   │       ├── parsePayload.ts
│   │   │       └── filterPaths.ts
│   │   └── ...
│   ├── package.json
│   └── vite.config.ts
│
├── traceblast/                 # VS Code Extension
│   ├── src/
│   │   └── extension.ts        # Extension entry point
│   ├── dist/
│   │   └── extension.js        # Compiled output
│   ├── package.json
│   └── esbuild.js
│
├── trace-cli/                  # Node.js CLI
│   ├── index.js                # CLI entry (commander + axios + chalk)
│   └── package.json
│
└── traceblast.py               # Root Python helper script
```
## Local Setup Guide

Follow all four phases in order.

### 1. Prerequisites

macOS

```bash
# Install Homebrew if you don't have it
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Node.js and Python
brew install node python@3.11 git
```

Windows

Install Git, Node.js LTS, and Python 3.11+; check "Add Python to PATH" during the Python installer.

Linux (Ubuntu / Debian)

```bash
sudo apt update
sudo apt install nodejs npm python3 python3-venv python3-pip git
```

### 2. Clone the repository

```bash
git clone https://github.com/AA-KH/Trace.git
cd Trace
```

### 3. Start the analysis engine

```bash
cd Task12
```

1. Create and activate a virtual environment

```bash
# macOS / Linux
python3 -m venv venv
source venv/bin/activate
# Windows
python -m venv venv
venv\Scripts\activate
```

2. Install Python dependencies

```bash
pip install flask networkx requests
```

3. (Optional) Install Tier 3 signal tools

Semgrep enables taint/sink analysis. Jelly or js-callgraph enables function-level call-graph reachability. Both are optional; the engine degrades gracefully to Tier 1 without them.

```bash
# Semgrep
pip install semgrep
# js-callgraph (fallback call-graph backend)
npm install -g js-callgraph
```

4. (Optional) Set your GitHub token

The fix-commit signal fetches patch diffs from GitHub. Without a token, requests are rate-limited to 60/hour.

```bash
export GITHUB_TOKEN=ghp_your_token_here
```

5. Start the engine

```bash
python app.py
```

The engine is live at http://localhost:5050. Visit http://localhost:5050/health to confirm tier detection and available signals.

### 4. Start the clients

Visualizer. Open a new terminal:

```bash
cd kdbdfvh
npm install
npm run dev
```

The visualizer is live at http://localhost:5173. Point it at http://localhost:5050 using the API URL input in the UI.

CLI. Open another terminal:

```bash
cd trace-cli
npm install
# Run an analysis against the local engine
node index.js --url http://localhost:5050/analyze --payload payload.json
```

VS Code extension. Open a new terminal:

```bash
cd traceblast
npm install
npm run compile   # or: npm run watch
```

Then press F5 in VS Code to launch the Extension Development Host.

Reaching the engine from another device

If your frontend is running on a device that cannot reach localhost, update the API URL in the visualizer's URL input to your machine's local IP address, and start the Flask server with:

```bash
python app.py --host 0.0.0.0 --port 5050
```

Find your local IP with ipconfig getifaddr en0 (macOS), ipconfig (Windows), or hostname -I (Linux).
## Troubleshooting

| Error | Fix |
|---|---|
| `ModuleNotFoundError: flask` | Activate your virtual environment (`source venv/bin/activate`) and run `pip install flask networkx` |
| `Command not found: python` (Windows) | Re-run the Python installer → Modify → enable "Add Python to PATH" |
| Tier stays at 1 even with Semgrep installed | Confirm semgrep is on your PATH inside the virtual environment: `which semgrep` |
| Call-graph signal returns `backend_used: "none"` | Install js-callgraph globally: `npm install -g js-callgraph` |
| GitHub rate-limit errors in fix-commit signal | Set the `GITHUB_TOKEN` environment variable |
| Vite dev server CORS error | Ensure the Flask engine is running with `--host 0.0.0.0` and the API URL in the UI matches exactly |
| `npm install` fails in kdbdfvh | Try `npm install --legacy-peer-deps` |
## Roadmap

- Three-tier analysis orchestrator
- Six-signal exploitability model with hard gates
- Phantom dependency pruning
- Fix-commit diff → function name resolver (OSV + GitHub API)
- OSV / npm ecosystem enrichment
- Semgrep taint/sink signal
- Call-graph reachability (Jelly + js-callgraph)
- Graph output (nodes, edges, paths) alongside findings
- React subway-map visualizer
- VS Code extension
- Node.js CLI
- TypeScript / monorepo support
- GitHub Actions integration
- SARIF export for GitHub Security tab
- Incremental analysis (only re-score changed packages)
- Support for Python dependency graphs (requirements.txt, pyproject.toml)
- Historical trend dashboard
## Team

| Name | Role |
|---|---|
| Saksham Sood | Backend Engine, Orchestration & Integration |
| Aaradhya Khanna | Signal Architecture & OSV / GitHub API Integration |
| Sameer Garg | Frontend Visualizer & VS Code Extension |
| Sourabh Bansal | CLI, Testing & DevOps |

This project was built for the Hack Helix Hackathon 2026 and is shared for educational and demonstration purposes only.

Made with love and way too many CVEs by QuadCore

TraceBlast: Don't just scan. Understand.