A comprehensive demo showing Socket's Precomputed Reachability feature with many Python packages that have CVEs in transitive dependencies.
This project includes a wide variety of Python packages across different categories. Many of these packages have CVEs in their transitive dependencies that should show as "Unreachable" because the vulnerable code paths are never called.
- Flask, Django, FastAPI, Falcon, Pyramid, Bottle, Tornado
- requests, boto3, httpx, aiohttp
- paramiko, cryptography, pyjwt
- pyyaml, pillow, lxml, beautifulsoup4
- celery
- sqlalchemy
- scrapy
- jinja2, mako
- gunicorn, uvicorn, werkzeug
- graphene (GraphQL), markdown, defusedxml
| Pattern | Example | Why Unreachable |
|---|---|---|
| Client vs Server | aiohttp CVE-2024-23334 | Client usage doesn't serve static files |
| Safe API variant | PyYAML CVE-2020-14343 | safe_load() not yaml.load() |
| Protocol mismatch | cryptography TLS CVEs | paramiko uses SSH |
| Specific function | Pillow CVE-2023-50447 | Basic ops, not ImageMath.eval() |
| Debug mode only | Werkzeug CVE-2024-34069 | Production runs debug=False |
| Unused feature | Jinja2 sandbox escape | Templates are developer-controlled |
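To make the "Safe API variant" and "Debug mode only" rows concrete, here is a small, standard-library-only Python script. It is an added illustration for this README, not code from the demo project and not Socket's tooling. It parses two constructed application snippets with `ast` and reports direct calls into the entry points named in the table (`yaml.load`, `ImageMath.eval`, and a `.run(debug=True)` call); the names `find_reachable_calls`, `_dotted_name`, `SAFE_APP` and `RISKY_APP` and both snippets are my own construction. Socket's Precomputed Reachability follows call paths through the whole transitive dependency graph, whereas this toy only inspects the project's own direct call sites, so it shows the idea behind "Unreachable" versus "Potentially Reachable" rather than the real analysis.

```python
"""Toy call-site scan for the "safe API variant" and "debug mode only" rows above.

Added illustration only: not the demo project's code and not Socket's tooling.
It looks at direct calls in the project's own source; real reachability analysis
follows calls through the whole transitive dependency graph.
"""
import ast

# Constructed mapping of vulnerable entry points to the advisories from the table.
VULNERABLE_CALLS = {
    "yaml.load": "PyYAML CVE-2020-14343",        # safe variant: yaml.safe_load
    "ImageMath.eval": "Pillow CVE-2023-50447",   # basic image ops do not hit this
}
DEBUG_RUN_ADVISORY = "Werkzeug CVE-2024-34069"  # only reachable when debug=True


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_reachable_calls(source):
    """Return sorted (line, call, advisory) triples for direct vulnerable call sites."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        # Match the trailing module.function pair so PIL.ImageMath.eval also matches.
        for vuln, advisory in VULNERABLE_CALLS.items():
            if name == vuln or name.endswith("." + vuln):
                hits.append((node.lineno, name, advisory))
        # Debug-mode pattern: something.run(debug=True) with a literal True.
        if name.endswith(".run"):
            for kw in node.keywords:
                if (kw.arg == "debug" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    hits.append((node.lineno, name + "(debug=True)", DEBUG_RUN_ADVISORY))
    return sorted(hits)


# Constructed sample: only the safe variants the table describes are used.
SAFE_APP = """\
import yaml
from PIL import Image
from flask import Flask
app = Flask(__name__)
def load_config(text):
    return yaml.safe_load(text)
def thumbnail(path):
    with Image.open(path) as im:
        im.thumbnail((128, 128))
app.run(debug=False)
"""

# Constructed sample: the same app, but calling the vulnerable entry points.
RISKY_APP = """\
import yaml
from PIL import ImageMath
from flask import Flask
app = Flask(__name__)
def load_config(text):
    return yaml.load(text)
def combine(a, b):
    return ImageMath.eval("a + b", a=a, b=b)
app.run(debug=True)
"""

if __name__ == "__main__":
    for label, src in (("safe", SAFE_APP), ("risky", RISKY_APP)):
        hits = find_reachable_calls(src)
        status = "Unreachable" if not hits else "Potentially Reachable"
        print(f"{label}: {status}")
        for line, call, advisory in hits:
            print(f"  line {line}: {call} -> {advisory}")
```

Running it reports the safe snippet as having no vulnerable call sites and flags three in the risky one, which is the distinction the Dashboard filters below expose. Matching on the trailing `module.function` pair rather than the full import path keeps the check robust to `import PIL.ImageMath` versus `from PIL import ImageMath`; a real analysis would additionally resolve aliases, re-exports and calls made inside the dependencies themselves.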
```bash
poetry install
poetry run python app.py
```

Scan via the Socket GitHub App:

- Install Socket GitHub App
- Push to trigger scan
- View results in Dashboard

Scan via the Socket CLI:

```bash
socket scan create --repo . --branch main
```

Scan via manual upload: upload poetry.lock in Socket Dashboard → New Scan
In Socket Dashboard, filter by:
- Reachability Status: Unreachable - CVEs safe to deprioritize
- Reachability Status: Potentially Reachable - CVEs that may need attention
Socket's Precomputed Reachability requires the full dependency graph; Poetry's poetry.lock supplies it because it records the complete transitive dependency resolution, not just the direct dependencies.