SOSS Community Day Europe 2024

A new day brings a new CVE alert for a third-party library, prompting urgent questions: Are we using this library? How many projects are affected? What’s our quick remediation plan? Traditional tools that analyze build manifests often fail to provide timely insights into these security vulnerabilities because they overlook actual code usage. In this talk, we'll demonstrate how static and reachability analyses offer a more effective approach by examining real dependency usage, enhancing prioritization and understanding of necessary updates for vulnerable libraries. Using real-world examples, we'll show how these analyses help developers better prioritize updates and understand dependency changes, aiding in informed decision-making. Our goal is to provide strategies for using these analyses to manage dependencies more effectively, uncover vulnerabilities, and enhance security and productivity in software development workflows.