Stop triaging false positives.

CA9 catches reachable Python dependency CVEs by proving which vulnerable packages, submodules, and covered code paths are actually used. Turn noisy SCA alerts into a handful of actionable fixes.

$ pip install ca9
$ ca9 check snyk_report.json --repo .

CVE-2024-XXXX requests REACHABLE
↳ Imported directly and executed in 4 coverage files.

CVE-2023-YYYY urllib3 UNREACHABLE
↳ Affected submodule 'urllib3.connection' is never imported.

Result: 90% of flagged CVEs are unreachable — only 2 require action.

What CA9 catches

Concrete evidence for Python CVEs that matter.

CA9 starts from known vulnerability reports, then checks your repository to decide which findings are reachable, unreachable, or still need more evidence.

Reachable known CVEs

Flags scanner-reported CVEs when the vulnerable dependency is imported by application code.

Vulnerable submodules

Checks whether the affected module path, not just the top-level package, appears in Python imports.

Transitive dependency risk

Distinguishes packages your app uses directly from dependencies that only sit in the environment.

Runtime-covered paths

Uses coverage evidence to identify vulnerable files or packages that actually ran during tests.

CI-blocking findings

Emits JSON and SARIF so high-confidence reachable CVEs can become build or code-scanning signals.

Suppressible false positives

Produces evidence for CVEs that are installed but not imported, helping teams justify suppressions.

How CA9 filters the noise

1. Ingest Alerts

Parses vulnerability reports directly from Snyk, Dependabot, Trivy, pip-audit, or OSV.dev.

2. Check Evidence

Scans your Python AST for specific submodule imports and checks pytest coverage for runtime execution.

3. Actionable Output

Spits out clean JSON, CLI tables, or SARIF files ready for GitHub Advanced Security and CI pipelines.
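To make the "Check Evidence" step concrete, here is an added, self-contained illustration of submodule-level import reachability. It is not CA9's code: the finding format, the package-to-file mapping, the placeholder CVE ids and the sample application source and coverage file list are all constructed for the example. It parses application source with the standard `ast` module, records every dotted module path the code imports (with all parent prefixes), and then decides per finding whether the advisory's affected submodule is imported. One caveat the example handles explicitly: a plain `import urllib3` can still load `urllib3.connection` internally, so when the package is imported but the affected submodule is not named, the verdict falls back to runtime coverage evidence and otherwise stays "needs evidence" rather than "unreachable".

```python
"""Added illustration of import + coverage reachability triage (not CA9's code).

Assumptions (constructed for this example):
  - a finding names the importable package and the affected dotted submodule;
  - coverage evidence is a set of executed file paths, as in the "files" keys
    of a `coverage json` report, from which site-packages paths are mapped
    back to dotted module names.
"""
import ast
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    cve: str               # placeholder ids below, not real advisories
    package: str           # top-level importable name of the dependency
    affected_module: str   # dotted module path the advisory applies to


def imported_modules(source: str) -> set[str]:
    """Collect every dotted module path an application file imports.

    Parent prefixes are included, so 'urllib3.util.retry' also yields
    'urllib3' and 'urllib3.util'. Relative imports are skipped because
    they refer to the application's own package, not a dependency.
    """
    mods: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            # `from pkg.sub import name`: `name` may itself be a submodule,
            # so record both the module and the module.name candidate.
            names = [node.module] + [f"{node.module}.{a.name}" for a in node.names]
        else:
            continue
        for name in names:
            parts = name.split(".")
            for i in range(1, len(parts) + 1):
                mods.add(".".join(parts[:i]))
    return mods


def module_from_path(path: str) -> Optional[str]:
    """Map a site-packages file path from a coverage report to a module name."""
    marker = "site-packages/"
    if marker not in path or not path.endswith(".py"):
        return None
    rel = path.split(marker, 1)[1][:-3]          # strip ".py"
    if rel.endswith("/__init__"):
        rel = rel[: -len("/__init__")]          # pkg/__init__.py -> pkg
    return rel.replace("/", ".")


def classify(f: Finding, imports: set[str], covered: Optional[set[str]]) -> tuple[str, str]:
    """Return (verdict, evidence) for one scanner finding."""
    if f.affected_module in imports:
        return "REACHABLE", f"'{f.affected_module}' is imported directly"
    if f.package not in imports:
        return "UNREACHABLE", f"package '{f.package}' is never imported"
    # The package is imported but the affected submodule is not named explicitly.
    # A top-level import may still load it internally, so only coverage can settle it.
    if covered is None:
        return "NEEDS_EVIDENCE", (f"'{f.package}' is imported; run coverage to see "
                                 f"whether '{f.affected_module}' executes")
    if f.affected_module in covered:
        return "REACHABLE", f"'{f.affected_module}' executed under test coverage"
    return "UNREACHABLE", f"'{f.affected_module}' never executed under test coverage"


def triage(findings: list[Finding], source: str,
           covered_files: Optional[set[str]] = None) -> dict[str, tuple[str, str]]:
    """Classify every finding against one application source and optional coverage."""
    imports = imported_modules(source)
    covered = None
    if covered_files is not None:
        covered = {m for m in map(module_from_path, covered_files) if m}
    return {f.cve: classify(f, imports, covered) for f in findings}


# Constructed sample inputs: a small application file, four placeholder
# findings, and the files a coverage run reported as executed.
APP_SOURCE = """
import requests
from urllib3.util import retry
import yaml
"""
FINDINGS = [
    Finding("CVE-0000-0001", "requests", "requests"),
    Finding("CVE-0000-0002", "urllib3", "urllib3.connection"),
    Finding("CVE-0000-0003", "cryptography", "cryptography.hazmat"),
    Finding("CVE-0000-0004", "yaml", "yaml.constructor"),
]
COVERED_FILES = {
    "/venv/lib/python3.12/site-packages/requests/__init__.py",
    "/venv/lib/python3.12/site-packages/urllib3/util/retry.py",
    "/venv/lib/python3.12/site-packages/yaml/constructor.py",
}

if __name__ == "__main__":
    for cve, (verdict, why) in triage(FINDINGS, APP_SOURCE, COVERED_FILES).items():
        print(f"{cve:14} {verdict:14} {why}")
```

Run stand-alone, the script reports the `requests` finding as reachable (imported directly), `cryptography` as unreachable (never imported), `urllib3.connection` as unreachable only because coverage shows it never ran, and `yaml.constructor` as reachable because coverage shows it executed even though the application only wrote `import yaml`. Drop the coverage argument and the `urllib3` finding becomes NEEDS_EVIDENCE, which is the honest answer when static imports alone cannot prove the submodule never loads.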

Real-world results

We ran CA9 against real Python projects scanned by leading SCA tools. Here's what happened to the noise.

Snyk scan

87% reduction

Snyk flagged 34 CVEs. CA9 proved only 4 were reachable.

34 flagged 4 actionable

pip-audit scan

92% reduction

pip-audit found 25 vulnerabilities. Only 2 were actually imported.

25 flagged 2 actionable

Trivy scan

78% reduction

Trivy reported 18 CVEs. CA9 narrowed it to 4 reachable issues.

18 flagged 4 actionable

Based on CA9 reachability analysis against real open-source Python projects.

Next: CA9 Agent

Defensive discovery for unknown vulnerability candidates.

CA9 handles known dependency CVEs today. The agent layer is for your own repositories: it reviews Python code for suspicious data flows, dangerous sinks, and missing security checks before a CVE exists.

Finds candidate bugs

Looks for SSRF, command injection, path traversal, unsafe deserialization, authz gaps, and secret exposure patterns.

Ranks exploitability

Connects sources, sanitizers, sinks, routes, jobs, and tests so reviewers see why a finding matters.

Produces evidence

Links each candidate to files, functions, reachable entry points, and the assumptions behind the verdict.

Suggests fixes

Prioritizes defensive patches, tests, and review notes for maintainers working on authorized code.

Field notes

Python vulnerability triage guides
