When it comes to vulnerabilities, security teams face an overwhelming number to address. The ability to prioritize effectively is necessary, and one of the most impactful ways to reduce the noise is by identifying whether a vulnerable package is executed at runtime.
According to data from Sweet's customers, less than 10% of known vulnerabilities exist in packages that are actually executed, meaning the vast majority of flagged vulnerabilities never even come into play during runtime and pose no real threat to an application. Sweet drills down even further to the function level, identifying not only if a package is executed, but whether the specific vulnerable function is actively used.
Let’s take CVE-2021-23337 as an example—a known vulnerability in the popular JavaScript package lodash, one of the most widely used libraries in the developer community. lodash is known for its rich variety of utility functions, used for tasks such as object manipulation, array handling, string formatting, and more. This versatility makes it a go-to tool for many developers.
However, because lodash contains such a broad set of functions serving diverse use cases, most applications only rely on a small subset of them. In this case, Sweet Security identified that the vulnerable function associated with CVE-2021-23337 is the template function.
By knowing exactly which function is vulnerable and, at the same time, understanding which functions are actually executed across all packages in the customer’s environment, Sweet highlights only the vulnerabilities where the vulnerable function is truly executed.
This means you see only the vulnerabilities that pose a real, exploitable risk to your system, rather than hypothetical issues. This targeted approach drastically reduces the number of vulnerabilities requiring your attention, leaving you with a focused list of only the vulnerabilities that truly matter.