Static Reachability - Java Support: Documentation
Overview
Document Java static reachability support and create an ADR explaining architectural decisions.
Implementation Plan
- Update public docs (See #547078 (comment 2677110866))
- Document limitations, for example gitlab-org/security-products/analyzers/dependency-scanning!320 (comment 2720793251): Static reachability cannot detect dependencies where implementation selection occurs at runtime rather than through explicit imports.
  - Only packages available in public repositories (Maven Central) can be marked as in_use
- Document performance impact (See gitlab-org/security-products/analyzers/dependency-scanning!320 (comment 2730226386))
- Update DS analyzer README: Change DS_* env var for enabling SR from beta to GA.
- Update metadata updated frequency in doc/user/application_security/detect/vulnerability_scanner_maintenance.md if needed. (See !194846 (comment 2570261212))
-> Reference spike discussions for detailed rationale
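To make the runtime-selection limitation concrete, here is an added Java illustration that is not part of this issue or of the analyzer's code; the com.example.* packages and class names are hypothetical.

```java
// Added illustration (not from the GitLab issue or the DS analyzer): three ways a
// Java project can depend on a library. Static reachability follows the explicit
// import in case 1; it cannot follow the string-based or classpath-based selection
// in cases 2 and 3, so those dependencies cannot be marked in_use.
// All com.example.* names below are hypothetical.

import java.util.ServiceLoader;
import com.example.jsonlib.JsonParser;   // hypothetical third-party library

public class ReachabilityExamples {

    // Case 1: explicit import and direct call. The analyzer sees a reference
    // from this compilation unit to com.example.jsonlib and can mark it in_use.
    static Object parseWithExplicitImport(String text) {
        return new JsonParser().parse(text);
    }

    // Case 2: implementation chosen at runtime from configuration. Nothing in
    // the source names the class statically, so the analysis reports no use of
    // whichever artifact provides e.g. "com.example.yamllib.YamlParser".
    static Object parseWithRuntimeSelection(String text, String implClassName) throws Exception {
        Class<?> impl = Class.forName(implClassName);   // value typically read from a properties file
        Object parser = impl.getDeclaredConstructor().newInstance();
        return impl.getMethod("parse", String.class).invoke(parser, text);
    }

    // Case 3: ServiceLoader. The interface is referenced statically, but the
    // concrete provider is resolved from META-INF/services entries on the
    // classpath at runtime, so the providing artifact is invisible to static analysis.
    interface Parser { Object parse(String text); }

    static Object parseWithServiceLoader(String text) {
        for (Parser p : ServiceLoader.load(Parser.class)) {
            return p.parse(text);
        }
        throw new IllegalStateException("no Parser provider on the classpath");
    }
}
```

A library loaded only as in cases 2 or 3 appears as not in_use, so the absence of an in_use mark is not evidence that a vulnerable dependency is unreachable.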
Edited by Orin Naaman