Static Reachability Analysis - GA
### Background
To bring the Static Reachability feature to General Availability (GA), we are expanding its support to include JavaScript dependencies, in addition to the current support for Java and Python. This enhancement will provide a more comprehensive analysis of dependency reachability, giving users insights into how vulnerabilities affect their environment across a wider range of programming languages.
### What is Static Reachability?
Static Reachability refers to the determination of whether a dependency is actively used and imported by the code, as managed by a package manager. Understanding the reachability of dependencies provides valuable insights. For example, if a package with a known CVE (Common Vulnerabilities and Exposures) is reachable, its impact on a customer's environment is significantly higher than that of a package with a CVE that is not reachable.
This information enables us to filter packages in the UI based on their reachability status, helping users focus on the most impactful vulnerabilities. Additionally, reachability data brings clarity to the customer environment, offering a clear view of which packages are actively used and which are not.
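To make the definition above concrete, here is an added example (not GitLab's analyzer, which the page says is moving to semgrep-core) of the core idea: collect the packages declared in a manifest, collect the packages the source code actually imports, intersect the two, and then rank advisories by whether the affected package is reachable. The manifests, source files, advisory ids (`EXAMPLE-ADVISORY-*`) and the `PY_IMPORT_NAME` distribution-to-import-name map are all constructed for this illustration; the map in particular is an assumption, since a real analyzer resolves import names from installed package metadata rather than a hand-written table.

```python
"""Toy static reachability: which declared dependencies does the code import?"""
import ast
import json
import re

# --- Constructed sample input (not taken from any real project) ---------------
PACKAGE_JSON = json.dumps({
    "dependencies": {"lodash": "^4.17.20", "express": "^4.18.2", "left-pad": "^1.3.0"},
})
REQUIREMENTS_TXT = "requests==2.31.0\npyyaml==5.3.1\nnumpy==1.26.0\n"

JS_SOURCES = {
    "src/app.js": (
        "import express from 'express';\n"
        "const fp = require('lodash/fp');\n"      # subpath import still counts
        "import { join } from 'node:path';\n"    # Node builtin, not a dependency
    ),
}
PY_SOURCES = {
    "app/main.py": "import yaml\nfrom requests.adapters import HTTPAdapter\nimport os\n",
}

# Constructed advisory feed: declared package -> placeholder advisory id.
ADVISORIES = {
    "lodash": "EXAMPLE-ADVISORY-1",
    "pyyaml": "EXAMPLE-ADVISORY-2",
    "numpy": "EXAMPLE-ADVISORY-3",
}

# Assumption for this example: PyPI distribution names and import names can differ
# (pyyaml is imported as yaml). A real analyzer derives this from package metadata.
PY_IMPORT_NAME = {"pyyaml": "yaml"}

# Matches `import x from 'pkg'`, `import 'pkg'` and `require('pkg')`.
_JS_IMPORT = re.compile(
    r"""(?:import\s+(?:[^'"]*?\s+from\s+)?|require\(\s*)['"]([^'"]+)['"]"""
)


def js_package_name(specifier: str):
    """Map an import specifier to the npm package that provides it."""
    if specifier.startswith((".", "/", "node:")):
        return None  # relative path or Node builtin: not a declared dependency
    parts = specifier.split("/")
    if specifier.startswith("@") and len(parts) >= 2:
        return "/".join(parts[:2])  # scoped package: @scope/name
    return parts[0]  # 'lodash/fp' -> 'lodash'


def js_imports(source: str) -> set:
    """Set of npm packages a JavaScript file imports."""
    return {p for p in (js_package_name(s) for s in _JS_IMPORT.findall(source)) if p}


def py_imports(source: str) -> set:
    """Top-level module names a Python file imports, found via the ast module."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def declared_js(package_json: str) -> set:
    return set(json.loads(package_json).get("dependencies", {}))


def declared_py(requirements: str) -> set:
    pkgs = set()
    for line in requirements.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pkgs.add(re.split(r"[=<>!~\[; ]", line, maxsplit=1)[0].lower())
    return pkgs


def reachable_js(package_json: str, sources: dict) -> set:
    imported = set().union(*(js_imports(s) for s in sources.values()))
    return declared_js(package_json) & imported


def reachable_py(requirements: str, sources: dict) -> set:
    imported = set().union(*(py_imports(s) for s in sources.values()))
    return {pkg for pkg in declared_py(requirements)
            if PY_IMPORT_NAME.get(pkg, pkg.replace("-", "_")) in imported}


def triage(advisories: dict, reachable: set, declared: set) -> dict:
    """Split advisories on declared packages by reachability; unreachable
    findings are kept, they just rank lower."""
    out = {"reachable": [], "unreachable": []}
    for pkg, adv in sorted(advisories.items()):
        if pkg in declared:
            out["reachable" if pkg in reachable else "unreachable"].append((pkg, adv))
    return out


def run() -> dict:
    declared = declared_js(PACKAGE_JSON) | declared_py(REQUIREMENTS_TXT)
    reachable = (reachable_js(PACKAGE_JSON, JS_SOURCES)
                 | reachable_py(REQUIREMENTS_TXT, PY_SOURCES))
    return triage(ADVISORIES, reachable, declared)


if __name__ == "__main__":
    for bucket, items in run().items():
        print(bucket, items)
```

Note what the example deliberately gets wrong relative to a production analyzer: it only looks at direct imports, so a transitive dependency pulled in by `express` is invisible here, and the regex-based JavaScript scan does not see dynamic `import()` or computed `require` arguments. Both are reasons the page's plan to move to a real parser (semgrep-core) matters for accuracy.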
### Why Static Reachability?
The data produced by Static Reachability gives deeper insight into which packages are actually in use, and matching those packages to vulnerabilities lets our users better understand the risk profile of their projects and make more informed remediation decisions.
### Requirements for GA
* Improve performance of analysis engine
* Full language support (Java, JavaScript, Python)
* Support for offline environments
* UI filtering on the vulnerability report
* Replace analysis engine with semgrep-core to improve performance
* Support for Pipeline Execution Policies
### Success measures
1. **Reachable dependencies remediated by CVSS Severity**
   1. Helps us understand if certain severity levels associated with reachable dependencies are of higher urgency.
   2. We should capture non-reachable dependencies as well to have a comparison.
2. **Time to remediation for reachable dependencies, grouping by CVSS Severity**
   1. Highlights that users are prioritizing reachable dependencies for remediation, showing that we are solving the [problem](https://docs.google.com/document/d/1GlEl1M6kffwbCIeaShnuxt78Jc0--RkytAPtH7v_okI/edit?tab=t.0#bookmark=id.lbnlpbyrg53z) above.
> [!important]
> This page may contain information related to upcoming products, features and functionality.
> It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
> Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.