# Static Reachability - Support for Java - Experimental
### Background
This epic delivers Static Reachability support for Java dependencies. Static Reachability determines whether dependencies are actively imported and used in the codebase. When a vulnerable package is reachable, it poses a real threat to the application. When it's not reachable, the risk is significantly lower.
This capability helps users prioritize which vulnerabilities actually matter in their environment, reducing noise and enabling faster, more targeted remediation.
### Work completed
* **Metadata infrastructure**
  * Built a Maven metadata [scraper](https://gitlab.com/gitlab-org/security-products/license-db/static-reachability-modules-scraper/-/blob/main/scraper/maven/maven.go?ref_type=heads) that extracts import-to-package mappings from popular packages (ranked by dependent count from Google's deps.dev dataset) and from vulnerable packages (from GLAD). Maven metadata is stored as a radix tree to save space, since Java package names share long common prefixes.
  * Migrated from the language-specific `pypi-metadata` repository to a unified `static-reachability-metadata` [repository](https://gitlab.com/gitlab-org/security-products/static-reachability-metadata/-/tree/v1?ref_type=heads) that supports multiple languages.
  * Set up a [scheduled pipeline](https://gitlab.com/gitlab-org/security-products/license-db/static-reachability-modules-scraper/-/pipeline_schedules) to keep the Maven metadata current.
* **Core reachability analysis**
  * Extended the Dependency Scanning analyzer with a [Java enricher](https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning/-/blob/main/reachability/sbomenrichers/enrichers/java/java.go#L32) that maps Semgrep findings to Maven coordinates.
  * Implemented a radix tree for import path lookups (e.g. `com.google.common.collect` -> `com.google.guava/guava`).
  * Marks Java dependencies as `in_use` or `not_found` based on actual code usage.
* **Testing**: Built end-to-end tests using real projects ([spring-petclinic-fork](https://gitlab.com/gitlab-org/security-products/tests/spring-petclinic-fork), [gson-fork](https://gitlab.com/gitlab-org/security-products/tests/gson-fork))
* **Documentation:** [Documented](https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/) usage guidelines, limitations and performance impact.
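The import-path lookup and the `in_use` / `not_found` marking described under "Core reachability analysis", as an added Go example that is not the analyzer's or the scraper's code. It uses a segment-per-node prefix tree (a simplified stand-in for the analyzer's radix tree) keyed on dotted import prefixes, resolves each import to the Maven `group/artifact` coordinate of the longest registered prefix, and then marks every declared dependency by whether any import resolved to it. The prefix-to-coordinate mappings, the declared dependency list and the import list are constructed sample data, not scraped metadata; `org.example/unused-lib` is a placeholder coordinate.

```go
package main

import (
	"fmt"
	"strings"
)

// node holds one segment of a dotted import path ("com", "google", "common", ...).
// coord is set only on nodes where a Maven coordinate (group/artifact) is registered.
type node struct {
	children map[string]*node
	coord    string
}

// ImportTree maps Java import prefixes to Maven coordinates by longest-prefix match.
type ImportTree struct {
	root *node
}

func NewImportTree() *ImportTree {
	return &ImportTree{root: &node{children: map[string]*node{}}}
}

// Insert registers that every import under prefix belongs to coord.
func (t *ImportTree) Insert(prefix, coord string) {
	cur := t.root
	for _, seg := range strings.Split(prefix, ".") {
		next, ok := cur.children[seg]
		if !ok {
			next = &node{children: map[string]*node{}}
			cur.children[seg] = next
		}
		cur = next
	}
	cur.coord = coord
}

// Lookup walks importPath segment by segment and returns the coordinate of the
// longest registered prefix. ok is false when no registered prefix matches.
// A trailing wildcard segment ("com.google.common.collect.*") simply stops the walk.
func (t *ImportTree) Lookup(importPath string) (coord string, ok bool) {
	cur := t.root
	for _, seg := range strings.Split(importPath, ".") {
		next, found := cur.children[seg]
		if !found {
			break
		}
		cur = next
		if cur.coord != "" {
			coord, ok = cur.coord, true
		}
	}
	return coord, ok
}

// The two reachability states named on the page.
const (
	StatusInUse    = "in_use"
	StatusNotFound = "not_found"
)

// Classify marks each declared dependency (by Maven coordinate) as in_use when at
// least one import in the scanned source resolves to it, and not_found otherwise.
func Classify(t *ImportTree, declared []string, imports []string) map[string]string {
	used := map[string]bool{}
	for _, imp := range imports {
		if c, ok := t.Lookup(imp); ok {
			used[c] = true
		}
	}
	out := make(map[string]string, len(declared))
	for _, d := range declared {
		if used[d] {
			out[d] = StatusInUse
		} else {
			out[d] = StatusNotFound
		}
	}
	return out
}

// FormatReport renders the classification in the order the dependencies were declared.
func FormatReport(declared []string, status map[string]string) string {
	var b strings.Builder
	for _, d := range declared {
		fmt.Fprintf(&b, "%-28s %s\n", d, status[d])
	}
	return b.String()
}

func main() {
	tree := NewImportTree()
	// Constructed sample mappings (sample data, not scraped metadata).
	tree.Insert("com.google.common", "com.google.guava/guava")
	tree.Insert("com.google.gson", "com.google.code.gson/gson")

	// Constructed sample inputs: declared dependencies and imports seen in source.
	declared := []string{"com.google.guava/guava", "com.google.code.gson/gson", "org.example/unused-lib"}
	imports := []string{"com.google.common.collect.ImmutableList", "java.util.List"}

	fmt.Print(FormatReport(declared, Classify(tree, declared, imports)))
}
```

With the sample inputs above, guava is marked `in_use` because `com.google.common.collect.ImmutableList` resolves to it, while gson and the placeholder library are `not_found`; `java.util.List` matches no registered prefix and is ignored.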