{"id":45628,"date":"2021-02-03T15:10:36","date_gmt":"2021-02-03T15:10:36","guid":{"rendered":"https:\/\/www.checkmarx.com\/?p=45628"},"modified":"2026-04-13T22:08:27","modified_gmt":"2026-04-13T20:08:27","slug":"exploitable-path-how-to-solve-a-static-analysis-nightmare","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/","title":{"rendered":"Exploitable Path \u2013 How to Solve a Static Analysis Nightmare"},"content":{"rendered":"<p>In my previous <a href=\"\/blog\/software-composition-analysis-why-exploitable-path-is-imperative\/\" target=\"_blank\" rel=\"noopener noreferrer\">blog<\/a>, I walked you through the reasoning and importance of the Exploitable Path feature in the Checkmarx CxSCA solution. We discussed the challenges of prioritizing vulnerabilities in open-source dependencies and defined what it means for a vulnerability to be exploitable:<\/p>\n<ul>\n<li>The vulnerable method in the library needs to be called directly or indirectly from a user\u2019s code.<\/li>\n<li>An attacker needs a carefully crafted input to reach the method to trigger the vulnerability.<\/li>\n<\/ul>\n<p>Now that we know the scope of the problem, let\u2019s dive into how uncovering an exploitable path is done.<\/p>\n<h2 class=\"article-anchor\" id=\"article-anchor-1\">Prerequisites<\/h2>\n<h3>1.\u00a0\u00a0\u00a0\u00a0 A SAST Engine<\/h3>\n<p>Every programming language has its set of quirks and features. Some use brackets; some don\u2019t. Some are loosely typed; others are strict. 
To be able to develop an Exploitable Path, we needed a certain level of abstraction, a \u201ccommon language,\u201d for example. This is particularly hard when high-level concepts like \u201cimports\u201d behave differently across languages.<br>\nTo solve this issue, Checkmarx uses its powerful <a href=\"https:\/\/checkmarx.com\/cxsast-source-code-scanning\/\" target=\"_blank\" rel=\"noopener noreferrer\">CxSAST<\/a> engine. CxSAST breaks down the code of every major language into an Abstract Syntax Tree (AST), which provides much of the needed abstraction. Imports, call graphs, method definitions, and invocations all become a tree.<\/p>\n<h3>2.\u00a0\u00a0\u00a0\u00a0 An AST Query Language<\/h3>\n<p>Having an AST, the next step is having a query language capable of even further abstractions. Checkmarx uses CxQuery, which can run queries to answer various questions, for example:<\/p>\n<ul>\n<li>What are all the import statements in a codebase?<\/li>\n<li>Which methods have no definition but only usage?<\/li>\n<li>What\u2019s the namespace of every file?<\/li>\n<\/ul>\n<p>With a tool like CxQuery, you can get results in a unified format regardless of the programming language, such as C#, Java, or Python.<\/p>\n<h2 class=\"article-anchor\" id=\"article-anchor-2\">Assumptions<\/h2>\n<h3>1.\u00a0\u00a0\u00a0\u00a0 Vulnerable Methods Are Known<\/h3>\n<p>Usually, the public data on a CVE provides a <a href=\"https:\/\/checkmarx.com\/learn\/open-source-security\/what-is-common-vulnerability-scoring-system-cvss\/\">CVSS score<\/a>, affected products and versions, and so on. However, the inner method in which the vulnerability is triggered is usually unknown. To help with this dilemma, the CxSCA Research Team has application security analysts on board who are responsible for analyzing CVEs and finding the method in which the vulnerability occurs. 
So, for the rest of the post we can assume that for every CVE, we know the method that triggers it.<\/p>\n<h3>2.\u00a0\u00a0\u00a0\u00a0 A SAST Scan Is Limited to One Project<\/h3>\n<p>You can think of a project as a folder containing all source code <strong><u>without<\/u><\/strong> the third-party package&#8217;s code. This makes life easier since there\u2019s a clear distinction between a user\u2019s code and the dependency&#8217;s code.<br>\nFor example, when user code requires a single third-party package, two scans can be made:<\/p>\n<ul>\n<li>A scan on the user code.<\/li>\n<li>A scan on the third-party package.<\/li>\n<\/ul>\n<h2 class=\"article-anchor\" id=\"article-anchor-3\">Static Analysis Steps<\/h2>\n<p>Now that we\u2019ve covered the prerequisites and assumptions, let\u2019s understand the challenge itself by looking at the following example, written in Python.<br>\nHere\u2019s a simple piece of code that imports an open-source library and calls a method in it. This method in turn calls a vulnerable method.<br>\n<a href=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/1.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-45647\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/1.jpg\" alt=\"\" width=\"429\" height=\"327\"><\/a><br>\nThe code of OSLib will be:<br>\n<a href=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/2.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-45643\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/2.jpg\" alt=\"\" width=\"436\" height=\"284\"><\/a><br>\nHere are the steps:<\/p>\n<h3>1.\u00a0\u00a0\u00a0\u00a0 Find Unresolved Methods in User\u2019s Code<\/h3>\n<p>The user code is parsed with CxSAST, and a query is run to detect all methods that are called but are missing a definition \u2013 hence unresolved and belonging to a third-party package. 
In our example, there are two calls:<\/p>\n<ul>\n<li>foo() \u2013 is defined in the user code and hence resolved.<\/li>\n<li>lib_foo() \u2013 is defined in OSLib and hence is an unresolved method that must be imported.<\/li>\n<\/ul>\n<p>In our case, there\u2019s a single import to OSLib, so it\u2019s obvious where the method was imported from.<br>\nUsually, there will be multiple imports, in which case a signature of the method is collected and searched across the imported libraries. Assuming the code is functional and works, there will always be a single match.<\/p>\n<h3>2.\u00a0\u00a0\u00a0\u00a0 Find Exported Methods in Package Code<\/h3>\n<p>The code of package OSLib is also parsed with CxSAST, and a query is run to find all exported methods. In languages like C# and Java, an exported method is a public method in a public class that can be used by the user\u2019s code. In Python, all methods are public, so the exported methods in our example will be lib_foo() and inner_vuln_method().<br>\nThis data is essential since it\u2019s used to match the unresolved methods found in the step above.<\/p>\n<h3>3.\u00a0\u00a0\u00a0\u00a0 Call Graph<\/h3>\n<p>A query for a call graph is run on both the user\u2019s code and the package code.<br>\nFor the user\u2019s code, the graph is:<br>\n<a href=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/3.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-45639\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/3.jpg\" alt=\"\" width=\"483\" height=\"64\"><\/a><br>\nFor the package code, the result is similar:<br>\n<a href=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/4.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-45635\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/4.jpg\" alt=\"\" width=\"477\" height=\"60\"><\/a><\/p>\n<h3>4.\u00a0\u00a0\u00a0\u00a0 Find Exploitable Path<\/h3>\n<p>Using all the data collected so far, a full call graph is built:<br>\n<a 
href=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/5.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-45631\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/5.jpg\" alt=\"\" width=\"817\" height=\"61\"><\/a><br>\nAll methods in the graph are checked for exploitability. In our example, inner_vuln_method() is the exploitable method, and so an <strong><u>Exploitable Path is found<\/u>.<\/strong><\/p>\n<h2 class=\"article-anchor\" id=\"article-anchor-4\">Further Topics<\/h2>\n<p>The example above provided a simple demonstration of how Exploitable Path is analyzed, but in reality, this problem is much harder. Some other research questions we faced, which are not discussed in this blog post, are:<\/p>\n<ul>\n<li>Detecting Exploitable Path in a dependency of a dependency<\/li>\n<li>Matching challenges between user\u2019s code and package code<\/li>\n<li>Integration of DFG (Data Flow Graph)<\/li>\n<\/ul>\n<h2 class=\"article-anchor\" id=\"article-anchor-5\">Summary<\/h2>\n<p>By using CxSAST with queries written in CxQuery, we created an abstraction layer to statically detect vulnerabilities that are exploitable. A single algorithm can detect Exploitable Path across multiple programming languages, and unlike other solutions on the market, CxSCA can easily extend support for more languages. Currently, Java and Python are already supported, with many more languages to follow.<br>\nWith <a href=\"https:\/\/checkmarx.com\/cxsca-open-source-scanning\/\" target=\"_blank\" rel=\"noopener noreferrer\">CxSCA<\/a>, Checkmarx enables your organizations to address open-source vulnerabilities earlier in the SDLC and cut down on manual processes by reducing false positives and background noise, so you can deliver secure software faster and at scale. 
For a free demonstration of CxSCA, please contact us <a href=\"https:\/\/checkmarx.com\/request-a-demo\/?utm_source=blog&amp;utm_medium=direct&amp;utm_campaign=exploitable-path-how-to-solve-a-static-analysis-nightmare\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/p>\n<p><a href=\"https:\/\/checkmarx.com\/blog\/exploitable-path-advanced-topics\/\">In the next post in this series<\/a>, we&#8217;ll look at some of the challenges we faced as we developed the Exploitable Path feature.<br>\n<a href=\"https:\/\/info.checkmarx.com\/ultimate-guide-software-compositon-analysis-ebook?utm_source=blog&amp;utm_medium=blog&amp;utm_search_query=eBook-The-Ultimate-Guide-to-SCA&amp;utm_campaign=X-LP-2021-CA-Ultimate-Guide-to-SCA-eBook\"><img decoding=\"async\" class=\"alignnone wp-image-62687 size-full\" style=\"margin-top: 1rem;\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/01\/Checkmarx-SCA-Cookbook-PaidMediaAds-GDN-1200x628-2.jpg\" alt=\"CHECKMARX ULTIMATE GUIDE - Download the eBook\" width=\"1200\" height=\"628\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/01\/Checkmarx-SCA-Cookbook-PaidMediaAds-GDN-1200x628-2.jpg 1200w, https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/01\/Checkmarx-SCA-Cookbook-PaidMediaAds-GDN-1200x628-2-300x157.jpg 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/01\/Checkmarx-SCA-Cookbook-PaidMediaAds-GDN-1200x628-2-1024x536.jpg 1024w, https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/01\/Checkmarx-SCA-Cookbook-PaidMediaAds-GDN-1200x628-2-768x402.jpg 768w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>In my previous blog, I walked you through the reasoning and importance of the Exploitable Path feature in the Checkmarx CxSCA solution. 
We discussed the challenges of prioritizing vulnerabilities in open-source dependencies and defined what it means for a vulnerability to be exploitable: The vulnerable method in the library needs to be called directly or [&hellip;]<\/p>\n","protected":false},"author":29,"featured_media":54233,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[84],"tags":[233,311,334,294,179],"class_list":["post-45628","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-cxsast","tag-cxsca","tag-exploitable-path-analysis","tag-open-source-analysis","tag-software-composition-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Exploitable Path: How to Solve a Static Analysis Nightmare<\/title>\n<meta name=\"description\" content=\"By using CxSAST with queries written in CxQuery, we created an abstraction layer to statically detect vulnerabilities that are exploitable.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Exploitable Path \u2013 How To Solve a Static Analysis Nightmare\" \/>\n<meta property=\"og:description\" content=\"By using CxSAST with queries written in CxQuery, we created an abstraction layer to statically detect vulnerabilities that are exploitable. 
A single algorithm can detect Exploitable Path across multiple programming languages, and unlike other solutions on the market, CxSCA can easily extend support for more languages.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:published_time\" content=\"2021-02-03T15:10:36+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-13T20:08:27+00:00\" \/>\n<meta name=\"author\" content=\"Alex Livshiz\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Exploitable Path \u2013 How To Solve a Static Analysis Nightmare\" \/>\n<meta name=\"twitter:description\" content=\"By using CxSAST with queries written in CxQuery, we created an abstraction layer to statically detect vulnerabilities that are exploitable. A single algorithm can detect Exploitable Path across multiple programming languages, and unlike other solutions on the market, CxSCA can easily extend support for more languages.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/Website-1024x512-1.png\" \/>\n<meta name=\"twitter:creator\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alex Livshiz\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/\"},\"author\":{\"name\":\"Alex Livshiz\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/d9c679770d93d960ee90b422cff9a160\"},\"headline\":\"Exploitable Path \u2013 How to Solve a Static Analysis Nightmare\",\"datePublished\":\"2021-02-03T15:10:36+00:00\",\"dateModified\":\"2026-04-13T20:08:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/\"},\"wordCount\":997,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/Website-1024x512-1.png\",\"keywords\":[\"CxSAST\",\"CxSCA\",\"Exploitable Path Analysis\",\"Open-Source Analysis\",\"Software Composition Analysis\"],\"articleSection\":[\"Blog\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/\",\"url\":\"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/\",\"name\":\"Exploitable Path: How to Solve a Static Analysis 
Nightmare\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/Website-1024x512-1.png\",\"datePublished\":\"2021-02-03T15:10:36+00:00\",\"dateModified\":\"2026-04-13T20:08:27+00:00\",\"description\":\"By using CxSAST with queries written in CxQuery, we created an abstraction layer to statically detect vulnerabilities that are exploitable.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/Website-1024x512-1.png\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/Website-1024x512-1.png\",\"width\":1024,\"height\":512},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/d9c679770d93d960ee90b422cff9a160\",\"name\":\"Alex Livshiz\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_29.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_29.jpg\",\"caption\":\"Alex Livshiz\"},\"url\":\"https:\/\/checkmarx.com\/author\/alex\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Exploitable Path: How to Solve a Static Analysis Nightmare","description":"By using CxSAST with queries written in CxQuery, we created an abstraction layer to statically detect vulnerabilities that are exploitable.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/","og_locale":"en_US","og_type":"article","og_title":"Exploitable Path \u2013 How To Solve a Static Analysis Nightmare","og_description":"By using CxSAST with queries written in CxQuery, we created an abstraction layer to statically detect vulnerabilities that are exploitable. A single algorithm can detect Exploitable Path across multiple programming languages, and unlike other solutions on the market, CxSCA can easily extend support for more languages.","og_url":"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_published_time":"2021-02-03T15:10:36+00:00","article_modified_time":"2026-04-13T20:08:27+00:00","author":"Alex Livshiz","twitter_card":"summary_large_image","twitter_title":"Exploitable Path \u2013 How To Solve a Static Analysis Nightmare","twitter_description":"By using CxSAST with queries written in CxQuery, we created an abstraction layer to statically detect vulnerabilities that are exploitable. A single algorithm can detect Exploitable Path across multiple programming languages, and unlike other solutions on the market, CxSCA can easily extend support for more languages.","twitter_image":"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/Website-1024x512-1.png","twitter_creator":"@checkmarx","twitter_site":"@checkmarx","twitter_misc":{"Written by":"Alex Livshiz","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/#article","isPartOf":{"@id":"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/"},"author":{"name":"Alex Livshiz","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/d9c679770d93d960ee90b422cff9a160"},"headline":"Exploitable Path \u2013 How to Solve a Static Analysis Nightmare","datePublished":"2021-02-03T15:10:36+00:00","dateModified":"2026-04-13T20:08:27+00:00","mainEntityOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/"},"wordCount":997,"publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/Website-1024x512-1.png","keywords":["CxSAST","CxSCA","Exploitable Path Analysis","Open-Source Analysis","Software Composition Analysis"],"articleSection":["Blog"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/","url":"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/","name":"Exploitable Path: How to Solve a Static Analysis Nightmare","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/Website-1024x512-1.png","datePublished":"2021-02-03T15:10:36+00:00","dateModified":"2026-04-13T20:08:27+00:00","description":"By using CxSAST with 
queries written in CxQuery, we created an abstraction layer to statically detect vulnerabilities that are exploitable.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/blog\/exploitable-path-how-to-solve-a-static-analysis-nightmare\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/Website-1024x512-1.png","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2021\/02\/Website-1024x512-1.png","width":1024,"height":512},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]},{"@type":"Person","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/d9c679770d93d960ee90b422cff9a160","name":"Alex 
Livshiz","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_29.jpg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_29.jpg","caption":"Alex Livshiz"},"url":"https:\/\/checkmarx.com\/author\/alex\/"}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/45628","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/comments?post=45628"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/45628\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/54233"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=45628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/categories?post=45628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/tags?post=45628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}