If an attacker-controlled path exists from an insecure application input to a CVE in a third-party library or package bundled in the same application, then that CVE (an open-source vulnerability) has “Attacker Reachability” in that app.
In turn, an attacker-controlled path is established by tracing the application’s public inputs (sources) to sensitive sinks (database, log, HTTP, etc., and ultimately the call into the vulnerable library code) and confirming that no validation or sanitization routine sits between source and sink. Analysis of the application’s own code is therefore essential to identifying Attacker Reachability: an SCA solution that skips the application and only inspects its list of dependencies cannot perform this analysis.
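The source-to-sink tracing described above, as an added example that is not part of the original page or of any SCA product: a minimal intraprocedural taint analysis over Python source using the standard `ast` module. The package `vulnlib`, its function `vulnlib.parse` (assumed to carry a CVE), the sanitizer `sanitize`, and the sample application text are all constructed for this illustration; the source names `request.args.get` and `request.form.get` mirror Flask's request object but nothing is imported from Flask.

```python
import ast
from dataclasses import dataclass

# Hypothetical names chosen for this example.
SOURCES = {"request.args.get", "request.form.get"}  # attacker-controlled inputs
SANITIZERS = {"sanitize"}                            # breaks the taint chain
SINKS = {"vulnlib.parse"}                            # vulnerable dependency entry point


@dataclass(frozen=True)
class Finding:
    function: str  # application function containing the reachable sink
    sink: str
    line: int


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def call_name(node):
    return dotted_name(node.func) if isinstance(node, ast.Call) else None


def is_tainted(expr, tainted):
    """True if the expression reads a tainted variable or calls a source,
    unless the whole expression is a sanitizer call."""
    if call_name(expr) in SANITIZERS:
        return False
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if call_name(sub) in SOURCES:
            return True
    return False


def analyze_function(fn):
    """Statement-ordered taint propagation inside one function body."""
    tainted = set()
    findings = []
    statements = sorted(
        (n for n in ast.walk(fn) if isinstance(n, ast.stmt) and n is not fn),
        key=lambda n: (n.lineno, n.col_offset),
    )
    for stmt in statements:
        # Report any sink call in this statement that receives tainted data.
        for node in ast.walk(stmt):
            name = call_name(node)
            if name in SINKS:
                args = node.args + [k.value for k in node.keywords]
                if any(is_tainted(a, tainted) for a in args):
                    findings.append(Finding(fn.name, name, node.lineno))
        # Propagate taint through simple assignments; a clean value kills it.
        if isinstance(stmt, ast.Assign):
            targets = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            if is_tainted(stmt.value, tainted):
                tainted |= targets
            else:
                tainted -= targets
    return findings


def analyze(source):
    """Return every sink call reachable from a source without a sanitizer."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            findings.extend(analyze_function(node))
    return findings


# Constructed sample application: four handlers with different data flows.
APP_SOURCE = '''
from flask import request
import vulnlib

def handler_reachable():
    q = request.args.get("q")
    return vulnlib.parse(q)

def handler_sanitized():
    q = request.args.get("q")
    safe = sanitize(q)
    return vulnlib.parse(safe)

def handler_constant():
    return vulnlib.parse("static-config")

def handler_inline():
    return vulnlib.parse(request.form.get("doc"))
'''

if __name__ == "__main__":
    for f in analyze(APP_SOURCE):
        print(f"{f.function}:{f.line} attacker-reachable call to {f.sink}")
```

Only `handler_reachable` and `handler_inline` are reported: the sanitized handler breaks the chain and the constant-argument handler never carries attacker data, even though all four import the same vulnerable dependency. A manifest-only SCA check would flag all four identically. Real reachability engines go further than this sketch: they build an interprocedural call graph, follow data across function boundaries and containers, and model branches and aliasing.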