Anonymous Intelligence Signal

Datadog Tracer Implements Runtime SCA Reachability to Slash False Positives

human | The Lab | unverified | 2026-04-13 11:22:52 | Source: GitHub Issues

Datadog's application security tracer is implementing a new feature, Runtime SCA Reachability, designed to transform vulnerability reporting by identifying only the vulnerable code that is actually executed. This moves beyond static Software Composition Analysis (SCA) by instrumenting applications at runtime to trace which specific functions tied to known CVEs are invoked, promising a significant reduction in noisy, irrelevant security alerts.

The system activates when `DD_APPSEC_SCA_ENABLED=true`. At tracer startup, it loads CVE data from a `_cve_data.json` file, which maps vulnerable symbols (functions or methods) in third-party libraries to specific CVEs and version constraints. This data is filtered against the application's installed packages and their versions, so only CVEs whose constraint matches a dependency that is actually present become hook targets. For each applicable CVE target, the tracer then performs bytecode injection (`inject_hook`) on the vulnerable function itself rather than on the package as a whole. This instrumentation supports both eager hooking for modules that are already imported at startup and lazy hooking, via a `ModuleWatchdog` mechanism, for libraries that are imported later during execution.

Upon identifying applicable vulnerabilities, the tracer immediately registers them in its telemetry system. All relevant CVEs are reported in the `app-dependencies-loaded` payload with a `reached: []` field, initially empty, to be populated as the hooked functions actually execute. This shifts the signal from a theoretical vulnerability list to proven runtime exposure, letting security teams prioritize remediation of code paths that are demonstrably in use. The caveat a practitioner should keep in mind is that an empty `reached` list means only that the vulnerable function has not executed during the instrumented run so far: it is evidence of non-exposure for the code paths and inputs exercised, not proof that the CVE is unreachable, so reachability data is a ranking signal rather than grounds for dismissing a finding. The hook also records the call; it does not block it.
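The flow described in the two paragraphs above (CVE data filtered against installed packages, eager and lazy hooking of the vulnerable symbol, and the per-CVE `reached` list in the telemetry payload), as an added illustrative example in Python. This is not dd-trace-py's code: it stands in for bytecode injection with a plain wrapper installed via `setattr`, for `ModuleWatchdog` with a minimal `sys.meta_path` finder, and the field names of the CVE entries, the single `vulnerable_below` constraint form, the constructed `vulnlib` module and the payload layout are all assumptions.

```python
# Toy model of runtime SCA reachability (illustrative, not dd-trace-py's code):
# filter CVE data against installed packages, hook the vulnerable symbols, record reach.
import functools
import importlib.abc
import os
import sys
import tempfile

# Constructed stand-in for _cve_data.json; the field names are assumptions.
CVE_DATA = [
    {"cve": "CVE-0000-0001", "package": "vulnlib", "vulnerable_below": "2.0.0",
     "module": "vulnlib", "symbol": "parse"},
    {"cve": "CVE-0000-0002", "package": "otherlib", "vulnerable_below": "1.5.0",
     "module": "otherlib", "symbol": "render"},
    {"cve": "CVE-0000-0003", "package": "vulnlib", "vulnerable_below": "1.5.0",
     "module": "vulnlib", "symbol": "parse"},   # second CVE on the same symbol
]

def _vtuple(version):
    return tuple(int(p) for p in version.split("."))

def applicable_targets(cve_data, installed):
    """Keep only CVEs whose package is installed in a vulnerable version."""
    return [e for e in cve_data
            if e["package"] in installed
            and _vtuple(installed[e["package"]]) < _vtuple(e["vulnerable_below"])]

class _HookingLoader(importlib.abc.Loader):
    """Wraps the real loader so hooks are applied right after the module body runs."""
    def __init__(self, inner, on_loaded):
        self.inner, self.on_loaded = inner, on_loaded

    def create_module(self, spec):
        return getattr(self.inner, "create_module", lambda s: None)(spec)

    def exec_module(self, module):
        self.inner.exec_module(module)   # module is already in sys.modules here
        self.on_loaded(module)

class ReachabilityTracker:
    def __init__(self, targets):
        self.reached = set()             # CVE ids whose vulnerable symbol has executed
        self.pending = {}                # module name -> targets not yet hooked
        for t in targets:
            self.pending.setdefault(t["module"], []).append(t)
        sys.meta_path.insert(0, self._LazyFinder(self))
        for name in list(self.pending):  # eager path: module already imported
            if name in sys.modules:
                self._hook_module(sys.modules[name])

    class _LazyFinder(importlib.abc.MetaPathFinder):
        """Stand-in for ModuleWatchdog: intercepts later imports of pending modules."""
        def __init__(self, tracker):
            self.tracker = tracker

        def find_spec(self, fullname, path, target=None):
            if fullname not in self.tracker.pending:
                return None
            for finder in sys.meta_path:      # delegate to the regular finders
                if finder is self:
                    continue
                spec = finder.find_spec(fullname, path, target)
                if spec is not None:
                    spec.loader = _HookingLoader(spec.loader, self.tracker._hook_module)
                    return spec
            return None

    def _hook_module(self, module):
        """Stand-in for inject_hook: wrap the symbol instead of patching its bytecode."""
        for t in self.pending.pop(module.__name__, []):
            original = getattr(module, t["symbol"])

            @functools.wraps(original)
            def wrapper(*args, _orig=original, _cve=t["cve"], **kwargs):
                self.reached.add(_cve)       # proof of runtime exposure
                return _orig(*args, **kwargs)
            setattr(module, t["symbol"], wrapper)

    def dependencies_loaded_payload(self, targets):
        """Assumed shape of the app-dependencies-loaded report: every applicable CVE
        carries a reached list that stays empty until its symbol actually executes."""
        return {"vulnerabilities": [
            {"cve": t["cve"], "package": t["package"],
             "reached": [t["symbol"]] if t["cve"] in self.reached else []}
            for t in targets]}

def demo():
    """End-to-end run against a constructed 'vulnlib' module written to a temp dir."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "vulnlib.py"), "w") as f:
        f.write("def parse(s):\n    return s.upper()\n\ndef safe(s):\n    return s\n")
    sys.path.insert(0, tmp)
    installed = {"vulnlib": "1.4.2", "otherlib": "2.0.0"}   # constructed inventory
    targets = applicable_targets(CVE_DATA, installed)       # otherlib is patched: dropped
    tracker = ReachabilityTracker(targets)   # vulnlib not imported yet -> lazy path
    before = tracker.dependencies_loaded_payload(targets)
    import vulnlib                           # finder fires, parse() is now wrapped
    vulnlib.safe("x")                        # not a vulnerable symbol: nothing recorded
    vulnlib.parse("x")                       # vulnerable symbol reached
    after = tracker.dependencies_loaded_payload(targets)
    return before, after
```

Running `demo()` returns the payload before and after the import: both applicable CVEs start with `reached: []`, and both flip to `["parse"]` after the single call to `vulnlib.parse`, since two CVEs can map to the same symbol and one hook serves both. The `otherlib` CVE never appears because the installed version is outside the constraint, which is the filtering step that keeps the hook set small.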