Focus Only on the 3-5% of Open Source Packages That Can Actually Be Exploited

Oxeye prioritizes the vulnerable packages you need to remediate by providing runtime context and focusing on exploitable packages - those that are loaded and used at runtime, and those that are accessible from the Internet

THE OLD WAY OF DOING SOFTWARE COMPOSITION ANALYSIS

Legacy Software Composition Analysis (SCA) tools identify vulnerabilities in open source packages using a two-step process:

1. Scan and identify open source packages in package managers, source code, binary files, container images, etc., which are placed into a Software Bill of Materials (SBOM)
2. Compare this SBOM against a number of databases that usually include the National Vulnerability Database (NVD) to identify vulnerable packages

The result? A huge list of all possible vulnerabilities, without any context.

HOW MODERN SOFTWARE COMPOSITION ANALYSIS WORKS

Modern tools start by doing the same thing legacy Software Composition Analysis (SCA) tools do, then filter the results based on several factors:

  1. They distinguish between packages that are installed, loaded into memory, and used at runtime and those that are never used. Next-generation tools filter out the latter, so you focus only on the packages that are potentially vulnerable at runtime.
  2. The tools then trace whether a package is exposed to the Internet, whether directly or indirectly. Packages that cannot be reached from the Internet are filtered out, leaving only vulnerable packages that are both used at runtime and accessible from the Internet.
  3. They take configuration data from the cluster, container and cloud layers to add further risk factors, such as excess permissions, for a more refined view.

These steps filter out 95% or more of the open source and third-party package vulnerabilities that cannot be exploited, and prioritize the remainder, giving AppSec and development teams clear direction on which vulnerabilities to patch and in what order.
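As an added example (not Oxeye's code or algorithm), the following Python sketch applies the three filters above to constructed data: a runtime inventory of loaded packages, a service call graph walked from the internet-facing ingress to find direct and indirect exposure, and a container configuration risk factor. All service names, packages, CVE placeholders and scores are assumptions.

```python
"""Runtime-aware vulnerability prioritisation following the three filters above.
Every input below is constructed for illustration; CVE ids are placeholders."""
from collections import deque

# Constructed SBOM findings: (service, package, cve_id, cvss)
FINDINGS = [
    ("api-gateway", "libjson", "CVE-PLACEHOLDER-1", 9.8),
    ("api-gateway", "oldxml", "CVE-PLACEHOLDER-2", 7.5),
    ("orders", "libyaml", "CVE-PLACEHOLDER-3", 8.1),
    ("billing", "imglib", "CVE-PLACEHOLDER-4", 9.0),
    ("batch-report", "imglib", "CVE-PLACEHOLDER-4", 9.0),
]
# Constructed runtime inventory: packages actually loaded per service
LOADED = {
    "api-gateway": {"libjson"},   # oldxml is installed but never imported
    "orders": {"libyaml"},
    "billing": {"imglib"},
    "batch-report": {"imglib"},
}
# Constructed service graph (caller -> callees) and internet-facing ingress services
CALLS = {"api-gateway": ["orders"], "orders": ["billing"], "batch-report": []}
INGRESS = {"api-gateway"}
# Constructed cluster/container configuration risk factors
CONFIG = {"billing": {"privileged": True}, "orders": {}}

def internet_exposed(calls, ingress):
    """Step 2: services reachable directly or transitively from an ingress point."""
    seen, queue = set(ingress), deque(ingress)
    while queue:
        for callee in calls.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def prioritize(findings, loaded, calls, ingress, config):
    """Apply the three filters and return surviving findings sorted by adjusted score."""
    exposed = internet_exposed(calls, ingress)
    result = []
    for svc, pkg, cve, cvss in findings:
        if pkg not in loaded.get(svc, set()):   # step 1: never loaded at runtime
            continue
        if svc not in exposed:                  # step 2: not reachable from the Internet
            continue
        # step 3: a privileged container raises the priority of what remains
        score = cvss + (1.0 if config.get(svc, {}).get("privileged") else 0.0)
        result.append({"service": svc, "package": pkg, "cve": cve, "score": score})
    return sorted(result, key=lambda f: f["score"], reverse=True)
```

On this input, three of the five findings survive: the unloaded `oldxml` and the unreachable `batch-report` service are dropped, and the privileged `billing` service moves to the top.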

HOW YOU BENEFIT

You get a much shorter list of vulnerabilities that can actually be exploited, instead of a long list of 'theoretical' vulnerabilities. Legacy tools have no way of analyzing these factors in microservices-based applications, hence the huge amount of noise. In practice, Oxeye removes over 95% of these non-exploitable vulnerabilities.

Not only does Oxeye reduce open source and third-party package vulnerabilities, our Application Security Posture Management (ASPM) platform also consolidates the functionality of SCA, SAST and DAST into a single tool, lowering your application security testing tool costs, providing a unified view of results for both developers and AppSec teams, and lowering AppSec-related operational costs.

Cloud Native SCA Tool comparison chart
