Socket is launching experimental reachability analysis for PHP, enabling teams to determine which CVEs are actually exploitable in their specific codebase rather than triaging every advisory blindly. The engine uses function-level call graph analysis with two modes: Tier 1 (computed against the application's actual source code) and Tier 2 (pre-computed against the dependency graph). Key technical challenges addressed include PHP's `__call` magic method dispatch (used in Laravel Facades, Doctrine proxies, and PHPUnit mocks) and the string-based class instantiation patterns used by the Laravel, Symfony, and PHP-DI containers. A concrete example with CVE-2022-29248 in guzzlehttp/guzzle demonstrates how two apps on the same vulnerable Guzzle version get different verdicts depending on whether they use cookie jar handling. The engine achieves over 90% accuracy on WordPress, PHPUnit, and Flysystem, and accuracy in the mid-to-high 80s on Twig and Espo, validated against dynamically observed call graphs.
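To make the idea concrete, here is an added toy illustration of function-level reachability analysis over PHP-like source. It is not Socket's engine and contains no Guzzle code; every class, method and function name below (`Client`, `Transport`, `CookieJar`, `parseSetCookie`, `handleRequest`) is constructed for the example. It shows the two points the summary raises: calls are resolved by method name because there is no type information, and a call to a method the receiver class does not define is additionally routed to that class's `__call` (modelled as a forwarder, so the dynamic `->$name()` inside it is not expanded to every method). Two apps that share the same library get different verdicts depending on whether the cookie-handling path is actually called.

```python
"""Toy function-level reachability analysis over PHP-like source (added illustration,
not Socket's engine). All names are constructed; nothing here is real Guzzle code."""
import re
from collections import deque

# Constructed library: Client forwards unknown methods to Transport via __call.
# parseSetCookie stands in for the vulnerable function a real advisory would name.
LIBRARY_SRC = """
class CookieJar {
    public function extractCookies($response) { return parseSetCookie($response); }
}
function parseSetCookie($header) { return $header; }
class Transport {
    public function send($request) { return $request; }
    public function sendWithCookies($request, $jar) { $jar->extractCookies($request); return $request; }
}
class Client {
    private $transport;
    public function __construct() { $this->transport = new Transport(); }
    public function __call($name, $args) { return $this->transport->$name(...$args); }
}
"""
# Constructed apps: both use the same library version, only App B touches cookie handling.
APP_A_SRC = "function handleRequest() { $c = new Client(); return $c->send('GET /'); }"
APP_B_SRC = ("function handleRequest() { $c = new Client(); "
             "return $c->sendWithCookies('GET /', new CookieJar()); }")


def _body_end(src, open_idx):
    """Return the index just past the brace that closes the '{' at open_idx."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced braces")


def parse(src):
    """Map 'Class::method' or 'function' names to their body text."""
    classes = [(m.group(1), m.start(), _body_end(src, m.end() - 1))
               for m in re.finditer(r"\bclass\s+(\w+)\s*\{", src)]
    funcs = {}
    for m in re.finditer(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*\{", src):
        end = _body_end(src, m.end() - 1)
        owner = next((c for c, s, e in classes if s < m.start() < e), None)
        name = f"{owner}::{m.group(1)}" if owner else m.group(1)
        funcs[name] = src[m.end():end - 1]
    return funcs


METHOD_CALL = re.compile(r"->(\w+)\s*\(")            # $obj->method(   (not ->$name( )
NEW_CALL = re.compile(r"\bnew\s+(\w+)\s*\(")          # new ClassName(
BARE_CALL = re.compile(r"(?<![\w>$:])(\w+)\s*\(")     # plain function call


def build_call_graph(funcs):
    """Conservative, name-based call graph: every method with a matching name is a target."""
    by_name = {}
    for q in funcs:
        if "::" in q:
            by_name.setdefault(q.split("::")[1], []).append(q)
    magic = [q.split("::")[0] for q in funcs if q.endswith("::__call")]
    graph = {q: set() for q in funcs}
    for caller, body in funcs.items():
        for meth in METHOD_CALL.findall(body):
            graph[caller].update(by_name.get(meth, []))
            # Unknown method on a class with __call: the call lands in __call. Its dynamic
            # ->$name() forward is already covered by the name-based resolution above.
            for cls in magic:
                if f"{cls}::{meth}" not in funcs:
                    graph[caller].add(f"{cls}::__call")
        for cls in NEW_CALL.findall(body):
            if f"{cls}::__construct" in funcs:
                graph[caller].add(f"{cls}::__construct")
        for fn in BARE_CALL.findall(body):
            if fn in funcs:
                graph[caller].add(fn)
    return graph


def reachable_path(graph, entry, sink):
    """BFS from entry; return the call path to sink, or None if it is unreachable."""
    parent, queue = {entry: None}, deque([entry])
    while queue:
        node = queue.popleft()
        if node == sink:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def verdict(app_src, entry="handleRequest", sink="parseSetCookie"):
    """Tier-1 style check: analyse library plus application source together."""
    return reachable_path(build_call_graph(parse(LIBRARY_SRC + app_src)), entry, sink)


if __name__ == "__main__":
    print("App A:", verdict(APP_A_SRC))  # None: vulnerable function never reached
    print("App B:", verdict(APP_B_SRC))  # path through Transport::sendWithCookies
```

The name-based resolution and the blanket `__call` edge are what keep this sound in the absence of types: they over-approximate, so a "not reachable" verdict is trustworthy while a "reachable" one may still need a human look. A real engine narrows the candidate set with type inference and container resolution, which is the work the summary describes.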

8 min read. From socket.dev

Table of contents (of the linked post):
- How Reachability Analysis Works
- Why PHP is harder than it looks
- Advanced example: Guzzle CookieJar (CVE-2022-29248)
- What we've tested it on
- Experimental Status
- Getting Started
