How do I handle findings in out-of-reach code?

  • Updated


I see a vulnerability being reported in a 3rd party library, or code that is unreachable. What can be done?


The Contrast agent will report vulnerabilities in all code running as part of the application. This includes your custom code and any libraries used by the application. Many users will simply mark out of reach findings as Not an Issue in order to focus on the vulnerabilities in their custom code. However, out of reach findings are still valid vulnerabilities and there's a number of potential options for dealing with them:

  1. If the library is open source, you could obtain the code, fix the vulnerability and repackage it for use with your application.
  2. Our recommended approach is to responsibly report the vulnerability (maybe as a CVE) to the open source team or vendor and request an ETA for a fix.
  3. Finally, it's possible to mitigate the risk from out of reach findings by deploying a RASP solution, such as Contrast Protect.

For further details on managing your Contrast findings, please see:

Was this article helpful?

1 out of 1 found this helpful

Have more questions? Submit a request