
Why Hopper is What’s Next for SCA


Published on
April 22, 2025
Written by
Stas Levin

Legacy SCA is Falling Short

Legacy Software Composition Analysis (SCA) solutions are falling short. They generate an overwhelming number of false positives, leaving security and engineering teams scrambling to prioritize a never-ending stream of vulnerabilities.

A core limitation of these legacy SCA tools is their heavy reliance on build manifests, often without analyzing the actual source code. Build manifests are structured files (a package.json, pom.xml, go.mod or requirements file, for example) that define metadata and instructions for building software applications and packages. While the metadata provided by build manifests is an important input, legacy SCA solutions overlook a critical component: the source code itself, which is essential for deeper, more accurate vulnerability analysis.

Hopper takes a fundamentally different approach, built on the premise that accurately analyzing how your specific codebase interacts with open-source packages is essential for delivering effective, actionable vulnerability detection and remediation guidance.

Enter Reachability Analysis

Reachability analysis is a technique used to determine whether a specific piece of code, such as a method, can potentially be invoked (i.e., is “reachable”) during the execution of an application. This analysis is typically categorized as either static or dynamic. Static analysis inspects the source code or compiled binaries without running the application, while dynamic analysis involves observing and analyzing the application's actual execution.

In the context of security, reachability analysis plays a critical role in identifying which vulnerabilities can realistically be exploited based on how the application’s code interacts with its direct and indirect dependencies. By distinguishing between reachable and unreachable vulnerabilities, security teams can prioritize findings more effectively, reducing false positives and enabling more accurate, code-aware vulnerability analysis and remediation.

A key advantage of static code analysis is that it operates independently of the analyzed application’s compute infrastructure, deployment model, or architecture. This is because it analyzes the code without executing it, eliminating the need to access or integrate with the production runtime environment. Another significant benefit is that it enables a unified approach to analyzing both server-side and client-side codebases. All future mentions of reachability analysis in this post refer to static code reachability.

Performing reachability analysis at scale presents significant technical challenges that SCA vendors must overcome:

  • Compute and memory intensive – analyzing large, complex codebases, especially those with extensive dependencies, demands substantial computational and memory resources. The process often requires traversing deep call stacks, resolving indirect or polymorphic function calls, and tracking data and control flow across numerous files and packages.
  • Handling advanced language features – language constructs such as reflection, lambda functions, and meta-programming significantly complicate the process of reachability analysis. These constructs often lead to coverage gaps or inaccurate results.
  • Supporting modern application frameworks – widely adopted in today’s software development, modern frameworks introduce multiple layers of abstraction, dependency injection, runtime code generation, and complex lifecycle management. These characteristics obscure actual execution paths, making it challenging for reachability analysis to accurately determine how and when specific classes and methods are invoked. This ultimately results in coverage gaps or inaccurate results.

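To make the idea of static reachability concrete, and to show where the coverage gaps described in the list above come from, here is a small added example that is not part of the original post and not Hopper's engine. It parses a constructed two-module Python "codebase" with the standard library's ast module, builds a call graph from statically resolvable calls, and runs a breadth-first search from a chosen entry point to a function an advisory would point at. The package name yaml_compat, its functions unsafe_load and safe_load, and the module and function names in the sample are all invented for the illustration. Calls through getattr or through a variable bound at run time cannot be resolved, so a function containing one is reported as "unknown" rather than silently "unreachable", which is the honest answer a reachability tool should give for reflection-style code.

```python
"""Static reachability over a small constructed Python codebase (added example)."""
import ast
import builtins
from collections import deque

# Constructed sample codebase (module name -> source). The package `yaml_compat`
# and its `unsafe_load` function are hypothetical stand-ins for a dependency
# function that a vulnerability advisory points at.
SOURCES = {
    "app": """
import helpers
import yaml_compat

def handle_request(body):
    return helpers.parse(body)

def admin_tool(path):
    return yaml_compat.unsafe_load(open(path).read())

def run_plugin(name, body):
    return helpers.plugin(name, body)
""",
    "helpers": """
import yaml_compat

def parse(text):
    return yaml_compat.safe_load(text)

def plugin(name, text):
    fn = getattr(yaml_compat, name)  # resolved at run time, invisible statically
    return fn(text)
""",
}


def build_call_graph(sources):
    """Return (edges, dynamic): edges maps "mod.func" to the callees it resolves
    to statically; dynamic maps "mod.func" to call sites whose target could not
    be resolved (reflection-style calls)."""
    edges, dynamic = {}, {}
    for mod, src in sources.items():
        tree = ast.parse(src)
        imports = {}  # local binding -> fully qualified name
        for node in tree.body:
            if isinstance(node, ast.Import):
                for a in node.names:
                    imports[a.asname or a.name] = a.name
            elif isinstance(node, ast.ImportFrom) and node.module:
                for a in node.names:
                    imports[a.asname or a.name] = f"{node.module}.{a.name}"
        local_defs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
        for fn in tree.body:
            if not isinstance(fn, ast.FunctionDef):
                continue
            caller = f"{mod}.{fn.name}"
            edges.setdefault(caller, set())
            for call in ast.walk(fn):
                if not isinstance(call, ast.Call):
                    continue
                f = call.func
                if isinstance(f, ast.Name):
                    if f.id in local_defs:
                        edges[caller].add(f"{mod}.{f.id}")
                    elif f.id in imports:
                        edges[caller].add(imports[f.id])
                    elif f.id == "getattr" or f.id not in dir(builtins):
                        # getattr, or a call through a variable: target bound at run time
                        dynamic.setdefault(caller, []).append(ast.unparse(call))
                elif (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                      and f.value.id in imports):
                    edges[caller].add(f"{imports[f.value.id]}.{f.attr}")
                # Method calls on arbitrary objects are ignored: this toy has no
                # type information with which to resolve them.
    return edges, dynamic


def reachability(edges, dynamic, entry_points, target):
    """Breadth-first search from the entry points. Returns ("reachable", path)
    when a static call path to target exists, ("unknown", funcs) when no static
    path exists but a visited function has an unresolved dynamic call site,
    else ("unreachable", [])."""
    parent = {ep: None for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return "reachable", path[::-1]
        for callee in sorted(edges.get(node, ())):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    suspicious = sorted(n for n in parent if n in dynamic)
    return ("unknown", suspicious) if suspicious else ("unreachable", [])


def analyze(entry_points, target="yaml_compat.unsafe_load"):
    edges, dynamic = build_call_graph(SOURCES)
    return reachability(edges, dynamic, entry_points, target)


if __name__ == "__main__":
    for ep in ("app.handle_request", "app.admin_tool", "app.run_plugin"):
        print(ep, "->", analyze([ep]))
```

Run with three entry points, the toy reports handle_request as unreachable (its only path ends in safe_load), admin_tool as reachable with the path through unsafe_load, and run_plugin as unknown because helpers.plugin dispatches through getattr. A production engine has to turn that third answer into a real one by modelling the framework and language features listed above; the compute cost of doing so over deep transitive dependency trees is the scaling problem the post describes.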
Modern reachability-based solutions often optimize for compute and memory, but struggle to support advanced language features and modern application frameworks.

Hopper takes a quality-first approach, leveraging state-of-the-art techniques to maintain high analysis quality while keeping execution time in check. Hopper’s advanced reachability analysis engine supports complex language features such as reflection and lambda functions, as well as popular application frameworks like Spring and ASP.NET.

As a result, Hopper cuts through 93% of vulnerability noise and delivers accurate, code-based vulnerability detection and remediation.

Shadow Dependencies, Hidden Vulnerabilities

Shadow dependencies are packages that are included in an application or library without being explicitly listed in its build manifest. They are typically introduced indirectly, through other dependencies consumed by the parent application or library. As a result, many legacy SCA solutions, which rely solely on build manifests, fail to detect them entirely.

This blind spot creates a critical risk: undetected vulnerable code paths may exist in applications and libraries without any awareness from security or engineering teams. Even when identified, the lack of visibility into how shadow dependencies interact with an application’s code can result in an inaccurate vulnerability assessment. Effectively addressing shadow dependencies requires combining information found in metadata and source code, and incorporating it into a comprehensive reachability analysis.
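The following added example (not from the original post, and not Hopper's implementation) shows the metadata-plus-source combination the paragraph above calls for. It diffs the modules a constructed application actually imports against a constructed manifest and a constructed resolved dependency tree, and classifies each third-party import as declared, shadow (used directly but present only because a declared package pulls it in) or unresolved. All package names (webframework, http_core, templating, markup_escape, yaml_compat) are invented. The example assumes that a module's import name equals its distribution name; real ecosystems need a mapping for the cases where they differ.

```python
"""Detect shadow dependencies: packages the code imports but the manifest never
declares (constructed example)."""
import ast
import sys

# Constructed manifest: the only input a manifest-only SCA tool looks at.
MANIFEST_DEPS = {"webframework", "yaml_compat"}

# Constructed resolved dependency tree (distribution -> what it requires). A real
# tool would read this from the lockfile or installed package metadata; every
# package name here is made up.
DEP_TREE = {
    "webframework": ["http_core", "templating"],
    "templating": ["markup_escape"],
    "http_core": [],
    "markup_escape": [],
    "yaml_compat": [],
}

# Constructed first-party source. `http_core` and `templating` are used directly
# but are present in the environment only because webframework requires them.
SOURCES = {
    "app": """
import os
import webframework
import http_core
from templating import render

def handler(req):
    return render(http_core.parse(req, os.environ.get("MODE")))
""",
}

# Python 3.10+ exposes the standard-library module names; older versions get a
# small fallback so the example still runs.
STDLIB = set(getattr(sys, "stdlib_module_names", {"os", "sys", "json", "re"}))


def top_level_imports(source):
    """Top-level module names imported by one source file."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])
    return mods


def dependency_paths(tree, roots):
    """For every distribution reachable from the declared roots, the chain of
    packages that pulls it in (breadth-first, first chain found)."""
    paths = {r: [r] for r in sorted(roots)}
    queue = sorted(roots)
    while queue:
        dist = queue.pop(0)
        for req in tree.get(dist, []):
            if req not in paths:
                paths[req] = paths[dist] + [req]
                queue.append(req)
    return paths


def find_shadow_dependencies(sources, manifest_deps, dep_tree):
    """Classify each imported third-party module as declared, shadow (undeclared
    but present transitively) or unresolved (absent from the tree). Assumes the
    import name equals the distribution name, which is not always true."""
    imported = set().union(*(top_level_imports(s) for s in sources.values()))
    imported -= set(sources) | STDLIB  # drop first-party and stdlib modules
    paths = dependency_paths(dep_tree, manifest_deps)
    report = {}
    for mod in sorted(imported):
        if mod in manifest_deps:
            report[mod] = ("declared", [mod])
        elif mod in paths:
            report[mod] = ("shadow", paths[mod])
        else:
            report[mod] = ("unresolved", [])
    return report


if __name__ == "__main__":
    for mod, (kind, chain) in find_shadow_dependencies(SOURCES, MANIFEST_DEPS, DEP_TREE).items():
        print(f"{mod:12} {kind:10} {' -> '.join(chain)}")
```

On this input the report lists webframework as declared and both http_core and templating as shadow, each with the chain through webframework that explains why the package is present at all. A manifest-only scan would never see an advisory against http_core as relevant to this application; a tool that starts from the source sees that handler calls into it directly, and can feed that call site into reachability analysis. The "unresolved" class is worth keeping: an import that matches nothing in the dependency tree usually means a vendored copy, a missing lockfile entry or a name-mapping gap, all of which deserve a look.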

Hopper’s shadow dependency detection is integrated with its reachability analysis, enabling comprehensive coverage even when the target application or library includes shadowed packages.

Non-Intrusive, CI-Free Integration

Many security solutions require deploying agents in production environments or demand tight integration directly into an organization's CI/CD pipelines. Such integrations often come at a steep cost, introducing operational risks like deployment challenges, reliability issues, and increased maintenance overhead.

Hopper takes a streamlined approach that minimizes the overhead typically associated with intrusive security solutions. By eliminating the need for agents or costly CI/CD pipeline integrations, Hopper enables seamless, scalable adoption and continuous security coverage without disrupting development workflows or touching production environments.

For companies with policies that restrict the use of SaaS products, on-premise deployments are available.

Final Thoughts

As modern software systems grow in complexity, so does the risk introduced by using insecure open-source packages. Legacy SCA tools, relying primarily on build manifests, are no longer equipped to meet the demands of today's fast-paced, GenAI-integrated, yet security-conscious software development.

Hopper introduces a foundational advancement in open-source risk management by integrating deep code reachability analysis with a CI-independent deployment architecture. Hopper's solution eliminates 93% of vulnerability noise, allowing security and engineering teams to prioritize the vulnerabilities that can realistically be exploited in their specific codebase.

Stas Levin
Chief Architect

Stas is the Chief Architect at Hopper. He holds a PhD in Computer Science and brings over 20 years of industry experience spanning startups and Big Tech. Outside of work, he’s passionate about CrossFit and sticks to the Paleo diet, though he’s known to make the rare exception for Basque cheesecake and Italian ice cream!
