
Using Coverage Evidence to Decide Which Python CVEs Need Action

How test coverage can strengthen vulnerability reachability decisions for Python packages, modules, and code paths.

Tags: coverage.py, Python CVEs, Runtime evidence

Key points

  • Static imports can show whether vulnerable code is referenced, but coverage can show whether it actually ran in tests.
  • Coverage evidence is strongest when tests reflect production entry points and security-sensitive flows.
  • CA9 treats missing coverage as uncertainty, not proof that a CVE is safe.

Static reachability is a strong first pass

Import analysis can quickly eliminate many alerts. If a vulnerable package or submodule is never imported anywhere in the repository's source, the finding is less likely to be exploitable from that application.

Static analysis also has limits. Dynamic imports, plugin systems, framework callbacks, and production-only configuration can hide call paths from a simple source scan.

Coverage adds runtime context

Coverage data gives the triage process another signal: which files and lines executed during a test run. When a vulnerable component is imported and covered, teams can prioritize the finding with more confidence.

The inverse needs care. Code that did not run in tests may still run in production. That is why CA9 distinguishes dynamic evidence from a blanket statement that a CVE is harmless.
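As an added illustration (not CA9's code, and not from the original post), the triage logic described above can be written as a small function that combines static import evidence with a coverage.py report. It assumes two hypothetical application files and a constructed report in the shape of `coverage json` output; an import whose use sites never ran is reported as inconclusive rather than safe.

```python
import ast
import json

# Constructed sample application sources (hypothetical, not taken from the post)
APP_SOURCE = {
    "app/views.py": "import yaml\nfrom app import util\n\ndef load(doc):\n    return yaml.safe_load(doc)\n",
    "app/util.py": "import pickle\n\ndef thaw(blob):\n    return pickle.loads(blob)\n",
}
# Constructed report in the shape of `coverage json` output (files -> executed/missing lines)
COVERAGE_JSON = json.dumps({"files": {
    "app/views.py": {"executed_lines": [1, 2, 4, 5], "missing_lines": []},
    "app/util.py": {"executed_lines": [1, 3], "missing_lines": [4]},
}})


def import_evidence(source, package):
    """Static evidence: (lines importing `package`, lines referencing a name bound from it)."""
    tree, bound, import_lines = ast.parse(source), set(), []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = {(a.asname or a.name).split(".")[0] for a in node.names if a.name.split(".")[0] == package}
        elif isinstance(node, ast.ImportFrom) and (node.module or "").split(".")[0] == package:
            names = {a.asname or a.name for a in node.names}
        else:
            continue
        if names:
            bound |= names
            import_lines.append(node.lineno)
    uses = sorted({n.lineno for n in ast.walk(tree) if isinstance(n, ast.Name) and n.id in bound})
    return import_lines, uses


def triage(package, app_source=APP_SOURCE, coverage_json=COVERAGE_JSON):
    """Return (verdict, evidence). Use sites that never ran make the verdict 'inconclusive', not 'safe'."""
    files = json.loads(coverage_json)["files"]
    evidence, imported, executed_any = [], False, False
    for path, src in app_source.items():
        import_lines, uses = import_evidence(src, package)
        if not import_lines:
            continue
        imported = True
        executed = set(files.get(path, {}).get("executed_lines", []))
        evidence.append(f"{path}: imports {package} at line(s) {import_lines}")
        for ln in uses:
            ran = ln in executed  # did the line that calls into the package run during tests?
            executed_any = executed_any or ran
            evidence.append(f"{path}:{ln} use site {'executed' if ran else 'not executed'} in tests")
    if not imported:
        return "not-imported", [f"no static import of {package} found"]
    return ("reachable-covered" if executed_any else "inconclusive"), evidence
```

Running `triage("yaml")`, `triage("pickle")` and `triage("requests")` against the constructed inputs yields the three verdict classes the post distinguishes: covered, inconclusive, and not imported.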

Make coverage useful for security triage

Coverage is most valuable when tests exercise real application paths. Security triage benefits from tests that hit request handlers, background jobs, serializers, parsers, and third-party integrations.

For dependency risk, teams should also keep coverage artifacts easy to generate in CI so reachability checks can run on every scanner report.

  • Generate coverage from the same test command developers already trust.
  • Include integration tests for code paths that touch external inputs.
  • Review inconclusive findings instead of treating missing coverage as a pass.

A balanced verdict is easier to defend

Auditors and security reviewers often need to understand why a finding was fixed, suppressed, or deferred. A verdict with import evidence, coverage evidence, and a confidence signal is easier to defend than a manual note in a spreadsheet.

That is the core value of reachability-aware triage: fewer guesses, clearer priorities, and a record that can survive the next scan.