staticassertion 8 hours ago
Part of the problem is that customers will scan your code with these tools and they won't accept "we never call that function" as an answer (and maybe that's rational if they can't verify that that's true). This is where actual security starts to really diverge from the practices we've developed in the name of security.
unshavedyak 8 hours ago (reply to parent)
Would be neat if the call graph could be asserted easily... As you could not only validate what vulnerabilities you are / aren't exposed to, but also choose to blacklist some API calls as a form of mitigation. Ensuring you don't accidentally start using something that's proven unsafe.
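As an added example (not code from the thread), one way to make the assertion unshavedyak describes: a small checker that builds a call graph from a Python module with the standard `ast` module, computes everything reachable from declared entry points, and reports any denylisted API in that set. The sample module, entry points and denylist below are constructed for illustration.

```python
import ast
from collections import defaultdict

# Constructed sample module (not from the thread): main() never reaches
# pickle.loads, but legacy_import() does via helper().
SAMPLE_SOURCE = '''
import json, pickle
def parse(data): return json.loads(data)
def main(data): return parse(data)
def helper(blob): return pickle.loads(blob)
def legacy_import(blob): return helper(blob)
'''

def _callee_name(node):
    """Dotted name of a Call target ('pickle.loads', 'parse'); None if not static."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None  # call on a call result, subscript, etc.: not resolvable statically

def build_call_graph(source):
    """Map each top-level function to the names it calls directly."""
    graph = defaultdict(set)
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    name = _callee_name(sub)
                    if name:
                        graph[node.name].add(name)
    return graph

def reachable(graph, entry_points):
    """Every callee transitively reachable from the entry points."""
    seen, stack = set(), list(entry_points)
    while stack:
        for callee in graph.get(stack.pop(), ()):
            if callee not in seen:
                seen.add(callee)
                stack.append(callee)
    return seen

def denied_reachable(source, entry_points, denylist):
    """Denylisted APIs reachable from entry_points; empty means the assertion holds."""
    return reachable(build_call_graph(source), entry_points) & set(denylist)
```

Run as a CI step with the real entry points, a non-empty result fails the build; calls the resolver cannot name statically are skipped here, so a strict policy would also count those as failures.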