Coana Auto-Fixing is a software composition analysis tool that automatically updates packages to resolve vulnerabilities in application dependencies. The tool uses static control-flow analysis to build call graphs and determine vulnerability reachability, distinguishing between reachable and unreachable vulnerabilities in both direct and transitive dependencies. The product operates through a command-line interface that applies fixes directly to vulnerable dependencies. It calculates optimal upgrade paths for vulnerable packages while ensuring compatibility with other dependencies in the project. The analysis runs on-premises, keeping source code within the user's environment without requiring cloud access. Coana integrates with CI/CD environments without requiring disruptive agents. The tool automatically identifies project types, workspace configurations, programming languages, and package managers used in the codebase. It can operate without internet access if needed. The reachability analysis uses over-approximation to mark vulnerabilities as reachable when uncertain, allowing users to safely ignore unreachable vulnerabilities. A dedicated security team investigates new vulnerabilities to identify affected functions, methods, and properties within packages, creating specifications used by the static analysis engine. The tool continues monitoring applications over time, alerting users to new reachable vulnerabilities and previously unreachable vulnerabilities that become reachable as code changes. It does not provide container scanning capabilities.