diff --git a/manifests/java.yml b/manifests/java.yml
index 6ea0f0424d8..481fe1d1f9b 100644
--- a/manifests/java.yml
+++ b/manifests/java.yml
@@ -2432,11 +2432,31 @@ manifest:
         akka-http: v1.22.0
         play: v1.22.0
         spring-boot-3-native: irrelevant (GraalVM. Tracing support only)
-  tests/appsec/test_sca_reachability.py::Test_SCA_Reachability_CVE_After_Vulnerable_Call: missing_feature
-  tests/appsec/test_sca_reachability.py::Test_SCA_Reachability_CVE_Registered_At_Load_Time: missing_feature
-  tests/appsec/test_sca_reachability.py::Test_SCA_Reachability_Deduplication: missing_feature
-  tests/appsec/test_sca_reachability.py::Test_SCA_Reachability_Dependencies_Have_Metadata: missing_feature
-  tests/appsec/test_sca_reachability.py::Test_SCA_Reachability_First_Hit_Wins: missing_feature
+  tests/appsec/test_sca_reachability.py::Test_SCA_Reachability_CVE_After_Vulnerable_Call:
+    - weblog_declaration:
+        "*": irrelevant (endpoint only implemented in spring-boot weblog)
+        spring-boot: v1.63.0-SNAPSHOT
+        spring-boot-3-native: irrelevant (GraalVM. Tracing support only)
+  tests/appsec/test_sca_reachability.py::Test_SCA_Reachability_CVE_Registered_At_Load_Time:
+    - weblog_declaration:
+        "*": irrelevant (endpoint only implemented in spring-boot weblog)
+        spring-boot: v1.63.0-SNAPSHOT
+        spring-boot-3-native: irrelevant (GraalVM. Tracing support only)
+  tests/appsec/test_sca_reachability.py::Test_SCA_Reachability_Deduplication:
+    - weblog_declaration:
+        "*": irrelevant (endpoint only implemented in spring-boot weblog)
+        spring-boot: v1.63.0-SNAPSHOT
+        spring-boot-3-native: irrelevant (GraalVM. Tracing support only)
+  tests/appsec/test_sca_reachability.py::Test_SCA_Reachability_Dependencies_Have_Metadata:
+    - weblog_declaration:
+        "*": irrelevant (endpoint only implemented in spring-boot weblog)
+        spring-boot: v1.63.0-SNAPSHOT
+        spring-boot-3-native: irrelevant (GraalVM. Tracing support only)
+  tests/appsec/test_sca_reachability.py::Test_SCA_Reachability_First_Hit_Wins:
+    - weblog_declaration:
+        "*": irrelevant (endpoint only implemented in spring-boot weblog)
+        spring-boot: v1.63.0-SNAPSHOT
+        spring-boot-3-native: irrelevant (GraalVM. Tracing support only)
   tests/appsec/test_service_activation_metric.py::TestServiceActivationEnvVarConfigurationMetric: missing_feature
   tests/appsec/test_service_activation_metric.py::TestServiceActivationEnvVarMetric: missing_feature
   tests/appsec/test_service_activation_metric.py::TestServiceActivationRemoteConfigMetric: missing_feature
diff --git a/tests/appsec/test_sca_reachability.py b/tests/appsec/test_sca_reachability.py
index 6de0afc3608..4052ca5c9a9 100644
--- a/tests/appsec/test_sca_reachability.py
+++ b/tests/appsec/test_sca_reachability.py
@@ -25,6 +25,12 @@
         "path": "app.py",
         "symbol": "sca_requests_vulnerable_call",
     },
+    "java": {
+        "cve_id": "GHSA-mjmj-j48q-9wg2",
+        "vulnerable_dep": "org.yaml:snakeyaml",
+        "path": "com.datadoghq.system_tests.springboot.ScaReachability",
+        "symbol": "scaVulnerableCall",
+    },
 }
 
 
diff --git a/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/ScaReachability.java b/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/ScaReachability.java
new file mode 100644
index 00000000000..8be99c94ea3
--- /dev/null
+++ b/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/ScaReachability.java
@@ -0,0 +1,35 @@
+package com.datadoghq.system_tests.springboot;
+
+import javax.annotation.PostConstruct;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.yaml.snakeyaml.Yaml;
+
+@RestController
+@RequestMapping("/sca")
+public class ScaReachability {
+
+  @PostConstruct
+  private void preloadVulnerableClass() {
+    // Force Yaml class load during Spring startup so the SCA transformer can register the CVE
+    // with reached=[] before any HTTP request triggers yaml.load(). Without this, the class
+    // loads lazily on the first /sca/vulnerable-call request, causing registerCve() and
+    // recordHit() to fire in the same request with no heartbeat window between them.
+    new Yaml();
+  }
+
+  @GetMapping("/vulnerable-call")
+  public String scaVulnerableCall() {
+    Yaml yaml = new Yaml();
+    yaml.load("key: value");
+    return "OK";
+  }
+
+  @GetMapping("/vulnerable-call-alt")
+  public String scaVulnerableCallAlt() {
+    Yaml yaml = new Yaml();
+    yaml.load("alt: value");
+    return "OK";
+  }
+}