Upgrading OS libraries in my legacy application is costly for historical reasons. Suppose my app uses an Open Source library A which requires OS library B which uses library C. I find that C has a vulnerability.
If running 100% regression on my app finds that the vulnerable part of C is not called, can I assume that this particular vulnerability is a false positive FOR MY APP?
JaCoCo reports can tell me if any specific parts of my application and all of its component OS libraries were called. Given that this might let me avoid a library upgrade, is this a practical method of ranking vulnerabilities? Is there a better way to determine whether a vulnerability is accessible?
What is a good way to determine what parts of a given OS library contain the vulnerability?
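One way to automate the coverage check described in the question, as an added example that is not part of the original post: assuming the advisory or upstream patch identifies the vulnerable methods of library C by class and method name (the library name, report fragment and counters below are constructed), this script reads a JaCoCo XML report and states whether each listed method executed during the regression run.

```python
"""Check a JaCoCo XML report for execution of known-vulnerable methods.

Assumption (not from the original question): the vulnerable code locations
are supplied as (class, method) pairs taken from the advisory or the fix.
"""
import xml.etree.ElementTree as ET

# Constructed JaCoCo XML fragment for a hypothetical library "C".
SAMPLE_REPORT = """<report name="app">
  <package name="org/libc/parse">
    <class name="org/libc/parse/Decoder" sourcefilename="Decoder.java">
      <method name="decode" desc="(Ljava/lang/String;)[B" line="40">
        <counter type="INSTRUCTION" missed="0" covered="31"/>
        <counter type="METHOD" missed="0" covered="1"/>
      </method>
      <method name="decodeUnsafe" desc="([B)[B" line="88">
        <counter type="INSTRUCTION" missed="54" covered="0"/>
        <counter type="METHOD" missed="1" covered="0"/>
      </method>
    </class>
  </package>
</report>"""


def covered_methods(report_xml):
    """Return {(class, method): covered instruction count} for every method."""
    root = ET.fromstring(report_xml)
    result = {}
    for cls in root.iter("class"):
        for meth in cls.findall("method"):
            counter = meth.find("counter[@type='INSTRUCTION']")
            covered = int(counter.get("covered")) if counter is not None else 0
            result[(cls.get("name"), meth.get("name"))] = covered
    return result


def classify_vulnerable(report_xml, vulnerable):
    """Map each vulnerable (class, method) to 'executed', 'not executed' or 'absent'."""
    cov = covered_methods(report_xml)
    out = {}
    for key in vulnerable:
        if key not in cov:
            out[key] = "absent"          # not in the instrumented classpath at all
        elif cov[key] > 0:
            out[key] = "executed"        # the suite reached the vulnerable code
        else:
            out[key] = "not executed"    # by this suite; not proof of unreachability
    return out


if __name__ == "__main__":
    vuln = [("org/libc/parse/Decoder", "decodeUnsafe"),
            ("org/libc/parse/Decoder", "decode")]
    for (cls, meth), verdict in classify_vulnerable(SAMPLE_REPORT, vuln).items():
        print(f"{cls}#{meth}: {verdict}")
```

A method reported as "not executed" only shows that the regression suite did not reach it, not that no input can, so the result is a ranking aid rather than evidence that the vulnerability is unreachable.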