Beyond SBOM: Integrating VEX into Open Source Workflows
- Track: SBOMS and supply chains
- Room: UD2.208 (Decroly)
- Day: Sunday
- Start: 10:30
- End: 11:00
When a new CVE surfaces in an open-source dependency, teams face an immediate question: Do we really need to update? Is the vulnerability exploitable? In practice, nearly 90% of reported issues never affect the consuming application, but identifying the critical 10% is far from trivial. Reachability analysis offers a path forward by tracing vulnerable functions from the upstream component through multi-hop call graphs to determine whether the affected code is ever invoked downstream.
Despite its value, reachability analysis is notoriously difficult to automate. Most organizations still rely on manual investigation, while existing SCA tools frequently fall short, leaving teams uncertain and prompting unnecessary upgrades.
This talk presents a concrete case study from Apache Hadoop and Solr, illustrating how accurate reachability analysis can prevent wasted effort, reduce noise, and focus attention on the vulnerabilities that truly matter. The reachability of vulnerabilities will be analyzed using the Open Source VEX Generation Toolset project.
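As an added illustration (not code from the talk or from the Open Source VEX Generation Toolset), the following shows the reachability decision described above on a small constructed call graph: a breadth-first search from the application's entry points to the functions an advisory flags, turned into an OpenVEX-style status. All function, package and advisory names are invented; the justification strings are the OpenVEX ones.

```python
from collections import deque

# Constructed call graph (caller -> callees) of an application and the library it
# depends on; names are invented. Edges hop from "app.*" into "lib.*", so whether
# a sink several calls deep is reached is a multi-hop reachability question.
CALL_GRAPH = {
    "app.Main.main":          ["app.Importer.load", "app.Report.render"],
    "app.Importer.load":      ["lib.Parser.parse"],
    "lib.Parser.parse":       ["lib.Parser.parseHeader", "lib.Parser.parseBody"],
    "lib.Parser.parseBody":   ["lib.Util.decode"],
    "app.Report.render":      ["lib.Template.render"],
    "lib.Template.render":    ["lib.Template.evaluate"],
    "lib.Xml.parseExternal":  ["lib.Xml.resolveEntity"],  # in the library, unused by the app
}

def find_path(graph, entry, targets):
    """Breadth-first search from entry; returns the shortest call chain ending in
    one of targets, or None. parent[] doubles as the visited set, so cycles are safe."""
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None

def vex_statement(graph, entry_points, vulnerable_functions, vuln_id, product):
    """Decide an OpenVEX-style status for one advisory. Assumes the graph is complete
    (no reflection, dynamic dispatch or missing edges); that assumption is exactly
    what makes a 'not_affected' statement trustworthy."""
    known = set(graph) | {c for callees in graph.values() for c in callees}
    base = {"vulnerability": vuln_id, "product": product}
    if not any(f in known for f in vulnerable_functions):
        return {**base, "status": "not_affected",
                "justification": "vulnerable_code_not_present"}
    for entry in entry_points:
        path = find_path(graph, entry, set(vulnerable_functions))
        if path:
            return {**base, "status": "affected", "call_path": path}
    return {**base, "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path"}
```

The call path returned for an "affected" result is the evidence a reviewer would attach to the statement; for "not_affected" the justification is what downstream scanners consume to suppress the finding.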
Speakers
- Piotr P. Karwasz