Effectiveness of using call graphs to detect propagated vulnerabilities

Nowadays software development greatly relies upon using third-party source code. A logical consequence is that vulnerabilities from such sources can be propagated to applications making use of those. Tools like Dependabot can alert developers about packages they use, which entail vulnerabilities. Such alerts oftentimes turn out to be false...