google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

Java import reachability #1031

Open oliverchang opened 3 weeks ago

oliverchang commented 3 weeks ago

With transitive pom.xml resolution landing soon in https://github.com/google/osv-scanner/pull/1028, we'll likely start to get a lot more vulnerability matches for Java projects.

IIUC, Java dependency resolution does not take into account import reachability (unlike Go). This means there's an opportunity to do some kind of import reachability analysis to prune (VEX) out vulnerability matches that likely do not affect the project.

One tool that may be useful for this is jdeps: https://docs.oracle.com/en/java/javase/11/tools/jdeps.html
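One way to turn the jdeps idea into a reachability filter, as an added example that is not part of this issue or of osv-scanner's code: it parses constructed text in the shape of `jdeps -verbose:package -R` output (the column layout assumed in the comments is an assumption about jdeps, not something the issue states), walks package-level import edges starting from the application's own packages, and marks each vulnerability match (placeholder IDs, not real advisories) as reachable or as a candidate for a not_affected VEX statement.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// Edge is one package-level dependency edge recovered from `jdeps -verbose:package`.
// Assumed text layout (an assumption about jdeps output, not osv-scanner code):
//   "<src archive> -> <dst archive>"                       summary line
//   "   <src pkg> -> <dst pkg> <dst archive | not found>"  indented package edge
type Edge struct {
	SrcArchive string // archive the importing package lives in (basename)
	Src        string // importing package
	Dst        string // imported package
	DstArchive string // archive supplying Dst, e.g. "java.base" or "foo-1.2.jar"
}

// ParseJdeps turns jdeps text output into package edges.
func ParseJdeps(out string) []Edge {
	var edges []Edge
	cur := ""
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := sc.Text()
		f := strings.Fields(line)
		if len(f) < 3 || f[1] != "->" {
			continue
		}
		if !strings.HasPrefix(line, " ") {
			cur = path.Base(f[0]) // summary line: archive owning the edges that follow
			continue
		}
		if len(f) < 4 {
			continue
		}
		edges = append(edges, Edge{
			SrcArchive: cur,
			Src:        f[0],
			Dst:        f[2],
			DstArchive: path.Base(strings.Join(f[3:], " ")),
		})
	}
	return edges
}

// ReachableArchives walks package edges from every package defined in appJar
// and returns the archives that supply at least one reached package.
func ReachableArchives(edges []Edge, appJar string) map[string]bool {
	adj := map[string][]Edge{}
	var roots []string
	for _, e := range edges {
		adj[e.Src] = append(adj[e.Src], e)
		if e.SrcArchive == path.Base(appJar) {
			roots = append(roots, e.Src)
		}
	}
	seen, reached := map[string]bool{}, map[string]bool{}
	queue := roots
	for len(queue) > 0 {
		p := queue[0]
		queue = queue[1:]
		if seen[p] {
			continue
		}
		seen[p] = true
		for _, e := range adj[p] {
			reached[e.DstArchive] = true
			queue = append(queue, e.Dst)
		}
	}
	return reached
}

// Match is a vulnerability match from dependency resolution, keyed by archive.
// IDs used below are constructed placeholders, not real advisories.
type Match struct{ ID, Archive string }

// Verdict records whether a match's archive is import-reachable from the app.
type Verdict struct {
	Match
	Reachable bool
}

// Triage keeps matches whose archive is reachable and flags the rest as
// candidates for a not_affected VEX statement.
func Triage(edges []Edge, appJar string, matches []Match) []Verdict {
	reached := ReachableArchives(edges, appJar)
	var out []Verdict
	for _, m := range matches {
		out = append(out, Verdict{Match: m, Reachable: reached[path.Base(m.Archive)]})
	}
	return out
}

// SampleJdeps is constructed in the shape of
// `jdeps -verbose:package -R -cp 'lib/*' app.jar lib/snakeyaml-1.30.jar`.
const SampleJdeps = `app.jar -> java.base
app.jar -> lib/commons-text-1.10.0.jar
app.jar -> lib/jackson-databind-2.13.0.jar
   com.example.app                  -> java.io                          java.base
   com.example.app                  -> java.util                        java.base
   com.example.app                  -> org.apache.commons.text          commons-text-1.10.0.jar
   com.example.app                  -> com.fasterxml.jackson.databind   jackson-databind-2.13.0.jar
commons-text-1.10.0.jar -> lib/commons-lang3-3.12.0.jar
   org.apache.commons.text          -> java.lang                        java.base
   org.apache.commons.text          -> org.apache.commons.lang3         commons-lang3-3.12.0.jar
jackson-databind-2.13.0.jar -> lib/jackson-core-2.13.0.jar
   com.fasterxml.jackson.databind   -> com.fasterxml.jackson.core       jackson-core-2.13.0.jar
snakeyaml-1.30.jar -> java.base
   org.yaml.snakeyaml               -> java.io                          java.base
`

// SampleMatches are constructed matches as pom.xml resolution might produce them.
var SampleMatches = []Match{
	{ID: "EXAMPLE-1", Archive: "commons-text-1.10.0.jar"},  // imported directly by the app
	{ID: "EXAMPLE-2", Archive: "commons-lang3-3.12.0.jar"}, // reached only through commons-text
	{ID: "EXAMPLE-3", Archive: "snakeyaml-1.30.jar"},       // on the classpath, never imported
}

func main() {
	for _, v := range Triage(ParseJdeps(SampleJdeps), "target/app.jar", SampleMatches) {
		status := "affected (import-reachable)"
		if !v.Reachable {
			status = "not_affected candidate (no import path from app)"
		}
		fmt.Printf("%s %s: %s\n", v.ID, v.Archive, status)
	}
}
```

Package-level edges are deliberately coarse: they prune only archives that nothing in the application transitively imports, which is exactly the case transitive pom.xml resolution will add a lot of. jdeps records static class references only, so code loaded through reflection, `ServiceLoader`, or a runtime-assembled classpath is invisible to it, and a target that is missing from `-cp` shows up as `not found` rather than as an edge; treat "unreachable" as a hint for a VEX statement, not as proof, and run jdeps with `-R` and the full resolved classpath before trusting the graph.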

oliverchang commented 3 weeks ago

CC @cuixq @michaelkedar