
Using Reachability Analysis to Filter Vulnerabilities
Cybersecurity, Vulnerabilities, Risk Management, Software Analysis
The author's team is overwhelmed by CVEs coming from SCA and CSPM tools. Half of these vulnerabilities are in unused packages or in code paths that are never called, so the team wastes significant time triaging findings that pose no real risk. The author asks whether anyone is using reachability analysis to filter these findings, ideally to show whether a vulnerability is actually exploitable based on call paths or execution context.
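A minimal illustration of the technique the question is asking about, added here as an example and not code from the original post or from any SCA product: a static call graph is built from application source with Python's ast module, walked breadth-first from declared entry points, and each advisory is then reported either with the call path that reaches its vulnerable function or as unreachable. The two module sources, the package names vulnlib and otherlib, the function names and the advisory ids are all constructed for the example.

```python
"""Call-path reachability triage for SCA findings (constructed example)."""
import ast
from collections import deque

# Constructed sample application: two modules given as source strings.
# app.legacy_import is dead code; worker.run is only reachable if it is an
# entry point; nothing ever calls otherlib.render.
APP_SOURCES = {
    "app": '''
import vulnlib
import otherlib

def handle_request(data):
    return parse(data)

def parse(data):
    return vulnlib.safe_parse(data)

def legacy_import(path):
    return vulnlib.load_unsafe(open(path).read())
''',
    "worker": '''
from vulnlib import load_unsafe

def run(job):
    return load_unsafe(job)
''',
}

# Constructed advisory data: vulnerable qualified symbol -> hypothetical id.
ADVISORIES = {
    "vulnlib.load_unsafe": "ADV-EXAMPLE-1",
    "otherlib.render": "ADV-EXAMPLE-2",
}


class _CallCollector(ast.NodeVisitor):
    """Collect the qualified names of every callee inside one function body."""

    def __init__(self, aliases):
        self.aliases = aliases  # local name -> qualified name
        self.calls = set()

    def visit_Call(self, node):
        name = self._qualname(node.func)
        if name:
            self.calls.add(name)
        self.generic_visit(node)  # nested calls in arguments count too

    def _qualname(self, node):
        if isinstance(node, ast.Name):
            return self.aliases.get(node.id, node.id)
        if isinstance(node, ast.Attribute):
            base = self._qualname(node.value)
            return f"{base}.{node.attr}" if base else None
        return None  # call on a call result, subscript, etc.: unresolved


def build_call_graph(sources):
    """Return {qualified function name: set of qualified callee names}."""
    graph = {}
    for module, src in sources.items():
        tree = ast.parse(src)
        aliases = {}
        for node in tree.body:  # first pass: resolve imports and local defs
            if isinstance(node, ast.Import):
                for a in node.names:
                    # "import a.b" binds "a"; "import a.b as c" binds "c"
                    top = a.name.split(".")[0]
                    aliases[a.asname or top] = a.name if a.asname else top
            elif isinstance(node, ast.ImportFrom):
                for a in node.names:
                    aliases[a.asname or a.name] = f"{node.module}.{a.name}"
            elif isinstance(node, ast.FunctionDef):
                aliases[node.name] = f"{module}.{node.name}"
        for node in tree.body:  # second pass: collect call edges
            if isinstance(node, ast.FunctionDef):
                collector = _CallCollector(aliases)
                collector.visit(node)
                graph[f"{module}.{node.name}"] = collector.calls
    return graph


def reachable_paths(graph, entry_points):
    """BFS from the entry points; returns {node: shortest path from an entry}."""
    paths = {e: [e] for e in entry_points}
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in sorted(graph.get(fn, ())):
            if callee not in paths:
                paths[callee] = paths[fn] + [callee]
                queue.append(callee)
    return paths


def triage(sources, entry_points, advisories):
    """Map each advisory id to the reaching call path, or None if unreachable."""
    paths = reachable_paths(build_call_graph(sources), entry_points)
    return {adv: paths.get(symbol) for symbol, adv in advisories.items()}


if __name__ == "__main__":
    for entries in (["app.handle_request"], ["app.handle_request", "worker.run"]):
        print(entries, triage(APP_SOURCES, entries, ADVISORIES))
```

With only app.handle_request as an entry point both advisories come back unreachable: the vulnerable vulnlib.load_unsafe is called, but only from dead code, and otherlib is imported and never used. Adding worker.run as an entry point turns ADV-EXAMPLE-1 into a one-hop reachable finding with the path attached, which is the evidence a triager wants. Two caveats apply to any tool built on this idea: the result is only as good as the entry-point list and the advisory's function-level data (many advisories name only a package and version), and static call graphs miss dynamic dispatch, getattr, reflection and monkeypatching, so "unreachable" should lower a finding's priority rather than close it.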