Security tooling gets ignored if it doesn't lead to remediation. That is the problem with security tooling that throws too many false positives: findings nobody can act on bury the ones that matter.
We added code analysis support in vet, our free and open source supply chain security tool. As the first use case, we implemented the ability to track and collect import usage evidence by analysing the AST of supported languages. This helps confirm that a vulnerable library is actually imported in first-party application code, rather than merely declared as a dependency or pulled in transitively, so that a vulnerability finding comes with the file and line where the package is used.
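The idea in miniature, as an added example that is not vet's own code: walk the AST of each first-party source file, record every non-relative import (including `importlib.import_module("...")` calls with a string-literal argument), and keep only the flagged packages that have at least one piece of evidence. The sample files and the `FLAGGED` set are constructed for illustration; the function names are ours and assume nothing about vet's implementation. Note the limits the approach shares with any static import analysis: an import built from a non-literal string is invisible, and an import statement proves the package is loaded, not that the vulnerable function in it is reached.

```python
"""Collect import-usage evidence from Python source with the stdlib ast module.

Illustrative example only (not vet's implementation). Function names, the
ImportEvidence record and the sample inputs below are our own constructions.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class ImportEvidence:
    """Where a third-party package is imported in first-party code."""
    module: str      # top-level package name, e.g. "requests" for "requests.adapters"
    path: str        # file the import was found in
    line: int        # 1-based line number of the import statement or call
    statement: str   # the import as written, for reviewer context


def _top_level(dotted: str) -> str:
    """'lxml.etree' -> 'lxml'; the package is what an advisory names."""
    return dotted.split(".", 1)[0]


def collect_import_evidence(source: str, path: str) -> list[ImportEvidence]:
    """Walk one file's AST and record every import of an external package.

    Relative imports (``from . import x``) are first-party code and skipped.
    ``importlib.import_module("pkg")`` with a string literal is recorded too;
    dynamic imports built from non-literal strings cannot be seen statically.
    """
    tree = ast.parse(source, filename=path)
    found: list[ImportEvidence] = []
    for node in ast.walk(tree):
        text = ast.get_source_segment(source, node) or ""
        if isinstance(node, ast.Import):
            for alias in node.names:
                found.append(ImportEvidence(_top_level(alias.name), path, node.lineno, text))
        elif isinstance(node, ast.ImportFrom):
            if node.level == 0 and node.module:   # level > 0 is a relative import
                found.append(ImportEvidence(_top_level(node.module), path, node.lineno, text))
        elif isinstance(node, ast.Call):
            func = node.func
            is_import_module = (
                isinstance(func, ast.Attribute) and func.attr == "import_module"
                and isinstance(func.value, ast.Name) and func.value.id == "importlib"
            )
            if (is_import_module and node.args
                    and isinstance(node.args[0], ast.Constant)
                    and isinstance(node.args[0].value, str)):
                found.append(ImportEvidence(_top_level(node.args[0].value), path, node.lineno, text))
    return found


def confirm_vulnerable_usage(files: dict[str, str],
                             vulnerable: set[str]) -> dict[str, list[ImportEvidence]]:
    """Return only the flagged packages that have import evidence, with that evidence.

    ``files`` maps path -> source text; ``vulnerable`` is the set of package
    names an SCA scan flagged from the manifest/lockfile.
    """
    by_module: dict[str, list[ImportEvidence]] = {}
    for path, source in files.items():
        for ev in collect_import_evidence(source, path):
            by_module.setdefault(ev.module, []).append(ev)
    return {pkg: by_module[pkg] for pkg in sorted(vulnerable) if pkg in by_module}


# Constructed sample inputs (not real project files or a real advisory feed).
SAMPLE_FILES = {
    "app/main.py": 'import requests\nfrom yaml import safe_load\nfrom . import helpers\n',
    "app/plugins.py": 'import importlib\nmod = importlib.import_module("lxml.etree")\n',
}
# Hypothetical set of packages flagged by a manifest-only scan.
FLAGGED = {"requests", "lxml", "pillow", "urllib3"}

if __name__ == "__main__":
    for pkg, evidence in confirm_vulnerable_usage(SAMPLE_FILES, FLAGGED).items():
        for ev in evidence:
            print(f"{pkg}: {ev.path}:{ev.line}: {ev.statement}")
```

With the constructed inputs, `requests` and `lxml` come back with file and line evidence, while `pillow` (declared but never imported) and `urllib3` (a transitive dependency of `requests`, never imported directly) produce none and can be deprioritised rather than dropped: a transitive package can still be reached through the library that imports it.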