There's lots of common sense missing in how CVEs are used at ground level in a company also.
Like, say, I use node.js in my project solely in the build/deploy process, and not at all in the deployed code. Something like using the serverless framework to make python AWS Lambdas.
The processes in place often can't make that distinction, so some "high/critical node.js when used as a web server" problem halts all builds, even though there's no node.js in the deployed application, and node.js is only used CLI-style.
This is why having an accurate scope is key. Easiest way to do that in an hour is to prefer to scan a workload like a container instead of a code repo. Or have a scanner that understands how something is built (and ideally how it runs).
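One way to express that distinction in a CI gate, as an added example that is not code from any commenter or from the Serverless Framework: the inventory (which components ship in the runtime artifact versus which only live on the build host) and the findings are constructed sample data; in practice the scope labels would come from scanning the deployed container image or Lambda package rather than the repo.

```python
"""Scope-aware CVE gating for a deployable artifact (constructed example).

Scenario from the thread: the deployed artifact is a Python AWS Lambda zip,
while node.js and the Serverless Framework exist only on the build/deploy
host.  Findings are reported per component; only findings on components that
ship in the runtime artifact should halt a deploy.  All data is constructed.
"""
from dataclasses import dataclass, field

# Component -> scope.  "runtime" = inside the deployed artifact,
# "build" = present only on the CI/deploy host (used CLI-style).
SAMPLE_INVENTORY = {
    "node": "build",          # runs the deploy tooling, never deployed
    "serverless": "build",    # deploy framework (npm package)
    "python": "runtime",      # Lambda runtime
    "requests": "runtime",    # shipped inside the Lambda zip
}

# Constructed findings: (component, severity, title).  Not real CVE records.
SAMPLE_FINDINGS = [
    ("node", "critical", "placeholder: node.js HTTP server issue"),
    ("serverless", "high", "placeholder: deploy tooling issue"),
    ("requests", "high", "placeholder: HTTP client library issue"),
]

GATING_SEVERITIES = {"high", "critical"}


@dataclass(frozen=True)
class Decision:
    block_deploy: bool
    gating: list = field(default_factory=list)    # runtime, gating severity
    deferred: list = field(default_factory=list)  # build-only: patch the CI image, don't halt deploys


def triage(inventory, findings, gating_severities=GATING_SEVERITIES):
    """Split findings into deploy-blocking and deferred by component scope."""
    gating, deferred = [], []
    for component, severity, title in findings:
        # Unknown component: fail closed and treat it as runtime, because an
        # incomplete inventory is itself a scoping problem worth surfacing.
        scope = inventory.get(component, "runtime")
        if scope == "runtime" and severity in gating_severities:
            gating.append((component, severity, title))
        else:
            deferred.append((component, severity, title))
    return Decision(block_deploy=bool(gating), gating=gating, deferred=deferred)


if __name__ == "__main__":
    decision = triage(SAMPLE_INVENTORY, SAMPLE_FINDINGS)
    print("block deploy:", decision.block_deploy)
    print("gating:", [f[0] for f in decision.gating])
    print("deferred:", [f[0] for f in decision.deferred])
```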