Tracing method calls in app to assess security vulnerability to CVE - best practices?
I've been working to help deal with updates to packages and refactors to some apps to address security CVEs. Oftentimes, the CVEs are due to some vulnerable method/function and if we can prove that said method/functions are not called within an app, then I can ignore it as a false positive.
My question/request is as follows: Does anyone have some best practices/resources for how to properly track the use of a vulnerable method/function through an app (from node_modules through src code)? Please don't suggest bumping NodeJS version, that is not applicable to this situation.
What I was recommended: A former colleague recommended starting with the method in question and where it was first called. They said to note the functions within node_modules that the vulnerable method is used in and go up from there to see where all of those functions are used. Then find if/where in the source code each of the functions found in node_modules is called. If any of those functions are called, then the finding CANNOT be a false positive.
- I found this to be tricky and very cumbersome with apps with numerous packages and/or loads of nested dependencies. If the way that I was recommended to track vulnerable methods is a good practice, that's great! But I'm hoping to see if some others in the community may have tips/tricks/best practices to recommend as well.
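The walk-up procedure described in the question, as an added example (not part of the question or of any answer): a reverse-reachability search over a callee-to-caller graph, stopping when a caller lives under `src/`. The graph, file names and function names are constructed for illustration; in practice the edges would come from a static analyser or from reading the dependency tree, and dynamic calls that no such graph records are the main source of misses.

```javascript
// Constructed call graph: callee -> list of callers, keyed "file:function".
// All paths and names are made up for this example.
const CALLERS = {
  "node_modules/vuln-lib/lib/parse.js:unsafeParse": [
    "node_modules/vuln-lib/index.js:load",
  ],
  // Only a CLI entry point that nothing in this app calls uses legacyParse.
  "node_modules/vuln-lib/lib/parse.js:legacyParse": [
    "node_modules/vuln-lib/lib/cli.js:main",
  ],
  "node_modules/vuln-lib/index.js:load": [
    "node_modules/config-loader/index.js:readConfig",
  ],
  "node_modules/config-loader/index.js:readConfig": [
    "src/app.js:bootstrap",
  ],
};

const isAppSource = (node) => node.startsWith("src/");

// Return every caller chain from `vulnerable` up to application source.
// An empty list means the graph has no path to src/, so the finding is a
// false-positive candidate, valid only as far as the graph is complete
// (dynamic dispatch, eval, and callbacks passed across packages are missed).
function reachablePaths(callers, vulnerable) {
  const paths = [];
  const stack = [[vulnerable]];
  while (stack.length) {
    const chain = stack.pop();
    const top = chain[chain.length - 1];
    if (isAppSource(top)) {
      paths.push(chain);
      continue;
    }
    for (const caller of callers[top] || []) {
      if (!chain.includes(caller)) stack.push([...chain, caller]); // cycle guard
    }
  }
  return paths;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const fn of ["unsafeParse", "legacyParse"]) {
    const node = `node_modules/vuln-lib/lib/parse.js:${fn}`;
    const paths = reachablePaths(CALLERS, node);
    console.log(fn, paths.length ? "REACHABLE from src/" : "no path to src/");
    for (const p of paths) console.log("  " + p.join("  <-  "));
  }
}
```

Each printed chain is the evidence to attach to the triage note; the absence of a chain is only as strong as the graph that produced it.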
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow