by kjok 883 days ago
I've seen startups claiming to solve these with reachability analysis. I think upgrading libs regardless could be a better solution, particularly for high-risk vulnerabilities.

But is upgrading libs ENOUGH? And does that make you feel confident that you are secure? We are not claiming to solve this using reachability analysis, or claiming to solve anything but saving devs their time at this point!
When I was responsible for resolving vulns in my previous companies' Docker images, in many cases upgrading the libraries was enough to resolve the vuln.

My role, and others like mine, needs to get that critical vuln number down. Meaning yes, upgrading libs was enough.

Mind me asking how big your organization was at that point? And were you the one responsible for patching afterwards if something didn't get resolved by upgrading libs?
Shouldn't your analysis/understanding show that upgrading the library is enough? If a CVE or a vulnerability scanner's test isn't telling you the problem that needs to be solved, upgrading a library or anything else won't make a difference, and you wouldn't know the problem either way.

Approaching vulnerability management from a developer's view is a very narrow scope.