I wonder if having some sort of dependency scanner giving more upfront visibility would help clear things up. Then you'd be able to get a sense of what the composition of issues might look like. Seems like there's so many scanners out there that something must solve this.