Hi Mark,

A vulnerability in a library may not always mean that the application is also vulnerable. Libraries contain lots of functions in them and sometimes applications only call for a few of these functions within a particular library. There is a possibility that the outdated library has a vulnerability in one of their functions and the rest is good. And the application may only imports a few non-vulnerable functions from this outdated library. 

SecOps pulls vulnerability detection information from your vulnerability scanner.

What normally your infrastructure vulnerability scanner does is, if the outdated libraries have vulnerabilities in used functions, then they associate this library with the version of the application (in your case TinyMC) and present the vulnerability as if it is in the application. The scanner usually does the fingerprinting based on versions.

But vulnerabilities within software components (like libraries) are detected through a different type of vulnerability scan. It is called Component Analysis. This type of scan is similar to SCA (Static Code Analysis) scans. It basically checks all the components of a compiled software and presents the vulnerabilities in the components. But the problem is usually with the functions in libraries. If the used functions are not vulnerable, there is no vulnerability in the application we can speak of.

Hope that helps.

Please mark it as helpful if it is!

Fatih!