This work addresses the limitations of existing reachability analyses for third-party library calls in Java projects, which predominantly rely on static methods and lack dynamic execution evidence, often leading to inaccurate reachability judgments. To overcome this, we propose FIKA, a novel pipeline that, for the first time, integrates dynamic execution evidence into reachability assessment. FIKA combines code generation, dynamic execution tracing, and test coverage techniques to empirically validate the executability of third-party library invocations. Evaluated on eight real-world projects, FIKA improves call-site coverage by 20% on average, verifies the executability of 2,363 dependency methods, and achieves strong executability guarantees—exceeding 75% coverage—in six projects. These results substantially enhance the accuracy of vulnerability prioritization in static analysis tools such as Semgrep.

Automated third-party library analysis tools help developers by addressing key dependency management challenges, such as automating version updates, detecting vulnerabilities, and detecting breaking updates. Dependency reachability analysis aims at improving the precision of dependency management, by reducing the space of dependency issues to the ones that actually matter. Most tools for dependency reachability analysis are static and fundamentally limited by the absence of execution. In this paper, we propose FIKA, a pipeline for providing guarantees of executability for third-party library call sites. FIKA generates code that is executed, and whose execution trace provides guarantees that a third-party library call site is actually reachable. We apply our approach to a dataset of eight Java projects to empirically evaluate the effectiveness of FIKA. On average, 54% of these call sites are covered by the existing test suites, and therefore, have evidence for their executability. FIKA further improves this coverage by 20% and is able to demonstrate executability for 2363 dependency methods. In six out of eight projects, FIKA provides strong guarantees that more than 75% of call sites are executable. We further demonstrate that FIKA is capable of improving the results provided by Semgrep, a state-of-the-art static vulnerability reachability analysis tool. We show that FIKA can help prioritize the vulnerability updates with stronger guarantees of executability in cases where Semgrep yields inconclusive reachability results.