Vulnerabilities in libraries are not vulnerabilities in applications
We have a number of customers that do their own dependency scans for CVE vulnerabilities using the OWASP dependency checker plugin. It finds vulnerabilities all the time, but having a vulnerability in a library does not mean the application is subject to that vulnerability. It may be in a part of the library that is not used, or it may only be exploitable under a specific set of circumstances that will never occur in the application.
Even if you are exposed to a vulnerability, it is often in a 2nd or 3rd tier dependency, so you depend on the frameworks you are using to update their dependencies rather than it being anything you can fix yourself.
The key thing is to be aware of what vulnerabilities you are exposed to and to have mitigations in place (or be prepared to accept the risk). It is not feasible to aim for zero reported CVE vulnerabilities.
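One way to put this into practice is to gate the build on untriaged findings rather than on the raw CVE count. The sketch below is an added example, not code from this post or from the OWASP tool; the finding layout, the register, the decision names and the placeholder CVE ids are all assumptions made for illustration.

```python
from datetime import date

VALID_DECISIONS = {"not_affected", "mitigated", "accepted"}

# Constructed scanner findings (simplified, not the scanner's report schema).
# CVE ids and package names are placeholders; tier 1 = direct dependency.
FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "example-xml-lib", "tier": 1},
    {"cve": "CVE-0000-0002", "package": "example-json-lib", "tier": 3},
    {"cve": "CVE-0000-0003", "package": "example-http-lib", "tier": 2},
    {"cve": "CVE-0000-0004", "package": "example-log-lib", "tier": 2},
]

# Constructed triage register: one recorded decision per (CVE, package).
REGISTER = {
    ("CVE-0000-0001", "example-xml-lib"): {
        "decision": "not_affected", "review_by": date(2026, 1, 1),
        "reason": "vulnerable parser class is never called by the application"},
    ("CVE-0000-0002", "example-json-lib"): {
        "decision": "accepted", "review_by": date(2025, 1, 1),
        "reason": "only reachable with admin-supplied input"},
    ("CVE-0000-0003", "example-http-lib"): {
        "decision": "mitigated", "review_by": date(2026, 1, 1),
        "reason": "affected feature disabled in configuration"},
}

def triage(findings, register, today):
    """Split findings into those with a current decision and those needing action."""
    tracked, needs_action = [], []
    for f in findings:
        entry = register.get((f["cve"], f["package"]))
        if entry is None:
            needs_action.append((f["cve"], "untriaged"))
        elif entry["decision"] not in VALID_DECISIONS or not entry["reason"].strip():
            needs_action.append((f["cve"], "invalid decision"))
        elif entry["review_by"] < today:
            needs_action.append((f["cve"], "review expired"))
        else:
            # Tier 2+ fixes arrive via a framework release, not our own build file.
            fix = "own build" if f["tier"] == 1 else "upstream"
            tracked.append((f["cve"], entry["decision"], fix))
    return tracked, needs_action

def gate(findings, register, today):
    """Pass when every reported CVE has a current, reasoned decision."""
    return not triage(findings, register, today)[1]

if __name__ == "__main__":
    print(triage(FINDINGS, REGISTER, date(2025, 6, 1)))
```

The review date keeps an accepted risk from becoming permanent: once it passes, the finding goes back into the list that needs attention.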