Abstract:
To eliminate the false positives caused by the coarse-grained impact analysis of existing software composition analysis tools, a vulnerability impact analysis method for C/C++ third-party libraries (TPLs) based on call graph analysis is proposed. The method evaluates the impact of a TPL vulnerability by checking whether the vulnerable TPL code is reachable through the call graph of the software, which yields a fine-grained, method-level and accurate TPL vulnerability impact analysis. Experiments show that the method achieves a precision of 94% and a recall of 77%, and eliminates 80% of the false positives produced by coarse-grained impact analysis.
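The reachability check described above, as an added illustration that is not code from the paper: a package-level (coarse-grained) analysis reports every advisory for a linked TPL, while a method-level (fine-grained) analysis reports an advisory only when a vulnerable TPL function lies on a call chain from an application entry point. The call graph, function names and advisory identifiers are all constructed for the example.

```python
from collections import deque

# Constructed sample call graph (caller -> callees). "app::" names are the
# analysed program, "tpl::" names belong to a linked third-party library.
# Every name here is assumed for illustration, not taken from a real project.
CALL_GRAPH = {
    "app::main":          ["app::load_config", "app::serve"],
    "app::load_config":   ["tpl::parse_ini"],
    "app::serve":         ["tpl::http_read", "app::render"],
    "app::render":        ["tpl::escape_html"],
    "app::legacy_import": ["tpl::decompress"],   # dead code: no path from main
    "tpl::parse_ini":     ["tpl::strdup_checked"],
    "tpl::decompress":    ["tpl::inflate_block"],
}

# Constructed advisory data: placeholder IDs -> TPL functions touched by the fix.
ADVISORIES = {
    "VULN-PLACEHOLDER-1": {"tpl::inflate_block"},   # only reachable via dead code
    "VULN-PLACEHOLDER-2": {"tpl::http_read"},       # reachable from main
    "VULN-PLACEHOLDER-3": {"tpl::random_bytes"},    # linked but never called
}

def call_paths(graph, entry):
    """BFS from entry; return {function: call chain from entry to it}."""
    paths = {entry: [entry]}
    queue = deque([entry])
    while queue:
        caller = queue.popleft()
        for callee in graph.get(caller, []):
            if callee not in paths:
                paths[callee] = paths[caller] + [callee]
                queue.append(callee)
    return paths

def coarse_grained(graph, advisories):
    """Package-level analysis: every advisory of a linked TPL is reported."""
    linked = any(c.startswith("tpl::") for cs in graph.values() for c in cs)
    return set(advisories) if linked else set()

def fine_grained(graph, advisories, entries=("app::main",)):
    """Method-level analysis: report an advisory only with a witness call chain."""
    paths = {}
    for entry in entries:
        for fn, chain in call_paths(graph, entry).items():
            paths.setdefault(fn, chain)
    return {adv: paths[fn] for adv, fns in advisories.items()
            for fn in fns if fn in paths}

def false_positives_removed(graph, advisories, entries=("app::main",)):
    """Advisories the coarse tool reports that no entry point can reach."""
    return coarse_grained(graph, advisories) - set(fine_grained(graph, advisories, entries))
```

The witness chain returned for each reported advisory is what an analyst would attach to a finding; an advisory whose vulnerable function is absent from the graph or reachable only from dead code is dropped rather than flagged.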