How can I tell whether or not a given library method is being referenced by a consumer program statically in OOP languages?

Preface: This question is about source code reverse engineering and static analysis. Meaning, there is no built code available but I have access to the source code of the program.

Imagine I’m looking at some source code for a Java library. I know that in class foo, there is a public method bar() that either contains a bug or calls another private method which contains the bug.

With no prior knowledge of the codebase, and by only looking at source code, what are some techniques I can employ to find out if a given program that consumes this Java library, potentially calls the functionality, or triggers execution of the code with the bug in it?

I’m looking to answer the question "Does this program use the vulnerable method/function either directly or indirectly?" I know that technically it may not be possible without running the program to determine if the functionality is actually called because there may be a branch that is resolved at runtime based on external input. However, I only need to know whether or not the method has any chance at or could potentially be called.

I know how to find out if a method is used directly. I will search for the name of the class with vulnerable/buggy code throughout the program consuming the library, or even just search for the method itself. However, if the buggy function is not directly called by that program, this is where I am needing some tips. If the method is private or internal, it will never be directly called by the consuming program, but I’ve also seen cases where a method is public but isn’t directly called by the consuming program, however, another method in the library calls it.

This has made it difficult to find out if code using a given library is vulnerable to a bug. What are some tips to statically hunt down these references for Java? If you have relevant information that is for another OOP language, that could be useful here as well.