How do we choose an attack vector, actor and setting for findings related with source code, more specifically, non-updatable dependencies findings? Do we require that the attacker have access to the source code so that he knows that the vulnerable components are present or do we assume a worst-case scenario in which the vulnerabilities that might be reported for those dependencies could be exploited by anyone on internet with minumum privileges?
For an attacker to exploit a non-updatable dependencies findings the only thing that he needs is access to the app, because some vendor vulnerabilities can be exploited by anyone on internet with minimum privileges you should assume that scenario.
The attacker doesn’t need access to the source code in order to know that the software is outdated, some vulnerabilities can be discovered with the responses of the application or server. But there’s a trick on that finding, not all of the CVEs can be exploited, most of the times you will find that none of them can. It is important that you read the vulnerabilities and check if they can be exploited, this should appear on your CVSSV3 scoring too.