Vulnerable Open Source Dependencies: Counting Those That Matter