Much like automated dynamic application security testing (DAST) solutions, static analysis of source code produces false positives, particularly when the review is purely automated.
For any given application where thousands (if not millions) of lines of code are ingested into such a solution, developers begin to receive an endless list of findings that are often riddled with the following:
- False positives that consume developers' time
- Security findings devoid of any threat context
- Static findings that lack supporting dynamic results