Static application security testing (SAST) tools are an integral part of modern software development processes for finding bugs and security vulnerabilities. However, they suffer from a drawback: false positive findings. False positives are findings that the static analysis tool incorrectly identifies as vulnerabilities. Such alerts waste developers' time and effort, since they are not exploitable and need no patching. A substantial number of false positives can lead to developer fatigue and reduce the adoption of static analysis tools within software development teams. This may cause real vulnerabilities to go unnoticed, thereby increasing the software's overall attack surface. Therefore, it is imperative that false positives in SAST findings, and the noise they create, be reduced significantly.

In an attempt to realize this objective, we propose a novel approach that combines inter-procedural call graph analysis with large language model (LLM) reasoning to identify false positives in SAST findings. Our approach constructs precise call graphs with bidirectional execution context (the caller chain leading to the flagged function and the callee chain reachable from it) so that the LLM can conduct a comprehensive data flow analysis. To help the LLM reason better, our method guides it with CWE-specific prompts, which drive more accurate results.

The system detects over 90% of the false positives for specific CWEs such as CWE-22 (Path Traversal) and CWE-89 (SQL Injection). Our research demonstrates that inter-procedural call graph analysis coupled with LLM reasoning, powered by CWE-specific prompting, can significantly reduce the number of false positives in SAST findings, thereby increasing the usability of SAST tools.
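To make the "bidirectional execution context" concrete, the following is an added illustration of the context-gathering step described above. It is not the speakers' code or tooling: it builds an intra-module call graph for a constructed Python snippet using the standard `ast` module, extracts the caller chain and callee chain around a function a SAST tool has flagged, and assembles a CWE-specific triage prompt. The sample module, the finding dictionary, and the guidance text per CWE are all assumptions made for the example; the actual LLM call is out of scope and is not performed.

```python
import ast
from collections import defaultdict

# Constructed sample module (hypothetical, not from the talk): a handler that
# reads a file named by request input. A SAST tool would typically flag the
# open() call in read_file() as CWE-22 even though resolve() sanitises the name.
SAMPLE_SOURCE = '''
import os

BASE_DIR = "/srv/uploads"

def handle_request(params):
    name = params.get("file")
    return serve_file(name)

def serve_file(name):
    path = resolve(name)
    return read_file(path)

def resolve(name):
    safe = os.path.basename(name)
    return os.path.join(BASE_DIR, safe)

def read_file(path):
    with open(path) as fh:
        return fh.read()
'''

# Assumed per-CWE guidance; in a real system this would be tuned per finding type.
CWE_GUIDANCE = {
    "CWE-22": ("Path Traversal",
               "Trace every path from untrusted input to the filesystem sink. "
               "Treat basename()/allow-listing/canonicalisation plus a prefix "
               "check as sanitisers. If every path is sanitised, classify the "
               "finding as FALSE POSITIVE; otherwise TRUE POSITIVE."),
    "CWE-89": ("SQL Injection",
               "Trace every path from untrusted input to the query sink. "
               "Parameterised queries and strict type coercion are sanitisers; "
               "string concatenation or formatting into query text is not."),
}


class CallGraph:
    """Call graph over the functions defined in one module, with both
    callee (forward) and caller (reverse) edges."""

    def __init__(self, source):
        self.bodies = {}                    # function name -> source text
        self.callees = defaultdict(set)     # name -> names it calls
        self.callers = defaultdict(set)     # name -> names that call it
        tree = ast.parse(source)
        for node in ast.walk(tree):
            if isinstance(node, ast.FunctionDef):
                self.bodies[node.name] = ast.get_source_segment(source, node)
                for sub in ast.walk(node):
                    # Only direct calls by simple name; attribute calls such as
                    # os.path.basename() are library calls, not module functions.
                    if isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name):
                        self.callees[node.name].add(sub.func.id)
        # Reverse edges, restricted to functions defined in this module.
        for fn, targets in self.callees.items():
            for target in targets:
                if target in self.bodies:
                    self.callers[target].add(fn)

    def _reachable(self, start, edges):
        """Breadth-first walk from start along edges; returns module-defined
        functions in discovery order (nearest first)."""
        seen, order, queue = {start}, [], [start]
        while queue:
            current = queue.pop(0)
            for nxt in sorted(edges.get(current, ())):
                if nxt in self.bodies and nxt not in seen:
                    seen.add(nxt)
                    order.append(nxt)
                    queue.append(nxt)
        return order

    def caller_chain(self, fn):
        """Functions that (transitively) call fn, nearest caller first."""
        return self._reachable(fn, self.callers)

    def callee_chain(self, fn):
        """Functions (transitively) called by fn, nearest callee first."""
        return self._reachable(fn, self.callees)


def build_triage_prompt(graph, finding):
    """Assemble the CWE-specific prompt: finding, both chains, and the source
    of every function in the execution context."""
    fn, cwe = finding["function"], finding["cwe"]
    title, guidance = CWE_GUIDANCE[cwe]
    callers = graph.caller_chain(fn)
    callees = graph.callee_chain(fn)
    context = [fn] + callers + callees
    code = "\n\n".join(graph.bodies[name] for name in context)
    entry_path = " -> ".join(reversed(callers) if callers else ["(none)"])
    return (
        f"SAST finding: {cwe} ({title}) in {fn}().\n"
        f"Caller chain (entry point -> flagged function): {entry_path} -> {fn}\n"
        f"Callees reachable from {fn}: {', '.join(callees) or '(none)'}\n"
        f"Guidance: {guidance}\n\n"
        f"Code under analysis:\n{code}\n"
    )


if __name__ == "__main__":
    graph = CallGraph(SAMPLE_SOURCE)
    finding = {"cwe": "CWE-22", "function": "read_file"}  # constructed finding
    print(build_triage_prompt(graph, finding))
```

The caller chain is what lets the model see that `resolve()` runs before `read_file()` on every path from `handle_request()`, which is exactly the evidence needed to argue the finding is a false positive; a prompt containing only the sink function would not show it.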
Speakers

Vrushal Nedungadi

Application Security Analyst, Forward Security
Vrushal is a cybersecurity practitioner and researcher with a strong interest in software supply-chain security. With a strong background as a software developer in industry, he is now transitioning into offensive security. Outside of work, Vrushal enjoys reading and writing works...

Iman Sharafaldin

Application Security Lead, Forward Security
Iman specializes in analyzing, designing, testing, and optimizing secure systems across a wide range of business and technical environments. He has more than ten years of experience in cybersecurity, and his work has garnered over 8,000 citations, reflecting his significant contributions...
Monday June 1, 2026 4:30pm - 5:20pm PDT
Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP
515 W Hastings St, Vancouver, BC V6B 5K3, Canada