Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Iranmanesh, Mohsen, Sabet, Sina Moradi, Marefat, Sina, Ghasr, Ali Javidi, Wilson, Allison, Sharafaldin, Iman, Tayebi, Mohammad A.
Format: Preprint
Veröffentlicht: 2025
Schlagworte:
Online-Zugang:https://arxiv.org/abs/2510.02534
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
_version_ 1866918153578086400
author Iranmanesh, Mohsen
Sabet, Sina Moradi
Marefat, Sina
Ghasr, Ali Javidi
Wilson, Allison
Sharafaldin, Iman
Tayebi, Mohammad A.
author_facet Iranmanesh, Mohsen
Sabet, Sina Moradi
Marefat, Sina
Ghasr, Ali Javidi
Wilson, Allison
Sharafaldin, Iman
Tayebi, Mohammad A.
contents Static Application Security Testing (SAST) tools are integral to modern software development, yet their adoption is undermined by excessive false positives that weaken developer trust and demand costly manual triage. We present ZeroFalse, a framework that integrates static analysis with large language models (LLMs) to reduce false positives while preserving coverage. ZeroFalse treats static analyzer outputs as structured contracts, enriching them with flow-sensitive traces, contextual evidence, and CWE-specific knowledge before adjudication by an LLM. This design preserves the systematic reach of static analysis while leveraging the reasoning capabilities of LLMs. We evaluate ZeroFalse across both benchmarks and real-world projects using ten state-of-the-art LLMs. Our best-performing models achieve F1-scores of 0.912 on the OWASP Java Benchmark and 0.955 on the OpenVuln dataset, maintaining recall and precision above 90%. Results further show that CWE-specialized prompting consistently outperforms generic prompts, and reasoning-oriented LLMs provide the most reliable precision-recall balance. These findings position ZeroFalse as a practical and scalable approach for enhancing the reliability of SAST and supporting its integration into real-world CI/CD pipelines.
format Preprint
id arxiv_https___arxiv_org_abs_2510_02534
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle ZeroFalse: Improving Precision in Static Analysis with LLMs
Iranmanesh, Mohsen
Sabet, Sina Moradi
Marefat, Sina
Ghasr, Ali Javidi
Wilson, Allison
Sharafaldin, Iman
Tayebi, Mohammad A.
Software Engineering
Static Application Security Testing (SAST) tools are integral to modern software development, yet their adoption is undermined by excessive false positives that weaken developer trust and demand costly manual triage. We present ZeroFalse, a framework that integrates static analysis with large language models (LLMs) to reduce false positives while preserving coverage. ZeroFalse treats static analyzer outputs as structured contracts, enriching them with flow-sensitive traces, contextual evidence, and CWE-specific knowledge before adjudication by an LLM. This design preserves the systematic reach of static analysis while leveraging the reasoning capabilities of LLMs. We evaluate ZeroFalse across both benchmarks and real-world projects using ten state-of-the-art LLMs. Our best-performing models achieve F1-scores of 0.912 on the OWASP Java Benchmark and 0.955 on the OpenVuln dataset, maintaining recall and precision above 90%. Results further show that CWE-specialized prompting consistently outperforms generic prompts, and reasoning-oriented LLMs provide the most reliable precision-recall balance. These findings position ZeroFalse as a practical and scalable approach for enhancing the reliability of SAST and supporting its integration into real-world CI/CD pipelines.
title ZeroFalse: Improving Precision in Static Analysis with LLMs
topic Software Engineering
url https://arxiv.org/abs/2510.02534