Comment by seanmcdirmid

9 hours ago

Most (all?) static analyzers are conservative, and reducing your false positive rate is always a struggle. You should never expect a false positive rate of zero (it’s probably impossible to not have false positives), but you shouldn’t be presenting your false positives as successes either.

> it’s probably impossible to not have false positives

It's possible to have no false positives or no false negatives, but it can be proven it's impossible to have neither of them.

Sure, but this one doesn’t pass the sniff test. I’ve written plenty of static analysis tools (including ones that do symbolic execution), and one of the first things you do to ensure that your results are valid is create some model of tainting/reachability. Even an analysis that’s 1-callsite sensitive would have caught this and discarded it as a false positive.

(In case it isn’t clear, I’m saying this is slop that someone whipped up and didn’t even bother to spot check.)
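A worked illustration of the taint/reachability point made in the thread, added here as an example and not taken from any commenter or tool: a toy taint analysis run over a constructed program in which a helper is called once with attacker-controlled input and once with a constant. The context-insensitive pass merges both call sites and flags the clean sink as well as the real one; the 1-call-site-sensitive pass keeps the two calls apart and reports only the genuine flow. The intermediate representation, `PROGRAM`, and the `analyze` function are all invented for this example.

```python
"""Toy taint analysis: context-insensitive vs. 1-call-site-sensitive.

Added example, not from the thread.  The IR, the sample program and the
analysis routine are constructed for illustration only.
"""

from dataclasses import dataclass


@dataclass
class Function:
    params: list
    body: list  # list of statement tuples, see PROGRAM


# Constructed toy program.  Statement forms:
#   ("source", dst)          dst <- attacker-controlled input
#   ("const", dst)           dst <- compile-time constant (clean)
#   ("copy", dst, src)       dst <- src
#   ("call", dst, fn, args)  dst <- fn(*args); the callee returns via "ret"
#   ("sink", src)            src reaches a dangerous operation
PROGRAM = {
    "identity": Function(params=["x"], body=[("copy", "ret", "x")]),
    "main": Function(params=[], body=[
        ("source", "t"),
        ("call", "a", "identity", ["t"]),  # call site 1: tainted argument
        ("const", "c"),
        ("call", "b", "identity", ["c"]),  # call site 3: clean argument
        ("sink", "a"),                     # index 4: real taint flow
        ("sink", "b"),                     # index 5: clean in reality
    ]),
}


def analyze(program, entry="main", callsite_sensitive=True):
    """Return the set of (function, statement index) sinks that receive taint.

    Taint is a boolean per variable that only ever rises False -> True, so
    the worklist loop is monotone and terminates.  With callsite_sensitive
    a callee gets one environment per call site; without it all call sites
    share a single environment and their argument taints are merged, which
    is exactly what produces the false positive on the clean sink.
    """
    def key(fn, site):
        return (fn, site if callsite_sensitive else None)

    env = {key(entry, "entry"): {}}  # (fn, context) -> {var: tainted}
    findings = set()
    changed = True

    def raise_taint(table, var):
        nonlocal changed
        if not table.get(var, False):
            table[var] = True
            changed = True

    while changed:
        changed = False
        for fn, ctx in list(env):
            vars_ = env[(fn, ctx)]
            for idx, stmt in enumerate(program[fn].body):
                op = stmt[0]
                if op == "source":
                    raise_taint(vars_, stmt[1])
                elif op == "copy":
                    if vars_.get(stmt[2], False):
                        raise_taint(vars_, stmt[1])
                elif op == "call":
                    dst, callee, args = stmt[1], stmt[2], stmt[3]
                    ckey = key(callee, (fn, idx))
                    if ckey not in env:
                        env[ckey] = {}
                        changed = True  # new context must be visited
                    callee_env = env[ckey]
                    for param, arg in zip(program[callee].params, args):
                        if vars_.get(arg, False):
                            raise_taint(callee_env, param)
                    if callee_env.get("ret", False):
                        raise_taint(vars_, dst)
                elif op == "sink":
                    if vars_.get(stmt[1], False):
                        findings.add((fn, idx))
                # "const" never introduces taint, so it needs no action
    return findings


if __name__ == "__main__":
    print("context-insensitive:", sorted(analyze(PROGRAM, callsite_sensitive=False)))
    print("1-call-site-sensitive:", sorted(analyze(PROGRAM, callsite_sensitive=True)))
```

The insensitive run reports both `sink(a)` and `sink(b)`; the second is the false positive the thread is complaining about, because `identity`'s parameter is tainted by one caller and that taint leaks into every caller's result. Distinguishing callees by their immediate call site is enough to drop it here; deeper call chains would need the context truncated to the last k sites, which is the usual k-CFA trade-off between precision and the number of contexts to analyse.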