Developer Tools

FP-Predictor - False Positive Prediction for Static Analysis Reports

A new Graph Convolutional Network model achieves near-perfect accuracy in filtering out false security alerts.

Deep Dive

A team of researchers from the Software Engineering community has introduced FP-Predictor, a novel AI system designed to tackle one of the most persistent problems in software security: the high rate of false positives generated by Static Application Security Testing (SAST) tools. These automated scanners are crucial for finding vulnerabilities in source code, but they often flood developers with irrelevant alerts, wasting time and eroding trust in automated analysis. The new model uses a Graph Convolutional Network (GCN) architecture that processes Code Property Graphs (CPGs), which combine a program's abstract syntax tree, control flow graph, and program dependence graph into a single representation. This allows the AI to capture both the structural and semantic relationships within the code that are indicative of a genuine vulnerability versus a false alarm.
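To make the architecture concrete, here is a small added example (constructed for this page, not code from the FP-Predictor paper or its authors) that hand-builds a Code Property Graph for a three-statement snippet and runs one GCN propagation step over it. The node-type vocabulary, the merging of AST/CFG/PDG edges into a single adjacency matrix, and the untrained identity weight matrix are all simplifying assumptions; a real model would learn the weights and use a far richer feature set.

```python
"""Toy Code Property Graph plus one GCN propagation step, in pure Python.

Constructed example, not from the FP-Predictor paper. The graph below is a
hand-built CPG for this Java-like snippet (node ids in the right margin):

    String mode = "AES/CBC/PKCS5Padding";   # n0 literal, n1 assignment
    Cipher c = Cipher.getInstance(mode);    # n2 call
    c.init(Cipher.ENCRYPT_MODE, key);       # n3 call
"""
import math
from typing import List, Tuple

# Node-type vocabulary for one-hot features (assumption: a real system would
# use a much larger vocabulary plus learned token embeddings).
NODE_TYPES = ["LITERAL", "ASSIGN", "CALL"]

# The three edge kinds a CPG layers over one shared node set.
AST, CFG, PDG = "AST", "CFG", "PDG"

# Constructed CPG as (source, target, kind). n1->n2 appears under both CFG
# (execution order) and PDG (the data dependence through `mode`).
CPG_NODES: List[str] = ["LITERAL", "ASSIGN", "CALL", "CALL"]
CPG_EDGES: List[Tuple[int, int, str]] = [
    (1, 0, AST),   # the assignment node contains the string literal
    (1, 2, CFG),   # control flows from the assignment to getInstance
    (2, 3, CFG),   # ... and on to init
    (1, 2, PDG),   # `mode` is defined in n1 and used in n2
    (2, 3, PDG),   # `c` is defined in n2 and used in n3
]


def one_hot_features(node_types: List[str]) -> List[List[float]]:
    """Initial node feature matrix H, shape (num_nodes, len(NODE_TYPES))."""
    return [[1.0 if t == nt else 0.0 for nt in NODE_TYPES] for t in node_types]


def merged_adjacency(n: int, edges: List[Tuple[int, int, str]]) -> List[List[float]]:
    """Undirected 0/1 adjacency with every edge kind merged and self-loops added.

    Merging kinds is the plain-GCN choice made here; a relational GCN would
    keep one adjacency per kind (an alternative, not what the page describes).
    """
    a = [[0.0] * n for _ in range(n)]
    for i in range(n):
        a[i][i] = 1.0                      # self-loop: A_hat = A + I
    for s, t, _kind in edges:
        a[s][t] = a[t][s] = 1.0            # duplicates across kinds collapse to 1
    return a


def normalize(a_hat: List[List[float]]) -> List[List[float]]:
    """Symmetric normalization D^-1/2 (A+I) D^-1/2 used by Kipf & Welling GCNs."""
    deg = [sum(row) for row in a_hat]
    n = len(a_hat)
    return [[a_hat[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)] for i in range(n)]


def matmul(a: List[List[float]], b: List[List[float]]) -> List[List[float]]:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def gcn_layer(a_norm, h, w):
    """One GCN layer: ReLU(A_norm . H . W). Each node mixes in its neighbours."""
    z = matmul(matmul(a_norm, h), w)
    return [[max(0.0, v) for v in row] for row in z]


def mean_pool(h: List[List[float]]) -> List[float]:
    """Graph-level readout: average the node states into one vector."""
    n = len(h)
    return [sum(h[i][j] for i in range(n)) / n for j in range(len(h[0]))]


def embed_cpg(node_types, edges, weights, layers: int = 1):
    """Run `layers` GCN layers over the CPG; return (node_states, graph_vector).

    Each layer widens the receptive field by one hop, which is how structural
    context (what surrounds a call, where its arguments come from) reaches the
    representation that a classifier head would score.
    """
    h = one_hot_features(node_types)
    a_norm = normalize(merged_adjacency(len(node_types), edges))
    for _ in range(layers):
        h = gcn_layer(a_norm, h, weights)
    return h, mean_pool(h)


# Untrained identity weights so the propagated values are easy to read off.
IDENTITY_W = [[1.0 if i == j else 0.0 for j in range(3)] for i in range(3)]

if __name__ == "__main__":
    nodes, graph_vec = embed_cpg(CPG_NODES, CPG_EDGES, IDENTITY_W)
    for idx, (t, state) in enumerate(zip(CPG_NODES, nodes)):
        print(f"n{idx} {t:8s} -> {[round(v, 3) for v in state]}")
    print("graph embedding:", [round(v, 3) for v in graph_vec])
```

With identity weights the output is just the normalized neighbourhood average of the one-hot types, so you can see the mechanism directly: after one layer the literal node n0 carries a share of its parent assignment, and n3 (the `init` call) carries a share of the `getInstance` call it depends on; a second layer is needed before the literal's feature reaches n2. In a trained model the weight matrix and a classifier head on the pooled vector replace the identity and the printout.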

Trained and tested on established security benchmarks, FP-Predictor performs strikingly well. On the CamBenchCAP dataset with an 80/20 train-test split, the model achieved a perfect 100% accuracy. More importantly, in a practical evaluation on the CryptoAPI-Bench, it maintained an overall accuracy of up to 96.6%. A qualitative review revealed that many of its apparent 'misclassifications' were actually conservative judgments where the model correctly identified subtle, genuine security weaknesses that were missed in the benchmark's ground truth. The paper, accepted at the STATIC 26 workshop co-located with ICSE 2026, acknowledges current limitations, such as incomplete interprocedural analysis, and outlines a roadmap for future work. This includes integrating full call graphs, applying graph explainability techniques for better transparency, and expanding training data across multiple SAST tools to improve generalization.

Key Points
  • Uses Graph Convolutional Networks (GCNs) on Code Property Graphs (CPGs) to analyze code structure and semantics for prediction.
  • Achieved 100% accuracy on the CamBenchCAP test set and 96.6% on the practical CryptoAPI-Bench benchmark.
  • Future work will integrate call graphs and explainability techniques to address limitations and improve model interpretability.

Why It Matters

Dramatically reduces time wasted by developers manually triaging false security alerts, making automated code analysis more efficient and trustworthy.