Bibliography
============

Academic papers, reports, and industry references used to benchmark SqC and
contextualize its results against the static analysis landscape.

Juliet & Vulnerability Detection Studies
-----------------------------------------

**[ISSTA2022]** Steinhöfel, D. et al.
"An Empirical Study on the Effectiveness of Static C Code Analyzers for
Vulnerability Detection."
*ISSTA 2022*, ACM SIGSOFT International Symposium on Software Testing and
Analysis.

| ACM: https://dl.acm.org/doi/10.1145/3533767.3534380
| Preprint: https://mediatum.ub.tum.de/doc/1659728/1659728.pdf

Key finding: state-of-the-art tools miss 47--80% of vulnerabilities; on
average ~20% detection. Combining tools increases effectiveness by 26%.

----

**[Goseva2015]** Goseva-Popstojanova, K. and Perhinschi, A.
"On the capability of static code analysis to detect security
vulnerabilities."
*Information and Software Technology*, 2015.

| PDF: https://community.wvu.edu/~kagoseva/Papers/IST-2015.pdf
| ACM: https://dl.acm.org/doi/10.1016/j.infsof.2015.08.002

Key finding: 27% of C/C++ vulnerabilities missed by all three commercial
tools tested; 41% detected by all three. Even commercial tools miss
significant portions.

----

**[JKU2014]** Neumayer, P. et al.
"Using the Juliet Test Suite to Compare Static Security Scanners."
Johannes Kepler University Linz, 2014.

| PDF: https://www.se.jku.at/wp-content/uploads/2014/08/2014.Using-the-Juliet-Test-Suite.pdf

Directly compares scanner performance using the Juliet Test Suite as ground
truth.

----

**[Li2024]** Li, K. et al.
"An Empirical Study of Static Analysis Tools for Secure Code Review."
*ISSTA 2024*, ACM.

| ACM: https://dl.acm.org/doi/10.1145/3650212.3680313
| Preprint: https://arxiv.org/abs/2407.12241

Key finding: 52% of vulnerable code changes (VCCs) flagged by a single
tool; 76%+ of warnings in vulnerable functions are irrelevant to the actual
vulnerability; 22% of VCCs undetected by any tool.

----

**[Chen2023]** Chen, Y. et al.
"A Comparison of Static Analysis Tools for Vulnerability Detection in
C/C++ Code."

Compares multiple tools on C/C++ vulnerability detection with quantitative
precision/recall metrics.

NIST SATE Reports
-----------------

**[SATE-VI]** National Institute of Standards and Technology.
"Static Analysis Tool Exposition (SATE) VI."
NIST, 2018--2023.

| Overview: https://www.nist.gov/itl/ssd/software-quality-group/static-analysis-tool-exposition-sate-vi
| Bug Injection Report: https://www.nist.gov/publications/sate-vi-report-bug-injection-and-collection
| Ockham Criteria: https://www.nist.gov/publications/sate-vi-ockham-sound-analysis-criteria-0
| Workshop: https://samate.nist.gov/SATE6Workshop.html

Security-focused bug-finding evaluation exercise. Showed that tool
effectiveness varies significantly with the test cases, bug classes, and
code complexity involved.

----

**[NIST-SP500-297]** Okun, V. et al.
"Report on the Static Analysis Tool Exposition (SATE) IV."
NIST SP 500-297.

| PDF: https://www.govinfo.gov/content/pkg/GOVPUB-C13-85ce8522f8e17f9964cecdf57250a8c6/pdf/GOVPUB-C13-85ce8522f8e17f9964cecdf57250a8c6.pdf

----

**[Juliet-v1.3]** NIST SAMATE.
"Juliet Test Suite v1.3 for C/C++."

| Download: https://samate.nist.gov/SARD/test-suites/112

54,484 C/C++ files covering 118 CWEs with ground truth (OMITBAD/OMITGOOD).

Tool Comparison & Industry Studies
----------------------------------

**[Lenarduzzi2022]** Lenarduzzi, V., Pecorelli, F., Saarimäki, N., Lujan, S.,
and Palomba, F.
"A critical comparison on six static analysis tools: Detection, agreement,
and precision."
*Journal of Systems and Software*, 2022.

| arXiv: https://arxiv.org/abs/2101.08832
| ScienceDirect: https://www.sciencedirect.com/science/article/pii/S0164121222002515

Compared six tools (Java); FindBugs 57% precision. Low inter-tool agreement
across all pairs.

----

**[Chou2005]** Chou, A. et al.
"False Positives Over Time (Coverity)."
Bug Workshop 2005.

| PDF: https://www.cs.umd.edu/~pugh/BugWorkshop05/papers/34-chou.pdf

Early industry data on FP rates and how they evolve as tools mature.

----

**[Machiry2022]** Machiry, A. et al.
"An Empirical Study on the Use of Static Analysis Tools."

| PDF: https://machiry.github.io/files/emsast.pdf

How developers use static analysis in practice; adoption barriers
including FP rates.

----

**[NCC-Group]** NCC Group.
"Best Practices for Static Analysis."

Industry guidance on deploying static analysis effectively, managing
FP rates, and integrating into development workflows.

False Positive Rate Benchmarks
------------------------------

**[CASTLE2025]** CASTLE Benchmarking Dataset. 2025.

| arXiv: https://arxiv.org/abs/2503.09433

New benchmark for static code analyzers and LLMs; scores both true and
false positives, weighted by severity.

----

**[AICodeSec2025]** "2025 AI Code Security Benchmark: Snyk vs Semgrep vs
CodeQL."

| Blog: https://sanj.dev/post/ai-code-security-tools-comparison

Reported FP rates: CodeQL 5%, Snyk 8%, Semgrep 12% (AI-augmented SAST).

Industry FP Rate Context
~~~~~~~~~~~~~~~~~~~~~~~~~

- **10--20% FP rate**: widely cited as the acceptable range for SAST
  adoption in development (industry consensus)
- **5% FP rate**: stringent target (DeepSource, validated by major tech
  companies)
- **3--48%**: observed range across 10 SAST tools (2018 study)
- **>95% FP rate**: open-source SAST on Linux kernel null-pointer deref
  (worst case)

Standards & Specifications
--------------------------

**[CERT-C]** Software Engineering Institute.
"SEI CERT C Coding Standard."

| https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard

283 rules across 17 categories. The rule set implemented by SqC.

----

**[SARIF-2.1]** OASIS.
"Static Analysis Results Interchange Format (SARIF) Version 2.1.0."

| https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html

The output format used by SqC for CI/CD integration.

NASA & Aerospace
-----------------

**[NASA-SA]** NASA.
"Static Code Analysis for Security."

Static analysis practices in safety-critical aerospace software
development.