Traditionally, most software security analysis tools generate erroneous, invalid or non-real findings, or findings that have low value, which may be collectively referred to as false positive findings. Some types of analysis tools, such as Static Application Security Testing (SAST) tools, often generate far more false positive findings than true positive findings. To reduce the noise created by the false positive findings, application owners are forced to manually assess each finding through a tedious and time-consuming process. Otherwise, application owners may process the entire set of findings while accepting the risk that it contains false positive data. The existing technology does not provide any efficient and automated mechanism that produces true positive results, or results that have a high likelihood of accuracy.
In view of the foregoing, a need exists for an efficient solution that automatically validates findings generated by software security analysis tools, and eliminates false positive findings with a high degree of accuracy. Embodiments of the present disclosure are directed to this and other considerations.