Static information flow analysis tools, referred to herein as “static analyzers,” are well known tools that provide information about computer software while applying only static considerations (i.e., without executing a computer software application). In one type of static analysis, information flows are traced within a computer software application from sources, being application programming interfaces (API) that introduce “untrusted” input into a program, such as user input, to sinks, being security-sensitive operations, and such flows are identified as security vulnerabilities that may require further analysis by a software developer and possibly corrective action. However, many such information flows may encounter one or more points within the application, referred to herein as “downgraders,” that validate and/or sanitize data, and particularly data that are input into the application from sources that are external to the application. These downgraders ensure that the data do not contain illegal characters or are not represented in an illegal format, both common tactics used in malicious attacks.