CommercialJavaLast updated: 2023-11-10
Manual CVE_R
Based on S_M-C after manual review
0.6%
1 / 165 CVEs
OWASP Benchmark F1
84.4%
OWASP Benchmark v1.2 (Java)
Composite score
Manual 60 / F1 30 / (1-FP)10
25.7
Approx.FP: 100.0%
Real-world detections by scenario
Counts (bar) plus percentages (line) per benchmark scenario.
Approximate false positives
#Dvul and #Dvul&Dpatch for S_F-C / S_M-C.
SF-C
100.0%#Dvul = 2, #Dvul&Dpatch = 2
| Dvul | 2 |
| Dvul&Dpatch | 2 |
| Rate | 100.0% |
SM-C
100.0%#Dvul = 1, #Dvul&Dpatch = 1
| Dvul | 1 |
| Dvul&Dpatch | 1 |
| Rate | 100.0% |
Claimed vs measured coverage
Over-claim is computed with the Manual (S_M-C) column.
Over-claim
(#Supported - #Detected) / #Supported
99.1%
Speed notes
Qualitative tier plus study observations.
Tier: fast
Scan completes ~<=5 min (LoC < 50k)
- Run time jumps sharply once projects pass ~50k LoC (all tools).
- Tagged as a fastest-tier tool in the study (Insider / Contrast cohort).
Manual definition: research teams manually inspected S_M-C detections and removed patch-only hits. Over-claim is evaluated against that Manual baseline.