CommercialJavaLast updated: 2023-09-20
Manual CVE_R
Based on S_M-C after manual review
2.4%
4 / 165 CVEs
OWASP Benchmark F1
13.9%
OWASP Benchmark v1.2 (Java)
Composite score
Manual 60 / F1 30 / (1-FP)10
5.6
Approx.FP: 100.0%
Real-world detections by scenario
Counts (bar) plus percentages (line) per benchmark scenario.
Approximate false positives
#Dvul and #Dvul&Dpatch for S_F-C / S_M-C.
SF-C
100.0%#Dvul = 11, #Dvul&Dpatch = 11
| Dvul | 11 |
| Dvul&Dpatch | 11 |
| Rate | 100.0% |
SM-C
100.0%#Dvul = 4, #Dvul&Dpatch = 4
| Dvul | 4 |
| Dvul&Dpatch | 4 |
| Rate | 100.0% |
Claimed vs measured coverage
Over-claim is computed with the Manual (S_M-C) column.
Over-claim
(#Supported - #Detected) / #Supported
95.8%
Speed notes
Qualitative tier plus study observations.
Tier: fast
Scan completes ~<=5 min (LoC < 50k)
- Run time jumps sharply once projects pass ~50k LoC (all tools).
- Tagged as a fastest-tier tool in the study (Insider / Contrast cohort).
Manual definition: research teams manually inspected S_M-C detections and removed patch-only hits. Over-claim is evaluated against that Manual baseline.