SpotBugs+FindSecurityBugs (OSS, Java). Last updated: 2023-07-30
Manual CVE_R (based on S_M-C after manual review): 10.3% (17 / 165 CVEs)

OWASP Benchmark F1 (OWASP Benchmark v1.2, Java): 82.8%

Composite score (weights: Manual 60 / F1 30 / (1-FP) 10): 31.6

Approx. FP: 94.1%

Real-world detections by scenario
Counts (bar) plus percentages (line) per benchmark scenario.
Approximate false positives (#Dvul and #Dvul&Dpatch for S_F-C / S_M-C):

  • S_F-C: #Dvul = 26, #Dvul&Dpatch = 25, rate 96.2%
  • S_M-C: #Dvul = 17, #Dvul&Dpatch = 16, rate 94.1%

Claimed vs measured coverage (over-claim is computed with the Manual (S_M-C) column):

Over-claim = (#Supported - #Detected) / #Supported = 86.7%

Speed notes (qualitative tier plus study observations):

Tier: mid (roughly 5-15 min depending on project size)

  • Run time jumps sharply once projects pass ~50k LoC (all tools).

Manual definition: research teams manually inspected S_M-C detections and removed patch-only hits. Over-claim is evaluated against that Manual baseline.