Original Post: Shoulda, Woulda…Coulda
In the context of Static Application Security Testing (SAST), findings are typically categorized into true positives (confirmed vulnerabilities) and false positives (non-vulnerabilities). A critical concern, however, is false negatives: vulnerabilities that the SAST tool failed to detect. SAST is therefore an iterative process of scanning, triaging, discovering false negatives through reviews, updating rules, and rescanning.
To address false negatives, r2c introduced a Semgrep CLI feature called shouldafound. This feature allows users to report false negatives directly to the security research team. Example scenarios for using shouldafound include bug bounty reports, manual code reviews, and findings by security consultants.
Users report false negatives with a command that specifies their email, a message, and the code lines in question. This command generates a support ticket and a public link to the reported issue; because the link is public, the submitted lines should not contain secrets or code that cannot be disclosed. The security team then reviews these reports to update or create rules, improving the tool's detection coverage. The feature aims to reduce false negatives, so users can spend their time on the findings that matter rather than on hunting for gaps in the ruleset.
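The triage step above (compare scan findings against a manual review, separate true positives, false positives and false negatives, then report the false negatives) as an added example; this is not code from the original post or from Semgrep. The scan results are a constructed sample shaped like the `results` array of `semgrep --json` output, the review list is constructed ground truth, and the `--email`, `--message`, `--start` and `--end` flag names are an assumption about the shouldafound CLI rather than something the post confirms.

```python
"""Classify SAST findings against a manual review and emit the false
negatives that should be reported with `semgrep shouldafound`."""
from dataclasses import dataclass
import shlex


@dataclass(frozen=True)
class Location:
    path: str
    start: int
    end: int

    def overlaps(self, other: "Location") -> bool:
        # Same file and the line ranges intersect.
        return (self.path == other.path
                and self.start <= other.end
                and other.start <= self.end)


# Constructed sample. Field names follow the `results` array of
# `semgrep --json` output as I recall it (assumption).
SCAN_OUTPUT = {
    "results": [
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "app/runner.py", "start": {"line": 12}, "end": {"line": 12},
         "extra": {"message": "subprocess call with shell=True", "severity": "WARNING"}},
        {"check_id": "python.flask.security.debug-enabled",
         "path": "app/main.py", "start": {"line": 40}, "end": {"line": 40},
         "extra": {"message": "Flask debug mode enabled", "severity": "WARNING"}},
        {"check_id": "generic.secrets.security.detected-password",
         "path": "tests/fixtures.py", "start": {"line": 3}, "end": {"line": 3},
         "extra": {"message": "hard-coded password", "severity": "ERROR"}},
    ]
}

# Constructed ground truth from a manual code review / bug bounty report:
# only these two locations are confirmed vulnerabilities.
REVIEW = [
    (Location("app/runner.py", 12, 12), "command injection via shell=True"),
    (Location("app/db.py", 77, 81), "SQL query built with f-string from request param"),
]


def triage(scan_output, review):
    """Return (true_positives, false_positives, false_negatives).

    A finding is a true positive if it overlaps a reviewed vulnerability;
    a reviewed vulnerability no finding overlaps is a false negative.
    """
    findings = [Location(r["path"], r["start"]["line"], r["end"]["line"])
                for r in scan_output["results"]]
    tp, fp, fn = [], [], []
    for f in findings:
        (tp if any(f.overlaps(loc) for loc, _ in review) else fp).append(f)
    for loc, note in review:
        if not any(loc.overlaps(f) for f in findings):
            fn.append((loc, note))
    return tp, fp, fn


def precision_recall(tp, fp, fn, review=REVIEW):
    """Precision over findings, recall over reviewed vulnerabilities."""
    precision = len(tp) / (len(tp) + len(fp)) if tp or fp else 0.0
    recall = (len(review) - len(fn)) / len(review) if review else 0.0
    return precision, recall


def shouldafound_commands(fn, email):
    """Build one `semgrep shouldafound` invocation per false negative.

    Flag names are an assumption about the CLI; shlex.quote keeps the
    free-text message safe to paste into a shell.
    """
    cmds = []
    for loc, note in fn:
        cmds.append(" ".join([
            "semgrep", "shouldafound",
            "--email", shlex.quote(email),
            "--message", shlex.quote(note),
            "--start", str(loc.start), "--end", str(loc.end),
            shlex.quote(loc.path),
        ]))
    return cmds


if __name__ == "__main__":
    tp, fp, fn = triage(SCAN_OUTPUT, REVIEW)
    p, r = precision_recall(tp, fp, fn)
    print(f"TP={len(tp)} FP={len(fp)} FN={len(fn)} precision={p:.2f} recall={r:.2f}")
    for cmd in shouldafound_commands(fn, "dev@example.com"):
        print(cmd)
```

Matching on overlapping line ranges rather than exact lines matters in practice: a reviewer notes the whole vulnerable block while the scanner reports a single line, and an exact-match comparison would wrongly count the finding as both a false positive and a false negative. Each command the script prints is one report to submit; the message is the reviewer's note, so the research team sees why the lines are considered vulnerable.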