
Friends or Foes? Combining Static Analysis Tools and LLMs for Vulnerability Detection

Authors:

Rafael Ramires, Sarmad Bashir, Muhammad Abbas Khan, Mehrdad Saadatmand, Iberia Medeiros

Publication Type:

Conference/Workshop Paper

Venue:

The 10th International Workshop on Testing Extra-Functional Properties and Quality Characteristics of Software Systems


Abstract

Industrial products and devices (e.g., vehicles, drones) are broadly accessed and managed using web applications. These applications have been a major concern for enterprises, as they are the preferred targets of attackers due to persistent vulnerabilities in their code. To address vulnerabilities, static analysis tools (SASTs) have been widely used for detection, alongside the growing trend of employing prompt-engineered large language models (LLMs). Although they have proven useful for detection, both techniques tend to generate false positives (FPs), thereby unnecessarily increasing manual effort in the search for non-existent vulnerabilities; moreover, SASTs tend to miss vulnerabilities. In contrast, fine-tuned LLMs have proven effective at reasoning and classification tasks, but often require expensive training with balanced corpora. In this paper, we study SASTs, both types of LLMs, and their combination to improve overall vulnerability detection in web applications. We tested two modern SAST tools and two LLM models across seven datasets for SQL injection (SQLi) vulnerability detection. Our findings reveal that combining the results of multiple solutions can improve vulnerability detection. The best combination integrates both LLMs and a SAST, where i) the fine-tuned LLM, together with the SAST, reduces FPs, mainly produced by the prompt-engineered LLM, and ii) both LLMs overcome the SAST's limitation of missing vulnerabilities. On average, the F1-score increases by 17-60% when SASTs and LLMs are combined. In particular, it can improve from 6% (with a standalone solution) to ≈100% when LLMs are combined with SASTs.

Bibtex

@inproceedings{Ramires7373,
author = {Rafael Ramires and Sarmad Bashir and Muhammad Abbas Khan and Mehrdad Saadatmand and Iberia Medeiros},
title = {Friends or Foes? Combining Static Analysis Tools and LLMs for Vulnerability Detection},
month = {May},
year = {2026},
booktitle = {The 10th International Workshop on Testing Extra-Functional Properties and Quality Characteristics of Software Systems},
url = {http://www.ipr.mdu.se/publications/7373-}
}