What problem does this paper attempt to address?

The problem that this paper attempts to solve is the large number of false positives generated by Static Application Security Testing (SAST) tools when detecting code vulnerabilities. Specifically, although SAST tools are crucial for early error detection, improving code quality and efficiency in modern software development, they often produce many false positives, which require manual review and thus slow down the development progress. Therefore, automated False Positive Mitigation (FPM) is very critical for improving the performance of SAST tools. The paper points out that the existing methods based on large - language models (LLMs) have two main limitations: 1. **The extracted code fragments are too broad and messy**: The relevant warning code fragments usually contain too much irrelevant control - flow and data - flow information, reducing the precision. 2. **The lack of key code context**: Important code context information (such as global variables or external function definitions) is often ignored, resulting in an incomplete representation, which in turn misleads LLMs and causes inaccurate evaluations. To solve these problems, the authors propose a framework named LLM4FPM, which aims to use accurate and complete code context to guide LLMs for automatic false - positive mitigation. The core components of this framework include: - **eCPG - Slicer**: Build an Extended Code Property Graph (eCPG) and then extract the line - level accurate code context related to the warning from it. - **FARF algorithm**: Build a file reference graph and identify strongly connected components to efficiently detect all files related to a given warning in linear time, ensuring a complete code - context representation. Through these improvements, LLM4FPM can more accurately determine whether the warnings generated by SAST tools are false positives, thereby significantly reducing the number of false positives and improving development efficiency and code quality. ### Specific contributions 1. **Proposed a line - level accurate code slicer eCPG - Slicer**: It builds an Extended Code Property Graph (eCPG) and extracts the line - level code context related to the warning from a given file. 2. **Designed a linear - complexity algorithm FARF**: It is used to identify the source files related to the warning, enabling the slicer to extract the complete code context. 3. **Integrated eCPG - Slicer and FARF algorithm into the LLM4FPM framework**: This framework can efficiently drive LLMs to judge the warnings generated by SAST tools. ### Evaluation results The paper evaluated LLM4FPM on the Juliet data set. The results show that it achieved an F1 score of more than 99% on various Common Weakness Enumerations (CWEs), and the false - positive rate in actual projects was reduced by more than 85%. In addition, the operation cost of LLM4FPM is low, with an average inspection time of 4.7 seconds per warning, saving about $2,758 per run. In conclusion, this paper emphasizes the importance of accurate and complete code context and shows the potential of combining program analysis with LLMs, promoting the development of automatic vulnerability analysis and improving the quality and efficiency of modern software development.