Shoulda, Woulda...Coulda
Blog post from Semgrep
In Static Application Security Testing (SAST), accurately identifying vulnerabilities is crucial. The common challenge is distinguishing true positives from false positives, and not losing sight of the often-overlooked false negatives: vulnerabilities present in the code that the tool did not detect. Using SAST is an iterative process of scanning for vulnerabilities, triaging the results, and refining detection rules to improve accuracy.

r2c has introduced a new feature in the Semgrep CLI called "shouldafound," which lets users report false negatives directly to the security research team for further analysis and rule updates. This is particularly useful when a bug bounty report reveals a vulnerability Semgrep did not flag, when a manual code review turns up an undetected issue, or when security consultants want automated detection for a specific class of bug they keep finding by hand.

Users report a false negative by specifying the code segment involved and a message describing the issue; the process anonymizes the submitted data, since the reported code may end up being used publicly. The security research team then reviews these reports and updates existing rules or writes new ones, with the aim of raising detection accuracy and reducing false negatives so that users can focus on more critical tasks.
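The triage loop described above (scan, compare against what you know is really there, separate true positives, false positives and false negatives) can be scripted. The following is an added example, not code from the Semgrep project or the original post: it parses a constructed sample in the shape of `semgrep --json` output, reconciles it with a constructed list of vulnerabilities confirmed by other means (a bounty report, a manual review), classifies each item, and builds the argument list for reporting each false negative. All paths, rule ids, line numbers and the `KNOWN_VULNS` list are made up, and the `--start`, `--end` and `-m` flags in `shouldafound_args` are an assumption about the subcommand's interface rather than something stated on the page.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Span:
    """A line range in one file (1-based, inclusive), as Semgrep reports it."""
    path: str
    start: int
    end: int

    def overlaps(self, other: "Span") -> bool:
        return (self.path == other.path
                and self.start <= other.end
                and other.start <= self.end)


@dataclass(frozen=True)
class Finding:
    check_id: str
    span: Span
    message: str


# Constructed sample in the shape of `semgrep --json` output; the paths,
# rule ids, messages and line numbers are made up for this example.
SAMPLE_SEMGREP_JSON = json.dumps({
    "results": [
        {"check_id": "example.sqli-string-concat", "path": "app/db.py",
         "start": {"line": 10}, "end": {"line": 12},
         "extra": {"message": "SQL built with string concatenation"}},
        {"check_id": "example.reflected-xss", "path": "app/views.py",
         "start": {"line": 40}, "end": {"line": 40},
         "extra": {"message": "Unescaped request data rendered"}},
        {"check_id": "example.hardcoded-secret", "path": "app/util.py",
         "start": {"line": 5}, "end": {"line": 5},
         "extra": {"message": "Possible hardcoded secret"}},
    ],
    "errors": [],
})

# Constructed ground truth: vulnerabilities confirmed by other means
# (a bug bounty report, a manual review). Also made up.
KNOWN_VULNS = [
    {"id": "KV-1", "span": Span("app/db.py", 11, 11), "note": "SQL injection in user lookup"},
    {"id": "KV-2", "span": Span("app/views.py", 40, 40), "note": "reflected XSS in search page"},
    {"id": "KV-3", "span": Span("app/tasks.py", 22, 25), "note": "command injection via subprocess"},
]


def parse_findings(raw_json: str) -> list[Finding]:
    """Pull (rule, location, message) triples out of Semgrep's JSON results."""
    data = json.loads(raw_json)
    return [Finding(r["check_id"],
                    Span(r["path"], r["start"]["line"], r["end"]["line"]),
                    r["extra"]["message"])
            for r in data["results"]]


def triage(findings: list[Finding], known: list[dict]) -> dict:
    """Classify results against the known-vulnerability list.

    tp: a known vulnerability that at least one finding overlaps
    fn: a known vulnerability no finding touches (the shouldafound cases)
    fp: a finding overlapping no known vulnerability. These are only
        *candidates*: the ground-truth list may itself be incomplete, so
        each one still needs a human look before being dismissed.
    """
    tp, fn, matched = [], [], set()
    for vuln in known:
        hits = [f for f in findings if f.span.overlaps(vuln["span"])]
        if hits:
            tp.append((vuln, hits))
            matched.update(hits)
        else:
            fn.append(vuln)
    fp = [f for f in findings if f not in matched]
    return {"tp": tp, "fn": fn, "fp": fp}


def precision_recall(summary: dict) -> tuple[float, float]:
    """Precision tracks false positives; recall tracks false negatives."""
    tp, fp, fn = len(summary["tp"]), len(summary["fp"]), len(summary["fn"])
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def shouldafound_args(vuln: dict) -> list[str]:
    """Argument list for reporting one false negative.

    ASSUMPTION: the --start/--end/-m flag names are assumed, not taken from
    the page; confirm them with `semgrep shouldafound --help` before use.
    """
    s = vuln["span"]
    return ["semgrep", "shouldafound", "--start", str(s.start), "--end", str(s.end),
            "-m", f"False negative: {vuln['note']}", s.path]


if __name__ == "__main__":
    summary = triage(parse_findings(SAMPLE_SEMGREP_JSON), KNOWN_VULNS)
    print("precision=%.2f recall=%.2f" % precision_recall(summary))
    for vuln in summary["fn"]:
        print("report:", " ".join(shouldafound_args(vuln)))
```

On the constructed data, two of the three known vulnerabilities are matched, the hardcoded-secret finding matches nothing and goes to the review queue, and the command injection in `app/tasks.py` is the false negative worth sending back so a rule can be written or fixed.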