Comparing SAST tools is challenging because the usual yardsticks (vulnerability lists, test suites, and benchmarks) all have shortcomings. These methods are limited in scope, too generic, potentially outdated, and may not be relevant to every language or environment. Test suites and intentionally vulnerable apps add problems of their own, such as limited language support, overfitting, and a lack of semantic holism. As a result, these standards are not ideal for measuring SAST tools, though they can still help educate developers about common security issues.
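
To make the language-support concern concrete, here is a minimal sketch of how a test-suite score might be computed per language. Everything in it is hypothetical: the suite, the case IDs, and the set of flagged cases are invented for illustration and do not model any real tool or benchmark.

```python
from collections import defaultdict

# Hypothetical labeled test suite: (case_id, language, is_really_vulnerable).
SUITE = [
    ("case-01", "java", True),
    ("case-02", "java", True),
    ("case-03", "java", False),
    ("case-04", "java", False),
    ("case-05", "python", True),
    ("case-06", "python", False),
]


def score_by_language(suite, flagged):
    """Return {language: (true_positive_rate, false_positive_rate)}."""
    counts = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for case_id, lang, vulnerable in suite:
        hit = case_id in flagged
        if vulnerable:
            key = "tp" if hit else "fn"
        else:
            key = "fp" if hit else "tn"
        counts[lang][key] += 1

    result = {}
    for lang, c in counts.items():
        positives = c["tp"] + c["fn"]
        negatives = c["fp"] + c["tn"]
        # A rate is undefined (None) when the suite has no cases of that kind.
        tpr = c["tp"] / positives if positives else None
        fpr = c["fp"] / negatives if negatives else None
        result[lang] = (tpr, fpr)
    return result


# Hypothetical output of one tool: the case IDs it reported as vulnerable.
flagged_by_tool = {"case-01", "case-02", "case-06"}
scores = score_by_language(SUITE, flagged_by_tool)

for lang, (tpr, fpr) in sorted(scores.items()):
    print(f"{lang}: TPR={tpr} FPR={fpr}")
```

In this made-up run the tool looks perfect on the Java cases and poor on the Python ones, yet four of the six cases are Java, so a single aggregate number would mostly reflect Java. A suite that covers few languages, or covers them unevenly, says little about how the tool behaves elsewhere.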