Running SAST products against benchmark applications can help assess their capabilities, but results may vary because some benchmark vulnerabilities are intentionally faked and because SAST tools are limited in detecting business logic flaws. Two categories of test cases are often excluded from ground-truth datasets: fake vulnerabilities and purely business logic vulnerabilities. Fake vulnerabilities, such as those found in the WebGoat platform, are intentionally designed to be undetectable by SAST tools, while purely business logic vulnerabilities rely on context and human understanding to identify potential security issues. As a result, SAST tools excel at detecting code-level issues but may struggle with issues that require contextual understanding, such as authentication or access-control flaws.
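The contrast drawn above, as an added example that is not from the original page or from WebGoat: a code-level SQL injection with a source-to-sink flow, a simulated ("fake") exercise, and an access-control gap, with the fixed form beside the two real flaws. The schema, the function names and the shape of the simulated exercise are constructed assumptions for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: two users, one invoice each.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "alice", 120), (2, "bob", 950)])
    return db

def search_code_level_flaw(db, owner):
    # Code-level issue: untrusted input is concatenated into the SQL text.
    # A source-to-sink data flow exists, which is what SAST rules look for.
    return db.execute("SELECT id FROM invoices WHERE owner = '" + owner + "'").fetchall()

def search_fixed(db, owner):
    # Parameterized query: the input no longer reaches the SQL text.
    return db.execute("SELECT id FROM invoices WHERE owner = ?", (owner,)).fetchall()

def simulated_lesson(answer):
    # "Fake" vulnerability (assumed shape): the exercise only compares the
    # submitted string with an expected answer. No query is ever built, so
    # the code contains no vulnerable data flow for a scanner to report.
    return answer.strip() == "expected-lesson-answer"

def get_invoice_logic_flaw(db, current_user, invoice_id):
    # Business-logic issue: the query is safely parameterized, but nothing
    # ties the invoice to current_user. Whether that is a flaw depends on
    # the application's rules, which the code itself does not express.
    return db.execute("SELECT owner, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()

def get_invoice_fixed(db, current_user, invoice_id):
    # Hardened: the ownership rule is enforced in the query itself.
    row = db.execute("SELECT owner, amount FROM invoices WHERE id = ? AND owner = ?",
                     (invoice_id, current_user)).fetchone()
    if row is None:
        raise PermissionError("invoice not found for this user")
    return row

if __name__ == "__main__":
    db = make_db()
    print(search_code_level_flaw(db, "x' OR '1'='1"))  # both invoice ids
    print(search_fixed(db, "x' OR '1'='1"))            # no rows
    print(get_invoice_logic_flaw(db, "alice", 2))      # bob's invoice
```

The first pair differs in syntax a scanner can match; the second pair differs only in a rule about who may read what, which is why such cases need a reviewer who knows the intended policy.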