English

Many Tools, Few Exploitable Vulnerabilities: A Survey of 246 Static Code Analyzers for Security

Cryptography and Security 2026-02-23 v1 Software Engineering

Abstract

Static security analysis is a widely used technique for detecting software vulnerabilities across a wide range of weaknesses, application domains, and programming languages. While prior work surveyed static analyzes for specific weaknesses or application domains, no overview of the entire security landscape exists. We present a systematic literature review of 246 static security analyzers concerning their targeted vulnerabilities, application domains, analysis techniques, evaluation methods, and limitations. We observe that most analyzers focus on a limited set of weaknesses, that the vulnerabilities they detect are rarely exploitable, and that evaluations use custom benchmarks that are too small to enable robust assessment.

Keywords

Cite

@article{arxiv.2602.18270,
  title  = {Many Tools, Few Exploitable Vulnerabilities: A Survey of 246 Static Code Analyzers for Security},
  author = {Kevin Hermann and Sven Peldszus and Thorsten Berger},
  journal= {arXiv preprint arXiv:2602.18270},
  year   = {2026}
}
R2 v1 2026-07-01T10:44:16.461Z