Static Analysis Tools (SATs) are central to security engineering activities, as they enable early identification of code weaknesses without requiring execution. However, their effectiveness is often limited by high false-positive rates and incomplete coverage of vulnerability classes. At the same time, developers frequently document security-related shortcuts and compromises as Self-Admitted Technical Debt (SATD) in software artifacts, such as code comments. While prior work has recognized SATD as a rich source of security information, it remains unclear whether -and in what ways- it is utilized during SAT-aided security analysis. OBJECTIVE: This work investigates the extent to which security-related SATD complements the output produced by SATs and helps bridge some of their well-known limitations. METHOD: We followed a mixed-methods approach consisting of (i) the analysis of a SATD-annotated vulnerability dataset using three state-of-the-art SATs and (ii) an online survey with 72 security practitioners. RESULTS: The combined use of all SATs flagged 114 of the 135 security-related SATD instances, spanning 24 distinct Common Weakness Enumeration (CWE) identifiers. A manual mapping of the SATD comments revealed 33 unique CWE types, 6 of which correspond to categories that SATs commonly overlook or struggle to detect (e.g., race conditions). Survey responses further suggest that developers frequently pair SAT outputs with SATD insights to better understand the impact and root causes of security weaknesses and to identify suitable fixes. IMPLICATIONS: Our findings show that such SATD-encoded information can be a meaningful complement to SAT-driven security analysis, while helping to overcome some of SATs' practical shortcomings.

翻译：静态分析工具（SATs）是安全工程活动的核心，因其能够在无需执行代码的情况下实现早期缺陷识别。然而，其有效性常受限于较高的误报率以及对漏洞类别覆盖的不完整性。与此同时，开发者常在软件制品（如代码注释）中将与安全相关的临时方案和妥协记录为自承技术债务（SATD）。尽管已有研究认识到SATD是安全信息的丰富来源，但尚不清楚在SAT辅助的安全分析过程中是否——以及以何种方式——利用了这些信息。目标：本研究旨在探究与安全相关的SATD能在多大程度上补充SATs的输出结果，并帮助弥合其某些已知局限。方法：我们采用混合方法，包括（i）使用三种前沿SAT工具对SATD标注的漏洞数据集进行分析，以及（ii）对72位安全从业者开展在线调查。结果：所有SAT工具联合使用共标记出135个安全相关SATD实例中的114个，涵盖24个不同的通用缺陷枚举（CWE）标识符。对SATD注释的人工映射揭示了33种独特的CWE类型，其中6类对应SAT工具通常忽略或难以检测的漏洞类别（例如竞争条件）。调查反馈进一步表明，开发者经常将SAT输出与SATD信息结合使用，以更深入理解安全缺陷的影响与根本原因，并确定合适的修复方案。启示：我们的研究结果表明，此类SATD编码信息能够有效补充SAT驱动的安全分析，同时有助于克服SATs在实际应用中的某些缺陷。