Blog | G5 Cyber Security

Certifying Software: Why We're Not There Yet

Many state-of-the-art software assurance tools, technologies and capabilities have not kept pace with the complexity and size of modern software. Static analysis is listed by Underwriters Lab as one of the assessments that will be used to identify weaknesses in software, along with other activities such as fuzz testing, evaluation of known vulnerabilities, hunting for malware, and static binary analysis. There is a dirty little secret about static analysis tools that is largely ignored: there is a residual risk in using these tools.

Source: https://www.darkreading.com/attacks-breaches/certifying-software-why-we-re-not-there-yet
