Your approach could result in false positives, but more likely in false negatives, which is worse, and/or in risk ratings that are too low.
The data flow analyzer uses global, inter-procedural taint propagation analysis to detect the flow of data between a source (user input) and a sink (dangerous function call).
If the data flow analyzer cannot find the sink, then the analyzer will stop following this taint propagation and move on to another, missing the vulnerability (false negative).
The following pseudo-code is an example of both PII exposure and SQL Injection:
    import java.sql.*;

    public class Example {
        static Connection connection; // obtained elsewhere, e.g. DriverManager.getConnection(...)

        public static void main(String args[]) throws Exception {
            ResultSet results = SQLInj(args);
            if (results.next()) {
                System.out.println(results.getString("password")); // PII exposure: prints a password
            }
        }

        // Deliberately vulnerable: the user-supplied argument is concatenated into the query (SQL Injection)
        public static ResultSet SQLInj(String args[]) throws SQLException {
            String query = "SELECT * FROM user_data WHERE last_name = '" + args[0] + "'";
            Statement statement = connection.createStatement();
            ResultSet results = statement.executeQuery(query);
            return results;
        }
    }
The source is main->args[] and the sink is SQLInj->executeQuery().
If the function SQLInj resides in code that is not scanned (not your team's code), the SQL Injection issue will not be found, because the data flow analyzer never reaches the sink. The PII exposure may still be found by the semantic analyzer by looking for the word "password", but with a much lower confidence rating.
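To make the false negative concrete, here is an added example (not code from the original post, and not any real analyzer's implementation): a toy inter-procedural taint tracker over a tiny made-up intermediate representation. It models the snippet above with the same function and variable names (main, args, SQLInj, query, executeQuery) and runs it twice, once with both functions in the scanned set and once with only main scanned. In the second run the trace from main->args stops at the call to SQLInj and the executeQuery sink is never reached, which is exactly the missed finding described above.

```python
# Added example: a toy inter-procedural taint tracker, not any real
# analyzer's code. The IR and the PROGRAM below are constructed for
# illustration.
from dataclasses import dataclass

# Minimal intermediate representation. Each statement is a tuple:
#   ("assign", dst, src)          dst = src
#   ("concat", dst, [a, b, ...])  dst = a + b + ...   (string building)
#   ("call", dst, callee, [args]) dst = callee(args)
#   ("sink", name, [args])        dangerous call, e.g. executeQuery(query)
#   ("return", var)               return var
@dataclass
class Func:
    name: str
    params: list
    body: list


def analyze(program, scanned, entry, source_params):
    """Return (source, sink) pairs reachable by taint from the given source
    parameters of `entry`. Functions whose name is not in `scanned` are
    invisible to the analyzer, simulating code that was not scanned."""
    findings = []

    def run(fname, arg_taint, source, stack):
        f = program[fname]
        tainted = {p for p, t in zip(f.params, arg_taint) if t}
        ret_tainted = False
        for stmt in f.body:
            kind = stmt[0]
            if kind == "assign":
                _, dst, src = stmt
                is_t = src in tainted
                tainted.discard(dst)
                if is_t:
                    tainted.add(dst)
            elif kind == "concat":
                _, dst, parts = stmt
                is_t = any(p in tainted for p in parts)
                tainted.discard(dst)
                if is_t:
                    tainted.add(dst)
            elif kind == "call":
                _, dst, callee, args = stmt
                arg_taint = [a in tainted for a in args]
                if callee not in scanned or callee not in program or callee in stack:
                    # The analyzer cannot see into this callee (not scanned,
                    # unknown, or recursive): the trace stops here and any
                    # sink inside the callee is never reached (false negative).
                    is_t = False
                else:
                    is_t = run(callee, arg_taint, source, stack + [callee])
                tainted.discard(dst)
                if is_t:
                    tainted.add(dst)
            elif kind == "sink":
                _, name, args = stmt
                if any(a in tainted for a in args):
                    findings.append((source, f"{fname}->{name}()"))
            elif kind == "return":
                ret_tainted = stmt[1] in tainted
        return ret_tainted

    f = program[entry]
    for p in source_params:
        run(entry, [q == p for q in f.params], f"{entry}->{p}", [entry])
    return findings


# The post's snippet expressed in the toy IR (constructed). String literals
# in the concat are plain names that are never tainted.
PROGRAM = {
    "main": Func("main", ["args"], [
        ("call", "results", "SQLInj", ["args"]),
    ]),
    "SQLInj": Func("SQLInj", ["args"], [
        ("concat", "query", ["'SELECT * FROM user_data WHERE last_name = ''", "args", "'''"]),
        ("sink", "executeQuery", ["query"]),
        ("return", "results"),
    ]),
}


def full_scan():
    """Both functions are scanned: the source reaches the sink."""
    return analyze(PROGRAM, {"main", "SQLInj"}, "main", ["args"])


def partial_scan():
    """SQLInj lives in code that is not scanned: the trace dies at the call."""
    return analyze(PROGRAM, {"main"}, "main", ["args"])


if __name__ == "__main__":
    print("full scan:   ", full_scan())
    print("partial scan:", partial_scan())
```

The full scan reports one path, main->args to SQLInj->executeQuery(); the partial scan reports nothing at all, and no severity is lowered or warning issued, which is why a partial scan tends toward silent false negatives rather than noisy false positives.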