What is a 'false negative' in this context, and how can it be mitigated?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

What is a 'false negative' in this context, and how can it be mitigated?

Explanation:
A false negative occurs when a real vulnerability exists in the codebase but the scanning tool fails to detect it. This gap can arise if detection rules are outdated, the tool doesn't cover all languages or constructs used, or variants of a vulnerability aren't captured by existing rules. The best way to mitigate this is to keep detection logic current by updating queries and rules, to expand language support so more files and patterns are analyzed, and to refine rules so they catch diverse vulnerability variants without introducing excessive noise. These steps directly address misses in detection, reducing the chance that a vulnerability slips through. The other options describe different problems: reporting duplicates, misclassifying severity, or vulnerabilities that are detected but cannot be fixed.