daniel:// stenberg:// @bagder@mastodon.social
6mo
We currently have three pending CVEs to be announced in the next release (severity low + medium x 2)

All three found with AI powered tooling.

So it is happening.
shadowwwind @shadowwwind@fosstodon.org
6mo
@bagder If you know, were they reported by people new in the field, or did they understand what they were reporting?
daniel:// stenberg:// @bagder@mastodon.social
6mo
@shadowwwind all three of them were reported by people with knowledge, respect and understanding. Just proving that tooling is still just one part of this.
Tane Piper ⁂ @tanepiper@tane.codes
6mo
@bagder @shadowwwind This is good to see - AI still produces a lot of crap and loves to randomly change code - but when focused on finding issues with a human who understands the code I've found the hit rate is close to 100% correct so far.
sijmen @sijmen@shrimp.vijf.life
6mo
@tanepiper @shadowwwind @bagder I suppose using AI to find vulnerabilities is not unlike using a fuzzer to find vulnerabilities. Sure, it can find many positives, but it's up to the human to determine if it's a true or false one.
Tane Piper ⁂ @tanepiper@tane.codes
6mo
@sijmen @shadowwwind @bagder My concern here is that LLMs do give worse results than something like Sonar - in many cases static code analysis was good enough to catch things that LLMs miss.

Ideally we would still use different tools, but GitHub seems to want to push everything into models.

tane.codes/@tanepiper/115674333918638273
sijmen @sijmen@shrimp.vijf.life
6mo
@tanepiper @shadowwwind @bagder I definitely agree that LLM vulnerability finding should only be done after the right tools are in place, like, indeed, static analysis.