daniel:// stenberg://

2 days ago

daniel:// stenberg://
2 days ago

We currently have three pending CVEs to be announced in the next #curl release (severity low + medium x 2)

All three found with AI powered tooling.

So it is happening.

#curl

in reply to daniel:// stenberg://

shadowwwind

in reply to daniel:// stenberg:// 2 days ago

If you know, where they reported by people new in the field or did they understand what they were reporting?

in reply to shadowwwind

daniel:// stenberg://

in reply to shadowwwind 2 days ago

all three of them were reported by people with knowledge, respect and understanding. Just proving that tooling is still just one part of this.

in reply to daniel:// stenberg://

Tane Piper ⁂

in reply to daniel:// stenberg:// 2 days ago

This is good to see - AI still produces a lot of crap and loves to randomly change code - but when *focused* on finding issues with a human who understands the code I've found the hit rate is close to 100% correct so far.

in reply to Tane Piper ⁂

sijmen (now on iceshrimp)

in reply to Tane Piper ⁂ 2 days ago

@tanepiper@shadowwwind@bagder I suppose using AI to find vulnerabilities is not unlike using a fuzzer to find vulnerabilities. Sure, it can find many positives, but it's up to the human to determine if it's a true or false one.

@daniel:// stenberg:// @Tane Piper ⁂ @shadowwwind

This entry was edited (2 days ago)

in reply to sijmen (now on iceshrimp)

Tane Piper ⁂

in reply to sijmen (now on iceshrimp) 2 days ago

My concern here that LLMs do give worse-than results than something like Sonar - in many cases *static* code analysis was good enough to catch things that LLMs miss.

Ideally we would still use different tools, but GitHub seems to want to push everything into models.

tane.codes/@tanepiper/11567433…

Tane Piper ⁂

2025-12-06 19:44:21

Turned on the new #GitHub "Code Quality" feature that seems to be some extended CodeQL + AI.
It's actually worse than anything #SonarQube gave us. That actually gave really good reports on code smells, regressions and coverage failure. It was reliable.
It really does appear tech companies are replacing everything with expensive, resource intensive systems that give worse results and expect us to pay more @pluralistic #enshitificaton

in reply to Tane Piper ⁂

daniel:// stenberg://

in reply to Tane Piper ⁂ 2 days ago

based on what? The AI-powered code analyzers we engage with now seem to outperform the ones without AI... This is anecdotal observations in our project only.

in reply to daniel:// stenberg://

Tane Piper ⁂

in reply to daniel:// stenberg:// 2 days ago

different strokes I guess 🤷🏼‍♀️ we maintain a platform across multiple technologies.

in reply to Tane Piper ⁂

daniel:// stenberg://

in reply to Tane Piper ⁂ 2 days ago

you also need to compare to and use the dedicated tools made for this, not just "an LLM". The AI chat things are still horrible.

in reply to daniel:// stenberg://

While hibernating, Svavar

in reply to daniel:// stenberg:// 2 days ago

Considering how many garbage AI pull requests you must get, I imagine it's still unclear if the technology is a net positive.

I think it's also important to note that the PRs were reviewed by someone skilled so, while the LLM may have helped, the vulnerabilities were still vetted by a human who understood what was wrong.

⇧

daniel:// stenberg:// 2 days ago • •

daniel:// stenberg://
2 days ago