
Scubabear68 | 2 months ago

From the article:

> It has been proven numerous times already that strcpy in source code is like a honey pot for generating hallucinated vulnerability claims

This closing thought in the article really stood out to me. Why even bother to run AI checking on C code if the AI flags strcpy() as a problem without caveat?


CGamesPlay | 2 months ago

It's not quite as black and white as the article implies. The hallucinated vulnerability reports don't flag it "without caveat", they invent a convoluted proof of vulnerability with a logical error somewhere along the way, and then this is what gets submitted as the vulnerability report. That's why it's so agitating for the maintainers: it requires reading a "proof" and finding the contradiction.
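The point in the original post and in this reply, that a strcpy() call is only a bug when the bound it relies on is actually missing, as an added example (not code from the article or from any commenter; the record struct, NAME_MAX and the sentinel field are constructed for the demonstration). The sentinel lets the reader verify that the guarded copy never writes past the buffer, which is the check a reviewer has to trace instead of pattern-matching on the call:

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

/* Sentinel after the buffer is a test aid only: it lets us confirm that
   no write went past name[]. */
struct record {
    char name[NAME_MAX];
    unsigned sentinel;
};

/* Copy src into r->name. Returns 1 on success, 0 if src does not fit.
   The strcpy is safe because a NUL is proven to lie within the first
   NAME_MAX bytes of src, so at most NAME_MAX bytes are written. */
int record_set_name(struct record *r, const char *src)
{
    /* memchr never scans past NAME_MAX bytes, unlike strlen(). */
    if (memchr(src, '\0', NAME_MAX) == NULL)
        return 0;              /* too long: refuse and leave r->name alone */
    strcpy(r->name, src);      /* bound established above */
    return 1;
}

/* Exercise the guard with an all-'x' input of the given length. Returns 1
   if the outcome matches the bound and the sentinel survived intact. */
int guard_holds_for_length(size_t len)
{
    char src[NAME_MAX + 16];
    struct record r;
    if (len >= sizeof src) return 0;
    memset(src, 'x', len);
    src[len] = '\0';
    r.name[0] = '\0';
    r.sentinel = 0xA5A5A5A5u;
    int ok = record_set_name(&r, src);
    int expected = (len < NAME_MAX);           /* len + NUL must fit */
    if (ok != expected) return 0;
    if (ok && strlen(r.name) != len) return 0;
    if (!ok && r.name[0] != '\0') return 0;    /* rejected input untouched */
    return r.sentinel == 0xA5A5A5A5u;
}

int main(void)
{
    size_t lens[] = { 0, 5, NAME_MAX - 1, NAME_MAX, NAME_MAX + 10 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len %2zu: %s\n", lens[i],
               guard_holds_for_length(lens[i]) ? "guard holds" : "BROKEN");
    return 0;
}
```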

Sharlin | 2 months ago

Because these people who run AI checks on OSS code and submit bogus bug reports either assume that AIs don't make mistakes, or just don't care if the report is legit or not, because there's little to no personal cost to them even if it isn't.

skirge | 1 month ago

Even a stupid report may give you invites to private programs.

saagarjha | 2 months ago

Because people are stupid and use AI for things it is not good at.

Tempest1981 | 2 months ago

> people are stupid

people overestimate AI