jaimefjorge 4 days ago

Hey thanks for testing! That's been my experience as well, it's very frequent to see libraries with vulnerable versions being introduced in code. What's also interesting is that, despite using incredible AI coding models like Sonnet 4, you still get CVEs in your code. Try this with Codacy Guardrails: "create a Java server using undertow".

Thanks for testing. Please do share your feedback when you test further!

im3w1l 4 days ago

I mean it's almost inherent to LLMs, right? Like they only know about versions before their knowledge cutoff. I guess it's a big argument for not putting exact versions in files generated by LLMs, only major (+minor?)

jaimefjorge 4 days ago

Yes. My point is that because of training cutoffs it should be mandatory to run SCA scans when dealing with AI code generation. Not putting exact versions would be a good idea. But that’s not what’s happening today.
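The SCA check the thread calls for, shown as an added example that is not from either commenter or from Codacy: it parses a constructed Maven pom.xml of the kind a model might emit for an undertow server and compares each pinned version against a constructed, placeholder advisory table (the advisory id and version range are made up, not a real CVE).

```python
# Added example: minimal SCA-style check over a pom.xml, flagging pinned
# dependency versions that fall inside an advisory's affected range.
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment (sample input, not taken from any real project).
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>io.undertow</groupId>
      <artifactId>undertow-core</artifactId>
      <version>2.0.1.Final</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisory table: placeholder data, NOT a real CVE.
# (groupId, artifactId) -> list of half-open ranges [introduced, fixed).
ADVISORIES = {
    ("io.undertow", "undertow-core"): [
        {"id": "EXAMPLE-ADVISORY-0001", "introduced": "0", "fixed": "2.2.0.Final"},
    ],
}

def parse_version(v):
    """'2.0.1.Final' -> (2, 0, 1); numeric parts compare as ints, trailing
    qualifiers such as 'Final' are dropped."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def parse_pom(xml_text):
    """Return (groupId, artifactId, version) for every <dependency>."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(xml_text)
    return [(d.findtext("m:groupId", namespaces=ns),
             d.findtext("m:artifactId", namespaces=ns),
             d.findtext("m:version", namespaces=ns))
            for d in root.findall(".//m:dependency", ns)]

def check_dependencies(xml_text, advisories=ADVISORIES):
    """List (group, artifact, version, advisory id) for affected pins."""
    findings = []
    for g, a, v in parse_pom(xml_text):
        if v is None:  # unpinned: cannot evaluate here, report for review
            findings.append((g, a, None, "VERSION-NOT-PINNED"))
            continue
        pv = parse_version(v)
        for adv in advisories.get((g, a), []):
            if parse_version(adv["introduced"]) <= pv < parse_version(adv["fixed"]):
                findings.append((g, a, v, adv["id"]))
    return findings
```

Running it in CI after generation catches the case the thread describes: the model pins a version that was current at its training cutoff but is inside an advisory's affected range today.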