lpapez, 2 days ago:

What is the overall severity distribution, including human code? Based on the churn I have fixing security vulnerabilities reported by Snyk and Trivy, I have a feeling that issues have a tendency to be labeled mostly as HIGH or CRITICAL when they are assigned a CVE, for better or worse.
dmonroy, 2 days ago:

You're absolutely right about CVE inflation. I deal with the same Snyk/Trivy noise daily, where a prototype pollution in some deep dependency gets marked CRITICAL. Our distribution (71% High, 18% Critical) is definitely skewed compared to normal CVEs. Part of this is selection bias: nobody reports when AI generates boring secure code. But even accounting for that, the pattern is real: AI seems to either nail security or fail spectacularly. Very few "medium" mistakes.

The key difference from your Snyk alerts: these aren't dependency updates or theoretical vulnerabilities. They're actual logic flaws:

- Missing auth checks
- SQL injections
- Hardcoded secrets

You know, the stuff that makes you go "how did this pass code review?" This is ongoing research, and hopefully we'll be in a position to elaborate better conclusions soon.
DeepYogurt, a day ago:

Highs and Criticals together are more than 50%.