qa34514324 5 days ago

I have tested the AI SAST tools that were hyped after a curl article on several C code bases and they found nothing.

Which low-level code base have you tried this latest tool on? Official Anthropic commercials do not count.

simonw 5 days ago | parent [-]

You're posting this comment on a thread attached to an article where Filippo Valsorda - a noted cryptography expert - used these tools to track down gnarly bugs in Go cryptography code.

tptacek 5 days ago | parent | next [-]

They're also using "AI SAST tools", which: I would not expect anything branded as a "SAST" tool to find interesting bugs. SAST is a term of art for "pattern matching to a grocery list of specific bugs".

bgwalter 5 days ago | parent [-]

ZeroPath for example brands itself as "AI" SAST. I agree that these tools do not find anything interesting.

delusional 5 days ago | parent | prev [-]

These are not "gnarly bugs".

tptacek 5 days ago | parent [-]

They're not?

nmadden 5 days ago | parent [-]

100% reproducible deterministic bugs are absolutely the easiest class of bugs.