Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
demorro 3 hours ago

If you're not already applying static analysis and linters to your codebase (and I know many of you aren't), ask yourself why you would bother to apply an expensive LLM tool?

Not to say these things won't catch vulnerabilities static tools cannot, I think they can, it's just we already have the capability to automatically catch a large surface area of common vulns, and have chosen not to, often for expense reasons.

If you're a team that does already apply several layers of analysis and linting, and wants to add this on top, all power to you.

SkyPuncher 3 hours ago | parent | next [-]

> If you're not already applying static analysis and linters to your codebase

Because most issues are in business logic that static analyzers aren't going to catch.

solenoid0937 an hour ago | parent | prev | next [-]

Static analysis won't develop a one click exploit that works end to end for you.

I'm at a FAANG and even our static analysis tools are not great at identifying how many issues are actually reachable.

Ideally you use both. An AI model that has static analysis as part of the harness, so it can evaluate each potential finding.

nozzlegear an hour ago | parent [-]

> Ideally you use both. An AI model that has static analysis as part of the harness, so it can evaluate each potential finding.

Ideally the static analysis tools are improved so that we don't need to piss away yet more tokens like we're competing on Mark's leaderboard just to find vulnerabilities.

solenoid0937 an hour ago | parent [-]

When you reach that ideal world, let me know. My company has thrown a decade+ and multiple teams at the idea you've described. We still aren't there yet.

Your proposal of relying purely on static analysis is over-idealistic and just not feasible for large, diverse codebases in the real world.

That's where AI comes in.

sobellian 3 hours ago | parent | prev | next [-]

Static analysis often shows many false positives. A more intelligent tool can help not to waste limited engineering time.

seanmcdirmid 2 hours ago | parent [-]

False positives are noise, but if the tool is filtering out its own noise via AI, it might work. Or you could take a high false positive/low false negative tool and instead of bothering humans with its noisy output, have AI investigate and evaluate if found issues are false positives or not.

redsocksfan45 3 hours ago | parent | prev [-]

[dead]