If you're curious, here are 158 of Joshua's reported issues on #curl to give you an idea what we talk about.
We have manually gone through them all and dismissed or addressed them. None of them has been deemed a security problem. Not all the PRs for the valid problems have been merged yet.
Another fun mistake the AI analyzer found:
One of the curl test servers (for SOCKS) had a help text output listing around ten command line options. One of the options it listed was never implemented and thus didn't work. The AI found this out and reported it.
Kind of cool.
As of now, I am no longer the author of more than half the lines added to the #curl repository. The "others" have overtaken me. I have now added less than half the lines.
On the topic of AI tools finding issues: we always thought they *could* do good. The right tool used by a skilled person is a recipe for awesome outcomes. An AI chat in the hands of someone who doesn't quite know what they ask for nor understand what the output says is not. Not to mention that the LLMs frequently just plainly lie.
A primary problem is the myths sold by "big AI" that make people believe they can do these things by themselves. That leads to slop avalanches.
I said it before. Getting a confirmed security vulnerability can be truly soul crushing and leave you wondering WHY THE HECK did we do it that way? Or why didn't we address this before? Especially when it is so obvious that *I* made the mistake.
Then slowly realize and accept that for every found and fixed vulnerability, we make the product a tad bit better.