AI has found 50 bugs in cURL. "AI-native SASTs work well"

Summary

AI-generated bug reports are usually trash. But when a security researcher used LLM-based scanners the right way, he found 50 real bugs in libcURL. Swedish tech journalist talks to Swedish cURL maintainer Daniel Stenberg and to Joshua Rogers, an australian hacker / security researcher that used AI SAST tools to find 50 real cURL bugs – and counting. With the help of generative AI–based tools, a developer named Joshua Rogers has identified no fewer than 50 flaws in one of the world’s most widely used open-source projects, cURL. The Swedish maintainer of cURL — who recently vented his frustration over worthless AI-generated bug reports — is, this time, astonished by AI’s capability. Something big just happened in the cybersecurity world. Generative AI has now proven that it can independently discover new vulnerabilities in high-quality source code. New generative AI tools are suddenly digging up bugs that traditional static analysis tools have been overlooking for years. Daniel Stenberg ”I’m actually overwhelmed by the quality of some of these findings”, says Daniel Stenberg, maintainer of the file-transfer library cURL, in an interview with Swedish industrial electronics news publisher Elektroniktidningen ("Electronics Magazine”, etn.se). In a well-known talk this August, Daniel Stenberg warned that he and his team were being flooded with AI-generated bug reports — wrong, confused, hallucinatory garbage created by generative AI. Such “AI slop” has begun to waste valuable time for open-source maintainers, not only in cURL. The community is struggling with how to stem the tide. Still, banning AI wasn’t the solution, Stenberg argued back then. He believed that AI might yet prove useful. And he turned out to be right. In September, a batch of cURL bug reports arrived that has so far led to 50 fixes in the cURL library source code. It marks a clean break from the previous wave of junk reports. There may have been the odd valid AI-based bug report before, but this time, St...