Something not priced into open-source security is AI reviewing code for potential vulnerabilities. It's not perfect of course, but it can call for more expert review by identifying suspicious practices in code or simply labeling a library as sus.
Recently added our repos to Socket to monitor our npm-based supply chain for deps, and it's pretty awesome. Will be even more awesome when there are several others available.
If you applied such an AI bot to the XZ backdoor and it found it (without including it in your dataset, of course), I'd be more enthusiastic. The degree of code obfuscation with this one was pretty high, to be fair.
This actually would be an interesting experiment.
Did somebody try to test whether running copilot or any other source code AI tool will identify it as a vulnerability?
Yeah, it was buried really well, but that will also result in automating new kinds of tests.
I look forward to it.