[organsnyder]

Finding a vulnerability by looking at the diff that fixed it is very different than just looking through the code.

[Izkata]

They're saying to do that scan to every diff before release, to see if it finds anything.

[riknos314]

I believe their point was that:

"How likely is this diff a patch for an existing vulnerability?"

Seems to be an easier question to answer than

"Are there any new vulnerabilities introduced by this diff?"

In other words identifying that a patch is for a vulnerability is typically easier than finding the vulnerability in the first place.

[luipugs]

If the diff will just be fed to LLMs regardless then what is easier is probably a moot point.

[alt227]

The point is that even if all code commits are scanned as safe by ai, black hats can still analyse the commits and diffs to find vulnerabilites for people who havent patched yet.

Scanning every commit doesnt automatically make everyone in the world patch immediately, vulns can still be found from commits and diffs and used against those who havent patched yet.

[Izkata]

Look at GP to my comment again, the one I was clarifying: they're not talking about black hats or any other kind of hacker, they're talking about the original developers and preventing such vulnerabilities from existing in the first place.

[alt227]

Yes I am aware, however that still does not stop anybody examining your commits and diffs to find vulnerabilities.

Do you assume ai will just stop at a certain level? Or is it possible that it will keep increasing in intelligence? If the latter, then isnt it possible that even if you are auto checking all your commits, next week a more advanced ai model might be released that finds vulns in your old commits, even though they were checked by (an inferior) ai?

Blinding saying that auto checking commits will make you safe from ai based attacks and vulnerability free is just madness.

[skinfaxi]

The diff yields the patched code which is used to produce the exploit.