Dutch and Iranian security researchers have created an automated genAI tool that can scan huge open source repositories and patch vulnerable code that could compromise applications.
Tested by scanning GitHub for a particular path traversal vulnerability in Node.js projects that’s been around since 2010, the tool identified 1,756 vulnerable projects, some described as “very influential,” and led to 63 projects being patched so far.
The tool opens the possibility for genAI platforms like ChatGPT to automatically create and distribute patches in code repositories, dramatically increasing the security of open source applications.
But the research, described in a recently published paper, also points to a serious limitation in the use of AI that will need to be fixed for this solution to be effective. While automated patching by a large language model (LLM) dramatically improves scalability, the patch also might introduce other bugs.
