Daniel Stenberg on 22 curl bugs found by AI and fixed (mastodon.social)

🤖 AI Summary
Daniel Stenberg reported that AI tools helped uncover 22 bugs in curl that have since been fixed, a concrete example of machine-learning-assisted code review finding subtle, real issues in a mature open-source project. The story underscores both the practical value and the current limits of AI for software security: these tools can comb through large codebases and surface edge cases humans might miss, speeding up SAST and pentester workflows, but they also tend to produce noisy or fabricated results that require human validation. One concrete technical example: a socket read that returns "OK" with a length of 0 actually indicates that the peer closed the connection, and that closure therefore counts as the server's first reply; a variable named first_byte was meant to track that first_reply. The code's behaviour was correct, but the misleading name caused confusion; the AI flagged the anomaly, and the maintainers resolved the related issues. A linked long-form review of SAST and security AI tools documents broader findings and caveats. Bottom line: ML tools are already useful for spotting patterns and inconsistencies in code, but their output must be interpreted by knowledgeable engineers to avoid chasing hallucinations or misdiagnosed bugs.
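As an added illustration (not curl's code; the types, function names and the sample read results are assumptions), the C below shows why a zero-length socket read is itself a reply from the peer, and why naming the flag after what it records avoids the kind of confusion the summary describes:

```c
#include <stddef.h>
#include <stdio.h>

/* What one socket read result means once interpreted. */
typedef enum { READ_DATA, READ_PEER_CLOSED, READ_ERROR } read_outcome;

/* Per-connection state.  The flag is named for what it records: whether
 * the server has replied at all.  An orderly close (0-length read) counts,
 * so a name like "first_byte" would misdescribe it. */
typedef struct {
    int first_reply_seen;
    size_t total_received;
} conn_state;

/* Interpret n, the return value of recv()/read() on the socket:
 *   n > 0   data arrived
 *   n == 0  orderly close by the peer: no bytes, but it is the reply
 *   n < 0   error; nothing learned, state left unchanged */
read_outcome classify_read(conn_state *st, long n)
{
    if (n < 0)
        return READ_ERROR;
    st->first_reply_seen = 1;       /* both data and EOF are replies */
    if (n == 0)
        return READ_PEER_CLOSED;
    st->total_received += (size_t)n;
    return READ_DATA;
}

/* Feed a constructed sequence of read results through classify_read and
 * return the index of the read that produced the first reply, or -1. */
int index_of_first_reply(const long *results, int count)
{
    conn_state st = {0, 0};
    for (int i = 0; i < count; i++) {
        classify_read(&st, results[i]);
        if (st.first_reply_seen)
            return i;
    }
    return -1;  /* the peer never replied */
}

int main(void)
{
    /* constructed sample: one transient error, then the peer closes */
    long sample[] = { -1, 0 };
    int idx = index_of_first_reply(sample, 2);
    printf("first reply came at read #%d (peer closed, 0 bytes)\n", idx);
    return 0;
}
```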