I reviewed more code that was also reviewed by an AI service. None of the issues it flagged were real issues, but of course, the comments generated by it were confident and did talk about real security problems. It's just that those security problems weren't in the code it highlighted.
Also, it appears to have been trained on comments that use the word "necessitates" a lot.
One of its issues was that framework internals were being manipulated. I think `Object.keys(someObjectFromTheFramework)` led it toward that output. Then there was another in which some string was being validated via multiple clauses connected by `&&`, with the final one being `someString.length > 2`. It said oh, only strings longer than 2 are being validated. I could see some statistical basis for that. I guess the probability of the (correct) interpretation that strings longer than 2 are being further validated because shorter ones were already rejected is less likely.
Anyway, Snyk right now is a business that just pitches out tons of false positives and yet has a billion in VC cash.