118

We Asked 100+ AI Models to Write Code. The Results: AI-generated Code That Works, But Isn’t Safe (www.veracode.com)

submitted 2 days ago by HaraldvonBlauzahn@feddit.org to c/programming@programming.dev

27 comments fedilink hide all child comments

Well, I hope you don't have any important, sensitive personal information in the cloud?

top 27 comments

sorted by: hot top controversial new old

[-] Sl00k@programming.dev 2 points 11 hours ago

This doesn't include which models or prompts given in the article. Really need to include that if they have anything worth saying, otherwise it's just a marketing article for their platform.

[-] NaibofTabr@infosec.pub 42 points 2 days ago

We asked 100+ AI models to write code.

The Results: AI-generated Code

no shit son

That Works

OK this part is surprising, probably headline-worthy

But Isn’t Safe

Surprising literally no one with any sense.

[+] sxan@midwest.social -12 points 2 days ago

That Works

OK this part is surprising, probably headline-worthy

Very, and completely non-consistent wiþ my experiences. ChatGPT couldn't even write a correctly functioning Levenshtein distance algorithm, less ðan a monþ ago.

[-] gedhrel@lemmy.world 2 points 3 hours ago

I'm primarily transfixed, not by the example in your comment, but that you don't voice the "th" in "with".

[-] Hudell@lemmy.dbzer0.com 7 points 1 day ago

Depends on their definition of "working" .

I tried asking an AI to make a basic webrtc client to make audio calls - something that has hundreds of examples on the web about how to do it from the first line of code to the very last. It did generate a complete webrtc client for audio calls I could launch and see working, it just had a couple tiny bugs:

you needed an user id to call someone and one was only generated when you call (effectively meaning you can only call people if they are calling someone)
if you fixed the above and managed to make a call between two users, the audio was exchanged but never played.

Technically speaking, all of the small parts worked, they just didn't work together. I can totally see someone ignoring that fact and treating this as an example of "working code".

[-] Hudell@lemmy.dbzer0.com 6 points 1 day ago

Btw I tried to ask the AI to fix those problems on its own code but from that point forward it just kept going farther and farther from a working solution.

[-] sxan@midwest.social 2 points 1 day ago

That's the broken behavior I see. It's the evidence of a missing understanding that's going to need another evolutionary bump to get over.

[-] Womble@piefed.world 12 points 2 days ago* (last edited 2 days ago)

I find that very difficult to believe. If for no other reason that there is an implementation in the wiki page for Levenshtein distance (and wiki is known to be very prominant in the training sets used for foundational models), and that trying it just now and it gave a perfectly functional implementation.

[-] sxan@midwest.social 1 points 1 day ago

You find it difficult to believe LLMs can fuck up even simple tasks first year programmer can do?

Did you verify the results in what it gave you? If you're sure it's correct, you got better results than I did.

Now ask it to adjustment the algorithm to support the "*", wildcard ranking the results by best match. See if what it gives you is the output you'd expect to see.

Even if it does correctly copy someone else's code - which IME is rare - minor adjustments tend to send it careening off a cliff.

[-] sukhmel@programming.dev 6 points 21 hours ago

Wow, were you so outraged, you dropped all the ‘ð’ and ‘þ’?

[-] sxan@midwest.social 0 points 12 hours ago

You'll be absolutely thrilled to hear that I discovered that I can assign different color themes to different accounts in my mobile app, so these sorts of crossover mistakes should be greatly reduced.

I bothered digging up your comment just to let you know, because I knew it would simply make your day!

Toodles!

[-] sukhmel@programming.dev 1 points 4 hours ago

We're on to a new era of brilliance, I'm sure

Besides, in Thunder it shows username in a drop-down on the comment screen

[-] sxan@midwest.social 2 points 20 hours ago

I started using the same client for both by "normal" account (this one) and my toy account (my pþþþt one) but have discovered that now it's impossible hard to tell which one I'm in once I start replying. And I flip between them often, so now I'm accidentally posting eths and thorns here, and forgetting them more in the other account.

It's a conundrum. I'm losing sleep over it, really.

[-] Womble@piefed.world 4 points 1 day ago

Yes, i find it difficult to believe that they mess up a dozen line algo that is in their training set in a prominant place with no complicating factors. Despite what a lot of people here think, LLMs do have value for coding. Even if the companies selling them make ridiculous claims about what they can do.

[-] HaraldvonBlauzahn@feddit.org 7 points 2 days ago

I was surprised by that sentence, too.

But I see from my AI-using coworkers that there are different values in use for "it works".

[-] sxan@midwest.social 0 points 1 day ago

Yeah, for me it's more that just "produces correct output." I don't expect to see 5 pages of sequential if-statements (which, ironically, is pretty close to LLM's internal designs), but also no unnessesary nested loops. "Correct" means producing the right results, but also not having O(n²) (or worse) when it's avoidable.

The thing that puts me off most, though, is how it usually expands code for clarified requirements in the worst possible way. Like, you start with simple specs and make consecutive clarifications, and the code gets worse. And if you ask it to refactor it to be cleaner, it'll often refactor the Code to look better, but it'll no longer produce the correct output.

Several times I've asked it for code in a language where I don't know the libraries well, and it'll give me code using functions that don't exist. And when I point out they don't exist, I get an apology and sometimes a different function call that also doesn't exist.

It's really wack how people are using this in their jobs.

[-] astronaut_sloth@mander.xyz 0 points 1 day ago

Yeah, I've found AI generated code to be hit or miss. It's been fine to good for boilerplate stuff that I'm too lazy to do myself, but is super easy CS 101 type stuff. Anything that's more specialized requires the LLM to be hand-held in the best case. More often than not, though, I just take the wheel and code the thing myself.

By the way, I think it's cool that you use Old English characters in your writing. In school I used to do the same in my notes to write faster and smaller.

[-] sxan@midwest.social -2 points 1 day ago* (last edited 1 day ago)

Thanks! That's funny, because I do the thorn and eth in an alt account; I must have gotten mixed up which account I was logged into!

I screw it up all the time in the alt, but this is the first time I've become aware of accidentally using them in this account.

We're not too far from AGI. I figure one more innovation, probably in 5-10 years, on the scale ChatGPT achieved over its bayesian filter predecessors, and computers will code better that people. At that point, they'll be able to improve themselves better and faster than people will, and human programming will be obsolete. I figure we have a few more years, though.

[-] tal@lemmy.today 24 points 2 days ago

These weren’t obscure, edge-case vulnerabilities, either. In fact, one of the most frequent issues was: Cross-Site Scripting (CWE-80): AI tools failed to defend against it in 86% of relevant code samples.

So, I will readily believe that LLM-generated code has additional security issues, but given that the models are trained on human-written code, this does raise the obvious question of what percentage of human-written code properly defends against cross-site scripting attacks, a topic that the article doesn't address.

[-] HaraldvonBlauzahn@feddit.org 12 points 2 days ago

There are a few aspects that LLMs are just not capable of, and one of them is understanding and observing implicit invariants.

(That's getting to be funny if the tech is used for a while on larger, complex, multi-threaded C++ code bases. Given that C++ appears already less popular with more experienced people than with juniors, I am very doubtful whether C++ will survive that clash.)

[-] anton@lemmy.blahaj.zone 7 points 2 days ago

If a system was made to show blogs by the author and gets repurposed by a LLM to show untrusted user content the same code becomes unsafe.

[-] crandlecan@mander.xyz 3 points 2 days ago

Ssssst 😅

[-] hazelnoot@beehaw.org 3 points 1 day ago

Here's the full report, for anyone who doesn't want to give their personal information: https://enby.life/files/c564f5f8-ce51-432d-a20e-583fa7c100b8

[-] CallMeAnAI@lemmy.world -2 points 2 days ago

This thread forgetting that junior devs exist and the purpose of code review 🤣

[-] MrSmith@lemmy.world 1 points 3 hours ago

I love people who are excited to slave for an LLM. Like, to do the most mundane, monotonic shit, while the machine does all the satisfactory problem solving.

Techbros are really making their future beds right now, I love it.

[-] Guttural@jlai.lu 3 points 17 hours ago* (last edited 17 hours ago)

1 - Code review is inefficient at catching subtle bugs. You're not paying the same attention when you just read the code vs when you write it and test it. And even if you're particularly good at it, your colleagues might not be.

2 - Even if junior programmers exist, they don't write all the code produced in a company. They're usually in teams with more experienced people. You probably shouldn't hand the keys to juniors and leave it at that, if you want to get stuff done.

[-] Senal@programming.dev 5 points 21 hours ago

A shallow take but not entirely incorrect.

this post was submitted on 02 Aug 2025

118 points (98.4% liked)

Programming

21948 readers

528 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Follow the programming.dev instance rules
Keep content related to programming in some way
If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago

MODERATORS

snowe@programming.dev

Ategon@programming.dev

MaungaHikoi@lemmy.nz

UlrikHD@programming.dev