• CorrectAlias@piefed.blahaj.zone · 1 upvote · edited · 7 hours ago

    The argument is not whether it can find them or not. The point is that most of the vulnerabilities it finds aren’t exploitable directly, and these are what are currently plaguing the open source community.

    Yes, it can find actual exploits, especially if the attacker is motivated and knowledgeable enough. But the amount of slop like “this inaccessible private function has a bit overflow exploit if you change x variable before compiling” greatly outweighs the actual exploits.

    • hirihit640@sh.itjust.works · 1 upvote · 1 downvote · 4 hours ago

      That is not slop; if the developer didn’t intend that behavior, it’s still a bug. Though you could argue that some bugs aren’t that important, I’d argue that even if we filter those out, we’re seeing that the number of important bugs is still beginning to overwhelm open source developers.