Snyk: GitHub's Copilot AI assistant can replicate code errors

AI assistants cannot evaluate the semantics or the security of the code they produce.

Security researchers at Snyk published a study showing that GitHub Copilot, GitHub's automatic code-completion assistant, will generate vulnerable code when the surrounding project already contains similar flaws. Copilot's model uses the existing code base as context and imitates the patterns it finds there; it has no understanding of what the code does or whether it is safe.

In the experiment, the Snyk team asked Copilot to generate an SQL query. The first suggestion was clean and safe: a JPQL query that takes the search term through a named parameter (:input), so the user-supplied value is bound separately from the query text and cannot change the structure of the statement, which rules out SQL injection:

Code:
 // create query to match input with the description or product name
 // :input is a named parameter; it is bound later with query.setParameter("input", ...),
 // so user data never becomes part of the query text
 var query = em.createQuery("SELECT p FROM Product p WHERE LOWER(p.description) like :input OR lower(p.productName) like :input", Product.class);

The researchers then wrote a vulnerable SQL query by hand in a neighbouring file of the same project and asked the assistant for the same code again. This time Copilot suggested a query that concatenates the user's input directly into the SQL string, the classic SQL injection pattern:

Code:
 // create query to match input with the description or product name
 // VULNERABLE: lowerInput is spliced straight into the SQL text, so a value such as
 // zzz%' OR 1=1 -- rewrites the statement instead of being treated as a search term
 String query = "Select * from Product where lower(description) like '%" + lowerInput + "%' OR lower(product_name) like '%" + lowerInput + "%'";

By taking the vulnerable code as context, Copilot not only reproduced the existing flaw but also doubled the number of injectable queries in the project: one hand-written vulnerability became two. The researchers stress that on a project with inexperienced developers, who are more likely to accept suggestions unexamined, the number of such vulnerabilities compounds quickly.
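To show what the difference between the two suggestions means in practice, here is an added example that is not part of the Snyk study or the original post. It rebuilds both query shapes in Python against an in-memory SQLite database with a constructed Product table and a constructed users table (neither schema appears on the page), then runs a normal search and two injection payloads through each. The table and column names follow the second Copilot snippet; the users table is an assumption added to make the impact visible.

```python
import sqlite3

# Constructed sample schema and data; the Snyk demo's real tables are not shown on the page.
SCHEMA = """
CREATE TABLE Product (id INTEGER PRIMARY KEY, product_name TEXT, description TEXT);
CREATE TABLE users (username TEXT, password_hash TEXT);
INSERT INTO Product (product_name, description) VALUES
  ('Laptop',  'portable computer'),
  ('Desktop', 'tower computer'),
  ('Phone',   'portable handset');
INSERT INTO users VALUES ('admin', 'pbkdf2$constructed-hash');
"""

# Constructed attacker inputs for the search box.
TAUTOLOGY_PAYLOAD = "zzz%' OR 1=1 --"
UNION_PAYLOAD = "zzz%' UNION SELECT username, password_hash, NULL FROM users --"


def connect():
    """Fresh in-memory database loaded with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, user_input):
    """Mirrors Copilot's second suggestion: the search term is concatenated into the SQL text."""
    lower_input = user_input.lower()
    query = ("Select * from Product where lower(description) like '%" + lower_input +
             "%' OR lower(product_name) like '%" + lower_input + "%'")
    return conn.execute(query).fetchall()


def search_parameterized(conn, user_input):
    """Mirrors Copilot's first suggestion: a named placeholder, value bound separately."""
    query = ("SELECT * FROM Product WHERE lower(description) LIKE :input "
             "OR lower(product_name) LIKE :input")
    # The driver sends the value out of band; it can only ever be a LIKE pattern.
    return conn.execute(query, {"input": "%" + user_input.lower() + "%"}).fetchall()


def demo():
    """Row counts for each query shape and input, so the effect is easy to compare."""
    conn = connect()
    results = {}
    for label, term in [("normal", "portable"),
                        ("tautology", TAUTOLOGY_PAYLOAD),
                        ("union", UNION_PAYLOAD)]:
        results[label] = (len(search_vulnerable(conn, term)),
                          len(search_parameterized(conn, term)))
    return results


if __name__ == "__main__":
    for label, (vuln_rows, safe_rows) in demo().items():
        print(f"{label:10s} concatenated={vuln_rows} parameterized={safe_rows}")
```

With the normal term both queries return the same two products. With the tautology payload the concatenated query returns every product, and with the UNION payload it returns the admin's password hash from a table the search was never meant to touch, while the parameterized query returns nothing in both cases because the payload is just an odd LIKE pattern. One caveat the parameterized form does not cover: user-supplied % and _ still act as LIKE wildcards, so escape them (or use an ESCAPE clause) if wildcard control by the user matters.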

Snyk names the following factors that make the problem worse when GitHub Copilot is in use:
  • Entrenching a bad pattern. Beginners who rely on AI assistants may not recognise their own mistakes, assuming that code generated by artificial intelligence is secure by default.
  • Lack of checks. AI assistants cannot assess the security of their own suggestions, and developers often skip that review step themselves, so vulnerabilities enter the project unchallenged.
  • Use of outdated patterns. GitHub Copilot can suggest fragments that the professional community no longer considers sound, including ones with known vulnerabilities and bugs.
  • Neglect of security concerns. Copilot is built for code generation, not security assessment, and developers who are focused on getting the feature working may overlook vulnerabilities in what it produces.

To address this, the researchers recommend pairing AI code generation with the established safeguards: static analysis and code review of the generated code, plus developer training so that suggestions are read critically. That combination keeps the productivity gains without trading away code reliability.
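As an added illustration of the kind of automated check the study recommends (not code from Snyk or from the original post), the following Python script applies a simple heuristic to Java source: it joins lines into statements, and flags any statement that contains a string literal with SQL keywords joined to an expression by the + operator. The sample Java input is constructed inline from the two query snippets shown above (with the parameter restored in the safe one and the second variable renamed to avoid a duplicate declaration). It is a lint-style heuristic for a pre-commit hook, not a replacement for a real SAST tool, and it does not model escaped quotes or string builders.

```python
import re

# Java string literal; handles backslash escapes but nothing fancier (heuristic only).
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Keywords that mark a literal as (part of) an SQL statement.
SQL_KEYWORDS = re.compile(r'\b(select|insert|update|delete|from|where)\b', re.I)
# A literal glued to a non-literal expression with '+' on either side.
CONCAT_INTO_LITERAL = re.compile(r'"\s*\+\s*[A-Za-z_(]|[A-Za-z_)]\s*\+\s*"')

# Constructed Java input: the two Copilot suggestions discussed on the page.
SAMPLE_JAVA = '''\
// create query to match input with the description or product name
var query = em.createQuery("SELECT p FROM Product p WHERE LOWER(p.description) like :input OR lower(p.productName) like :input", Product.class);

// create query to match input with the description or product name
String rawQuery = "Select * from Product where lower(description) like '%" + lowerInput + "%' OR lower(product_name) like '%" + lowerInput + "%'";
'''


def java_statements(source):
    """Yield (first_line_no, statement_text), joining lines until ';', '{' or '}'."""
    buf, start = [], None
    for no, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue  # blank lines and line comments never carry code
        if start is None:
            start = no
        buf.append(stripped)
        if stripped[-1] in ";{}":
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:  # unterminated trailing statement
        yield start, " ".join(buf)


def find_concatenated_sql(source):
    """Return [(line_no, statement)] for statements that build SQL text by concatenation."""
    findings = []
    for no, stmt in java_statements(source):
        literals = STRING_LITERAL.findall(stmt)
        looks_like_sql = any(SQL_KEYWORDS.search(lit) for lit in literals)
        if looks_like_sql and CONCAT_INTO_LITERAL.search(stmt):
            findings.append((no, stmt))
    return findings


if __name__ == "__main__":
    for no, stmt in find_concatenated_sql(SAMPLE_JAVA):
        print(f"line {no}: SQL built by string concatenation -> use a bound parameter")
        print("   ", stmt[:100], "...")
```

Run against the sample, the check flags only the concatenated query and leaves the parameterized one alone. Because it matches on keywords, an unrelated message string such as "select your plan" + name would also be reported; treat its output as a prompt for review, which is exactly the step the study says developers tend to skip.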