Maybe. But an unreliable scanner means a human has to check all the false positives and false negatives which can quickly take a lot of time for projects that are run by benevolent devs.
It’s really important to keep in mind this is done for free and that supply chain attacks like this one are very hard to identify.
I mean this is usually not the devs being careless, it’s very complex attacks on projects with very limited ressources. Attackers even sometimes choose purposefully projects that are “understaffed” (well, more understaffed than others).
I wish it was that simple but I doubt there is any scanner that can differentiate between legitimate and malicious code.
Maybe an AI but even then it would probably be quite unreliable.
Unreliable is still a step up from completely absent.
Maybe. But an unreliable scanner means a human has to check all the false positives and false negatives which can quickly take a lot of time for projects that are run by benevolent devs.
It’s really important to keep in mind this is done for free and that supply chain attacks like this one are very hard to identify.
I mean this is usually not the devs being careless, it’s very complex attacks on projects with very limited ressources. Attackers even sometimes choose purposefully projects that are “understaffed” (well, more understaffed than others).