upvote

points

by eranation14 hours ago |
comments
upvoteby tirpen8 hours ago|
next
[-]
Which LLM did you use? I assume that will make a pretty big difference.
reply
upvoteby eranation7 hours ago|
parent|
[-]
gpt-5-mini and gpt-5.5 (had to tweak the code a bit to make it work)

Surprisingly not as big of a difference as one would hope. It turns out that smarter models are more conservative. Smarter model / More thinking = slightly worse recall sometimes.

I think it says more about the benchmark itself perhaps. Reviews are highly opinionated. And it could be that the smarter models are actually better, just the “golden” state is very opinionated.

reply
upvoteby bobkb8 hours ago|
prev|
next
[-]
False positives from the deterministic audits a very difficult problem to address. Comparing and deduplicating across different methods or LLM audits seems to the only way.
reply
upvoteby akie13 hours ago|
prev|
next
[-]
I would say that recall is the most important metric here though. I'd want it to catch all the issues.

False positives are easy to ignore.

reply
upvoteby witx12 hours ago|
parent|
[-]
What, no they're not. You still need to analyze them to understand they are false positives. It's time wasted
reply
upvoteby chaoz_9 hours ago|
parent|
next
[-]
Agree, it's something that will eventually teach your developers to ignore points raised as it's mostly garbage.
reply
upvoteby onion2k11 hours ago|
parent|
prev|
[-]
Finding problems is optimizing for the customer. Avoiding false positives is optimizing for the developer. Which is right depends on your org's culture.
reply
upvoteby evolve-maz11 hours ago|
parent|
[-]
If I flag every line in your PR as a potential security bug then I have 100% recall.

Obviously you need a mixture of high recall and low false positive rate. If 7/8 flagged items are fine its much more likely people will ignore the warnings, much like they would any security tool with a 90% false positive rate. That is not optimized for the customer.

reply
upvoteby onion2k11 hours ago|
parent|
next
[-]
The ideal is finding all the problems without getting any false positives, but the reality is that you can't often have that. An org's engineering culture should be designed to fix problems with systems. If you're seeing an 87.5% false positive rate that should be seen as another engineering problem to fix. However, that's a separate issue to whether or not you accept false positives in a system designed to find problems.

Presenting it as either a system that misses real problems or a system that has a huge number of false positives is a false dilemma. You can have a system that's designed to find all the problems and then optimize it to reduce the false positives. If you can't reduce the number then you optimize to identify false positives as fast as possible. Just ignoring the identified problems on the assumption that they're false is giant red flag and a signal that the org has a very a broken engineering culture (but, as you say, that's quite common.)

reply
upvoteby eranation11 hours ago|
parent|
prev|
next
[-]
Yep. Similarly - you can predict with 99.9% accuracy if a Volcano will erupt today by using a rock that has "No" written on it.
reply
upvoteby williamdclt9 hours ago|
parent|
prev|
[-]
> If I flag every line in your PR as a potential security bug then I have 100% recall.

No. A code review isn't about "flagging a line of code", it's about identifying an issue or a risk. If a 10-line PR has one issue and you leave a comment on every single character, if you still miss the issue you have 0% recall.

reply
upvoteby isabellehue11 hours ago|
prev|
[-]
[flagged]
reply