
Comment by gpm

6 months ago

The first chart does in fact provide a compelling reason to believe the effect is not that at all. If the "easy" code was predominantly being rewritten you would expect the % new memory unsafe code and % memory safety vulnerabilities to scale at different rates as the difficult to work on areas remained in C and kept causing new memory vulnerabilities.

Personal experience also provides a compelling reason; my experience is absolutely that people are more inclined to rewrite the things that are causing trouble in a new language.

It's not a blinded randomly controlled trial of course, it's observational data. You can't be completely sure there isn't a confounding factor that explains the data, but it seems far more likely than not that it is a real effect.

I would expect memory safety vulns to be dropping in most C/C++ projects due to better practices

  • This contradicts what Google has reported about their own code, which is that most vulnerabilities are in new code

    • I haven't looked at Google's style for C++ in a long time, but from what I remember it was actively hostile to best practices. Actively hostile to any improvement introduced by the language and actively hostile to the wider ecosystem of C++. Also Rob Pike was involved somehow at the time and that guy went around claiming that his C-inspired GCed language would be the perfect replacement for C++ everywhere after the C++ standard simplified some common patterns for library authors because he was actively hostile towards reusable code.

      I am not sure I even want to know what the average Google C++ codebase looks like.

    • I don't see a contradiction between the statement that vulns in C++ code are generally on a downward trajectory, and the statement that most vulns are in new code.

  • This is basically the C++ treadmill for decades and I think people are starting to realise they were duped.

    Bjarne's C++ promised that if you use this instead of C you won't have these problems. The problems persisted of course. Then it was well you need to use standard C++ 98 not that crap pre-standard C++ you've been doing, once you adopt C++ 98 the problems will subside. Then it's you need "modern" C++ 11, of course you've got problems, that's because you used C++ 98, use this "modern" C++ instead.

    By around 2020 they started to say the "modern" C++ 11 wasn't up to it, you need to write "contemporary" C++ 20 or better.

    What was it George W. Bush told us? "Fool me once, shame on...shame on you. Fool me...you can't get fooled again".