Finally, note to self, probably still don’t use SQLite if you have a good alternative? Twice is suspicious, although they did fix the bug same day and it wasn’t ever released.
But is this because SQLite is unusually buggy, or because its code is unusually open, short and readable and thus understandable by an AI? I would guess that MySQL (for example) has significantly worse vulnerabilities but they’re harder to find.
There are severe issues with the measure I’m about to employ (not least is everything listed in https://www.sqlite.org/cves.html), but the order of magnitude is still meaningful:
SQLite is ludicrously well tested; similar bugs in other databases just don’t get found and fixed.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sqlite 170 records
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postgresql 292 records (+74 postgres and maybe another 100 or so under pg; the specific spelling “postgresql” isn’t used as consistently as “sqlite” and “mysql” is)
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql 2026 records
Finding two bugs in a large codebase doesn’t seem especially suspicious to me.