What is the overall severity distribution, including human code?

Based on the churn I have fixing security vulnerabilities reported by Snyk and Trivy, I have a feeling that issues have a tendency to be labeled mostly as HIGH or CRITICAL when they are assigned a CVE, for better or worse.

You're absolutely right about CVE inflation. I deal with the same Snyk/Trivy noise daily where a prototype pollution in some deep dependency gets marked CRITICAL.

Our distribution (71% High, 18% Critical) is definitely skewed compared to normal CVEs. Part of this is selection bias: nobody reports when AI generates boring secure code. But even accounting for that, the pattern is real: AI seems to either nail security or fail spectacularly. Very few "medium" mistakes.

The key difference from your Snyk alerts: these aren't dependency updates or theoretical vulnerabilities. They're actual logic flaws:

- Missing auth checks
- SQL injections
- Hardcoded secrets

You know, the stuff that makes you go "how did this pass code review?"

This is ongoing research, and hopefully we'll be in a position to elaborate better conclusions soon.

Highs and Criticals together are more than 50%.

https://nvd.nist.gov/general/nvd-dashboard
