There are at least a couple of commercial offerings that do something similar.

There are non-trivial challenges in identifying qualitative code behaviour with static analysis, then the problem of whether you can dynamically exercise a sufficient majority of code paths in a program and classify the results is also a hard one.

This can work well as an open source project because it's basically an advisory tool where the user takes on the risk and ownership of the results. Commercially this is hard because the confusion matrix of the classifier is going to exclude customers with a high sensitivity to false negatives. Great project, and good to move the state of the art on this forward.