lucene-dev mailing list archives

From Erik Hatcher <e...@ehatchersolutions.com>
Subject Fwd: Lucene code review
Date Fri, 15 Dec 2006 11:30:11 GMT
(sorry if this is a duplicate post, wanted to be sure it made it  
through)

	Erik


Begin forwarded message:

> From: Brian Chess <brian@fortifysoftware.com>
> Date: December 15, 2006 1:42:13 AM EST
> To: Erik Hatcher <erik@ehatchersolutions.com>, <java-dev@lucene.apache.org>
> Cc: Gary McGraw <gem@cigital.com>
> Subject: Re: Lucene code review
>
> Hi Erik, thanks for the intro.  I'd be happy to set up an account for
> anyone involved with the projects who'd like to take a look.  (Because
> we're checking for security problems, we don't share specific findings
> with the general public.)
>
> Erik is right, from Lucene, Nutch, and Solr, the most important things
> we found were the cross-site scripting bugs in Solr.  There are a few
> more bugs that I think are worth looking at, but nothing to get worked
> up about.
>
> Brian
>
>> From: Erik Hatcher <erik@ehatchersolutions.com>
>> Date: Thu, 14 Dec 2006 23:43:33 -0500
>> To: <java-dev@lucene.apache.org>
>> Cc: Brian Chess <brian@fortifysoftware.com>, Gary McGraw  
>> <gem@cigital.com>
>> Subject: Re: Lucene code review
>>
>>
>> On Dec 13, 2006, at 1:00 AM, Otis Gospodnetic wrote:
>>> Just spotted this on Slashdot:  http://opensource.fortifysoftware.com/welcome.html
>>> I wonder what the 3 defects they found and reviewed are... I don't
>>> see a way to see them from their site.
>>
>> I had an early peek at the Fortify analysis of several open source
>> projects, primarily Lucene, Nutch, and Solr.  Lucene and Nutch both
>> had very minor cosmetic issues (don't recall off the top of my head
>> what they were).  Solr had cross-site scripting issues in its JSP
>> pages, which I think are now all fixed (?).
>>
>> Brian Chess at Fortify was instrumental in the analysis and is eager
>> to work with open source communities closely to have these types of
>> analyses automated and useful to the projects.  I'm sure we'll hear
>> more from his organization in the near future.
>>
>> Erik
>>


---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: java-dev-help@lucene.apache.org

