tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Osipov <>
Subject Re: Assuring Security by testing
Date Thu, 01 May 2008 10:02:52 GMT
Mark Thomas wrote:
> Jim Manico wrote:
>> The Fortify Opensource project automatically scans the Tomcat codebase 
>> on a regular basis.
>> This probably only gives you 10% security coverage at best, but it's a 
>> free report form a $50k tool.
> A great example of why I have don't have much faith (hope for the future 
> yes - faith for the current crop no) in these tools. In summary:
> - they are looking at 4.1.10, 5.5.20 and 6.?
> - I don't know which TC6 version they analysed (but I suspect it is 
> quite old) since they never responded to my requests to add me to that 
> project and I lost interest
> - there are so many false positives I got fed up looking at them
> - the bug reporting is way to clunky compared to just using Eclipse or 
> any other decent IDE
> - it missed most (all if I recall correctly - I don't have the time or 
> inclination to check) of the XSS issues we know were in 4.1.10 onwards


if I got you and Jim correctly, the free service provided by Coverity is 
almost worthless because the positive to false positive rate is awefully 
 From your point of view this tool isn't worth 50 k$?

I thought the tools are directly given to the projects. If they do not 
tell you what they have scanned, it's pretty superfluous to me.

<NO> OOXML - Say NO To Microsoft Office broken standard

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message