tomcat-dev mailing list archives

From Bartolomeo Nicolotti <bnicolo...@siapcn.it>
Subject RE: Findbugs results when run against Tomcat6
Date Mon, 29 Sep 2008 12:21:27 GMT
Here's a list of static checkers:

http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

Bye!

On Sat, 27/09/2008 at 09.13 -0500, Jim Manico wrote:
> This is really helpful info, Mark. I'd like to get my hands on an account there, too.
> If all else fails try emailing support@fortifysoftware.com - or maybe we could get some other
> vendor to donate their product and/or time....
> 
> -----Original Message-----
> From: Mark Thomas <markt@apache.org>
> Sent: Saturday, September 27, 2008 5:58 AM
> To: Tomcat Developers List <dev@tomcat.apache.org>
> Subject: Re: Findbugs results when run against Tomcat6
> 
> Jim Manico wrote:
> > Findbugs does a real bad job of findings real security bugs - I would
> > recommend running the codebase against Fortify + include the new Cigital
> > rulepack.
> > 
> > Or take a look at the results of the Fortify Open Source Analysis project
> > 
> > https://opensource.fortify.com/teamserver/welcome.fhtml
> 
> Past experience with that site and its ability to find genuine security
> bugs wasn't great. For example, with 4.1.10 it found a whole handful of
> false positives and no genuine security issues. It isn't as if there were
> plenty to find (http://tomcat.apache.org/security-4.html).
> 
> I made some suggestions on what needed to be done to improve it over a year
> ago. As yet, there has been no response although it appears that some of
> those suggestions have been acted on which is a positive sign.
> 
> Out of curiosity I did try and request an account today to look at the
> latest Tomcat 6 results but the request an account link only shows the
> login page. I found an e-mail address so I have sent my request there.
> 
> My previous conclusion was that findbugs on its own would be a better bet
> for finding bugs but I never got around to trying it. Sebb's e-mail has
> prompted me to download it and see what the results look like.
> 
> Mark
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
