tomcat-dev mailing list archives

From Mark Thomas <>
Subject Re: Findbugs results when run against Tomcat6
Date Sat, 27 Sep 2008 10:58:02 GMT
Jim Manico wrote:
> Findbugs does a real bad job of findings real security bugs - I would
> recommend running the codebase against Fortify + include the new Cigital
> rulepack.
> Or take a look at the results of the Fortify Open Source Analysis project

Past experience with that site and its ability to find genuine security
bugs wasn't great. For example, with 4.1.10 it found a whole handful of
false positives and no genuine security issues. It isn't as if there were
plenty to find (

I made some suggestions on what needed to be done to improve it over a year
ago. As yet, there has been no response although it appears that some of
those suggestions have been acted on which is a positive sign.

Out of curiosity I did try and request an account today to look at the
latest Tomcat 6 results but the request an account link only shows the
login page. I found an e-mail address so I have sent my request there.

My previous conclusion was that findbugs on its own would be a better bet
for finding bugs but I never got around to trying it. Sebb's e-mail has
prompted me to download it and see what the results look like.
