tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: Findbugs results when run against Tomcat6
Date Sat, 27 Sep 2008 10:58:02 GMT
Jim Manico wrote:
> Findbugs does a real bad job of findings real security bugs - I would
> recommend running the codebase against Fortify + include the new Cigital
> rulepack.
> 
> Or take a look at the results of the Fortify Open Source Analysis project
> 
> https://opensource.fortify.com/teamserver/welcome.fhtml

Past experience with that site and it's ability to find genuine security
bugs wasn't great. For example, with 4.1.10 if found a whole handful of
false positives and no genuine security issues. It isn't as if there were
plenty to find (http://tomcat.apache.org/security-4.html).

I made some suggestions on what needed to be done to improve it over a year
 ago. As yet, there has been no response although it appears that some of
those suggestions have been acted on which is a positive sign.

Out of curiosity and I did try and request an account today to look at the
latest Tomcat 6 results but the request an account link only shows the
login page. I found an e-mail address so I have sent my request there.

My previous conclusion was that findbugs on its own would be a better bet
for finding bugs but I never got around to trying it. Sebb's e-mail has
prompted me to download it and see what the results look like.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message