tomcat-dev mailing list archives

From Jim Manico <...@manico.net>
Subject RE: Findbugs results when run against Tomcat6
Date Sat, 27 Sep 2008 14:13:45 GMT
This is really helpful info, Mark. I'd like to get my hands on an account there, too. If all
else fails try emailing support@fortifysoftware.com - or maybe we could get some other vendor
to donate their product and/or time....

-----Original Message-----
From: Mark Thomas <markt@apache.org>
Sent: Saturday, September 27, 2008 5:58 AM
To: Tomcat Developers List <dev@tomcat.apache.org>
Subject: Re: Findbugs results when run against Tomcat6

Jim Manico wrote:
> Findbugs does a real bad job of findings real security bugs - I would
> recommend running the codebase against Fortify + include the new Cigital
> rulepack.
> 
> Or take a look at the results of the Fortify Open Source Analysis project
> 
> https://opensource.fortify.com/teamserver/welcome.fhtml

Past experience with that site and its ability to find genuine security
bugs wasn't great. For example, with 4.1.10 it found a whole handful of
false positives and no genuine security issues. It isn't as if there weren't
plenty to find (http://tomcat.apache.org/security-4.html).

I made some suggestions on what needed to be done to improve it over a year
ago. As yet, there has been no response, although it appears that some of
those suggestions have been acted on, which is a positive sign.

Out of curiosity, I did try to request an account today to look at the
latest Tomcat 6 results, but the "request an account" link only shows the
login page. I found an e-mail address, so I have sent my request there.

My previous conclusion was that findbugs on its own would be a better bet
for finding bugs but I never got around to trying it. Sebb's e-mail has
prompted me to download it and see what the results look like.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org