https://bz.apache.org/bugzilla/show_bug.cgi?id=62582
--- Comment #7 from Christopher Schultz <ch...@christopherschultz.net> ---

For those interested, here is the dependency-check target I knocked up in a few minutes. You can throw it onto the end of your build.xml in Tomcat and run it. You are responsible for downloading the "ant" distribution of OWASP DC and providing a suppression file.

    <target name="dependency-check">
      <!-- Location of the unpacked dependency-check-ant distribution -->
      <property name="dependency-check.home" value="${user.home}/packages/dependency-check-ant" />
      <property name="doc.dir" value="output" />

      <!-- Classpath for the OWASP Dependency-Check Ant task and its libraries -->
      <path id="dependency-check.path">
        <pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
        <fileset dir="${dependency-check.home}/lib">
          <include name="*.jar"/>
        </fileset>
      </path>

      <taskdef resource="dependency-check-taskdefs.properties">
        <classpath refid="dependency-check.path" />
      </taskdef>

      <property name="dependency-check.output-dir" value="${doc.dir}" />
      <mkdir dir="${dependency-check.output-dir}" />

      <!-- Scan the jars produced by the Tomcat build; known false positives
           are suppressed via the suppression file -->
      <dependency-check projectname="${ant.project.name}"
                        reportoutputdirectory="${dependency-check.output-dir}">
        <suppressionfile path="res/dependency-check-suppressions.xml" />
        <fileset dir="output/build">
          <include name="lib/*.jar"/>
          <include name="bin/*.jar"/>
        </fileset>
      </dependency-check>
    </target>

I ran this and it found ALL KINDS OF THINGS!! Of course, they are all problems with distribution-specific file permissions and all kinds of weird things like that that have nothing at all to do with Tomcat itself. So, you can chase down all of these false positives, suppress them, and then call yourself secure if you'd like.

The one item this tool does flag (which is real) is for a different version of Tomcat (I scanned 9.0.x/trunk, and the vulnerability is for 7.0.x and 8.0.x).
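The target above references a suppression file at res/dependency-check-suppressions.xml but the comment does not show one. The following is an added example of what such a file can look like, written for this page and not taken from the Tomcat build or from Dependency-Check's own documentation. It assumes the Dependency-Check suppression schema version 1.3; every file path, SHA-1, CPE, CVE number and date in it is a constructed placeholder, since the comment does not name the specific findings it suppressed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP Dependency-Check (schema 1.3 assumed).
     All identifiers below are constructed placeholders, not real findings. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Case 1: the scanner matched a jar to the wrong product's CPE, so every CVE
         for that CPE is noise for this jar. Restrict the suppression to the file
         path so the CPE is still reported if it appears on a different artifact. -->
    <suppress>
        <notes><![CDATA[
        PLACEHOLDER: build output jar matched to an unrelated product's CPE.
        Reviewed by: <reviewer>, on: <YYYY-MM-DD>. Reason: the flagged product is
        not part of this code base.
        ]]></notes>
        <filePath regex="true">.*[/\\]lib[/\\]example-[a-z0-9-]+\.jar</filePath>
        <cpe>cpe:/a:example_vendor:example_product</cpe>
    </suppress>

    <!-- Case 2: a real CVE that applies to a different major version of the product.
         Pin the suppression to the exact jar by SHA-1 and to the single CVE, and give
         it an expiry date so it is re-examined rather than silently kept forever. -->
    <suppress until="2099-01-01Z">
        <notes><![CDATA[
        PLACEHOLDER: CVE affects an earlier major version only; this build is not
        in the affected range. Re-check when the jar or the advisory changes.
        ]]></notes>
        <sha1>0000000000000000000000000000000000000000</sha1>
        <cve>CVE-0000-00000</cve>
    </suppress>

</suppressions>
```

The two cases illustrate the trade-off a reviewer faces when "chasing down" false positives: a broad suppression (by CPE alone, or by a path regex that matches many jars) removes noise quickly but can also hide a future true positive, whereas pinning to a SHA-1 plus a single CVE, with an `until` date, keeps the suppression narrow and forces a periodic re-review. The `notes` element is the audit trail; recording who reviewed the finding and why it does not apply is what makes "suppressed" distinguishable from "ignored" when the report is read later.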