On 13/09/2023 11:18, ma...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit a78ed4a68522203def8f0c6b590678b1ff069fc0
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Sep 13 11:16:49 2023 +0100
Experimenting with Semgrep
Semgrep have offered Tomcat free access to the tool so I am setting it
up to see if it is useful or not.
The initial results are in. Just under 300 findings and they pretty much
all look to be some degree of false positive. There are a few things
(such as Javadoc links using http rather than https) that we might want
to look at but nothing I can see that comes close to something we'd
consider to be a vulnerability.
I have noticed that the tool isn't good at understanding context. It
looks like it is just using a form of grep to look for patterns as it
can't distinguish between SomeOtherObject.setSecure() and Cookie.setSecure().
I am currently wondering whether the low value results are worth the
time it will take to review and dismiss the false positives. Maybe. But
I have a long list of things I'd consider more important to do first.
If any other committer wants access to the dashboard just ping me a
private email and I'll get you added.
Mark
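Added example, not part of the thread or of the Tomcat project: a Semgrep rule that uses a typed metavariable so the pattern only binds when the receiver is a Cookie, which is the kind of context the plain grep-style pattern Mark describes lacks. The rule id and message are made up, and the rule assumes Semgrep's Java type inference can see the variable's declaration or parameter type in the same file (it does not resolve types across files).

```yaml
rules:
  # Hypothetical rule id and message; setSecure() is the call from the thread.
  - id: tomcat-cookie-setsecure-false
    languages: [java]
    severity: WARNING
    message: >-
      Cookie.setSecure(false) leaves the cookie sendable over plain HTTP.
      Review whether the Secure flag should be set here.
    patterns:
      # A bare "$C.setSecure(false)" pattern matches any receiver, so it also
      # fires on SomeOtherObject.setSecure(false). The typed metavariable
      # "(Cookie $C)" binds only when Semgrep can infer that $C is declared
      # as a Cookie (e.g. "Cookie c = new Cookie(...)" or a "Cookie c"
      # parameter) in the same file, which removes that false positive.
      - pattern: (Cookie $C).setSecure(false)
      # Also skip the case where the flag is set correctly later in the
      # same method, so only cookies that stay insecure are reported.
      - pattern-not-inside: |
          $C.setSecure(false);
          ...
          $C.setSecure(true);
```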