On Wed, Sep 10, 2025 at 12:15 PM Mark Thomas <ma...@apache.org> wrote:
> All,
>
> One of the topics at the security day we held in Bratislava was adding
> unit tests for CVEs once the CVEs were public.
>
> I have just rediscovered a test case for CVE-2025-53506 sat in a git
> stash that it would be good to get committed.
>
> Before I commit anything, I was wondering how we wanted to organise
> these. Options include:
> - just another test in the relevant class
> - dedicated CVE test classes alongside the standard test classes
> - a dedicated package for CVE tests
>
> I was thinking a new, dedicated package:
>
> org.apache.tomcat.security
>
> One class per year e.g.:
> TestSecurity2025
> TestSecurity2024
> ...
>

+1 for the dedicated package. It will be good to have CVE-related tests organised, as it will be easier to discover, maintain and enhance. Though a possible concern of concentrating CVE tests would be that we lower the bar for one to discover edge cases or gaps in fixes.

> One (or more tests per CVE)
>
> public void testCVE_2025_53506()
> or
> public void testCVE_2025_53506a()
> public void testCVE_2025_53506b()
> or
> public void testCVE_2025_53506_01()
> public void testCVE_2025_53506_02()
> ...
>

+1 testCVE_YYYY_NNNNN[_nn]()

> I'm not expecting every CVE to get a test case but, where we have them,
> I think it makes sense to make them known and available. This is also
> something we can add to over time. I suspect there are a few existing
> tests that are for known CVEs but were never marked as such.
>

+1 in moving pre-existing CVE-focused tests to the dedicated package.

> Thoughts?
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>

I am already working on creating tests for CVEs that do not have a test scenario in the commit that points to the fix.

Some extra thoughts:

1) We add the link to the fix commit of each CVE as well as to the CVE itself in the test classes, as it is in https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.44, for traceability.

2) Avoid over-explanatory comments in code that will make it easier for someone to discover scenarios we haven't considered.

Kind regards,
Dimitris
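The thread settles on a convention (package `org.apache.tomcat.security`, one `TestSecurityYYYY` class per year, methods named `testCVE_YYYY_NNNNN[_nn]()`, and a Javadoc that links both the CVE and its fix commit) but nothing on the list enforces it. The checker below is an added example written for this editing pass, not code from the Tomcat project or from anyone on the thread. It scans a Java test class and reports every `testCVE_*` method that breaks the convention. Assumptions not stated on the list: the CVE id's year is what decides which `TestSecurityYYYY` class a test belongs in, the fix commit is recognised by any URL containing `/commit/`, and the `CVE-YYYY-NNNNN` string must appear verbatim in the Javadoc. The Java source in `SAMPLE_JAVA` is constructed for the demonstration; the commit SHA is a placeholder and the ids other than CVE-2025-53506 are invented shapes, not real CVEs.

```python
import re
from typing import List, Optional, Tuple

# Assumed conventions, taken from the thread's proposal:
#   one class per year named TestSecurityYYYY,
#   methods named testCVE_YYYY_NNNNN with an optional _nn sequence suffix,
#   a Javadoc naming the CVE id and linking the fix commit (point 1 above).
CLASS_RE = re.compile(r"\bclass\s+TestSecurity(?P<year>\d{4})\b")
CVE_TEST_NAME_RE = re.compile(
    r"^testCVE_(?P<year>\d{4})_(?P<num>\d{4,})(?:_(?P<seq>\d{2}))?$"
)
METHOD_RE = re.compile(
    r"(?:/\*\*(?P<doc>.*?)\*/\s*)?"            # optional Javadoc right before the method
    r"(?:@Test\s+)?public\s+void\s+(?P<name>test\w*)\s*\(",
    re.DOTALL,
)
# Assumption: a fix-commit link is any URL with a /commit/ path segment.
COMMIT_URL_RE = re.compile(r"https?://\S+/commit/\S+")


def check_security_test_class(java_source: str) -> List[Tuple[str, str]]:
    """Return (method name, problem) pairs for each convention violation.

    An empty list means every testCVE_* method is well named, sits in the
    class for its year, and has a Javadoc that names its CVE id and links
    the fix commit. Ordinary test methods are ignored.
    """
    findings: List[Tuple[str, str]] = []
    class_match = CLASS_RE.search(java_source)
    class_year: Optional[str] = class_match.group("year") if class_match else None
    if class_year is None:
        findings.append(("<class>", "class is not named TestSecurityYYYY"))

    for m in METHOD_RE.finditer(java_source):
        name = m.group("name")
        if not name.startswith("testCVE"):
            continue                                   # not a CVE test, out of scope
        parts = CVE_TEST_NAME_RE.match(name)
        if parts is None:
            findings.append((name, "name does not follow testCVE_YYYY_NNNNN[_nn]"))
            continue
        cve_id = f"CVE-{parts.group('year')}-{parts.group('num')}"
        if class_year is not None and parts.group("year") != class_year:
            findings.append((name, f"{cve_id} belongs in TestSecurity{parts.group('year')}"))
        doc = m.group("doc")
        if doc is None:
            findings.append((name, "no Javadoc: add the CVE link and the fix commit link"))
            continue
        if cve_id not in doc:
            findings.append((name, f"Javadoc does not reference {cve_id}"))
        if COMMIT_URL_RE.search(doc) is None:
            findings.append((name, "Javadoc does not link the fix commit"))
    return findings


# Constructed sample: one compliant method followed by typical slips.
SAMPLE_JAVA = """
package org.apache.tomcat.security;

import org.junit.Test;

public class TestSecurity2025 extends TomcatBaseTest {

    /**
     * Regression test for CVE-2025-53506.
     * https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.44
     * Fix: https://github.com/apache/tomcat/commit/FIX-COMMIT-SHA-PLACEHOLDER
     */
    @Test
    public void testCVE_2025_53506_01() throws Exception {
        // body omitted in this constructed sample
    }

    /** Second scenario for the same CVE, links forgotten. */
    @Test
    public void testCVE_2025_53506_02() throws Exception {
    }

    @Test
    public void testCVE2025_99999() throws Exception {    // constructed: wrong name shape
    }

    @Test
    public void testCVE_2024_00001() throws Exception {   // constructed id, wrong year, no Javadoc
    }

    @Test
    public void testUnrelatedBehaviour() throws Exception {
    }
}
"""

if __name__ == "__main__":
    for method, problem in check_security_test_class(SAMPLE_JAVA):
        print(f"{method}: {problem}")
```

Run against a real `TestSecurityYYYY.java` by reading the file into `check_security_test_class`; wiring it into a build step keeps the traceability links from point 1 from silently going missing as tests are added over time. The check deliberately looks only at naming and links, so it does not push anyone toward the over-explanatory comments point 2 warns against.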