On Wed, Sep 10, 2025 at 7:23 AM Dimitris Soumis <[email protected]> wrote:
> On Wed, Sep 10, 2025 at 12:15 PM Mark Thomas <[email protected]> wrote:
> >
> > All,
> >
> > One of the topics at the security day we held in Bratislava was adding
> > unit tests for CVEs once the CVEs were public.
> >
> > I have just rediscovered a test case for CVE-2025-53506 sitting in a git
> > stash that it would be good to get committed.
> >
> > Before I commit anything, I was wondering how we wanted to organise
> > these. Options include:
> > - just another test in the relevant class
> > - dedicated CVE test classes alongside the standard test classes
> > - a dedicated package for CVE tests
> >
> > I was thinking a new, dedicated package:
> >
> > org.apache.tomcat.security
> >
> > One class per year, e.g.:
> > TestSecurity2025
> > TestSecurity2024
> > ...
> >
> +1 for the dedicated package. It will be good to have CVE-related tests
> organised, as it will be easier to discover, maintain and enhance.
> Though a possible concern of concentrating CVE tests would be that we lower
> the bar for one to discover edge cases or gaps in fixes.
>
>
> > One (or more) tests per CVE:
> >
> > public void testCVE_2025_53506()
> > or
> > public void testCVE_2025_53506a()
> > public void testCVE_2025_53506b()
> > or
> > public void testCVE_2025_53506_01()
> > public void testCVE_2025_53506_02()
> > ...
> >
>
> +1 testCVE_YYYY_NNNNN[_nn]()
>
> > I'm not expecting every CVE to get a test case but, where we have them,
> > I think it makes sense to make them known and available. This is also
> > something we can add to over time. I suspect there are a few existing
> > tests that are for known CVEs but were never marked as such.
> >
>
> +1 on moving pre-existing CVE-focused tests to the dedicated package.
>
> > Thoughts?
> >
> > Mark
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
>
> I am already working on creating tests for CVEs that do not have a test
> scenario in the commit that points to the fix.
>
> Some extra thoughts:
> 1) We add the link to the fix commit of each CVE as well as to the CVE
> itself in the test classes, as it is in
> https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.44,
> for traceability.
> 2) Avoid over-explanatory comments in code that will make it easier for
> someone to discover scenarios we haven't considered.

+1 from me to all of Dimitris' comments

>
> Kind regards,
> Dimitris
>
