Jim Manico wrote:
The Fortify Opensource project automatically scans the Tomcat codebase
on a regular basis.
This probably only gives you 10% security coverage at best, but it's a
free report form a $50k tool.
http://opensource.fortifysoftware.com
A great example of why I have don't have much faith (hope for the future
yes - faith for the current crop no) in these tools. In summary:
- they are looking at 4.1.10, 5.5.20 and 6.?
- I don't know which TC6 version they analysed (but I suspect it is quite
old) since they never responded to my requests to add me to that project
and I lost interest
- there are so many false positives I got fed up looking at them
- the bug reporting is way to clunky compared to just using Eclipse or any
other decent IDE
- it missed most (all if I recall correctly - I don't have the time or
inclination to check) of the XSS issues we know were in 4.1.10 onwards
I maintain that you will get greater benefit for time invested just by
clearing the issues flagged by a decent IDE.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
