Jim Manico wrote:
> Findbugs does a real bad job of findings real security bugs - I would
> recommend running the codebase against Fortify + include the new Cigital
> rulepack.
>
> Or take a look at the results of the Fortify Open Source Analysis project
>
> https://opensource.fortify.com/teamserver/welcome.fhtml
Past experience with that site and its ability to find genuine security bugs wasn't great. For example, with 4.1.10 it found a whole handful of false positives and no genuine security issues. It isn't as if there were plenty to find (http://tomcat.apache.org/security-4.html). I made some suggestions on what needed to be done to improve it over a year ago. As yet, there has been no response, although it appears that some of those suggestions have been acted on, which is a positive sign.

Out of curiosity, I did try to request an account today to look at the latest Tomcat 6 results, but the "request an account" link only shows the login page. I found an e-mail address, so I have sent my request there.

My previous conclusion was that findbugs on its own would be a better bet for finding bugs, but I never got around to trying it. Sebb's e-mail has prompted me to download it and see what the results look like.

Mark