Here's a list of static checkers: http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
Bye!

On Sat, 27/09/2008 at 09.13 -0500, Jim Manico wrote:
> This is really helpful info, Mark. I'd like to get my hands on an account
> there, too. If all else fails try emailing [EMAIL PROTECTED] - or maybe we
> could get some other vendor to donate their product and/or time....
>
> -----Original Message-----
> From: Mark Thomas <[EMAIL PROTECTED]>
> Sent: Saturday, September 27, 2008 5:58 AM
> To: Tomcat Developers List <dev@tomcat.apache.org>
> Subject: Re: Findbugs results when run against Tomcat6
>
> Jim Manico wrote:
> > Findbugs does a real bad job of finding real security bugs - I would
> > recommend running the codebase against Fortify + include the new Cigital
> > rulepack.
> >
> > Or take a look at the results of the Fortify Open Source Analysis project
> >
> > https://opensource.fortify.com/teamserver/welcome.fhtml
>
> Past experience with that site and its ability to find genuine security
> bugs wasn't great. For example, with 4.1.10 it found a whole handful of
> false positives and no genuine security issues. It isn't as if there were
> plenty to find (http://tomcat.apache.org/security-4.html).
>
> I made some suggestions on what needed to be done to improve it over a year
> ago. As yet, there has been no response although it appears that some of
> those suggestions have been acted on which is a positive sign.
>
> Out of curiosity I did try and request an account today to look at the
> latest Tomcat 6 results but the request an account link only shows the
> login page. I found an e-mail address so I have sent my request there.
>
> My previous conclusion was that findbugs on its own would be a better bet
> for finding bugs but I never got around to trying it. Sebb's e-mail has
> prompted me to download it and see what the results look like.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]