I received notification that Veracode had scanned Tomcat 7.0.11 today. I thought folks would be interested in the results (committers can request an account to get access to the full details).
Of the 33 flaws reported:

- 1 was a coding error (fixed in r1085303)
- 1 unnecessary call to System.exit() (fixed in r1085323)
- 2 were related to Random/SecureRandom entropy in the Tribes UUID generator (fixed in r1085346)
- 7 were triggered by test code shipped in the JSTL 1.1 jar in the examples (will be fixed when 1.2 is released and we update)
- 22 were false positives

Overall, still a lot of false positives but now few enough that things we might actually want to change/find are relatively easy to spot.

Of the things I did change, only the first might have caused a problem for users. The rest was more clean-up.

Mark