That's really cool, Mark.  I'm glad you're doing this.

I know we all have our doubts about scanning tools like this.  But my
main issue with them is always so many false positives that it feels
hopeless.  You seem to have fixed that.

Thanks,

Yoav




On Fri, Mar 25, 2011 at 8:22 AM, Mark Thomas <ma...@apache.org> wrote:
> I received notification that Veracode had scanned Tomcat 7.0.11 today. I
> thought folks would be interested in the results (committers can request
> an account to get access to the full details).
>
> Of the 33 flaws reported:
> - 1 was a coding error (fixed in r1085303)
> - 1 unnecessary call to System.exit() (fixed in r1085323)
> - 2 were related to Random/SecureRandom entropy in the Tribes UUID
> generator (fixed in r1085346)
> - 7 were triggered by test code shipped in the JSTL 1.1 jar in the
> examples (will be fixed when 1.2 is released and we update)
> - 22 were false positives
>
> Overall, still a lot of false positives but now few enough that things
> we might actually want to change/find are relatively easy to spot. Of
> the things I did change, only the first might have caused a problem for
> users. The rest was more clean-up.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>

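Added example, not Tomcat or Tribes code: the Random/SecureRandom entropy finding above is the one class of flaw a scanner like this reports reliably, and the point is worth seeing in code. This is a self-contained Java illustration of why a UUID generator built on java.util.Random is a problem and what the SecureRandom replacement looks like; the seed value, class and method names are assumptions made up for the demonstration, not taken from r1085346.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Random;
import java.util.UUID;

public class UuidEntropyDemo {

    // Weak form: java.util.Random is a 48-bit linear congruential generator.
    // Anyone who learns or guesses the seed (a startup timestamp, for instance)
    // can reproduce every identifier it will ever emit. Even the no-arg
    // constructor only gives 48 bits of state, which can be recovered from two
    // consecutive outputs.
    static UUID uuidFromWeakRandom(long seed) {
        Random rnd = new Random(seed);
        byte[] b = new byte[16];
        rnd.nextBytes(b);
        return fromBytes(b);
    }

    // Hardened form: SecureRandom draws from the platform CSPRNG. No seed is
    // chosen by the caller, so there is no guessable value to replay from.
    private static final SecureRandom SECURE = new SecureRandom();

    static UUID uuidFromSecureRandom() {
        byte[] b = new byte[16];
        SECURE.nextBytes(b);
        return fromBytes(b);
    }

    // Stamp the RFC 4122 version-4 and variant bits, then assemble the UUID.
    private static UUID fromBytes(byte[] b) {
        b[6] = (byte) ((b[6] & 0x0f) | 0x40);
        b[8] = (byte) ((b[8] & 0x3f) | 0x80);
        ByteBuffer bb = ByteBuffer.wrap(b);
        return new UUID(bb.getLong(), bb.getLong());
    }

    public static void main(String[] args) {
        // Hypothetical scenario: the generator was seeded from the process start
        // time, which an attacker knows to within a few seconds. A second
        // generator with the same seed yields the identical "unique" ID.
        long guessedSeed = 1300000000000L; // constructed value, not a real capture
        UUID victim = uuidFromWeakRandom(guessedSeed);
        UUID attacker = uuidFromWeakRandom(guessedSeed);
        System.out.println("java.util.Random, same seed, equal: " + victim.equals(attacker));

        UUID a = uuidFromSecureRandom();
        UUID b = uuidFromSecureRandom();
        System.out.println("SecureRandom, two draws, equal: " + a.equals(b));
        System.out.println("version=" + a.version() + " variant=" + a.variant());
    }
}
```

Compile and run with `javac UuidEntropyDemo.java && java UuidEntropyDemo`. The first line prints `true`, which is the whole finding: a seeded java.util.Random is a deterministic function of its seed, so identifiers meant to be unguessable are not. The SecureRandom draws differ, and both carry version 4 and variant 2, so callers that inspect those bits keep working after the swap. One caveat for the hardened form: the first `new SecureRandom()` on a server can block on /dev/random-backed providers until enough entropy is available, so construct it once at startup rather than per request.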