lingocoder commented on issue #642: FINERACT-724 Upgrade Spring Boot, Spring and Spring Security to their latest stable version

URL: https://github.com/apache/fineract/pull/642#issuecomment-546510522

> „...*I'm also hoping that we get a few more eyes from the community to review this - let's see*...“

This looks like a job tailor-made for [*SonarQube's Cloud-based security vulnerability analysis*](http://bit.ly/SonarSaaS). It codifies a bunch of heuristics and static analysis to give you a sort of automated *expert security analyst*. For free!

Here's an example of the sort of vulnerabilities it detects:

* [*ProcessorHelper - HostNameVerifier*](http://bit.ly/PrcHlprVer)
* [*TrustModifier - TrustHostnameVerifier*](http://bit.ly/TrstModVer)
* [*ProcessorHelper - checkServerTrusted*](http://bit.ly/PrcHlprSvr)
* [*ProcessorHelper - checkClientTrusted*](http://bit.ly/PrcHlprClnt)
* [*TrustModifier - checkServerTrusted*](http://bit.ly/TrstModSvr)
* [*TrustModifier - checkClientTrusted*](http://bit.ly/TrstModClnt)

As you probably already know: ***Whether or not the things it reports are real-world security concerns for your particular system, is your call***. SonarQube just tells you what it detects. Then you have to determine — [*out of all the different things it reports*](http://bit.ly/FnrActSecIssues) — which ones are *false positives* and which ones are actual vulnerabilities, in the particular context of your specific system.

HTH
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
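The rule names listed in the comment above (`checkServerTrusted`, `checkClientTrusted`, `HostnameVerifier`) all point at one class of Java TLS weakness: a custom `X509TrustManager` whose check methods do nothing, or a `HostnameVerifier` that returns `true` unconditionally. The block below is an added example written for this page, not code from Fineract's `ProcessorHelper` or `TrustModifier` (whose contents are not shown here) and not SonarQube's rule implementation. It shows the flagged pattern beside a hardened form that validates against an explicit truststore and leaves the JDK's default host-name check in place; the class name, method names and the truststore path/password parameters are hypothetical.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

/**
 * Hypothetical illustration (not Fineract code) of the TLS-trust pattern that
 * static analysers report under "checkServerTrusted" / "HostnameVerifier" rules,
 * next to a hardened alternative.
 */
public final class TlsTrustExamples {

    // ---- The flagged pattern -------------------------------------------------
    // Empty checkServerTrusted/checkClientTrusted bodies accept ANY certificate
    // chain, including a self-signed one presented by a man-in-the-middle.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // A verifier that always returns true disables host-name matching, so a valid
    // certificate issued for evil.example is accepted on a connection to bank.example.
    static final HostnameVerifier TRUST_ANY_HOST = (hostname, session) -> true;

    /** Installs the insecure pair process-wide: this is what the analyser warns about. */
    static void installInsecureDefaults() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_EVERYTHING }, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(TRUST_ANY_HOST);
    }

    // ---- Hardened form -------------------------------------------------------
    /**
     * Builds an SSLContext that trusts only the CA certificates in the given
     * truststore (e.g. an internal CA), using the JDK's PKIX chain validation.
     * No custom TrustManager and no custom HostnameVerifier are needed.
     */
    static SSLContext secureContext(String truststorePath, char[] truststorePassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            trustStore.load(in, truststorePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // chain building, expiry and CA constraints handled by PKIX
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /**
     * Applies the hardened context to a single connection rather than mutating
     * process-wide defaults; the default HostnameVerifier stays untouched, so the
     * certificate's subject alternative names must match the URL's host.
     */
    static HttpsURLConnection openSecure(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Usage (assumed arguments): java TlsTrustExamples /path/truststore.jks changeit https://host/
        SSLContext ctx = secureContext(args[0], args[1].toCharArray());
        HttpsURLConnection conn = openSecure(new URL(args[2]), ctx);
        System.out.println("HTTP " + conn.getResponseCode()
            + " via " + conn.getCipherSuite()
            + " peer=" + conn.getPeerPrincipal());
    }
}
```

When triaging a finding like the ones listed above, the question to settle is whether the empty `check*Trusted` body or the constant-`true` verifier can be reached on a production code path (for example, through a property that turns certificate checks off for development); if it can, it is an actual vulnerability rather than a false positive, and the truststore-based form is the usual fix.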
