awasum commented on issue #642: FINERACT-724 Upgrade Spring Boot, Spring and Spring Security to their latest stable version
URL: https://github.com/apache/fineract/pull/642#issuecomment-556994084

> > „..._I'm also hoping that we get a few more eyes from the community to review this - let's see_...“
>
> This looks like a job tailor-made for [_SonarQube's Cloud-based security vulnerability analysis_](http://bit.ly/SonarSaaS).
>
> It codifies a bunch of heuristics and static analysis to give you a sort of automated _expert security analyst_. For free!
>
> Here's an example of the sort of vulnerabilities it detects:
>
> * [_ProcessorHelper - HostNameVerifier_](http://bit.ly/PrcHlprVer)
> * [_TrustModifier - TrustHostnameVerifier_](http://bit.ly/TrstModVer)
> * [_ProcessorHelper - checkServerTrusted_](http://bit.ly/PrcHlprSvr)
> * [_ProcessorHelper - checkClientTrusted_](http://bit.ly/PrcHlprClnt)
> * [_TrustModifier - checkServerTrusted_](http://bit.ly/TrstModSvr)
> * [_TrustModifier - checkClientTrusted_](http://bit.ly/TrstModClnt)
>
> As you probably already know: _**Whether or not the things it reports are real-world security concerns for your particular system is your call**_. SonarQube just tells you what it detects. Then you have to determine — [_out of all the different things it reports_](http://bit.ly/FnrActSecIssues) — which ones are _false positives_ and which ones are actual vulnerabilities, in the particular context of your specific system.
>
> HTH

Looks like Apache Infra has a process to enable this: https://cwiki.apache.org/confluence/display/INFRA/SonarQube+Analysis

We might look at this in a separate PR/issue.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]

With regards,
Apache Git Services
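The detections listed in the quoted comment (a `HostnameVerifier` and `checkServerTrusted`/`checkClientTrusted` methods that SonarQube flags) correspond to a well-known Java TLS anti-pattern: a trust manager and hostname verifier that accept everything. The following is an added example written for this page, not code from Fineract's `ProcessorHelper` or `TrustModifier` classes, showing the shape of code those rules report and one hardened alternative. The trust-store path and password, and the class and method names, are assumptions made for illustration.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

/**
 * Added example (not Fineract code): the TLS-trust patterns a static analyser
 * reports as vulnerabilities, followed by a hardened form.
 */
public final class TlsTrustExample {

    // --- What the analyser flags -------------------------------------------

    /** Trust manager that accepts any chain: no certificate validation at all. */
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    /** Hostname verifier that accepts any host: a valid cert for some other domain passes. */
    static final HostnameVerifier ALLOW_ANY_HOST = (hostname, session) -> true;

    /** Vulnerable: disables chain validation and hostname matching for every HTTPS connection in the JVM. */
    static void disableTlsValidationGlobally() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_ALL }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(ALLOW_ANY_HOST);
    }

    // --- Hardened form -----------------------------------------------------

    /**
     * Builds an SSLContext that trusts only the CA certificates in a dedicated
     * trust store (for example an internal CA that signs a partner endpoint).
     * The default HostnameVerifier is left in place, so the server certificate's
     * subject alternative name must still match the host being connected to.
     */
    static SSLContext contextForTrustStore(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Applies the restricted trust to a single connection instead of the JVM-wide default. */
    static HttpsURLConnection open(String url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately no setHostnameVerifier(...) call: the default verifier does the SAN check.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths/credentials for illustration only.
        SSLContext ctx = contextForTrustStore("/etc/fineract/partner-truststore.jks", "changeit".toCharArray());
        HttpsURLConnection conn = open("https://partner.example/api/health", ctx);
        System.out.println("Negotiated: " + conn.getResponseCode());
    }
}
```

The distinction the quoted comment draws (which reports are real vulnerabilities in context) applies here: an empty `checkServerTrusted` body in a test fixture that only ever talks to a local mock server is a different risk from the same code running in the production HTTP client, so each finding has to be judged against where and how the class is actually used.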
