It might be useful to add a note to the commons security page about automated vulnerability checkers.
These tend to produce a lot of false positives and may report items which could never be a security issue (e.g. poor code style, dead code). Even if the issue is potentially a vulnerability, it often depends on the context. This is particularly true of Commons - the code generally relies on the application to do validation of input parameters.

Thoughts?