On Tue, Oct 15, 2019 at 9:47 AM Matt Sicker <boa...@gmail.com> wrote:
> What we’ve been doing in Jenkins Security about this has been to request
> demonstrable exploits only.

That sounds good but it should not be a requirement. Something might just be plain wrong.

I do agree that most of these tools turn up far too many false positives.

Gary

> Output from an automated tool is not a security
> vulnerability report. Plus, these tools generally don’t understand greater
> context and usage of code, so you’ll get false positives that require
> someone familiar with the code base to confirm or deny. With a huge report,
> that can be a huge waste of time.
>
> On Tue, Oct 15, 2019 at 05:55, sebb <seb...@gmail.com> wrote:
>
> > On Tue, 15 Oct 2019 at 11:03, Claude Warren <cla...@xenei.com> wrote:
> > >
> > > If the style is to rely on external code to do input validation, then I
> > > think that should be in the javadocs as well as on the page you mention.
> >
> > Perhaps I phrased it wrong.
> >
> > What I meant was that the code generally does what it is told to do.
> >
> > e.g. a delete_tree(path) method is not going to prevent you from using
> > path='/'
> >
> > Commons cannot in general validate such parameters.
> >
> > > Claude
> > >
> > > On Tue, Oct 15, 2019 at 10:59 AM sebb <seb...@gmail.com> wrote:
> > >
> > > > It might be useful to add a note to the commons security page about
> > > > automated vulnerability checkers.
> > > >
> > > > These tend to produce a lot of false positives and may report items
> > > > which could never be a security issue (e.g. poor code style, dead
> > > > code).
> > > >
> > > > Even if the issue is potentially a vulnerability, it often depends on
> > > > the context.
> > > > This is particularly true of Commons - the code generally relies on
> > > > the application to do validation of input parameters.
> > > >
> > > > Thoughts?
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > > > For additional commands, e-mail: dev-h...@commons.apache.org
> > >
> > > --
> > > I like: Like Like - The likeliest place on the web
> > > <http://like-like.xenei.com>
> > > LinkedIn: http://www.linkedin.com/in/claudewarren
>
> --
> Matt Sicker <boa...@gmail.com>
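The thread's delete_tree(path) point, shown as an added Java example that is not from the mailing list or from any Commons component: the library-style routine does exactly what it is told, so the check that refuses path='/' (and anything outside a directory the application owns) has to live in the caller. The class name, the deleteTree method and the "allowed root" policy are this example's own assumptions, standing in for whatever recursive-delete routine the application actually calls.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Comparator;
import java.util.stream.Stream;

/**
 * Application-side guard around a destructive tree delete (added example).
 * The delete itself validates nothing; the policy is entirely in validateTarget().
 */
public final class SafeDeleteExample {

    private final Path allowedRoot;

    public SafeDeleteExample(Path allowedRoot) throws IOException {
        // toRealPath() resolves symlinks and ".." so the later prefix comparison is meaningful
        this.allowedRoot = allowedRoot.toRealPath();
    }

    /** Resolve the caller-supplied string and reject anything the application must not delete. */
    public Path validateTarget(String userSupplied) throws IOException {
        Path candidate = Paths.get(userSupplied).toRealPath();
        // A filesystem root such as "/" is refused outright, whatever allowedRoot is
        if (candidate.getParent() == null) {
            throw new IllegalArgumentException("refusing to delete a filesystem root: " + candidate);
        }
        // Refuse the allowed tree itself and anything that escapes it
        if (candidate.equals(allowedRoot) || !candidate.startsWith(allowedRoot)) {
            throw new IllegalArgumentException("refusing to delete outside " + allowedRoot + ": " + candidate);
        }
        return candidate;
    }

    /** Stand-in for a library delete_tree(path): removes the tree depth-first, asking no questions. */
    public void deleteTree(String userSupplied) throws IOException {
        Path target = validateTarget(userSupplied);
        try (Stream<Path> walk = Files.walk(target)) {
            walk.sorted(Comparator.reverseOrder()).forEach(p -> {
                try {
                    Files.delete(p);
                } catch (IOException e) {
                    throw new UncheckedIOException(e);
                }
            });
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout under a temp directory; nothing outside it is touched
        Path base = Files.createTempDirectory("safe-delete-demo");
        Path scratch = Files.createDirectories(base.resolve("work/scratch"));
        Files.writeString(scratch.resolve("a.txt"), "constructed sample");

        SafeDeleteExample guard = new SafeDeleteExample(base);
        guard.deleteTree(scratch.toString()); // inside the allowed tree: deleted
        System.out.println("deleted scratch: " + !Files.exists(scratch));

        String[] rejected = { "/", base.toString(), base.resolve("..").toString() };
        for (String bad : rejected) {
            try {
                guard.deleteTree(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        Files.delete(base); // clean up the now-empty demo directory
    }
}
```

Compile and run with a Java 11 or later JDK (Files.writeString needs 11). The point mirrored from the discussion is the split of responsibility: a scanner flagging deleteTree() for "unvalidated path" is reporting the caller's job, and the meaningful fix is the validateTarget() policy in the application, not a change to the routine that does the deleting.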