All,
One of the topics at the security day we held in Bratislava was adding
unit tests for CVEs once the CVEs were public.
I have just rediscovered a test case for CVE-2025-53506 sitting in a git
stash that it would be good to get committed.
Before I commit anything, I was wondering how we wanted to organise
these. Options include:
- just another test in the relevant class
- dedicated CVE test classes alongside the standard test classes
- a dedicated package for CVE tests
I was thinking a new, dedicated package:
org.apache.tomcat.security
One class per year e.g.:
TestSecurity2025
TestSecurity2024
...
One (or more) tests per CVE:
public void testCVE_2025_53506()
or
public void testCVE_2025_53506a()
public void testCVE_2025_53506b()
or
public void testCVE_2025_53506_01()
public void testCVE_2025_53506_02()
...
I'm not expecting every CVE to get a test case but, where we have them,
I think it makes sense to make them known and available. This is also
something we can add to over time. I suspect there are a few existing
tests that are for known CVEs but were never marked as such.
Thoughts?
Mark