On Wed, May 13, 2026 at 12:46 PM Mark Thomas <[email protected]> wrote:
>
> On 13/05/2026 09:53, Mark Thomas wrote:
> > On 12/05/2026 21:45, Rémy Maucherat wrote:
> >> On Tue, May 12, 2026 at 6:07 PM Mark Thomas <[email protected]> wrote:
> >
> > <snip/>
> >
> >>> Given this change in circumstances, I think it is worth reconsidering
> >>> how we approach security vulnerabilities and releases.
> >
> > <snip/>
> >
> >>> - Run some (which?) AI security scans on the Tomcat code base to try to get
> >>>   ahead (unlikely) but at least keep up with anything an attacker could
> >>>   find.
> >>
> >> I plan to do that (sorry, I started with the javadoc instead ...). It
> >> is important to do it all the time, as soon as a more "capable" model
> >> is released (I'm not sure it is really more capable, but since they're
> >> all quite different they might catch different issues).
> >
> > I'll see what I can enable in GitHub.
>
> We have 111 issues found by CodeQL. They all look to be false positives.
> I am going to start working through the list and resolving them as such.
Quick look. Ok. Is it possible to not run these tools on the "test" folder?

Rémy
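As an added illustration of the question above (example configuration, not from the thread or the Tomcat project): a GitHub code scanning workflow fragment that passes CodeQL an inline configuration excluding the test folder. The workflow file name, the `java-kotlin` language choice and the action versions are assumptions; the "test" folder name is the one named in the thread.

```yaml
# Fragment of .github/workflows/codeql.yml (file name is an assumption).
# The inline config drops alerts whose location is under test/.
# Note for a compiled language such as Java: CodeQL still builds and
# extracts the whole tree; paths-ignore filters the reported alerts
# rather than what gets compiled.
steps:
  - uses: actions/checkout@v4

  - uses: github/codeql-action/init@v3
    with:
      languages: java-kotlin
      # Inline configuration; equivalent to a separate codeql-config.yml
      # referenced through the config-file input.
      config: |
        paths-ignore:
          - test

  - uses: github/codeql-action/autobuild@v3

  - uses: github/codeql-action/analyze@v3
```

Existing alerts already raised on test code are not retroactively removed by this change; they still need to be dismissed in the code scanning UI, which is the "resolving them as such" step mentioned earlier in the thread.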
