On 13/05/2026 12:56, Mark Thomas wrote:
> On 13/05/2026 12:53, Rémy Maucherat wrote:
>> On Wed, May 13, 2026 at 12:46 PM Mark Thomas <[email protected]> wrote:
>>> On 13/05/2026 09:53, Mark Thomas wrote:
>>>> On 12/05/2026 21:45, Rémy Maucherat wrote:
>>>>> On Tue, May 12, 2026 at 6:07 PM Mark Thomas <[email protected]> wrote:
>>>>>> <snip/>
>>>>>> Given this change in circumstances, I think it is worth reconsidering
>>>>>> how we approach security vulnerabilities and releases.
>>>>>> <snip/>
>>>>>> - Run some (which?) AI security scans on the Tomcat code base to
>>>>>>   try to get ahead (unlikely) but at least keep up with anything an
>>>>>>   attacker could find.
>>>>>
>>>>> I plan to do that (sorry, I started with the javadoc instead ...). It
>>>>> is important to do it all the time, as soon as a more "capable" model
>>>>> is released (I'm not sure it is really more capable, but since they're
>>>>> all quite different they might catch different issues).
>>>>
>>>> I'll see what I can enable in GitHub.
>>>
>>> We have 111 issues found by CodeQL. They all look to be false positives.
>>> I am going to start working through the list and resolving them as such.
>>
>> Quick look. Ok. Is it possible to not run these tools on the "test"
>> folder?
>
> Possibly - if we manually tweak the configuration. I'll take a look.

There were only a few issues reported against the tests so I dismissed
them. At least the GitHub UI supports dismissing in bulk.

A few places where I added logging / made existing logging clearer that
the configuration was less than ideal from a security PoV. Other than
that, all false positives and no real issues. I'm going to try turning
up the sensitivity next.

Mark
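The two configuration changes discussed in the thread, keeping CodeQL out of the "test" folder and "turning up the sensitivity", are both done through the code-scanning config file that the `github/codeql-action/init` step reads. The file below is an added example, not Tomcat's own configuration; the file path, the config `name`, and the assumption that the test sources live directly under `test` at the repository root are mine.

```yaml
# .github/codeql/codeql-config.yml (assumed path; it is whatever the
# workflow's init step points at with `config-file:`).
# Added example, not the Tomcat project's configuration.
name: "CodeQL config with test sources excluded"

# Keep findings in test code out of the alert list.
# Caveat for a Java code base: for compiled languages CodeQL extracts
# whatever the build compiles, so paths-ignore does not stop the tests
# from being analysed; it filters the results that are reported. That is
# enough to keep them out of the alert list, which is what was asked for.
paths-ignore:
  - test            # directory name taken from the thread; location assumed

# "Turning up the sensitivity": the default suite favours precision.
# security-extended adds lower-precision security queries on top of it;
# security-and-quality would add maintainability queries as well.
# Expect more alerts, and expect more of them to be false positives that
# need the same triage the first 111 got.
queries:
  - uses: security-extended
```

The workflow references it from the analysis init step, e.g. `with: config-file: ./.github/codeql/codeql-config.yml` on `uses: github/codeql-action/init@v3`. Because `paths-ignore` filters results rather than extraction for Java, an alternative when the tests must not be analysed at all is to build only the main sources in the workflow's build step; the config-file approach is the smaller change and matches "manually tweak the configuration" above.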