Mark Thomas wrote:
> Jim Manico wrote:
> > The Fortify Opensource project automatically scans the Tomcat codebase
> > on a regular basis.
> > This probably only gives you 10% security coverage at best, but it's a
> > free report from a $50k tool.
> > http://opensource.fortifysoftware.com
> A great example of why I don't have much faith (hope for the future
> yes - faith for the current crop no) in these tools. In summary:
> - they are looking at 4.1.10, 5.5.20 and 6.?
> - I don't know which TC6 version they analysed (but I suspect it is
> quite old) since they never responded to my requests to add me to that
> project and I lost interest
> - there are so many false positives I got fed up looking at them
> - the bug reporting is way too clunky compared to just using Eclipse or
> any other decent IDE
> - it missed most (all if I recall correctly - I don't have the time or
> inclination to check) of the XSS issues we know were in 4.1.10 onwards
Mark,
if I got you and Jim correctly, the free service provided by Coverity is
almost worthless because the positive to false positive rate is awfully
bad?
From your point of view this tool isn't worth $50k?
I thought the tools are directly given to the projects. If they do not
tell you what they have scanned, it's pretty superfluous to me.
Thanks
--
<NO> OOXML - Say NO To Microsoft Office broken standard
http://www.noooxml.org