David Crayford wrote:
>It's company policy where I work to perform code scans using Synopsys
>tools such as Black Duck and Polaris. These tools scan for license
>issues, vulnerabilities, compliance etc. Polaris is so sophisticated
>it flagged a violation because it had detected I was using an SSLSocket
>without verifying the peer hostname. These scans are run in our DevOps
>pipeline every time we merge into our development branch or master.

I know YOU know this, David, but it bears stating explicitly: none of these tools would (did) detect the log4j vuln.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
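The Polaris finding quoted above concerns a Java SSLSocket opened without peer hostname verification. The following is an added illustration, not code from the original message, from Synopsys, or from David's project: it shows the weak form the scanner objects to beside the hardened form, where JSSE's "HTTPS" endpoint identification algorithm makes the handshake check the peer certificate's subject alternative names against the target host. The class name, the method names and the host passed on the command line are all assumptions for the example.

```java
import java.io.IOException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class HostnameVerifiedSocket {

    // Weak form (the kind of call a scanner like Polaris flags): the handshake
    // validates the certificate chain against the trust store, but nothing
    // checks that the certificate was actually issued for `host`. Any valid
    // certificate from a trusted CA would be accepted for any host.
    static SSLSocket connectWithoutHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        return socket;
    }

    // Hardened form: setting the endpoint identification algorithm to "HTTPS"
    // tells the default X509ExtendedTrustManager to verify the peer certificate's
    // SAN (or CN) against `host` during the handshake, so a mismatch fails the
    // connection instead of silently succeeding.
    static SSLSocket connectWithHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        // Restricting protocols is unrelated to hostname checking but is the
        // other setting such scans commonly report; shown here for completeness.
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        socket.setSSLParameters(params);

        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical usage: java HostnameVerifiedSocket example.invalid 443
        String host = args.length > 0 ? args[0] : "example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        try (SSLSocket socket = connectWithHostnameCheck(host, port)) {
            System.out.println("Verified peer: "
                    + socket.getSession().getPeerPrincipal().getName());
        }
    }
}
```

The important detail is that the parameters must be applied before startHandshake() (or before the first read or write, which triggers the handshake implicitly); setting them afterwards has no effect on a session that is already established. Code that builds its own TrustManager and passes it to SSLContext.init() must also extend X509ExtendedTrustManager rather than X509TrustManager, because only the extended variant receives the socket and therefore the endpoint identification setting.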
