So... has anyone actually run Apache RAT yet? It has a scan only mode
which I'd think would be the simplest place to start.

Personally, I'd recommend working on basic RAT scans, with the scripts
to run them and any exception rules (for known files, etc.) all checked
into SVN with the build tools for the code. But hey, it's easy for me
to suggest "we" do stuff, when I only currently have time to be a mentor
and thus can get away with just making suggestions. 8-)

I like the general concept of storing the IP type for files in SVN
properties; although properties are easy to change, Apache does have a
strong history of being able to provide oversight for commit logs
throughout a project's history.

- Shane