https://bz.apache.org/bugzilla/show_bug.cgi?id=62582
--- Comment #2 from Mark Thomas <ma...@apache.org> ---

I'm not convinced of the value of this for the Tomcat builds. Which dependencies are we expecting it to catch problems in?

Vulnerabilities in compile-only dependencies are not a concern.

Vulnerabilities in test-only dependencies (e.g. JUnit) are not a concern.

Vulnerabilities in other Apache libraries we'll know about as soon as they are reported and way before this tool does (including those we pull in via svn/git that this tool won't be able to catch).

Vulnerabilities in ECJ - not a concern, as a malicious JSP would be required to exploit it, and if an attacker can insert a malicious JSP there are much simpler attacks.

Vulnerabilities in NSIS - not distributed as a JAR, so it does not appear to be covered by this tool.

I'll note that the SRC:CLR trial the ASF ran showed that only in about 10% of cases (on average across a wide range of Java-based projects at the ASF, including Tomcat) did a vulnerability in a dependency result in a vulnerability in the dependent project.