https://bz.apache.org/bugzilla/show_bug.cgi?id=62582
--- Comment #3 from ABakerIII <alb...@protonmail.com> ---

Mark Thomas: I have seen several-year-old, known vulnerabilities in many open source projects. Many of those could be detected by OWASP D.C. and culled. I have seen new exploitation mechanisms be used that find newly discovered vulnerabilities in old legacy jars.

Christopher Schultz: On frequency of running the report. It depends on the rate of change of the project (how many new libraries are added per week/month), and the rate of new vulnerability discovery in the set of existing libraries per week/month, to determine how often the report should be run, and read. In new systems, when 5-10 libs are being added daily, the report should be run nightly. In Tomcat ??? Start with weekly? If after a while there are more than four weeks that go by without a true positive, perhaps monthly is OK.

IMO, it's a fallacy to complain about a small performance hit once per week compared to the number of instances of sites that get broken into, PII stolen, money stolen, and other nefarious things that bad actors could do. It's a faraway issue until it happens to you or someone close to you. Also it is common for these open source systems to be used in critical infrastructure, banking, gov, military. A once-weekly performance penalty is a small price.