https://bz.apache.org/bugzilla/show_bug.cgi?id=62582
Mark Thomas <ma...@apache.org> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |RESOLVED
         Resolution|---     |WONTFIX

--- Comment #5 from Mark Thomas <ma...@apache.org> ---
The Tomcat dependencies fall into one of the following categories:

- Test only dependencies where vulnerabilities are not considered a threat
- Compile only dependencies where vulnerabilities are not considered a threat
- Dependencies on other ASF projects where Tomcat receives notice of any vulnerabilities before they are public and hence before the OWASP tool can report them
- External dependencies that are not covered by the OWASP tool (e.g. NSIS)
- External dependencies where the ability to exploit means an attacker already has a simpler route to exploit (e.g. ECJ)

There are no Tomcat dependencies where the use of the OWASP tool would provide additional / earlier notice of a genuine threat. Hence there is no benefit to the Tomcat project of deploying this tool.