On Wed, Sep 13, 2023 at 12:53 PM Mark Thomas <ma...@apache.org> wrote:
>
> On 13/09/2023 11:18, ma...@apache.org wrote:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > markt pushed a commit to branch main
> > in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >
> > commit a78ed4a68522203def8f0c6b590678b1ff069fc0
> > Author: Mark Thomas <ma...@apache.org>
> > AuthorDate: Wed Sep 13 11:16:49 2023 +0100
> >
> >      Experimenting with Semgrep
> >
> >      Semgrep have offered Tomcat free access to the tool so I am setting it
> >      up to see if it is useful or not.
>
> The initial results are in. Just under 300 findings and they pretty much
> all look to be some degree of false positive. There are a few things
> (such as Javadoc links using http rather than https) that we might want
> to look at but nothing I can see that comes close to something we'd
> consider to be a vulnerability.
>
> I have noticed that the tool isn't good at understanding context. It
> looks like it is just using a form of grep to look for patterns as it
> can't distinguish between SomeOtherObject.setSecure() and Cookie.setSecure().
>
> I am currently wondering whether the low value results are worth the
> time it will take to review and dismiss the false positives. Maybe. But
> I have a long list of things I'd consider more important to do first.
>
> If any other committer wants access to the dashboard just ping me a
> private email and I'll get you added.

I looked at the Semgrep output from the GH runs and it seems like a
waste of resources in the context of Tomcat (does the ASF pay for the
GH workflows?).

Basically, it doesn't like:
- Path traversal stuff.
- Cookies.
- Class.forName.
- URL rewriting with session ids.

Overall those are very good pieces of advice for apps, but they don't
apply to Tomcat.

Can we drop it?

I see Coverity might be used with GH instead. I like the output of
that one, although in a few cases I would say it is a bit too good.
https://community.synopsys.com/s/article/Coverity-Integrations-GitHub-with-GitHub-Hosted-Runners
Would that work? I'm really bad at GH stuff...

Rémy
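Added illustration of the context problem Mark describes above (the tool not telling Cookie.setSecure() apart from an unrelated setSecure()); this is not code from the thread or from the Tomcat project. It shows a grep-style Semgrep rule next to one that uses a typed metavariable so the receiver must actually be a Cookie. The rule ids and message strings are made up, the `jakarta.servlet.http.Cookie` type is assumed because Tomcat's main branch uses the Jakarta namespace, and whether the typed form matches a given call depends on Semgrep being able to infer the receiver's type (for example a local variable or parameter declared as `Cookie`).

```yaml
# Added example, not part of the mailing-list thread or of Tomcat.
# Two Semgrep rules for the setSecure() case discussed above. Rule ids and
# messages are invented; "(Type $VAR)" is Semgrep's typed-metavariable
# syntax for Java. Tomcat main uses the jakarta.servlet namespace (assumed).
rules:
  # 1. Grep-style pattern: any receiver matches, so a call like
  #    someOtherObject.setSecure(false) on an unrelated class is reported too.
  #    This is the kind of rule that produces the false positives discussed.
  - id: setsecure-false-untyped-example
    languages: [java]
    severity: INFO
    message: setSecure(false) called (untyped match; may hit unrelated classes)
    pattern: $RECEIVER.setSecure(false)

  # 2. Typed metavariable: the receiver must be known to be a Cookie, so
  #    setSecure() methods on other classes no longer match. Matching relies
  #    on Semgrep inferring the receiver's type from its declaration.
  - id: cookie-setsecure-false-typed-example
    languages: [java]
    severity: WARNING
    message: Cookie.setSecure(false) allows the cookie to be sent over plain HTTP
    pattern: (jakarta.servlet.http.Cookie $COOKIE).setSecure(false)
```

Running `semgrep --config rules.yaml src/` against a small Java file with one `Cookie c = ...; c.setSecure(false);` and one `other.setSecure(false);` on an unrelated class should report both calls under the first rule and only the Cookie call under the second, which is the distinction the thread says the default ruleset did not make.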
