On 26/06/2024 16:30, Rémy Maucherat wrote:
On Wed, Sep 13, 2023 at 12:53 PM Mark Thomas <ma...@apache.org> wrote:

On 13/09/2023 11:18, ma...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit a78ed4a68522203def8f0c6b590678b1ff069fc0
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Sep 13 11:16:49 2023 +0100

      Experimenting with Semgrep

      Semgrep have offered Tomcat free access to the tool so I am setting it
      up to see if it is useful or not.

The initial results are in. Just under 300 findings and they pretty much
all look to be some degree of false positive. There are a few things
(such as Javadoc links using http rather than https) that we might want
to look at but nothing I can see that comes close to something we'd
consider to be a vulnerability.

I have noticed that the tool isn't good at understanding context. It
looks like it is just using a form of grep to look for patterns as it
can't distinguish between SomeOtherObject.setSecure() and Cookie.setSecure().

I am currently wondering whether the low value results are worth the
time it will take to review and dismiss the false positives. Maybe. But
I have a long list of things I'd consider more important to do first.

If any other committer wants access to the dashboard just ping me a
private email and I'll get you added.

I looked at the Semgrep output from the GH runs and it seems like a
waste of resources in the context of Tomcat (does the ASF pay for the
GH workflows?).

Basically, it doesn't like:
- Path traversal stuff.
- Cookies.
- Class.forName.
- URL rewriting with session ids.

Overall those are very good pieces of advice for apps, but they don't
apply to Tomcat.

Can we drop it?

+1

I see Coverity might be used with GH instead. I like the output of
that one, although in a few cases I would say it is a bit too good.
https://community.synopsys.com/s/article/Coverity-Integrations-GitHub-with-GitHub-Hosted-Runners
Would that work? I'm really bad at GH stuff...

Not sure. That seems to be discussing a private Coverity instance rather than the one we use.

Mark
