Hi All,

if you decide to have CVE tests made public, I would suggest one small caveat: that the fixes should be older than x number of months,

that would permit users to upgrade their systems.


Best

Paul

On 10/09/2025 14:18, Coty Sutherland wrote:
On Wed, Sep 10, 2025 at 7:23 AM Dimitris Soumis <[email protected]> wrote:

On Wed, Sep 10, 2025 at 12:15 PM Mark Thomas <[email protected]> wrote:

All,

One of the topics at the security day we held in Bratislava was adding
unit tests for CVEs once the CVEs were public.

I have just rediscovered a test case for CVE-2025-53506 sat in a git
stash that it would be good to get committed.

Before I commit anything, I was wondering how we wanted to organise
these. Options include:
- just another test in the relevant class
- dedicated CVE test classes alongside the standard test classes
- a dedicated package for CVE tests

I was thinking a new, dedicated package:

org.apache.tomcat.security

One class per year e.g.:
TestSecurity2025
TestSecurity2024
...

+1 for the dedicated package. It will be good to have CVE related tests
organised, as it will be easier to discover, maintain and enhance.
Though a possible concern of concentrating CVE tests would be that we lower
the bar for one to discover edge cases or gaps in fixes.

One (or more) tests per CVE

public void testCVE_2025_53506()
or
public void testCVE_2025_53506a()
public void testCVE_2025_53506b()
or
public void testCVE_2025_53506_01()
public void testCVE_2025_53506_02()
...

+1 testCVE_YYYY_NNNNN[_nn]()
I'm not expecting every CVE to get a test case but, where we have them,
I think it makes sense to make them known and available. This is also
something we can add to over time. I suspect there are a few existing
tests that are for known CVEs but were never marked as such.

  +1 in moving pre-existing CVE focused tests to the dedicated package.
Thoughts?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

I am already working on creating tests for CVEs that do not have a test
scenario in the commit that points to the fix.

Some extra thoughts:
1) We add the link to the fix commit of each CVE as well as to the CVE
itself in the test classes, as it is in
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.44,
for traceability.
2) Avoid over-explanatory comments in code that would make it easier for
someone to discover scenarios we haven't considered.

+1 from me to all of Dimitris' comments


Kind regards,
Dimitris

