Not only that. Many of the vulnerabilities are zero day. This means that they were not known at the time you packed your product. LOG4J is a great example of a 0D. As such, as Phil mentioned, they will not be discovered by any tool you have.
ITschak Mugzach | IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM i | z/VM coming soon

On Fri, Jan 28, 2022 at 6:53 PM Phil Smith III <li...@akphs.com> wrote:

> David Crayford wrote:
>
> > It's company policy where I work to perform code scans using Synopsys
> > tools such as Black Duck and Polaris. These tools scan for license
> > issues, vulnerabilities, compliance etc. Polaris is so sophisticated
> > it flagged a violation because it had detected I was using an SSLSocket
> > without verifying the peer hostname. These scans are run in our DevOps
> > pipeline every time we merge into our development branch or master.
>
> I know YOU know this, David, but it bears stating explicitly: none of these
> tools would (did) detect the log4j vuln.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------