commons-dev mailing list archives

From Matt Sicker <boa...@gmail.com>
Subject Re: [ALL] Update to commons security page
Date Tue, 15 Oct 2019 13:47:02 GMT
What we’ve been doing in Jenkins Security about this has been to request
demonstrable exploits only. Output from an automated tool is not a security
vulnerability report. Plus, these tools generally don’t understand greater
context and usage of code, so you’ll get false positives that require
someone familiar with the code base to confirm or deny. With a huge report,
that can be a huge waste of time.

On Tue, Oct 15, 2019 at 05:55, sebb <sebbaz@gmail.com> wrote:

> On Tue, 15 Oct 2019 at 11:03, Claude Warren <claude@xenei.com> wrote:
> >
> > If the style is to rely on external code to do input validation, then I
> > think that should be in the javadocs as well as on the page you mention.
>
> Perhaps I phrased it wrong.
>
> What I meant was that the code generally does what it is told to do.
>
> e.g. a delete_tree(path) method is not going to prevent you from using
> path='/'
>
> Commons cannot in general validate such parameters.
>
> > Claude
> >
> > On Tue, Oct 15, 2019 at 10:59 AM sebb <sebbaz@gmail.com> wrote:
> >
> > > It might be useful to add a note to the commons security page about
> > > automated vulnerability checkers.
> > >
> > > These tend to produce a lot of false positives and may report items
> > > which could never be a security issue (e.g. poor code style, dead
> > > code).
> > >
> > > Even if the issue is potentially a vulnerability, it often depends on
> > > the context.
> > > This is particularly true of Commons - the code generally relies on
> > > the application to do validation of input parameters.
> > >
> > > Thoughts?
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > > For additional commands, e-mail: dev-help@commons.apache.org
> > >
> > >
> >
> > --
> > I like: Like Like - The likeliest place on the web
> > <http://like-like.xenei.com>
> > LinkedIn: http://www.linkedin.com/in/claudewarren
>
--
Matt Sicker <boards@gmail.com>
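sebb's delete_tree(path) point above, worked through as an added illustration that is not Commons code and not something posted in this thread: a library-style deleteTree that does exactly what it is told, next to the application-side check that is the only place '/' (or anything outside the directory the application actually owns) can be refused. The class and method names (DeleteTreeExample, deleteTree, requireInside) are hypothetical, and the temporary directory layout is constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;

/**
 * Added example (not Commons code): a library method that deletes whatever
 * it is given, beside the application-side policy check that must run first.
 */
public class DeleteTreeExample {

    /** Library side: recursively deletes the tree it is told to delete. No policy here. */
    static void deleteTree(Path root) throws IOException {
        Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
                Files.delete(file);
                return FileVisitResult.CONTINUE;
            }

            @Override
            public FileVisitResult postVisitDirectory(Path dir, IOException exc) throws IOException {
                if (exc != null) {
                    throw exc;
                }
                Files.delete(dir);
                return FileVisitResult.CONTINUE;
            }
        });
    }

    /**
     * Application side: only the caller knows which directory it owns, so only
     * the caller can decide that '/' or anything outside that directory is off
     * limits. Symlinks and ".." are resolved before comparing, so the check
     * catches "scratch/../../etc" and symlink escapes, not just the literal "/".
     * (Hypothetical helper written for this example.)
     */
    static Path requireInside(Path allowedBase, Path requested) throws IOException {
        Path base = allowedBase.toRealPath();
        Path target = requested.toRealPath();
        // startsWith compares path components, so "/srv/app-old" is not inside "/srv/app".
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IllegalArgumentException(
                "refusing to delete " + target + ": not strictly inside " + base);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: scratch/job-1/output/result.txt
        Path base = Files.createTempDirectory("scratch");
        Path output = Files.createDirectories(base.resolve("job-1/output"));
        Files.write(output.resolve("result.txt"), "done".getBytes());

        // Inputs the application must reject before they ever reach deleteTree.
        for (Path bad : new Path[] { Paths.get("/"), base, base.resolve("job-1/../..") }) {
            try {
                requireInside(base, bad);
                System.out.println("unexpectedly accepted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }

        // A target strictly inside the owned directory is handed to the library call.
        deleteTree(requireInside(base, base.resolve("job-1")));
        System.out.println("job-1 still exists? " + Files.exists(base.resolve("job-1")));
        Files.delete(base);
    }
}
```

The split is the point of sebb's remark: deleteTree has no way to know that '/' is a bad argument, while requireInside knows the application's own base directory and can refuse everything else. toRealPath throws for a path that does not exist, which is acceptable here because there is nothing to delete in that case anyway.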
