Hello,
I have a spreadsheet with a large number of Tomcat advisory updates (this sheet is not current with the latest Tomcat vulnerabilities):
https://docs.google.com/spreadsheets/d/1b8XqUEK1PuOfTjm1jj-YSIoQa92A7uwjVfF06kd4bXg/edit?gid=0#gid=0
Many GitHub advisories for tomcat reference the package org.apache.tomcat:tomcat, which is not an installable jar. For example, GHSA-3p86-xgrq-m6p6.
Vulnerability scanners should be detecting specific components of the Tomcat project rather than the project itself, and vulnerabilities affect specific Tomcat jars, not all Tomcat jars.
There are some GitHub Tomcat advisories that do capture the specific components that a vulnerability affects, e.g. GHSA-f4qf-m5gf-8jm8.
In the spreadsheet I have identified the Tomcat component(s) affected by the given vulnerabilities in column D. Some of the vulnerabilities couldn't be figured out, or are documentation or example updates. I left them in for posterity.
I have a few questions about how to submit this large corpus of updates. I would like to work with the GitHub team to minimize friction. I'm very open to suggestions. I can submit one big PR, or many small PRs. I'm happy to trickle them in if that's easier. Whatever works best for the GitHub team.
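The defect described in the issue above (an advisory whose Maven "affected" entry names the aggregate org.apache.tomcat:tomcat coordinate rather than a component jar) can be caught mechanically before a PR is opened. The following lint is an added example, not code from the issue author or from the advisory-database project; it assumes advisories in the OSV JSON shape that GitHub advisories use, and the sample records are constructed, not real GHSA entries.

```python
import json

# Maven coordinates the issue identifies as not being installable jars:
# org.apache.tomcat:tomcat is the project's aggregate artifact, so matching on
# it either misses the real jar or flags every Tomcat jar in a build.
NON_INSTALLABLE_MAVEN = {"org.apache.tomcat:tomcat"}


def affected_maven_names(advisory: dict) -> list[str]:
    """Return the Maven package names listed in an OSV-format advisory."""
    return [
        entry["package"]["name"]
        for entry in advisory.get("affected", [])
        if entry.get("package", {}).get("ecosystem") == "Maven"
    ]


def lint_advisory(advisory: dict) -> list[str]:
    """Flag Maven 'affected' entries that name an aggregate, non-installable artifact."""
    advisory_id = advisory.get("id", "<no id>")
    return [
        f"{advisory_id}: affected package {name!r} is not an installable jar; "
        "name the specific Tomcat component jar(s) instead"
        for name in affected_maven_names(advisory)
        if name in NON_INSTALLABLE_MAVEN
    ]


# Constructed sample advisories in OSV shape (placeholder ids, not real GHSA records).
BAD_ADVISORY = json.loads("""{
  "id": "GHSA-xxxx-xxxx-xxx1",
  "affected": [{"package": {"ecosystem": "Maven", "name": "org.apache.tomcat:tomcat"},
                "ranges": [{"type": "ECOSYSTEM",
                            "events": [{"introduced": "0"}, {"fixed": "9.0.0"}]}]}]
}""")

GOOD_ADVISORY = json.loads("""{
  "id": "GHSA-xxxx-xxxx-xxx2",
  "affected": [{"package": {"ecosystem": "Maven",
                            "name": "org.apache.tomcat.embed:tomcat-embed-core"},
                "ranges": [{"type": "ECOSYSTEM",
                            "events": [{"introduced": "0"}, {"fixed": "9.0.0"}]}]}]
}""")

if __name__ == "__main__":
    for adv in (BAD_ADVISORY, GOOD_ADVISORY):
        for finding in lint_advisory(adv):
            print(finding)
```

Run over a directory of advisory JSON files, this produces the list of GHSA ids that still reference the aggregate coordinate, which is the list the maintainer asks for below.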
Hey @joshbressers, if you do some searching you'll find a previous conversation about our tomcat advisories and some were brought up and corrected. If you've got a full list the easiest (for us) thing to do would be to just open a butt load of PRs (maybe rate limit it for us). One PR per advisory though please :)
Else maybe just dump the list of GHSA numbers here and I'll open an issue for us to re-review them