darakian
commented
1 month ago Hey @joshbressers, if you do some searching you'll find a previous conversation about our tomcat advisories and some were brought up and corrected. If you've got a full list the easiest (for us) thing to do would be to just open a butt load of PRs (maybe rate limit it for us). One PR per advisory though please :) Else maybe just dump the list of GHSA numbers here and I'll open an issue for us to re-review them
Hello,
I have a spreadsheet with a large number of Tomcat advisory updates (this sheet is not current with the latest Tomcat vulnerabilities) https://docs.google.com/spreadsheets/d/1b8XqUEK1PuOfTjm1jj-YSIoQa92A7uwjVfF06kd4bXg/edit?gid=0#gid=0
Many GitHub advisories for tomcat reference the package
org.apache.tomcat:tomcat, which is not an installable jar. For example https://github.com/advisories/GHSA-3p86-xgrq-m6p6Vulnerability scanners should be detecting specific components of the Tomcat project rather than the project itself, and vulnerabilities affect specific Tomcat jars, not all Tomcat jars.
There are some GitHub Tomcat advisories that do capture the specific components that a vulnerability affects https://github.com/advisories/GHSA-f4qf-m5gf-8jm8
In the spreadsheet I have identified the Tomcat component(s) affected by the given vulnerabilities in column D. Some of the vulnerabilities couldn't be figured out, or are documentation or example updates. I left them in for posterity.
I have a few questions about how to submit this large corpus of updates. I would like to work with the GitHub team to minimize friction. I'm very open to suggestions. I can submit one big PR, many small PRs. I'm happy to trickle them in if that's easier. Whatever works best for the GitHub team.