Posted to users@wicket.apache.org by Eric Gulatee <eg...@osc.ny.gov> on 2019/03/12 14:36:38 UTC

Apache Wicket & Static Analysis Security Testing

Hello Wicketeers,

Does anyone know if there are any SAST (Static Analysis Security Testing) tools (Commercial or OpenSource) that support Apache Wicket?
https://www.owasp.org/index.php/Source_Code_Analysis_Tools

Is there value in adopting a SAST tool if it doesn’t explicitly support the Apache Wicket framework?

--
Cheers,

Eric Gulatee
NYS OSC AppDev Enterprise Architect  [Garnet River & Abilis]




Re: Apache Wicket & Static Analysis Security Testing

Posted by Martin Spielmann <ma...@martinspielmann.de>.
Hi,

I would also always go for static code analysis if you have the possibility. Using SonarQube I never had any Wicket related issues in the past.
I can remember one rule (from the default java ruleset) that had to be customized because it identified the use of anonymous inner classes as bad behavior. However, this is pretty common with Wicket. 
Everything else works just fine with the defaults.

Best regards, 
Martin


On 12 March 2019 at 17:37:24 CET, lukas@k40s.net wrote:
>Hi,
>
>I use the FindBugs (SpotBugs) plugin for IntelliJ to scan for
>vulnerabilities. It's actually not made for security bugs but there is a
>plugin (FindSecBugs) with a focus on that.
>
>In any case I'd say that it makes sense to use static code analyzers 
>whenever possible.
>Most of the found bugs will be Java related anyways.
>
>Regards
>
>Lukas Fülling
>
>On 2019-03-12 15:36, Eric Gulatee wrote:
>> Hello Wicketeers,
>> 
>> Does anyone know if there are any SAST (Static Analysis Security
>> Testing) tools (Commercial or OpenSource) that support Apache Wicket?
>> https://www.owasp.org/index.php/Source_Code_Analysis_Tools
>> 
>> Is there value in adopting a SAST tool if it doesn’t explicitly
>> support the Apache Wicket framework?
>> 
>> --
>> Cheers,
>> 
>> Eric Gulatee
>> NYS OSC AppDev Enterprise Architect  [Garnet River & Abilis]
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>For additional commands, e-mail: users-help@wicket.apache.org

-- 
This message was sent from my Android device with K-9 Mail.

Re: Apache Wicket & Static Analysis Security Testing

Posted by lu...@k40s.net.
Hi,

I use the FindBugs (SpotBugs) plugin for IntelliJ to scan for 
vulnerabilities. It's actually not made for security bugs but there is a 
plugin (FindSecBugs) with a focus on that.

In any case I'd say that it makes sense to use static code analyzers 
whenever possible.
Most of the found bugs will be Java related anyways.

Regards

Lukas Fülling

On 2019-03-12 15:36, Eric Gulatee wrote:
> Hello Wicketeers,
> 
> Does anyone know if there are any SAST (Static Analysis Security
> Testing) tools (Commercial or OpenSource) that support Apache Wicket?
> https://www.owasp.org/index.php/Source_Code_Analysis_Tools
> 
> Is there value in adopting a SAST tool if it doesn’t explicitly
> support the Apache Wicket framework?
> 
> --
> Cheers,
> 
> Eric Gulatee
> NYS OSC AppDev Enterprise Architect  [Garnet River & Abilis]

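Wiring the SpotBugs + FindSecBugs combination Lukas mentions into a Maven build, as an added example that is not from the thread or the Wicket project; the plugin coordinates are the real ones, while the version strings are placeholders to fill in from Maven Central.

```xml
<!-- Added example: run SpotBugs with the FindSecBugs detector pack on every
     `mvn verify`, so the security scan is a build gate rather than an IDE-only
     check. Version values are PLACEHOLDERS; pick current releases. -->
<properties>
  <spotbugs.plugin.version>SPOTBUGS_PLUGIN_VERSION</spotbugs.plugin.version>
  <findsecbugs.version>FINDSECBUGS_VERSION</findsecbugs.version>
</properties>

<build>
  <plugins>
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <version>${spotbugs.plugin.version}</version>
      <configuration>
        <!-- Max effort and Low threshold: report every finding, including
             lower-confidence ones, and triage afterwards. -->
        <effort>Max</effort>
        <threshold>Low</threshold>
        <!-- Fail the build on findings so the gate cannot be skipped silently. -->
        <failOnError>true</failOnError>
        <!-- FindSecBugs is loaded as a detector plugin of SpotBugs; this is
             what turns the general-purpose bug finder into a security scanner. -->
        <plugins>
          <plugin>
            <groupId>com.h3xstream.findsecbugs</groupId>
            <artifactId>findsecbugs-plugin</artifactId>
            <version>${findsecbugs.version}</version>
          </plugin>
        </plugins>
      </configuration>
      <executions>
        <execution>
          <!-- `check` runs the analysis and fails on reported bugs. -->
          <goals>
            <goal>check</goal>
          </goals>
          <phase>verify</phase>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Because the detectors work on compiled bytecode, the findings are the Java-level issues (injection sinks, weak crypto, unsafe deserialization) the thread expects, independent of whether the tool knows Wicket's component model.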


Re: Apache Wicket & Static Analysis Security Testing

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

I am not aware of any such tool that has special rules for Wicket classes.
Anyway, I think static analysis tools are still useful!

On Tue, Mar 12, 2019 at 4:36 PM Eric Gulatee <eg...@osc.ny.gov> wrote:

> Hello Wicketeers,
>
> Does anyone know if there are any SAST (Static Analysis Security Testing)
> tools (Commercial or OpenSource) that support Apache Wicket?
> https://www.owasp.org/index.php/Source_Code_Analysis_Tools
>
> Is there value in adopting a SAST tool if it doesn’t explicitly support
> the Apache Wicket framework?
>
> --
> Cheers,
>
> Eric Gulatee
> NYS OSC AppDev Enterprise Architect  [Garnet River & Abilis]