From Martin Spielmann <m...@martinspielmann.de>
Subject Re: Apache Wicket & Static Analysis Security Testing
Date Tue, 12 Mar 2019 20:24:58 GMT
Hi,

I would also always go for static code analysis if you have the possibility. Using SonarQube
I never had any Wicket-related issues in the past.
I can remember one rule (from the default Java ruleset) that had to be customized because
it identified the use of anonymous inner classes as bad behavior. However, this is pretty
common with Wicket.
Everything else works just fine with the defaults.

Best regards, 
Martin


On 12 March 2019 17:37:24 CET, lukas@k40s.net wrote:
>Hi,
>
>I use the FindBugs (SpotBugs) plugin for IntelliJ to scan for
>vulnerabilities. It's actually not made for security bugs, but there is
>a plugin (FindSecBugs) with a focus on that.
>
>In any case I'd say that it makes sense to use static code analyzers
>whenever possible.
>Most of the found bugs will be Java-related anyway.
>
>Regards
>
>Lukas Fülling
>
>On 2019-03-12 15:36, Eric Gulatee wrote:
>> Hello Wicketeers,
>> 
>> Does anyone know if there are any SAST (Static Analysis Security
>> Testing) tools (Commercial or OpenSource) that support Apache Wicket?
>> https://www.owasp.org/index.php/Source_Code_Analysis_Tools
>> 
>> Is there value in adopting a SAST tool if it doesn't explicitly
>> support the Apache Wicket framework?
>> 
>> --
>> Cheers,
>> 
>> Eric Gulatee
>> NYS OSC AppDev Enterprise Architect  [Garnet River & Abilis]
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>For additional commands, e-mail: users-help@wicket.apache.org

--
This message was sent from my Android device with K-9 Mail.
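For readers who want to wire the FindSecBugs plugin Lukas mentions into a build rather than only into the IDE, here is an added example (not from this thread or from the Wicket project) of a Maven pom.xml fragment that runs SpotBugs with FindSecBugs during `mvn verify` and fails the build on findings. The version strings are placeholders to be replaced with current releases; everything else uses the documented plugin coordinates and parameters.

```xml
<!-- Added example pom.xml fragment: SpotBugs + FindSecBugs as a build-time SAST gate -->
<build>
  <plugins>
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <!-- placeholder: pin a current spotbugs-maven-plugin release -->
      <version>SPOTBUGS_PLUGIN_VERSION</version>
      <configuration>
        <!-- Max effort and Low threshold report the most findings; tune after a first run -->
        <effort>Max</effort>
        <threshold>Low</threshold>
        <!-- Fail the build when bugs are found so findings cannot be silently ignored -->
        <failOnError>true</failOnError>
        <plugins>
          <plugin>
            <!-- FindSecBugs adds the security-focused detectors to SpotBugs -->
            <groupId>com.h3xstream.findsecbugs</groupId>
            <artifactId>findsecbugs-plugin</artifactId>
            <!-- placeholder: pin a current findsecbugs-plugin release -->
            <version>FINDSECBUGS_VERSION</version>
          </plugin>
        </plugins>
      </configuration>
      <executions>
        <execution>
          <!-- "check" analyses the compiled classes and honours failOnError -->
          <goals>
            <goal>check</goal>
          </goals>
          <phase>verify</phase>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Rules that misfire on idiomatic Wicket code, such as the anonymous-inner-class pattern Martin describes, can be suppressed with a SpotBugs exclude filter file referenced via the plugin's `excludeFilterFile` parameter instead of lowering the threshold globally.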