Alex Percont

Reputation: 31

Is there any SAST tool for Workfusion code?

Currently I'm involved in a project for implementing security code reviews for Workfusion bots. Workfusion can handle a mix of Java and Groovy code embedded in XML files or standalone code.

My team is trying to assess if it's possible to use any free/open-source Static Application Security Tool for it. I'm currently exploring the possibility of creating a plugin for Spotbugs.

I was able to run reviews successfully with Java code + Maven with Spotbugs and FindSecBugs plugins, but I haven't figured out how to extend Spotbugs in order to parse the XML files, extract the embedded Groovy scripts and analyze them.

Do you know any static application security tool for Workfusion or could suggest any approach to extend any other SAST tool?

Upvotes: 2

Views: 131

Answers (1)

h3xStream

Reputation: 6631

The main requirement for Find Security Bugs to work is the ability to compile the code. If you have access to the class files, FindSecurityBugs should work. If the code is evaluated at runtime, you'll need to compile the snippet, which is not an easy task if the script has access to a special context with initialized objects.

Upvotes: 0
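The approach the question describes (parse the bot XML, pull out the embedded Groovy, analyze it) and the answer's point that FindSecBugs needs compiled class files meet in a small staging step: extract each script into its own `.groovy` file, compile the lot with `groovyc`, then point SpotBugs with the FindSecBugs plugin at the resulting classes. The script below is an added example, not code from the question, the answer, Workfusion or SpotBugs. It assumes a hypothetical `<bot>/<step>/<script lang="groovy">` layout for the XML (the real Workfusion schema will differ; the tag and attribute names are parameters), and the `groovyc`/`spotbugs` command lines it emits are assumed from those tools' own CLI documentation rather than from the page.

```python
"""Stage embedded Groovy scripts from bot XML so they can be compiled and scanned."""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample bot definition. The <bot>/<step>/<script lang="groovy">
# structure is a hypothetical stand-in for the real Workfusion XML schema.
SAMPLE_BOT_XML = """<bot name="invoice-processor">
  <step id="read-input">
    <script lang="groovy"><![CDATA[
def cmd = "ls " + userInput
def proc = cmd.execute()
]]></script>
  </step>
  <step id="log-result">
    <script lang="groovy"><![CDATA[
println "done: " + result
]]></script>
  </step>
  <step id="noop">
    <script lang="text">not groovy</script>
  </step>
</bot>
"""


def extract_groovy_scripts(xml_text, step_tag="step", script_tag="script",
                           lang_attr="lang", lang_value="groovy"):
    """Return [(step_id, groovy_source), ...] for every embedded Groovy script.

    Empty scripts and scripts marked with another language are skipped.
    """
    root = ET.fromstring(xml_text)
    found = []
    for index, step in enumerate(root.iter(step_tag)):
        step_id = step.get("id") or f"step{index}"
        for script in step.findall(script_tag):
            if script.get(lang_attr) != lang_value:
                continue
            body = (script.text or "").strip()   # CDATA arrives as plain text
            if body:
                found.append((step_id, body))
    return found


def class_name_for(step_id):
    """Map a step id to a legal Groovy class name (groovyc names the class after the file)."""
    cleaned = re.sub(r"[^A-Za-z0-9_]", "_", step_id)
    return f"Step_{cleaned}"


def stage_scripts(xml_text, out_dir=None):
    """Write each script to its own .groovy file; return (out_dir, {class_name: step_id}).

    The manifest lets a SpotBugs/FindSecBugs finding, which is reported per class,
    be traced back to the XML step it was extracted from.
    """
    out_dir = Path(out_dir) if out_dir else Path(tempfile.mkdtemp(prefix="bot-groovy-"))
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for step_id, source in extract_groovy_scripts(xml_text):
        name = class_name_for(step_id)
        # A header comment keeps the origin visible inside the generated file.
        (out_dir / f"{name}.groovy").write_text(
            f"// extracted from bot step '{step_id}'\n{source}\n")
        manifest[name] = step_id
    return out_dir, manifest


def scan_commands(src_dir, classes_dir, findsecbugs_jar):
    """Compile-then-scan command lines (flags assumed from the groovyc and
    SpotBugs text-UI documentation, not taken from the original page)."""
    return [
        f"groovyc -d {classes_dir} {src_dir}/*.groovy",
        f"spotbugs -textui -effort:max -high -pluginList {findsecbugs_jar} {classes_dir}",
    ]


if __name__ == "__main__":
    src_dir, manifest = stage_scripts(SAMPLE_BOT_XML)
    print(f"staged {len(manifest)} scripts in {src_dir}: {manifest}")
    for cmd in scan_commands(src_dir, src_dir.parent / "classes", "findsecbugs-plugin.jar"):
        print(cmd)
```

Two caveats when reading the results. A plain Groovy script compiles even though `userInput` and `result` are never declared, because unresolved names become lookups in the script's runtime binding; that gets past the compile step the answer mentions, but the generated bytecode dispatches those calls dynamically, so FindSecBugs detectors that match on direct method invocations see less than they would in equivalent Java. Declaring the context objects' types (stub classes for the bot context plus `@CompileStatic` on the script) produces statically bound bytecode and noticeably better coverage, at the cost of having to model that "special context" the answer warns about.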
