[Owasp-leaders] Access to SAST tooling
dave.wichers at owasp.org
Mon Oct 30 16:27:24 UTC 2017
Are you doing this for security scanning? Or just quality? PMD/FindBugs
have almost no security rules. If you are looking for security, there is a
FindBugs plugin called FindSecurityBugs. And then there is SonarQube. I'd
recommend looking at those.
On Fri, Oct 27, 2017 at 11:01 AM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> Coverity provides free scanning of FOSS projects. ESAPI has used it in the
> past. I suspect that other SAST vendors may have similar offers, but I
> don't have any experience with them. There's also things like PMD and
> FindBugs that are closer to 'lint' than SAST tools, but that can be useful.
> Both have plug-ins for various IDEs.
> Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
> NSA: All your crypto bit are belong to us.
> On Oct 27, 2017 07:24, "Mike Goodwin" <mike.goodwin at owasp.org> wrote:
>> Hello all,
>> I'm interested in building static code scanning into my OWASP tool
>> project <https://www.owasp.org/index.php/OWASP_Threat_Dragon> but they
>> are pretty expensive. Does OWASP have any organisation-wide license for a
>> tool to do this? Or a subscription to an online service?
>> Best regards,
>> *Mike Goodwin*
>> OWASP Newcastle UK Chapter Leader
>> OWASP Threat Dragon Project Leader
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
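Added example, not part of the thread or of any of the projects mentioned: one way to wire the FindSecurityBugs plugin that Dave recommends into a Java project's Maven build. It assumes a Java codebase built with Maven and uses SpotBugs (the maintained successor to FindBugs) as the host; the plugin coordinates `com.github.spotbugs:spotbugs-maven-plugin` and `com.h3xstream.findsecbugs:findsecbugs-plugin` are real, while the version values are placeholders to be pinned to current releases.

```xml
<!-- pom.xml fragment (added example, not from the thread). Runs the SpotBugs
     engine with the FindSecurityBugs detector bundle during `mvn verify` and
     fails the build when findings are reported. Version values are placeholders. -->
<project>
  <properties>
    <spotbugs.plugin.version>PIN-TO-CURRENT-RELEASE</spotbugs.plugin.version>
    <findsecbugs.version>PIN-TO-CURRENT-RELEASE</findsecbugs.version>
  </properties>
  <build>
    <plugins>
      <plugin>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-maven-plugin</artifactId>
        <version>${spotbugs.plugin.version}</version>
        <configuration>
          <!-- Max effort and Low threshold: more thorough analysis, report everything
               the detectors flag; tune the threshold once the baseline is clean. -->
          <effort>Max</effort>
          <threshold>Low</threshold>
          <!-- Fail the build on findings so the scan acts as a gate, not a report. -->
          <failOnError>true</failOnError>
          <!-- Load the FindSecurityBugs detectors as an additional SpotBugs plugin. -->
          <plugins>
            <plugin>
              <groupId>com.h3xstream.findsecbugs</groupId>
              <artifactId>findsecbugs-plugin</artifactId>
              <version>${findsecbugs.version}</version>
            </plugin>
          </plugins>
        </configuration>
        <executions>
          <execution>
            <id>security-scan</id>
            <phase>verify</phase>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place `mvn verify` runs the scan on every build; an include filter restricted to the `SECURITY` bug category keeps the report to the FindSecurityBugs findings when the plain SpotBugs quality rules are not wanted in the gate. Note that Threat Dragon itself is a Node.js project, so this applies to the Java side of the question only.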