[Owasp-o2-platform] Why doesn't SAST have better Framework support (for example Spring MVC)?

dinis cruz dinis.cruz at owasp.org
Sat Oct 22 19:03:18 EDT 2011

I received this question today, and before I answered it, I was wondering if
you guys wanted to have a go at it first:

*"...I was reading over some of your blog entries, that made me thinks about
the current state of SAST regarding the current frameworks.*
*I've been aware for a long time that SAST do not handle properly
framework-level information. In the case of Spring MVC, the tools just don't
get the data flow, etc.*
*Since you worked at Ounce before, do you know any particular reason why
they didn't want to fo into that direction? I mean, this is a solvable
problem (you somewhat show how to do that in O2). Even if they would need
to implement new front-ends, this is still a very important task to be done
if they wanted to compete directly with Fortify (especially since F. doesn't
get it either)....*

For reference here are some of my previous Framework (i.e.Spring MVC)
related posts:

   - Current O2 support for analyzing Spring

   - What needs to be done to map Static Analysis Traces from Controllers
   and Views<http://diniscruz.blogspot.com/2011/07/what-needs-to-be-done-to-map-static.html>

   - http://o2platform.wordpress.com/category/java/spring-mvc/ (numbers of
   code samples at O2's blog)
   - In this (longish presentation) I also talk about some of the challenges
   that we have in supporting frameworks:

What do you think?

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20111023/4a843a51/attachment.html 

More information about the Owasp-o2-platform mailing list