[Owasp-o2-platform] Why doesn't SAST have better Framework support (for example Spring MVC)?

Alvaro Muñoz alvaro.picapau at gmail.com
Sun Oct 23 07:07:43 EDT 2011

Thats not exactly true. In the case of Fortify, its completly capable to
follow data flow in frameworks like spring that use configuration files to
define how the data flows. Actually I have use it recently with good


Sent from my mobile device.  Please excuse my brevity, poor grammar, typos,

El 23/10/2011, a las 01:03, dinis cruz <dinis.cruz at owasp.org> escribió:

I received this question today, and before I answered it, I was wondering if
you guys wanted to have a go at it first:

*"...I was reading over some of your blog entries, that made me thinks about
the current state of SAST regarding the current frameworks.*
*I've been aware for a long time that SAST do not handle properly
framework-level information. In the case of Spring MVC, the tools just don't
get the data flow, etc.*
*Since you worked at Ounce before, do you know any particular reason why
they didn't want to fo into that direction? I mean, this is a solvable
problem (you somewhat show how to do that in O2). Even if they would need
to implement new front-ends, this is still a very important task to be done
if they wanted to compete directly with Fortify (especially since F. doesn't
get it either)....*

For reference here are some of my previous Framework (i.e.Spring MVC)
related posts:

   - Current O2 support for analyzing Spring

   - What needs to be done to map Static Analysis Traces from Controllers
   and Views<http://diniscruz.blogspot.com/2011/07/what-needs-to-be-done-to-map-static.html>

   - http://o2platform.wordpress.com/category/java/spring-mvc/ (numbers of
   code samples at O2's blog)
   - In this (longish presentation) I also talk about some of the challenges
   that we have in supporting frameworks:

What do you think?

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2

Owasp-o2-platform mailing list
Owasp-o2-platform at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20111023/e1cab614/attachment.html 

More information about the Owasp-o2-platform mailing list