Hi Bernhard,
Are there any plans on your side to further enhance lapse+ and integrate new features? E.g. lapse+ claims to be a security scanner for JEE applications but doesn't support any JEE APIs like JPA or JSF at all (servlet API seems to be the only exception).
To enhance lapse+ API support it's sufficient to add sink nodes to sinks.xml, isn't it?
E.g.
<sink id="javax.persistence.EntityManager.createQuery(String)">
<paramCount>1</paramCount>
<vulnParam>0</vulnParam>
<category>SQL Injection</category>
</sink>
However, in order to support JSF vulnerability sources, it would be necessary to parse XHTMLs in addition to Java sources as well?
Br,
nyc
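An added example, not part of the post above and not LAPSE+ code, showing what a sink entry of the kind quoted above gives a scanner to work with: it parses a sinks.xml fragment in that same shape, then walks a constructed Java snippet and reports every call to a listed sink whose `vulnParam` argument is not a plain string literal. The "not a literal" test is a deliberately simple lexical stand-in for the taint propagation a real scanner performs; the `javax.persistence.EntityManager.createQuery(String)` id, its `paramCount`, `vulnParam` and `category` values are the ones from the post, while the Java source (`findByName`, `findByNameSafe`, `findAll`) is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sinks.xml fragment, in the shape of the entry quoted in the post.
SINKS_XML = """<sinks>
  <sink id="javax.persistence.EntityManager.createQuery(String)">
    <paramCount>1</paramCount>
    <vulnParam>0</vulnParam>
    <category>SQL Injection</category>
  </sink>
</sinks>"""

# Constructed Java sample: one concatenated JPQL string (should be flagged),
# one parameterised query and one call to the two-argument overload (should not).
JAVA_SOURCE = """\
public List<User> findByName(EntityManager em, String name) {
    // untrusted value spliced into the JPQL text: reaches parameter 0 of the sink
    return em.createQuery("SELECT u FROM User u WHERE u.name = '" + name + "'").getResultList();
}
public List<User> findByNameSafe(EntityManager em, String name) {
    // JPQL text is a constant; the value travels as a bound parameter instead
    return em.createQuery("SELECT u FROM User u WHERE u.name = :name").setParameter("name", name).getResultList();
}
public List<User> findAll(EntityManager em) {
    // two-argument overload: does not match the one-parameter sink entry
    return em.createQuery("SELECT u FROM User u", User.class).getResultList();
}
"""

STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')


def load_sinks(xml_text):
    """Parse <sink> elements into a list of dicts; 'method' is the bare method name."""
    sinks = []
    for node in ET.fromstring(xml_text).iter("sink"):
        sink_id = node.get("id")
        sinks.append({
            "id": sink_id,
            "method": sink_id.split("(")[0].rsplit(".", 1)[-1],
            "param_count": int(node.findtext("paramCount")),
            "vuln_param": int(node.findtext("vulnParam")),
            "category": node.findtext("category"),
        })
    return sinks


def balanced_args(text, start):
    """Return the argument text of a call whose opening '(' sits just before 'start'."""
    depth, in_str, buf = 1, False, ""
    for i in range(start, len(text)):
        ch = text[i]
        if ch == '"' and text[i - 1] != "\\":
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    break
        buf += ch
    return buf


def split_args(arg_text):
    """Split an argument list on top-level commas, ignoring commas in strings or nested calls."""
    args, depth, in_str, cur = [], 0, False, ""
    for ch in arg_text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch in "([":
                depth += 1
            elif ch in ")]":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append(cur.strip())
                cur = ""
                continue
        cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args


def scan_java(source, sinks):
    """Report sink calls whose vulnParam argument is anything other than a single string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for call in re.finditer(r"\.(\w+)\s*\(", line):
            args = split_args(balanced_args(line, call.end()))
            for sink in sinks:
                if sink["method"] != call.group(1) or sink["param_count"] != len(args):
                    continue  # different method or a different overload
                arg = args[sink["vuln_param"]]
                if STRING_LITERAL.fullmatch(arg) is None:
                    findings.append({"line": lineno, "sink": sink["id"],
                                     "category": sink["category"], "argument": arg})
    return findings


if __name__ == "__main__":
    for f in scan_java(JAVA_SOURCE, load_sinks(SINKS_XML)):
        print(f"line {f['line']}: {f['category']} via {f['sink']}: {f['argument']}")
```

Only the concatenated query in `findByName` is reported; the parameterised form and the two-argument overload pass the `paramCount` and literal checks. A sink entry alone says where untrusted data must not arrive; whether data actually flows there is what the scanner's source-to-sink analysis, and for JSF the parsing of the XHTML views the post asks about, has to establish.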