2

Currently I'm involved in a project for implementing security code reviews for Workfusion bots. Workfusion can handle a mix of Java and Groovy code embedded in XML files or standalone code.

My team is trying to assess if it's possible to use any free/opensource Static Application Security Tool for it. I'm currently exploring the posiblity of creating a plugin for Spotbugs.

I was able to run reviews successfully with Java code + Maven with Spotbugs and FindSecBugs plugins, but I haven't figured out how to extend Spotbugs in order to parse the XML files, extract the embedded Groovy scripts and analyze them.

Do you know any static application security tool for Workfusion or could suggest any approach to extend any other SAST tool?

Alex Percont
  • 31
  • 2

1 Answers1

0

The main requirement for Find Security Bugs to work is the ability to compile the code. If you have access to the class files, FindSecurityBugs should work. If the code is evaluate at runtime, you'll need to compile the snippet which is not an easy task if the script have access to a special context with initialized objects.

h3xStream
  • 6,293
  • 2
  • 47
  • 57
  • Definitively that is my situation: Groovy code is embedded in XML files which are run under the context of Workfusion. As a temporary solution we told the developers to take the most of the code out of the XML files to allow compilation. – Alex Percont Nov 14 '18 at 19:20
  • https://github.com/find-sec-bugs/find-sec-bugs-demos/tree/master/groovy-simple Instructions for compiling Groovy. – h3xStream Nov 14 '18 at 20:04