Hi,

I would also always go for static code analysis if you have the possibility. 
Using SonarQube, I never had any Wicket-related issues in the past.
I can remember one rule (from the default Java ruleset) that had to be 
customized because it identified the use of anonymous inner classes as bad 
behavior. However, this is pretty common with Wicket. 
Everything else works just fine with the defaults.

Best regards, 
Martin


On 12 March 2019 17:37:24 CET, lu...@k40s.net wrote:
>Hi,
>
>I use the FindBugs (SpotBugs) plugin for IntelliJ to scan for 
>vulnerabilities. It's actually not made for security bugs but there is a
>plugin (FindSecBugs) with a focus on that.
>
>In any case I'd say that it makes sense to use static code analyzers 
>whenever possible.
>Most of the found bugs will be Java related anyways.
>
>Regards
>
>Lukas Fülling
>
>On 2019-03-12 15:36, Eric Gulatee wrote:
>> Hello Wicketeers,
>> 
>> Does anyone know if there are any SAST (Static Analysis Security
>> Testing) tools (Commercial or OpenSource) that support Apache Wicket?
>> https://www.owasp.org/index.php/Source_Code_Analysis_Tools
>> 
>> Is there value in adopting a SAST tool if it doesn’t explicitly
>> support the apache wicket framework?
>> 
>> --
>> Cheers,
>> 
>> Eric Gulatee
>> NYS OSC AppDev Enterprise Architect  [Garnet River & Abilis]

-- 
This message was sent from my Android device with K-9 Mail.
