wasc-satec@lists.webappsec.org

WASC Static Analysis Tool Evaluation Criteria


How does Findbugs fare as a SCA tool

Mushtaq Ahmed (ITSNR)
Sun, May 4, 2014 6:58 AM

Dear All,

I need some help on FindBugs as a SCA tool. Kindly let me know if you have any resources or have already done some research on how FindBugs fares as a SCA tool. What are its capabilities, would it even work to find security vulnerabilities, and if it does, where does it rank among the SCA tools?

Thank you in advance for the help,

Regards,
Mushtaq

Sherif Koussa
Thu, May 8, 2014 2:28 AM

Mushtaq,

Unfortunately the open-source SCA tools are way behind their commercial counterparts as far as maturity and completeness of security rules. You need to spend a good amount of time writing custom rules for OSS SCA tools like FindBugs and PMD to get some mileage out of them. That's my personal experience.

Regards,
Sherif

wasc-satec mailing list
wasc-satec@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/wasc-satec_lists.webappsec.org

Mushtaq Ahmed (ITSNR)
Thu, May 8, 2014 2:54 AM

Thank you, Sherif.

Well, my question is: if I have to spend time writing custom rules, where should I start, or what rules are already there? This is just an analysis to prove to management that FindBugs is not worth spending time on. If I directly suggest the commercial tools, they would ask for this analysis anyway.

Thank you in advance
Mushtaq
Sent from Samsung Mobile


Sherif Koussa
Thu, May 8, 2014 3:21 AM

Fortunately, you don't have to start from scratch; check this out:
http://h3xstream.github.io/find-sec-bugs/bugs.htm

Regards,
Sherif

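The two replies above say that FindBugs needs security rules on top of its stock detectors and point at the Find Security Bugs (FSB) bug list as the place to get them. For the kind of management-facing evaluation asked for in this thread, the practical check is to seed a small Java file with issues that FSB documents, run FindBugs with the plugin loaded, and count what comes back. The class below is an added example written for this page; it is not code from the thread, from FindBugs or from the FSB project. It assumes the FSB plugin jar is available locally, that the FindBugs text UI accepts the `-pluginList`, `-effort:max` and `-low` flags shown in the comment (verify against `findbugs -textui -help` for the version installed), and that the bug pattern names in the comments still match the linked list; the SQL, credential and token values are constructed samples.

```java
// Added example for this thread (not from FindBugs or Find Security Bugs).
// Each "seeded" method contains one pattern documented in the FSB bug list,
// next to a hardened version that should not be reported. Compile, scan,
// and compare reported findings against seededIssueCount().
//
// Assumed run (flag names to be checked against your FindBugs version):
//   javac -d out SecurityBenchmark.java
//   findbugs -textui -effort:max -low -pluginList findsecbugs-plugin.jar out
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Random;

public class SecurityBenchmark {

    // Seeded: literal password handed to DriverManager (expected: HARD_CODE_PASSWORD).
    // "hunter2" is a constructed sample value.
    public static Connection openVulnerable() throws SQLException {
        return DriverManager.getConnection("jdbc:postgresql://db/app", "app", "hunter2");
    }

    // Hardened: credential comes from the environment, never from the class file.
    public static Connection openSafe() throws SQLException {
        String password = System.getenv("DB_PASSWORD"); // assumed deployment variable
        return DriverManager.getConnection("jdbc:postgresql://db/app", "app", password);
    }

    // Seeded: user input concatenated into SQL text (expected: SQL_INJECTION_JDBC).
    public static ResultSet findUserVulnerable(Connection c, String username) throws SQLException {
        Statement st = c.createStatement();
        return st.executeQuery("SELECT * FROM users WHERE name = '" + username + "'");
    }

    // Hardened: bound parameter; the value is never part of the SQL string.
    public static ResultSet findUserSafe(Connection c, String username) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT * FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // Seeded: MD5 used as a security digest (expected: WEAK_MESSAGE_DIGEST_MD5).
    public static byte[] hashWeak(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(data);
    }

    // Hardened: SHA-256. For password storage a slow KDF is the right tool;
    // a plain digest is shown only to contrast with the weak algorithm above.
    public static byte[] hashStrong(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Seeded: java.util.Random for a security token (expected: PREDICTABLE_RANDOM).
    public static long tokenWeak() {
        return new Random().nextLong();
    }

    // Hardened: cryptographically strong generator.
    public static long tokenStrong() {
        return new SecureRandom().nextLong();
    }

    // Fixed denominator for the evaluation: detections / seeded issues.
    // Also note any finding raised against a hardened method as a false positive.
    public static int seededIssueCount() {
        return 4;
    }
}
```

Scoring it this way turns "is FindBugs worth it" into two numbers that stock FindBugs and FindBugs plus FSB can be compared on: how many seeded issues each reports, and how many hardened methods each wrongly flags. Stock FindBugs alone is expected to report few or none of the four, since its detectors target correctness rather than injection or weak cryptography; the gap between the two runs is the concrete evidence the thread's second question asks for.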

Mushtaq Ahmed (ITSNR)
Thu, May 8, 2014 5:02 AM

Thank you, Sherif.

Sent from Samsung Mobile
