Security Scanning for GWT Code


Niraj Salot

Sep 10, 2021, 2:09:53 AM
to GWT Users
Which tools can be used to Scan the GWT Source Code for doing Security Scan?

Thomas Broyer

Sep 10, 2021, 3:57:07 AM
to GWT Users
What kind of security vulnerabilities are you looking for?
Of the OWASP Top 10, I think only XSS could be detected by static analysis, looking for any call to unsafe methods, making sure you're using SafeHtml et al. everywhere (and SafeHtmlUtils.fromSafeConstant and SafeHtmlUtils.fromTrustedString, and similar SafeStylesUtils and UriUtils methods, would still have to be manually inspected). I believe Google has some ErrorProne check for that (which would respect @SuppressIsSafeHtmlCastCheck et al.), but I don't think they open-sourced it.
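As an added illustration of the kind of static check described in the reply above (not code from the thread or from the GWT project), the script below is a small Python source scanner that walks GWT client Java code and reports two classes of sites: HTML/DOM sinks that appear to receive a raw `String`, and the "trusted" factory methods that bypass escaping and therefore need manual review. The sample Java class is constructed for the demo; the sink and factory method names are taken from the GWT SafeHtml/SafeStyles/SafeUri APIs, and the heuristics (string literal or `+` in the argument means "raw") are this example's own assumption, since a regex cannot see Java types.

```python
"""Heuristic XSS-sink scanner for GWT client code (review aid, not a type-aware analysis)."""
import re
from dataclasses import dataclass
from typing import List

# Sinks whose String overloads inject markup without escaping (GWT API names).
RAW_HTML_SINKS = ("setInnerHTML", "setHTML", "new HTML", "new InlineHTML")
# Factory methods that declare input safe without escaping; every call needs a reviewer.
TRUST_CASTS = (
    "SafeHtmlUtils.fromTrustedString",
    "SafeHtmlUtils.fromSafeConstant",
    "SafeStylesUtils.fromTrustedString",
    "UriUtils.fromTrustedString",
    "UriUtils.unsafeCastFromUntrustedString",
)
# Producers that escape their input, so a sink fed directly from them is not flagged.
SAFE_PRODUCERS = ("SafeHtmlUtils.fromString(", "SafeHtmlUtils.htmlEscape(", ".toSafeHtml()")
# Annotation named in the thread as suppressing Google's check; surface it for review too.
SUPPRESSION = "@SuppressIsSafeHtmlCastCheck"


@dataclass
class Finding:
    line: int
    severity: str  # "high": raw String reaches an HTML sink; "review": inspect by hand
    rule: str
    code: str


def _argument(text: str, call: str) -> str:
    """Return the text between the balanced parentheses that follow `call`, or ''."""
    start = text.find(call)
    if start < 0:
        return ""
    open_idx = text.find("(", start)
    depth = 0
    for j in range(open_idx, len(text)):
        if text[j] == "(":
            depth += 1
        elif text[j] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:j]
    return text[open_idx + 1:]


def _looks_like_raw_string(arg: str) -> bool:
    # Assumption: a literal or concatenation in the argument means a plain String.
    return '"' in arg or "+" in arg


def scan_java(source: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = re.sub(r"//.*$", "", raw).strip()  # naive comment strip; breaks on "//" in literals
        if not line:
            continue
        if SUPPRESSION in line:
            findings.append(Finding(lineno, "review", "suppression", line))
        for cast in TRUST_CASTS:
            if cast + "(" in line:
                findings.append(Finding(lineno, "review", cast, line))
        for sink in RAW_HTML_SINKS:
            if sink + "(" not in line:
                continue
            arg = _argument(line, sink + "(")
            if any(p in arg for p in SAFE_PRODUCERS):
                continue  # escaped at the call site
            if sink == "setInnerHTML" or _looks_like_raw_string(arg):
                findings.append(Finding(lineno, "high", sink, line))
            else:
                findings.append(Finding(lineno, "review", sink + " (confirm argument is SafeHtml)", line))
    return findings


# Constructed sample of GWT client code for the demo (not from the thread).
SAMPLE_JAVA = """\
package example.client;

import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.user.client.ui.HTML;

public class Greeting {
    void render(String name, HTML panel) {
        panel.setHTML("<b>" + name + "</b>");                    // raw String sink
        SafeHtml ok = SafeHtmlUtils.fromString(name);             // escaped
        panel.setHTML(ok);                                        // type not visible to a regex
        SafeHtml trusted = SafeHtmlUtils.fromTrustedString(name); // bypasses escaping
        SafeHtml constant = SafeHtmlUtils.fromSafeConstant("<hr>");
        panel.getElement().setInnerHTML(name);                    // DOM sink, String only
        panel.setHTML(SafeHtmlUtils.fromString(name));            // escaped inline
    }
}
"""

if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print(f"line {f.line:>3} [{f.severity}] {f.rule}: {f.code}")
```

Run over a real tree with `scan_java(path.read_text())` per `.java` file; the "high" findings are the ones to fix (wrap the value with `SafeHtmlUtils.fromString` or build it with `SafeHtmlBuilder`), while the "review" findings are exactly the fromTrustedString/fromSafeConstant sites the reply says still have to be inspected by hand.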

Sep 22, 2021, 6:29:08 AM
to GWT Users
For Java code scanning you can use anything like BlackDuck, Snyk, etc., all of which do Java code / library security scanning.

GWT code is just Java code.

If you need to scan the "result" then you can scan the JavaScript result... I'm not sure whether this makes sense?