Open carlspring opened 1 year ago
Hi @carlspring! Thanks for the suggestion. We'll look into Vert.X and get back to you soon.
Hi @carlspring, after some analysis on Vert.X we decided not to include it on our short-term roadmap. We will keep an eye on it and track its adoption and popularity. We'll revisit this decision later to see how things evolved.
@coadaflorin, @sj,
Thanks for getting back to me!
What would make you reconsider and help move this forward? Would a list of typical security issues with sample code help? Would an established contributor to Vert.X help?
The company I'm representing is a large client of Github's with an on-prem GHES and is also a big and regular contributor to Vert.X.
@carlspring
What would make you reconsider and help move this forward? Would a list of typical security issues with sample code help? Would an established contributor to Vert.X help?
When we get to the point of writing support for the framework all these are extremely helpful. Knowing that people use certain frameworks is what helps us prioritise things. As you've done that already we are very thankful and will try to keep you up to date on how things progress. We will follow up with updates/plans as soon as we have anything.
Hi,
We've been working on adding some queries for the Vert.X framework for Java. At the moment this is a separate project. We intend to contribute the code back to CodeQL once it has a sufficient amount of meaningful queries that we have tested against our code base.
We are working under the following repositories:
If anyone is interested in joining this effort, this would be much appreciated!
Task Description
We would like to see specialized rules for the Vert.x Java framework. This is a popular Eclipse framework hosted on Github with over 13000 followers (as of now).
Based on our research, it appears Checkmarx is the only SAST tool that has rules for Vert.X, targeting Kotlin.
Our codebase is written in Java and heavily dependent on Vert.X. We are already using GHAS for scanning our private repositories (in GHES). We would like to not need to use several different tools such as Fortify, Checkmarx, Mend, etc for the job.
It would be great if we could see the same support in CodeQL.
Task List
The following tasks will have to be carried out:
Useful Links