I'm working on building a code generation tool using JHipster. It gives prompts on the CLI through which the customer can choose, and then the required Java package for the CRUD layer of the microservice gets generated. The code generator in the pipeline builds the package into the deployment JAR. Besides approved code scanning tools, what else can be done here on the security front? Are there references to potential threat models for similar kinds of tools, or potential vulnerabilities or security issues, which we can take as reference or guidance for similar JHipster-based code generation tools? Thank you!
Used: code scanning tools like Semgrep.
The JHipster generator is a Node application, so you can scan it as you would any other Node application, using

npm audit

or another npm-compatible tool; the same goes for your own tool. Then the most important part is to scan the generated code as part of your continuous integration tool chain (SonarQube, Snyk, GitLab, ...) and to scan for vulnerable dependencies (Maven OWASP dependency-check plugin, ...).
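The answer above leaves the "fail the build" step implicit. The gate below is an added example, not code from the question, the answer or the JHipster project: it consumes the JSON that `npm audit --json` writes (report format version 2, npm 7 and later), fails on findings at or above a severity threshold, and lets a team accept a specific package's finding only with a written reason and an expiry date, so that a "we'll fix it later" exception does not silently become permanent. The package names, advisory titles and dates in the embedded sample report are constructed placeholders and do not refer to real advisories; the same structure works for the generator's own dependencies and for the Node tooling of the generated project.

```python
"""CI gate for `npm audit --json` output (auditReportVersion 2, npm >= 7).

Added example: the report below is a constructed sample in the shape npm
produces; package names and advisory titles are placeholders, not real
advisories. In a pipeline you would feed the gate the real file instead:
    npm audit --json > audit.json
"""
import json
import sys
from datetime import date

# npm's severity scale, lowest to highest.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report (placeholder packages, placeholder advisories).
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-template-lib": {            # transitive, upgrade available
            "name": "example-template-lib", "severity": "high", "isDirect": False,
            "via": [{"title": "placeholder advisory (constructed)",
                     "severity": "high", "range": "<2.0.0"}],
            "range": "<2.0.0", "fixAvailable": True,
        },
        "example-cli-prompter": {            # direct, fix is a major bump
            "name": "example-cli-prompter", "severity": "moderate", "isDirect": True,
            "via": [{"title": "placeholder advisory (constructed)",
                     "severity": "moderate", "range": "<1.4.0"}],
            "range": "<1.4.0",
            "fixAvailable": {"name": "example-cli-prompter", "version": "2.0.0",
                             "isSemVerMajor": True},
        },
        "example-codegen-core": {            # direct, no fix published
            "name": "example-codegen-core", "severity": "critical", "isDirect": True,
            "via": [{"title": "placeholder advisory (constructed)",
                     "severity": "critical", "range": "*"}],
            "range": "*", "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 1, "total": 3}},
})


def evaluate_audit(report_json, threshold="high", allowlist=(), today=None):
    """Return (failing, accepted): findings at/above `threshold` that block the
    build, and those covered by a still-valid allowlist entry.

    allowlist entries look like
        {"package": "<name>", "until": "YYYY-MM-DD", "reason": "<why>"}
    An entry whose `until` date has passed no longer accepts anything.
    """
    today = today or date.today()
    report = json.loads(report_json)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected npm audit report version 2 (npm >= 7)")
    min_rank = SEVERITY_RANK[threshold]
    active = {e["package"]: e for e in allowlist
              if date.fromisoformat(e["until"]) >= today}

    failing, accepted = [], []
    for name, vuln in sorted(report["vulnerabilities"].items()):
        if SEVERITY_RANK[vuln["severity"]] < min_rank:
            continue  # below the gate; still visible in the raw report
        finding = {
            "package": name,
            "severity": vuln["severity"],
            "direct": vuln.get("isDirect", False),
            # npm reports fixAvailable as a bool or as an object describing
            # the upgrade; either way "truthy" means a fix exists.
            "fix_available": bool(vuln.get("fixAvailable")),
        }
        if name in active:
            finding["reason"] = active[name]["reason"]
            accepted.append(finding)
        else:
            failing.append(finding)
    return failing, accepted


def main(argv):
    """Stand-alone run: `python gate.py audit.json` or no argument for the sample."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_AUDIT_JSON
    allowlist = [{"package": "example-codegen-core", "until": "2024-12-31",
                  "reason": "placeholder: no fix published, mitigated by input validation"}]
    failing, accepted = evaluate_audit(report_json, "high", allowlist,
                                       today=date(2024, 6, 1))
    for f in accepted:
        print(f"ACCEPTED {f['package']} ({f['severity']}): {f['reason']}")
    for f in failing:
        print(f"FAIL     {f['package']} ({f['severity']}, "
              f"direct={f['direct']}, fix_available={f['fix_available']})")
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

npm's own `--audit-level` flag gives you the threshold part of this for free; what it does not give you is the dated, reasoned exception list, which is the piece auditors ask for when a generator ships with a known finding that has no upstream fix yet. Run the same gate on the Maven side by converting the dependency-check report into the same (package, severity) shape, so one policy covers both the Node generator and the Java code it emits.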