J-WAVE: A Java Web Application for Vulnerability Education

TR Number



Journal Title

Journal ISSN

Volume Title


Virginia Tech


Static application security testing (SAST) tools are commonly used by professionals to identify security vulnerabilities before deployment. While there are many such tools, they offer competing features and can be difficult and time-consuming to install and configure. To simplify the usage of these services for professors and students alike, this paper describes the Java web application for vulnerability education, or J-WAVE. J-WAVE combines 5 SAST tools into one web application: PMD, FindSecurityBugs, Semgrep, Yasca, and SonarQube. Making these tools available in an educational context is a proactive application of tools typically used in a reactive manner. J-WAVE offers simplicity to users by handling each tool's setup internally, while offering access to the large, collective rule set contributed by the combined tool suite. These attributes allow students to easily scan their own projects to detect a variety of security issues prior to submission. Likewise, educators can scan their students' code to detect common vulnerabilities present. This process is made easier as J-WAVE can accept batch submissions containing thousands of files. The SAST tools in JWAVE are complementary, and using them together helps detect a wider range of problems. However, different tools should be prioritized depending on what files are being scanned. PMD and SonarQube reports should be prioritized within general applications. Whereas, Semgrep and Yasca reports should be prioritized for scans of web applications. This paper reports on experiences from applying J-WAVE's tool suite to student submissions in two courses: an advanced data structures course, and a web application development course.



Vulnerability education, SAST, vulnerability analysis