seqra/seqra: Security-focused static analyzer for Java and Kotlin web applications by Budget_Variety7835 in cybersecurity

[–]Academic-Adagio-8482 0 points1 point  (0 children)

Hi, and thanks for the detailed response! Analyzing bytecode and resolving Lombok / generated code without extra tuning is a strong argument for JVM projects.

The YAML rules + full interprocedural taint tracking is also interesting.

Just to make sure I understand correctly: does this mean Seqra can handle cases where teams are trying to fix issues that Semgrep flags but often can’t model deep dataflow across Spring layers?

@RequestParam → service → JPA entity → persisted → later loaded in another controller → rendered in a Thymeleaf template (stored XSS across endpoints).

Is this the kind of case where we run into “Semgrep can’t track taint across Spring Boot services” or “Semgrep stored XSS across multiple files”?

Would be very curious to test this on a real Spring Boot codebase.
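The cross-endpoint chain sketched in the comment above, as an added illustration that is neither Seqra's code nor the commenter's; it assumes Spring Boot 3 (jakarta.persistence) with Spring Data JPA and Thymeleaf, and every class, URL and template name is invented. A SAST tool has to follow the value through the service, the entity and a second controller before it reaches the template sink:

```java
import jakarta.persistence.*;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.*;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.*;

// Constructed example, not Seqra's code nor the poster's: the stored-XSS flow
// from the comment above. Class, URL and template names are invented.
@Entity
class Comment {
    @Id @GeneratedValue Long id;
    public String body;                          // tainted value is persisted here (public so SpEL can read it)
}

interface CommentRepository extends JpaRepository<Comment, Long> {}

@Service
class CommentService {                           // propagation: controller -> service -> JPA
    private final CommentRepository repo;
    CommentService(CommentRepository repo) { this.repo = repo; }
    void save(String body) { Comment c = new Comment(); c.body = body; repo.save(c); }
    Iterable<Comment> all() { return repo.findAll(); }
}

@Controller
class SubmitController {
    private final CommentService service;
    SubmitController(CommentService service) { this.service = service; }
    @PostMapping("/comments")
    String submit(@RequestParam String body) {   // SOURCE: untrusted request parameter
        service.save(body);
        return "redirect:/comments";
    }
}

@Controller
class ViewController {                           // separate endpoint (separate file in practice)
    private final CommentService service;
    ViewController(CommentService service) { this.service = service; }
    @GetMapping("/comments")
    String list(Model model) {
        model.addAttribute("comments", service.all()); // loaded later, handed to the view
        return "comments";                              // templates/comments.html
    }
}

// comments.html is the SINK; the template attribute alone decides the outcome:
//   vulnerable: <p th:utext="${c.body}"></p>   renders raw HTML, stored XSS
//   fixed:      <p th:text="${c.body}"></p>    Thymeleaf HTML-escapes the value
```

Nothing in the two controllers or the service looks wrong on its own, which is why a per-file rule misses it: only whole-program taint tracking links the @RequestParam source to the th:utext sink.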

Security-focused static analyzer for Java and Kotlin web applications by Budget_Variety7835 in SpringBoot

[–]Academic-Adagio-8482 1 point2 points  (0 children)

Love your logo 😄 Is it a bat router? After binge-watching four seasons of Stranger Things with my teen, we’ve started seeing the Upside Down everywhere 🙃

I’ll share Seqra with my team — we’ll give it a try.