AppScan Source has a [not-so] secret weapon in the Battle for Visibility: WAFL
The Web Application Framework Language (WAFL) was designed as a Framework for Frameworks (F4F) by the Ounce Analysis Engine Team to model the effects that modern frameworks have on the data flowing through an application. This technology is mainly used behind the scenes to provide support for specific Java frameworks, such as Spring MVC and Struts, as well as generic .NET framework validation and data binding, but the information captured in the .wafl files it produces can be extremely valuable by itself.
Each time a supported web application is analyzed with AppScan Source, framework information is captured from both the configuration files and any pertinent source code annotations, then serialized to an XML file (with a .wafl extension) in the working directory for the scan. The mechanism for capturing and transforming each specific framework's settings is called a "WAFL Generator". An F4F_API (see the AppScan Source For Analysis Utilities manual) allows these generators to be created and extended in order to support additional frameworks / functionality.
For more information on WAFL, F4F and solving the visibility issues surrounding static analysis of Frameworks, see these IBM references:
And this blog post with more recent insights (and the original source of these links):
I've posted a first pass at a WAFL_Viewer (V0.5) in the Tools section for this Group <link_TDI>. This version only exposes some of the elements from the actual .wafl file; of specific interest are the <entrypoints/> elements, which contain the mappings from the application URLs to the signatures of the underlying methods called...
Next Up: Less Talk. More Tools...Mapping URLs to Findings