APEX, SERT, and EPG

APEX, SERT, and EPG

Application Express, Security Evaluation and Recommendation Tool, and the Embedded PL/SQL Gateway

My organisation has only just started seriously working with APEX and have recently launched our first internal production app (that was a challenge... I was told that this app needed to be in production in 2 days and nobody had bothered to check with me what was needed to make this happen).  I've learned a lot about APEX in the past few weeks and I've got a lot more to go.

I recently came across SERT (https://github.com/OraOpenSource/apex-sert) and it sounds like a really nifty tool.  Today I found some time to try it out and see if our dev team might find it useful.  I decided to install it in our dev database.  This uses the EPG rather than ORDS.

The install didn't go so well.  The first install failed near the end because I think I used a lowercase 'y' for a response somewhere and it got confused, bombing out with an ORA-06502 error.  At least removal and re-install was simple.

The second install attempt, all appeared to work just fine.  I got all the expected confirmations, and added the link to the "System message" section as described in the manual.  I clicked the link as described and got this error:

Wed, 21 Jun 2017 10:52:06 GMT

Failed to parse target procedure
sv_sert_apex.launch_sert: PROCEDURE DOESN'T EXIST

(and lots more text with session/debug info) 

I puzzled a while over this and reasoned that because the user 'anonymous' is used to connect to the database from the EPG (I think?), it must be because this user doesn't have permissions to execute that procedure.  I granted it execute and retried the link, and got this:

Wed, 21 Jun 2017 10:55:50 GMT

Attempt to invoke forbidden procedure

I'm now at a loss.  There is a section in the installation manual for steps that need to be taken if using ORDS, but nothing about the EPG.  I've put out a few posts on Twitter but I'm not too hopeful of any responses at this point.