Overall, the tool is pretty good. But it missed a couple of issues that were detected manually during a recent assessment.
1) External XML loading (via URL in configpath) - not sure this is detectable via static anaylsis?
2) Security.allowDomain() issues - Security.allowDomain(“*”) and Security.allowInsecureDomain(“*”)
That is a known bug. At this time, we do not have any plans on releasing an additional version (althought that might change). We are fixing these assessment issues in WebInpsect, though.