[Esapi-dev] Recommendation: code scan build validations
Rob Spremulli
rob.spremulli+esapi at gmail.com
Mon Aug 8 15:39:57 EDT 2011
I know there's a healthy suite of JUnits, but unit tests aren't the proper
tool for this type of job, as the errors this would catch are the
"programming without enough caffeine" type of errors where the mistake is so
simple, so slight in this case, almost invisible if default configurations
are used, that it would only be caught by a CWT, either by a person, or
automated. Just figured I'd toss the suggestion out to the mailing list,
and see how it was received. Sounds good, guys.
On Mon, Aug 8, 2011 at 3:32 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> This will be happening soon as part of a bigger effort – look for an
> email within the next couple weeks.
>
> Thanks for the input Rob!
>
>
>
> On 8/8/11 12:28 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>
> We have solid build automation in place and could easily add a few SAST
> rules to enhance the build quality.
>
> The trouble is, we are human resource starved and are desperate for skilled
> assistance...
>
> But I agree this is critical and should be done when possible.
>
> Thanks Rob,
>
> - Jim Manico
>
> On Aug 8, 2011, at 3:20 PM, Rob Spremulli <rob.spremulli+esapi at gmail.com>
> wrote:
>
> I just logged defect 241
> <http://code.google.com/p/owasp-esapi-java/issues/detail?id=241&colspec=ID%20Type%20Status%20Priority%20Milestone%20Component%20Owner%20Summary>
> in the issue tracker, which, while admittedly a minor issue, could have
> been caught.
>
>
> I was wondering if there had been any consideration given to build
> validations, which, as part of the build process, run a set of validations
> confirming that certain things are not done. An example is that, except for
> a short whitelist, no method accesses properties, and they are only accessed
> through the provided accessor methods. Another simple one would be to limit
> System.outs to logSpecial only.
>
> Has this been considered at all for the esapi project?
> _______________________________________________
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
>
>
>
> Chris Schmidt
> ESAPI Project Manager (http://www.esapi.org)
> ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
> Blog: http://yet-another-dev.blogspot.com
>
>
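The build validation Rob describes above (System.out permitted only inside logSpecial, and the configuration properties touched only through their accessor methods) can be implemented as a small source scan that runs as a build step and fails the build on any hit. The script below is an added example, not ESAPI project code: it tracks the enclosing method of each Java line by brace depth and reports matches of a forbidden pattern outside a whitelist of method names. The rules, the class ExampleConfiguration and the Java snippet it scans are constructed for the demonstration; the scanner assumes one top-level class per file and does not descend into nested or anonymous classes.

```python
"""Build-time source validation of the kind proposed in the thread.

Added example, not ESAPI project code.  Scans Java source text, tracks the
method enclosing each line, and reports calls that are only permitted inside
a whitelist of methods (e.g. System.out only inside logSpecial).
"""
import re
from dataclasses import dataclass

# Control-flow words that look like a method call followed by "{".
JAVA_KEYWORDS = {"if", "for", "while", "switch", "catch", "synchronized",
                 "return", "new", "else", "try"}

# Matches a method declaration header at class-body level, e.g.
#   public String getProperty(String key) throws IOException {
METHOD_DECL = re.compile(
    r"^\s*(?:(?:public|protected|private|static|final|synchronized|abstract|native)\s+)*"
    r"(?P<type>[\w.<>\[\],?]+)\s+(?P<name>\w+)\s*\([^)]*\)\s*(?:throws[^{;]*)?\{?\s*$"
)
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
LINE_COMMENT = re.compile(r"//.*$")


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern   # what is forbidden
    allowed_in: frozenset  # method names in which the match is permitted


@dataclass(frozen=True)
class Violation:
    rule: str
    line_no: int
    method: str


def _strip(line: str) -> str:
    """Blank out string literals and // comments so braces and patterns inside them are ignored."""
    return LINE_COMMENT.sub("", STRING_LITERAL.sub('""', line))


def scan(source: str, rules) -> list:
    """Return every rule violation in a Java source string, with line and enclosing method."""
    violations = []
    depth = 0         # brace depth; class members sit at depth 1
    current = None    # name of the method enclosing the current line, if any
    for no, raw in enumerate(source.splitlines(), start=1):
        line = _strip(raw)
        if depth == 1:
            m = METHOD_DECL.match(line)
            if m and m.group("name") not in JAVA_KEYWORDS:
                current = m.group("name")
        for rule in rules:
            if rule.pattern.search(line) and current not in rule.allowed_in:
                violations.append(Violation(rule.name, no, current or "<class body>"))
        depth += line.count("{") - line.count("}")
        if depth <= 1:        # left the method body
            current = None
    return violations


# Constructed rules mirroring the two validations suggested in the thread.
RULES = (
    Rule("no-System.out", re.compile(r"\bSystem\.(out|err)\b"), frozenset({"logSpecial"})),
    Rule("no-direct-properties-access", re.compile(r"\bproperties\.getProperty\("),
         frozenset({"getProperty"})),
)

# Constructed Java input; the class and its methods are hypothetical.
SAMPLE = """\
package example;

import java.util.Properties;

public class ExampleConfiguration {
    private Properties properties = new Properties();

    public String getProperty(String key) {
        return properties.getProperty(key);          // allowed: accessor
    }

    public void logSpecial(String msg) {
        System.out.println("ESAPI: " + msg);         // allowed: whitelisted
    }

    public void loadConfiguration() {
        String enc = properties.getProperty("Encoder");   // violation
        System.out.println("loaded " + enc);              // violation
        logSpecial("done");
    }
}
"""


def check_sample() -> list:
    return scan(SAMPLE, RULES)


if __name__ == "__main__":
    found = check_sample()
    for v in found:
        print(f"{v.rule}: line {v.line_no} in {v.method}()")
    raise SystemExit(1 if found else 0)   # non-zero exit fails the build
```

Wired into the build, the script exits non-zero on any violation, which is what turns the scan into a gate rather than a report; the whitelist of accessor and logging methods is the only place that needs maintenance when the code base changes.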