[Owasp-orizon] On formalism used for describing a rule...
thesp0nge at owasp.org
Wed Feb 25 10:34:24 EST 2009
I mean: now we've got safe coding recipes that say, for example:
The check O_CR_2_1_2 must be improved. The getObject method must throw
just an IOException to stop object serialization; it is not enough to
have it declared.
<check id="O_CR_2_1_2" family="design"
       description="Class must not be serialized in order not to expose its internal representation">
  <design subj="class" verb="contains" value="method">
    <what name="readObject" modifier="private|final" type="void" />
  </design>
</check>
What do you think about describing the check in a non-XML notation,
letting freecc help us generate the rule parser?
Something like the following:
CHECK "Class serialization"
SET id "O_CR_2_1_2"
SET description="Class must not be serialized in order not to expose
its internal representation"
IF CLASS CONTAINS
METHOD NAMED readObject WITH SCOPE Private OR Final
THAT RETURNS void
On Wed, Feb 25, 2009 at 4:06 PM, Stephen Craig Evans
<stephencraig.evans at gmail.com> wrote:
> Hi Paolo,
> Because of my inexperience with static analysis rules engines could
> you explain further and/or give an example?
> I have 2 of your prezos,
> if it helps to refer to any of those slides.
> Thanks in advance,
> On Tue, Feb 24, 2009 at 4:00 PM, Paolo Perego <thesp0nge at owasp.org> wrote:
>> Hi guys, yesterday evening I was wondering about freecc and parser
>> generator stuff we used in Mirage... it is great.
>> So I thought, why don't we use the same approach for rule engine? I
>> mean, we can use, instead of a sort of XML, a proper "Orizon language"
>> to describe rule and let freecc generate the parser for it.
>> What do you think? Does it make sense?
>> Ciao ciao
>> "stay hungry, stay foolish"
>> OWASP Orizon project, http://orizon.sourceforge.net
>> "enjoy your code review experience"
>> Owasp-orizon mailing list
>> Owasp-orizon at lists.owasp.org
"stay hungry, stay foolish"
OWASP Orizon project, http://orizon.sourceforge.net
"enjoy your code review experience"
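The rule sketch in the message above, as an added example that is not part of the original post and not Orizon's own code (Orizon is Java and would use freecc; this is a stand-alone Python toy). The grammar is my reading of the CHECK / SET / IF CLASS CONTAINS notation, accepting both the `SET id "..."` and `SET description="..."` spellings used in the message, plus one assumed extension that the proposal does not have: a `THAT THROWS IOException` clause, so the rule can express what the recipe text demands (the method must actually throw, not merely be declared). The class descriptions it runs against are constructed sample input standing in for what a front end would extract from Java source; the `"throws"` field (exceptions the body is known to raise) is an assumption about that front end.

```python
"""Toy parser + evaluator for the rule notation proposed in the thread.

Added example: not Orizon code, and no freecc involved.  The grammar is an
assumed reading of the CHECK / SET / IF CLASS CONTAINS sketch, plus one
assumed extension, `THAT THROWS <Type>`, so a rule can require that
readObject really throws instead of merely existing.
"""
import shlex

# The rule from the thread, with the assumed THAT THROWS clause appended.
RULE_TEXT = '''
CHECK "Class serialization"
SET id "O_CR_2_1_2"
SET description="Class must not be serialized in order not to expose its internal representation"
IF CLASS CONTAINS
    METHOD NAMED readObject WITH SCOPE Private OR Final
    THAT RETURNS void
    THAT THROWS IOException
'''

# Constructed sample input: what a Java front end might extract from two classes.
# "throws" lists exceptions the method body is known to raise unconditionally
# (an assumption about the front end; a real tool would have to compute it).
SAFE_CLASS = {"name": "Account", "methods": [
    {"name": "readObject", "modifiers": ["private"], "returns": "void",
     "throws": ["IOException"]}]}
DECLARED_ONLY = {"name": "Account2", "methods": [
    {"name": "readObject", "modifiers": ["private"], "returns": "void",
     "throws": []}]}


class RuleSyntaxError(ValueError):
    pass


def parse_rule(text):
    """Parse one CHECK block into a dict; raises RuleSyntaxError on bad input."""
    toks = shlex.split(text)        # shlex handles the quoted strings for us
    pos = 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(toks):
            raise RuleSyntaxError("unexpected end of rule, wanted %r" % expected)
        tok = toks[pos]
        if expected is not None and tok.upper() != expected:
            raise RuleSyntaxError("expected %r, got %r" % (expected, tok))
        pos += 1
        return tok

    def peek():
        return toks[pos].upper() if pos < len(toks) else None

    take("CHECK")
    rule = {"name": take(), "condition": None}
    while pos < len(toks):
        kw = take().upper()
        if kw == "SET":
            key = take()
            if "=" in key:                    # SET description="..." spelling
                key, value = key.split("=", 1)
            else:                             # SET id "..." spelling
                value = take()
            rule[key] = value
        elif kw == "IF":
            for word in ("CLASS", "CONTAINS", "METHOD", "NAMED"):
                take(word)
            cond = {"name": take(), "modifiers": set(), "returns": None, "throws": None}
            if peek() == "WITH":              # WITH SCOPE a OR b OR c
                take(); take("SCOPE")
                cond["modifiers"].add(take().lower())
                while peek() == "OR":
                    take(); cond["modifiers"].add(take().lower())
            while peek() == "THAT":           # THAT RETURNS t / THAT THROWS t
                take()
                clause = take().upper()
                if clause not in ("RETURNS", "THROWS"):
                    raise RuleSyntaxError("unknown clause THAT %s" % clause)
                cond[clause.lower()] = take()
            rule["condition"] = cond
        else:
            raise RuleSyntaxError("unknown statement %r" % kw)
    if rule["condition"] is None:
        raise RuleSyntaxError("rule has no IF condition")
    return rule


def method_matches(cond, method):
    """One method description checked against the parsed condition."""
    if method["name"] != cond["name"]:
        return False
    # "Private OR Final": any one of the listed modifiers is enough.
    if cond["modifiers"] and not cond["modifiers"] & set(method["modifiers"]):
        return False
    if cond["returns"] and method["returns"] != cond["returns"]:
        return False
    if cond["throws"] and cond["throws"] not in method["throws"]:
        return False
    return True


def class_satisfies(rule, cls):
    """True when the class contains a method meeting the rule's condition."""
    return any(method_matches(rule["condition"], m) for m in cls["methods"])


if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    for cls in (SAFE_CLASS, DECLARED_ONLY):
        print(rule["id"], cls["name"], "ok" if class_satisfies(rule, cls) else "FAIL")
```

Without the assumed THAT THROWS clause the rule above accepts Account2 as well, which is exactly the gap the recipe text points at: name, scope and return type say nothing about whether readObject stops deserialization. Whatever notation is chosen, the rule language needs a way to state that.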