[Owasp-orizon] On formalism used for describing a rule...
Paolo Perego
thesp0nge at owasp.org
Wed Feb 25 10:34:24 EST 2009
I mean. Now we've got safe coding recipes that say, for example:
<!--
The check O_CR_2_1_2 must be improved. The getObject method must throw
just an IOException to stop object serialization, it is not enough
having it declared.
-->
<check id="O_CR_2_1_2" family="design"
name="Class serialization"
description="Class must not be serialized in order not to expose its
internal representation"
weight="0.5"
severity="error"
impact="low"
language="all">
<design subj="class" verb="contains" value="method">
<what name="readObject" modifier="private|final" type="void" />
</design>
</check>
What do you think about describing the check in a non-XML notation,
letting freecc help us generate the rule parser?
In a way like the following:
CHECK "Class serialization"
INFO
SET id "O_CR_2_1_2"
SET family="design"
SET description="Class must not be serialized in order not to expose
its internal representation"
SET weight="0.5"
SET severity="error"
SET impact="low"
SET language="all"
BEGIN
IF CLASS CONTAINS
METHOD NAMED readObject WITH SCOPE Private OR Final
THAT RETURNS void
THEN
SecurityIssue()
FI
END
On Wed, Feb 25, 2009 at 4:06 PM, Stephen Craig Evans
<stephencraig.evans at gmail.com> wrote:
> Hi Paolo,
>
> Because of my inexperience with static analysis rules engines could
> you explain further and/or give an example?
>
> I have 2 of your prezos,
> The_Owasp_Orizon_Project_Towards_version_1.0_v1.0.ppt
> The_Owasp_Orizon_Project_Internals_v2_2_Paolo.ppt
>
> if it helps to refer to any of those slides.
>
> Thanks in advance,
> Stephen
>
>
> On Tue, Feb 24, 2009 at 4:00 PM, Paolo Perego <thesp0nge at owasp.org> wrote:
>> Hi guys, yesterday evening I was wondering about freecc and parser
>> generator stuff we used in Mirage... it is great.
>> So I thought, why don't we use the same approach for rule engine? I
>> mean, we can use, instead of a sort of XML, a proper "Orizon language"
>> to describe rule and let freecc generate the parser for it.
>>
>> What do you think? Does it make sense?
>>
>> Ciao ciao
>> Paolo
>> --
>> "stay hungry, stay foolish"
>>
>> OWASP Orizon project, http://orizon.sourceforge.net
>> "enjoy your code review experience"
>> _______________________________________________
>> Owasp-orizon mailing list
>> Owasp-orizon at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-orizon
>>
>
>
>
> --
> http://www.linkedin.com/in/stephencraigevans
>
--
"stay hungry, stay foolish"
OWASP Orizon project, http://orizon.sourceforge.net
"enjoy your code review experience"
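An added example, not Orizon code and not from the thread: a small Python parser for the proposed CHECK/SET/IF notation next to one for the existing XML check, both returning the same structure so the two forms can be compared. The two rule texts are copied from the message above with the multi-line description joined onto one line.

```python
import re
import xml.etree.ElementTree as ET
# Constructed copies of the two notations from the message (description on one line).
XML_CHECK = """<check id="O_CR_2_1_2" family="design" name="Class serialization"
 description="Class must not be serialized in order not to expose its internal representation"
 weight="0.5" severity="error" impact="low" language="all">
 <design subj="class" verb="contains" value="method">
  <what name="readObject" modifier="private|final" type="void" /></design></check>"""
DSL_CHECK = """CHECK "Class serialization"
INFO
SET id "O_CR_2_1_2"
SET family="design"
SET description="Class must not be serialized in order not to expose its internal representation"
SET weight="0.5"
SET severity="error"
SET impact="low"
SET language="all"
BEGIN
IF CLASS CONTAINS
METHOD NAMED readObject WITH SCOPE Private OR Final
THAT RETURNS void
THEN
SecurityIssue()
FI
END"""
def parse_xml_check(text):
    # Read the XML form into {attrs, rule}; modifiers normalised to a sorted list.
    root = ET.fromstring(text)
    design, what = root.find("design"), root.find("design/what")
    return {"attrs": dict(root.attrib),
            "rule": {"subj": design.get("subj"), "verb": design.get("verb"),
                     "name": what.get("name"), "type": what.get("type"),
                     "modifiers": sorted(what.get("modifier").lower().split("|"))}}

def parse_dsl_check(text):
    # Read the proposed CHECK/SET/IF notation into the same {attrs, rule} shape.
    attrs = {m.group(1): m.group(2)
             for m in re.finditer(r'^SET (\w+)\s*=?\s*"([^"]*)"', text, re.M)}
    attrs["name"] = re.search(r'^CHECK "([^"]*)"', text, re.M).group(1)
    cond = re.search(r'IF (\w+) (\w+)\s+METHOD NAMED (\w+) WITH SCOPE (.+?)'
                     r'\s+THAT RETURNS (\w+)', text, re.S)
    return {"attrs": attrs,
            "rule": {"subj": cond.group(1).lower(), "verb": cond.group(2).lower(),
                     "name": cond.group(3), "type": cond.group(5),
                     "modifiers": sorted(s.strip().lower()
                                         for s in cond.group(4).split(" OR "))}}

def same_check(xml_text, dsl_text):
    # True when both notations carry the same attributes and the same rule.
    return parse_xml_check(xml_text) == parse_dsl_check(dsl_text)
```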