[Owasp-codereview] [Owasp-leaders] Simple Beta code review tool

Jeff Williams jeff.williams at aspectsecurity.com
Mon Feb 18 09:11:52 EST 2008


Seems like the CRGuide should also mention OWASP LAPSE - which does data
flow analysis (far beyond simple grep or AST analysis).

--Jeff

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Monday, February 18, 2008 5:52 AM
To: Paolo Perego
Cc: owasp-ireland at lists.owasp.org; Owasp-codereview at lists.owasp.org;
OWASP Leaders
Subject: Re: [Owasp-leaders] Simple Beta code review tool

Great,
static code review tools just rock. "But remember a fool with a tool
is still a fool :)"
If you would like to add a chapter to the code review guide please
feel free. (under automated code review section in the wiki).

It should detail usage and setup.
Thing with open source tools in general is they can be a pain to set
up or they are unstable. People download them, spend 5 mins trying to
get it working and then delete. So a configuration guide, usage guide
and benefits so people will actaully use it!!!!
The guide shall now have two tools, one a .NET assembly (Code Crawler)
and this one (Orizon). Lets hope they can get along :)



On 15/02/2008, Paolo Perego <thesp0nge at gmail.com> wrote:
> Hi guys, just a note to announce that I just released a new version of
> Owasp Orizon Framework with the source code crawling APIs available
> for Java and CSharp.
>
> How can you use it?
> Look at this example:
>
http://orizon.svn.sourceforge.net/viewvc/orizon/orizon_package/src/org/o
wasp/orizon/demo/jCrawlerDemo.java?view=markup&pathrev=269
> Orizon default library contains both all the java than the csharp
> dangerous keywords as listed in the Code review Guide.
> In your crawling code you can extract the XML file containing the
> keywords from the library and then create a JavaCrawler object using
> the XML filename as contructor parameter.
> As you may see, you have just to call the crawl method that returns
> true if some keywords were found or false otherwise.
> If crawl() method will return true, a Report object will be available
> via getReport() method and full of the matching keywords.
> Is it very simple isn't it?
>
> Orizon v0.70 Jar file is available at this link:
>
http://sourceforge.net/project/platformdownload.php?group_id=177056&sel_
platform=280
>
> I hope you can find it usefull, I'm planning to add to Owasp Orizon
> framework all the checks  you guys suggested in the Code review Guide.
> Eoin sorry if I was not able to write some notes about my framework
> for the printing copy of the guide but I was full of work. Am I in
> time for the RC3 of the guide?
>
> I'm waiting your feedback
> Thanks
> thesp0nge
> On 12/02/2008, Eoin <eoin.keary at owasp.org> wrote:
> > Hello,
> >  The code review site now contains a link to a *very* simple beta
code
> >  rerview tool (CodeCrawler) which scans code for the API calls
listed
> >  in the code review guide ("Crawling code").
> >
> >  It can be found here:
> >  https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
> >
> >  ek
> >
> >
> >
> >  --
> >  Eoin Keary OWASP - Ireland
> >  http://www.owasp.org/local/ireland.html
> >  http://www.owasp.org/index.php/OWASP_Code_Review_Project
> >  _______________________________________________
> >  OWASP-Leaders mailing list
> >  OWASP-Leaders at lists.owasp.org
> >  https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
>
>
> --
> Owasp Orizon leader
> orizon.sourceforge.net
>


-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders


More information about the Owasp-codereview mailing list