[Owasp-codereview] Yasca v1.0 Released
Michael V. Scovetta
scovetta at users.sourceforge.net
Wed Oct 1 04:58:17 EDT 2008
I suppose part of it is hindsight being what it is. I started out just
wanting a wrapper around grep to scan for simple things, but as things got
more complex, I realized it had to be a bit better than that. Each of those
tools is great at finding certain things, but (a) all are only Java (except
for Jlint, which does C/C++ too) [Yasca is more generic - it has a few
to scanning using their own framework (i.e. it'd be difficult to integrate
Jlint or FindBugs' ruleset into PMD). In that regard you could call that
aspect of Yasca a wrapper.
On Wed, Oct 1, 2008 at 3:57 AM, Stephen de Vries <stephen at twisteddelight.org
> Hi Mike,
> Looks very interesting! I'm curious about the reasons you chose to
> implement a framework from scratch instead of using PMD/jlint/findbugs ?
> On Oct 1, 2008, at 1:25 AM, Michael V. Scovetta wrote:
>> I thought this would be relevant to the OWASP Code Review Project, since
>> I started writing Yasca to help with code reviews.
>> Yasca ("Yet Another Source Code Scanner") is a framework and
>> implementation for performing source code analysis. It integrates some
>> security scanners (PMD, FindBugs, Jlint) and has some of its own too. It's
>> meant to find on the "low hanging fruit" in web applications, and be
>> **very** easily extensible (i.e. ~30 seconds to write a new rule) yet
>> powerful (i.e. arbitrary call-outs to your own scanning code). Yasca is
>> written in command-line PHP, is cross-platform, and is simple and quick to
>> Yasca is open-source (BSD license) and is available on SourceForge (
>> http://sourceforge.net/projects/yasca) or http://yasca.org/.
>> I'm very interested in hearing feedback and suggestions.
>> Thank you,
>> Mike Scovetta
-[ Michael Scovetta ]-