[Owasp-codereview] Yasca v1.0 Released

Paolo Perego thesp0nge at gmail.com
Wed Oct 1 10:27:41 EDT 2008


That's the same for me. The reason I started writing Orizon was to
provide a set of rules that will be cross for the existing tools.

After all, I've seen the code, and the approach Yasca uses in its
programming language is different from mine, but it seems to be good too
:)

thesp0nge

2008/10/1 Michael V. Scovetta <scovetta at users.sourceforge.net>:
> Hi Stephen,
>    I suppose part of it is hindsight being what it is. I started out just
> wanting a wrapper around grep to scan for simple things, but as things got
> more complex, I realized it had to be a bit better than that. Each of those
> tools is great at finding certain things, but (a) all are only Java (except
> for Jlint, which does C/C++ too) [Yasca is more generic - it has a few
> scanners for HTML/JavaScript and even a COBOL one], and (b) they are limited
> to scanning using their own framework (i.e. it'd be difficult to integrate
> Jlint or FindBugs' ruleset into PMD). In that regard you could call that
> aspect of Yasca a wrapper.
>
> Thanks!
>
> Mike
>
> On Wed, Oct 1, 2008 at 3:57 AM, Stephen de Vries
> <stephen at twisteddelight.org> wrote:
>>
>> Hi Mike,
>>
>> Looks very interesting!  I'm curious about the reasons you chose to
>> implement a framework from scratch instead of using PMD/jlint/findbugs ?
>>
>> cheers,
>> Stephen
>>
>> On Oct 1, 2008, at 1:25 AM, Michael V. Scovetta wrote:
>>
>>> Hello,
>>>   I thought this would be relevant to the OWASP Code Review Project,
>>> since I started writing Yasca to help with code reviews.
>>>
>>> Yasca ("Yet Another Source Code Scanner") is a framework and
>>> implementation for performing source code analysis. It integrates some
>>> security scanners (PMD, FindBugs, Jlint) and has some of its own too. It's
>>> meant to find the "low hanging fruit" in web applications, and be
>>> **very** easily extensible (i.e. ~30 seconds to write a new rule) yet
>>> powerful (i.e. arbitrary call-outs to your own scanning code). Yasca is
>>> written in command-line PHP, is cross-platform, and is simple and quick to
>>> run.
>>>
>>> Yasca is open-source (BSD license) and is available on SourceForge
>>> (http://sourceforge.net/projects/yasca) or http://yasca.org/.
>>>
>>> I'm very interested in hearing feedback and suggestions.
>>>
>>> Thank you,
>>>
>>> Mike Scovetta
>>> _______________________________________________
>>> Owasp-codereview mailing list
>>> Owasp-codereview at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-codereview
>>
>
>
>
> --
> -[ Michael Scovetta ]-
>
>
>



-- 
Owasp Orizon leader
orizon.sourceforge.net