[Owasp-codereview] Yasca v1.0 Released

Eoin eoinkeary at gmail.com
Wed Oct 1 11:02:14 EDT 2008


Would you like to present these tools (Orizon, Yasca & Code Crawler) at
OWASP Portugal?
I hope to do OWASP Code review training and think the integration of such
tools with the guide would be very useful to the community?
When the tools reach maturity I would suggest a "bake-off" competition of
the tools, also looking at which tools are better in different areas.
What do y'all think?



2008/10/1 Paolo Perego <thesp0nge at gmail.com>

> That's the same for me. The reason I started writing Orizon was to
> provide a set of rules that will be cross for the existing tools.
>
> After all, I've seen the code and the approach Yasca uses in
> programming language is different than mine but seems to be good too
> :)
>
> thesp0nge
>
> 2008/10/1 Michael V. Scovetta <scovetta at users.sourceforge.net>:
> > Hi Stephen,
> >    I suppose part of it is hindsight being what it is. I started out just
> > wanting a wrapper around grep to scan for simple things, but as things got
> > more complex, I realized it had to be a bit better than that. Each of those
> > tools is great at finding certain things, but (a) all are only Java (except
> > for Jlint, which does C/C++ too) [Yasca is more generic - it has a few
> > scanners for HTML/JavaScript and even a COBOL one], and (b) they are limited
> > to scanning using their own framework (i.e. it'd be difficult to integrate
> > Jlint or FindBugs' ruleset into PMD). In that regard you could call that
> > aspect of Yasca a wrapper.
> >
> > Thanks!
> >
> > Mike
> >
> > On Wed, Oct 1, 2008 at 3:57 AM, Stephen de Vries
> > <stephen at twisteddelight.org> wrote:
> >>
> >> Hi Mike,
> >>
> >> Looks very interesting!  I'm curious about the reasons you chose to
> >> implement a framework from scratch instead of using PMD/jlint/findbugs ?
> >>
> >> cheers,
> >> Stephen
> >>
> >> On Oct 1, 2008, at 1:25 AM, Michael V. Scovetta wrote:
> >>
> >>> Hello,
> >>>   I thought this would be relevant to the OWASP Code Review Project,
> >>> since I started writing Yasca to help with code reviews.
> >>>
> >>> Yasca ("Yet Another Source Code Scanner") is a framework and
> >>> implementation for performing source code analysis. It integrates some
> >>> security scanners (PMD, FindBugs, Jlint) and has some of its own too. It's
> >>> meant to find the "low hanging fruit" in web applications, and be
> >>> **very** easily extensible (i.e. ~30 seconds to write a new rule) yet
> >>> powerful (i.e. arbitrary call-outs to your own scanning code). Yasca is
> >>> written in command-line PHP, is cross-platform, and is simple and quick to
> >>> run.
> >>>
> >>> Yasca is open-source (BSD license) and is available on SourceForge
> >>> (http://sourceforge.net/projects/yasca) or http://yasca.org/.
> >>>
> >>> I'm very interested in hearing feedback and suggestions.
> >>>
> >>> Thank you,
> >>>
> >>> Mike Scovetta
> >>> _______________________________________________
> >>> Owasp-codereview mailing list
> >>> Owasp-codereview at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-codereview
> >>
> >
> >
> >
> > --
> > -[ Michael Scovetta ]-
> >
> >
> >
>
>
>
> --
> Owasp Orizon leader
> orizon.sourceforge.net
>



-- 
Eoin Keary CISSP CISA
OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead