[Owasp-codereview] Yasca v1.0 Released

Paolo Perego thesp0nge at gmail.com
Wed Oct 1 11:05:13 EDT 2008


I'm presenting my tool as a SOC participant and I'm waiting to know if
a "hands-on" session is approved for using Owasp Orizon to write a
simple tool.

To me it sounds exciting. The more open tools there are, the more powerful
each can become by learning from the others :)
Sure, a comparison matrix will be good when the maturity level is reached :)

Paolo

2008/10/1 Eoin <eoinkeary at gmail.com>:
> Would you like to present these tools (Orizon, Yasca & Code Crawler) at
> OWASP Portugal?
> I hope to do OWASP Code Review training and think the integration of such
> tools with the guide would be very useful to the community.
> When the tools reach maturity I would suggest a "bake-off" competition of
> the tools, also looking at which tool is better in different areas.
> What do y'all think?
>
>
> 2008/10/1 Paolo Perego <thesp0nge at gmail.com>
>>
>> That's the same for me. The reason I started writing Orizon was to
>> provide a set of rules that will be cross-tool for the existing tools.
>>
>> After all, I've seen the code, and the approach Yasca uses in
>> programming language is different from mine but seems to be good too
>> :)
>>
>> thesp0nge
>>
>> 2008/10/1 Michael V. Scovetta <scovetta at users.sourceforge.net>:
>> > Hi Stephen,
>> >    I suppose part of it is hindsight being what it is. I started out
>> > just wanting a wrapper around grep to scan for simple things, but as
>> > things got more complex, I realized it had to be a bit better than that.
>> > Each of those tools is great at finding certain things, but (a) all are
>> > only Java (except for Jlint, which does C/C++ too) [Yasca is more
>> > generic - it has a few scanners for HTML/JavaScript and even a COBOL
>> > one], and (b) they are limited to scanning using their own framework
>> > (i.e. it'd be difficult to integrate Jlint or FindBugs' ruleset into
>> > PMD). In that regard you could call that aspect of Yasca a wrapper.
>> >
>> > Thanks!
>> >
>> > Mike
>> >
>> > On Wed, Oct 1, 2008 at 3:57 AM, Stephen de Vries
>> > <stephen at twisteddelight.org> wrote:
>> >>
>> >> Hi Mike,
>> >>
>> >> Looks very interesting!  I'm curious about the reasons you chose to
>> >> implement a framework from scratch instead of using PMD/jlint/findbugs?
>> >>
>> >> cheers,
>> >> Stephen
>> >>
>> >> On Oct 1, 2008, at 1:25 AM, Michael V. Scovetta wrote:
>> >>
>> >>> Hello,
>> >>>   I thought this would be relevant to the OWASP Code Review Project,
>> >>> since I started writing Yasca to help with code reviews.
>> >>>
>> >>> Yasca ("Yet Another Source Code Scanner") is a framework and
>> >>> implementation for performing source code analysis. It integrates some
>> >>> security scanners (PMD, FindBugs, Jlint) and has some of its own too.
>> >>> It's meant to find the "low-hanging fruit" in web applications, and be
>> >>> **very** easily extensible (i.e. ~30 seconds to write a new rule) yet
>> >>> powerful (i.e. arbitrary call-outs to your own scanning code). Yasca
>> >>> is written in command-line PHP, is cross-platform, and is simple and
>> >>> quick to run.
>> >>>
>> >>> Yasca is open-source (BSD license) and is available on SourceForge
>> >>> (http://sourceforge.net/projects/yasca) or http://yasca.org/.
>> >>>
>> >>> I'm very interested in hearing feedback and suggestions.
>> >>>
>> >>> Thank you,
>> >>>
>> >>> Mike Scovetta
>> >>> _______________________________________________
>> >>> Owasp-codereview mailing list
>> >>> Owasp-codereview at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/owasp-codereview
>> >>
>> >
>> >
>> >
>> > --
>> > -[ Michael Scovetta ]-
>> >
>> >
>> >
>>
>>
>>
>> --
>> Owasp Orizon leader
>> orizon.sourceforge.net
>
>
>
> --
> Eoin Keary CISSP CISA
> OWASP Code Review Guide Lead Author
> OWASP Ireland Chapter Lead
>



-- 
Owasp Orizon leader
orizon.sourceforge.net
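As an added illustration of the design Mike describes above (a grep-style framework where a new rule takes seconds to write, plus arbitrary call-outs to your own scanning code, all reporting through one finding format), here is a small scanner of that shape. This is example code written for this page, not Yasca's own code (Yasca is PHP; this is Python so it can be run as-is): the rule names, the sample files, the placeholder list and the finding format are all constructed for the example.

```python
"""Minimal grep-style source scanner with pluggable rules and call-outs (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    """One result, in a single shape no matter which rule or call-out produced it."""
    rule: str
    path: str
    line: int
    severity: str
    message: str


class Rule:
    """A grep-style rule: one regex, the extensions it applies to, and a verdict."""

    def __init__(self, name: str, pattern: str, extensions: Tuple[str, ...],
                 severity: str, message: str) -> None:
        self.name, self.extensions = name, extensions
        self.severity, self.message = severity, message
        self.regex = re.compile(pattern)

    def scan(self, path: str, text: str) -> List[Finding]:
        if not path.lower().endswith(self.extensions):   # file-type dispatch
            return []
        return [Finding(self.name, path, n, self.severity, self.message)
                for n, line in enumerate(text.splitlines(), 1)
                if self.regex.search(line)]


# A call-out is any callable (path, text) -> findings; it may do whatever a regex cannot.
Callout = Callable[[str, str], List[Finding]]

_CRED = re.compile(r"""(?i)\b\w*(?:password|passwd|secret|api_?key)\w*\s*=\s*["']([^"']*)["']""")
_PLACEHOLDERS = {"", "changeme", "password", "todo", "xxx"}   # constructed list


def hardcoded_credential_callout(path: str, text: str) -> List[Finding]:
    """Language-agnostic call-out: a credential-like name assigned a real-looking literal.
    Unlike a bare Rule it inspects the captured value and skips empty/placeholder strings."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _CRED.search(line)
        if m and m.group(1).strip().lower() not in _PLACEHOLDERS \
                and not m.group(1).startswith("${"):
            out.append(Finding("hardcoded-credential", path, n, "High",
                               "credential-like variable assigned a string literal"))
    return out


class Scanner:
    """Runs every rule and every call-out over every file and merges the findings."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.callouts: List[Callout] = []

    def add_rule(self, *args, **kwargs) -> "Scanner":
        self.rules.append(Rule(*args, **kwargs))
        return self

    def add_callout(self, fn: Callout) -> "Scanner":
        self.callouts.append(fn)
        return self

    def scan_files(self, files: Dict[str, str]) -> List[Finding]:
        found: List[Finding] = []
        for path, text in files.items():
            for rule in self.rules:
                found.extend(rule.scan(path, text))
            for callout in self.callouts:
                found.extend(callout(path, text))
        return sorted(found, key=lambda f: (f.path, f.line, f.rule))


def build_scanner() -> Scanner:
    """Four one-line rules (the '30 seconds to write a rule' idea) plus one call-out."""
    return (Scanner()
            .add_rule("js-eval", r"\beval\s*\(", (".js", ".html"), "Medium",
                      "eval() on possibly attacker-controlled input")
            .add_rule("js-document-write", r"\bdocument\.write\s*\(", (".js", ".html"),
                      "Medium", "document.write() is a DOM XSS sink")
            .add_rule("java-runtime-exec", r"Runtime\.getRuntime\(\)\.exec\(", (".java",),
                      "High", "Runtime.exec() with a possibly tainted command")
            .add_rule("php-superglobal-echo", r"\becho\b.*\$_(?:GET|POST|REQUEST|COOKIE)\b",
                      (".php",), "High", "request data echoed without encoding")
            .add_callout(hardcoded_credential_callout))


# Constructed sample sources; line 6 of login.php is unsafe but deliberately NOT caught:
# a single-line grep rule cannot follow $_GET into $user, which is the limit of "low-hanging fruit".
SAMPLE_FILES = {
    "login.php": '<?php\n$db_password = "hunter2";\n$user = $_GET["user"];\n'
                 'echo "Welcome " . $_GET["user"];\necho htmlspecialchars($user);\necho $user;\n',
    "app.js": 'var q = location.search.slice(1);\ndocument.write("<p>" + q + "</p>");\n'
              'var cfg = JSON.parse(raw);\neval(cfg.expr);\n',
    "Upload.java": 'public class Upload {\n    static final String API_KEY = "";\n'
                   '    void run(String name) throws Exception {\n'
                   '        Runtime.getRuntime().exec("convert " + name);\n    }\n}\n',
    "index.html": '<html><body>\n<script>eval(window.name);</script>\n</body></html>\n',
}


def format_report(findings: List[Finding]) -> List[str]:
    return [f"{f.severity:<6} {f.path}:{f.line}  {f.rule}: {f.message}" for f in findings]


if __name__ == "__main__":
    print("\n".join(format_report(build_scanner().scan_files(SAMPLE_FILES))))
```

The point of the split between `Rule` and the call-out is the one Mike makes: most findings are cheap regex hits, but the framework must let you drop in arbitrary code (here, a value check that a regex alone would get wrong on placeholder strings) without changing the reporting path. The deliberate miss on `echo $user;` is why such a scanner is positioned as a first pass before manual review, not a replacement for it.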

