[Owasp-o2-platform] Scanning vanilla java with O2
dinis.cruz at owasp.org
Fri Aug 13 08:20:30 EDT 2010
The short answer is NO, you can't use O2 to perform a static analysis
of that code because the current version of O2 doesn't have a Scanning
Engine (it only has one for .Net).
The long answer is YES, you can use O2 to help you review that App
(from both BlackBox and WhiteBox points of view).
Focusing on the whitebox part, there are a number of O2 modules that
will be able to help you a lot.
Question: do you have access to a static analysis scan result
(Fortify, IBM, Veracode, Armorize) of that application? (I don't think
there is an equivalent Open Source one.) If you have these results, no
matter how big, you will be able to consume them in O2.
In terms of what O2 can help you with, here are some of the existing
- there is a web.XML parser and visualizer (and one of struts and
- you can consume results from other tools like: Orizon, FindBugs,
WebScarab, Burp, etc...
- you can convert the .class files into a CIR object which you can
then visualize and manipulate via scripts
- you can create CALL-FLOW traces from the CIR (and see 'makes call
to' and 'is called by' trees (with source code mappings))
- you can create O2Findings from those call-flow traces
- you can apply source to sink rules to those findings
Let me know which path you want to take and I'll write some
documentation & Scripts for it :)
On 12 Aug 2010, at 11:00, Yiannis Pavlosoglou <yiannis at owasp.org> wrote:
> Hi list!
> Having gone through the process of downloading and installing O2, we
> are a bit disappointed in not being able to achieve even a baseline
> scan in what is considered a simple project. Ergo, I would like to run
> the following past you guys, to see if anything has been missed.
> There is a codebase of appr. 1/4 million lines of code in java 1.5 (no
> frameworks, no components, no noise) mainly consisting of POJOs;
> standard configuration in eclipse; can also be built through ant, can
> also be built through maven.
> * Can this be scanned in/by O2?
> * What are the rules for this?
> The above questions follow the standard workflow of: We would like to
> input the code, configure the rules, receive a scan report back.
> I would appreciate a comment here, as there has been a hold-off in
> assessing O2 by means of giving it a simple enough project for it to
> cope. Now even that seems to be problematic.
> Thank you in advance,
> Owasp-o2-platform mailing list
> Owasp-o2-platform at lists.owasp.org
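The reply above describes a whitebox workflow of call graph, 'makes call to' and 'is called by' trees, call-flow traces and source-to-sink rules turned into findings. The following is an added illustration of that workflow in Python; it is not O2's code or data model, and the toy Java call graph, the method names and the source/sink/sanitizer rules are all constructed for this example.

```python
"""
Illustration of a call-flow review workflow: call graph -> 'makes call
to' / 'is called by' trees -> source-to-sink rules -> findings.
Added example; the graph, method names and rules are constructed for
this demo and are not O2's own data model or API.
"""
from collections import defaultdict

# Constructed call graph of a toy Java app: caller -> callees.
# In the workflow above this would be derived from the .class files;
# here it is hard-coded so the example runs offline.
CALLS = {
    "LoginServlet.doPost": ["HttpServletRequest.getParameter",
                            "UserDao.findUser", "PrintWriter.println"],
    "UserDao.findUser": ["QueryBuilder.build", "Statement.executeQuery"],
    "QueryBuilder.build": ["StringBuilder.append"],
    "ReportServlet.doGet": ["HttpServletRequest.getParameter",
                            "Sanitizer.escape", "PrintWriter.println"],
    "AdminServlet.doGet": ["Config.get", "PrintWriter.println"],
}

# Constructed source-to-sink rules (assumed for this demo).
SOURCES = {"HttpServletRequest.getParameter"}
SINKS = {
    "Statement.executeQuery": "SQL injection",
    "PrintWriter.println": "Cross-site scripting",
}
SANITIZERS = {"Sanitizer.escape"}


def is_called_by(calls):
    """Reverse the graph: callee -> set of callers ('is called by')."""
    rev = defaultdict(set)
    for caller, callees in calls.items():
        for callee in callees:
            rev[callee].add(caller)
    return rev


def call_tree(graph, root, depth=0, seen=None):
    """Render a 'makes call to' (graph=CALLS) or 'is called by'
    (graph=is_called_by(CALLS)) tree as indented lines."""
    seen = seen or set()
    lines = ["  " * depth + root]
    if root in seen:
        return lines  # cycle guard: do not expand a node twice on a path
    seen = seen | {root}
    for nxt in sorted(graph.get(root, ())):
        lines.extend(call_tree(graph, nxt, depth + 1, seen))
    return lines


def reachable_paths(calls, start, targets, path=None, seen=None):
    """Yield call paths from `start` to any method in `targets`
    (depth-first over the forward call graph, cycles skipped)."""
    path = (path or []) + [start]
    seen = seen or set()
    if start in targets and len(path) > 1:
        yield path
        return
    if start in seen:
        return
    for callee in calls.get(start, ()):
        yield from reachable_paths(calls, callee, targets, path, seen | {start})


def apply_rules(calls, sources, sinks, sanitizers):
    """Turn call-flow traces into findings: every method that invokes a
    source and from which a sink is reachable. This is call-flow
    reachability, not data-flow taint tracking, so a finding is a lead to
    review, not proof that the parameter value reaches the sink; the
    sanitizer flag only records that a sanitizer is also called."""
    findings = []
    for method, callees in calls.items():
        if not any(c in sources for c in callees):
            continue
        sanitized = any(c in sanitizers for c in callees)
        for path in reachable_paths(calls, method, set(sinks)):
            findings.append({
                "entry": method,
                "vuln": sinks[path[-1]],
                "trace": " -> ".join(path),
                "sanitizer_seen": sanitized,
            })
    return findings


if __name__ == "__main__":
    print("\n".join(call_tree(CALLS, "LoginServlet.doPost")))
    print("\n".join(call_tree(is_called_by(CALLS), "PrintWriter.println")))
    for f in apply_rules(CALLS, SOURCES, SINKS, SANITIZERS):
        flag = " (sanitizer seen)" if f["sanitizer_seen"] else ""
        print(f"{f['vuln']}: {f['trace']}{flag}")
```

Running it prints the forward tree for LoginServlet.doPost, the reverse tree for PrintWriter.println, and three findings: the SQL injection trace through UserDao.findUser, an XSS trace from LoginServlet.doPost, and an XSS trace from ReportServlet.doGet that is flagged because Sanitizer.escape is called on the way. The last one shows why such findings still need manual triage: the call graph alone cannot tell whether the escaped value is the one that reaches println.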