[Owasp-o2-platform] Scanning vanilla java with O2

Yiannis Pavlosoglou yiannis at owasp.org
Fri Aug 13 10:58:01 EDT 2010


Hi Dinis,

Thanks for the clarification; it sounds tempting to go up the findbugs
avenue on this project and in this way present to O2 a data set on
rules defined that can be received as input.

I'll keep you posted, if we choose that avenue.

Hope your tour is going well.

All the best,

Yiannis

On 13 August 2010 13:20, dinis cruz <dinis.cruz at owasp.org> wrote:
> Hi Yiannis
>
> The short answer is NO, you can't use O2 to perform a static analysis
> of that code because the current version of O2 doesn't have a Scanning
> Engine (it only has one for .Net)
>
> The long answer is YES, you can use O2 to help you review that App
> (from both BlackBox and WhiteBox points of view)
>
> Focusing on the whitebox part. There are a number of O2 modules that
> will be able to help you a lot.
>
> Question: do you have access to a static analysis scan result
> (Fortify, IBM, Veracode, Armorize) of that application? (don't think
> there is an equivalent Open Source one). If you have these results, no
> matter how big, you will be able to consume them in O2.
>
> In terms of what O2 can help you with, here are some of the existing
> capabilities:
>  - there is a web.XML parser and visualizer (and one for struts and
> Spring)
>  - you can consume results from other tools like: Orizon, FindBugs,
> WebScarab, Burp, etc...
>  - you can convert the .class files into a CIR object which you can
> then visualize and manipulate via scripts
>  - you can create CALL-FLOW traces from the CIR (and see 'makes call
> to' and 'is called by' trees (with source code mappings))
>  - you can create O2Findings from those call-flow traces
>  - you can apply source to sink rules to those findings
>
> Let me know which path you want to take and I'll write some
> documentation & Scripts for it :)
>
> Dinis Cruz
>
> On 12 Aug 2010, at 11:00, Yiannis Pavlosoglou <yiannis at owasp.org> wrote:
>
>> Hi list!
>>
>> Having gone through the process of downloading and installing O2, we
>> are a bit disappointed in not being able to achieve even a baseline
>> scan in what is considered a simple project. Ergo, I would like to run
>> the following past you guys, to see if anything has been missed.
>>
>> There is a codebase of appr. 1/4 million lines of code in java 1.5 (no
>> frameworks, no components, no noise) mainly consisting of POJOs;
>> standard configuration in eclipse; can also be built through ant, can
>> also be built through maven.
>>
>> * Can this be scanned in/by O2?
>> * What are the rules for this?
>>
>> The above questions follow the standard workflow of: We would like to
>> input the code, configure the rules, receive a scan report back.
>>
>> I would appreciate a comment here, as there has been a hold-off in
>> assessing O2 by means of giving it a simple enough project for it to
>> cope. Now even that seems to be problematic.
>>
>> Thank you in advance,
>>
>> Yiannis
>> _______________________________________________
>> Owasp-o2-platform mailing list
>> Owasp-o2-platform at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>
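The whitebox pipeline Dinis lists above (call-flow traces from the class files, "makes call to" / "is called by" trees, then source-to-sink rules applied to the resulting findings) in miniature, as an added example that is not O2's code and does not use the O2 project's API. It assumes the call edges have already been extracted from the .class files (the class and method names below are constructed), and it works on the call graph only, with no data-flow tracking, so a match means "a method that reads a source can reach a sink", a lead for manual review rather than a confirmed flow.

```python
from collections import defaultdict, deque

# Constructed call edges (caller -> callee), in the shape a .class-file
# analysis would hand back. All of these names are made up for the example.
CALL_EDGES = [
    ("app.Main.main", "app.Input.readRequest"),
    ("app.Main.main", "app.Service.handle"),
    ("app.Service.handle", "app.Log.write"),
    ("app.Service.handle", "app.Service.buildQuery"),
    ("app.Service.buildQuery", "app.Db.execute"),
    ("app.Report.render", "app.Db.execute"),
    ("app.Util.sanitize", "app.Util.escape"),
]

# Constructed rule: methods that return external input, and methods that
# act on their argument in a security-relevant way.
SOURCES = {"app.Input.readRequest"}
SINKS = {"app.Db.execute"}


def makes_call_to(edges):
    """'Makes call to' tree: method -> set of methods it calls directly."""
    tree = defaultdict(set)
    for caller, callee in edges:
        tree[caller].add(callee)
    return tree


def is_called_by(edges):
    """'Is called by' tree: method -> set of methods that call it directly."""
    tree = defaultdict(set)
    for caller, callee in edges:
        tree[callee].add(caller)
    return tree


def call_flow_traces(edges, start):
    """All call paths from `start` down to leaf methods (the call-flow trace tree)."""
    forward = makes_call_to(edges)
    traces = []

    def walk(path):
        node = path[-1]
        callees = forward.get(node, set())
        if not callees:
            traces.append(list(path))
            return
        for callee in sorted(callees):
            if callee in path:      # guard against recursion loops
                continue
            walk(path + [callee])

    walk([start])
    return traces


def find_path(forward, start, target):
    """Shortest call chain from `start` to `target`, or None (breadth-first search)."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for callee in sorted(forward.get(node, ())):
            if callee not in prev:
                prev[callee] = node
                queue.append(callee)
    return None


def apply_source_sink_rule(edges, sources, sinks):
    """Findings: methods that call a source and can (transitively) reach a sink.

    Call-graph reachability only; no data-flow, so treat matches as leads.
    """
    forward = makes_call_to(edges)
    methods = sorted({c for c, _ in edges} | {c for _, c in edges})
    findings = []
    for method in methods:
        hit_sources = sorted(forward.get(method, set()) & sources)
        if not hit_sources:
            continue
        for sink in sorted(sinks):
            path = find_path(forward, method, sink)
            if path:
                findings.append({"source": hit_sources[0], "sink": sink, "trace": path})
    return findings


if __name__ == "__main__":
    for finding in apply_source_sink_rule(CALL_EDGES, SOURCES, SINKS):
        print(finding["source"], "->", finding["sink"], ":", " -> ".join(finding["trace"]))
```

Running it reports one lead: `app.Main.main` reads the source and reaches `app.Db.execute` via `app.Service.handle` and `app.Service.buildQuery`. `app.Report.render` also reaches the sink but calls no source, so it is left out, which is the filtering the source-to-sink rule buys you over a plain "who calls the sink" query.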

