[Owasp-testing] Code Review project and Code-Scanning-Tool(s)

Stephen de Vries stephen at corsaire.com
Thu Jan 18 04:06:33 EST 2007


On 18 Jan 2007, at 15:46, Javier Fernández-Sanguino wrote:

> Dinis Cruz dijo:
>> I don't care if in its initial version it is just a bunch of regEx  
>> and
>> cleaver searches (ideally we would expand of projects like our own  
>> OWASP
>> LAPSE Project
>> <https://www.owasp.org/index.php/Category:OWASP_LAPSE_Project> ,  
>> but I
>> don't want the guide to be depended on a tool development)
>
> Wouldn't it be possible to extend existing OSS tools (such as
> Flawfinder, which is actively being developed) for the OWASP specifics
> of Code Review?

In the Java space, the OWASP LAPSE tool is easily the best open  
source security code review tool available, IMO.  The other  
contenders such as: findbugs and PMD include only limited security  
tests.
But LAPSE is far from perfect, and it would be great to be able to  
extend this tool to compete with the commercial offerings.  What  
would be really useful is:
- Support for .NET (this could be a LOT of work)
- Support for scanning xml configuration files (and the necessary  
rules for the most popular J2EE servers)
- Support for JSP and JSF

>
> I mention Flawfinder (and not Rats) because it seems to be more  
> actively
> developed. It has been brought to my attention that the latest release
> (1.27) includes the capability to work with control version systems
> (reporting on the differences found when making changes).

Am I correct in assuming that flawfinder can only find issues in C/C+ 
+ code?  If so, this would be of limited benefit to the web app world  
because it's not used as often as things like .NET, PHP and even RoR.

Are there any existing tools in OSS land for .NET and PHP?

regards,

-- 
Stephen de Vries
Corsaire Ltd
E-mail: stephen at corsaire.com
Tel:	+44 1483 226014
Fax: 	+44 1483 226068
Web: 	http://www.corsaire.com






----------------------------------------------------------------------
CONFIDENTIALITY:  This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited.  If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER:  Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
----------------------------------------------------------------------
Corsaire Limited, registered in England No. 3338312. Registered
office: 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF.
Telephone: +44 (0)1483-226000




More information about the Owasp-testing mailing list