[Owasp-testing] Code Review project and Code-Scanning-Tool(s)

Jeff Williams jeff.williams at aspectsecurity.com
Thu Jan 18 09:07:37 EST 2007


I'd strongly recommend using bytecode for Java and .NET.  The compiler
handles a LOT of sticky issues for you - like resolving symbols, so you
can make much more sophisticated rules.  For example, if you see a call
to runtime.exec() in a Java program, what type is the "runtime" variable
- probably Runtime, but it could be something else.  All variables are
resolved in the bytecode.

If you're interested in a supercharged engine, James Gosling's Jackpot
engine is really really cool.  It's basically an API for source code.
See http://jackpot.netbeans.org/.  You can use it to find problems, and
ALSO to actually transform the code.  It's integrated into netbeans, but
I spent a few hours to extract it and make a command line version.
Never did anything with it though.  If anyone wants to pick up that
work, let me know.

--Jeff
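An added example (not from this thread, and not code from any OWASP project) of the point above: in a compiled class every method call sits in the constant pool as a Methodref that already names its owner class, so a scanner reading the class file can tell `java/lang/Runtime.exec` from a look-alike class that merely has a method named exec, which a regex over `runtime.exec(` in source cannot. The class bytes below are constructed inline (header plus constant pool only) for the demonstration.

```python
import struct

# JVM class-file constant-pool tags (JVMS section 4.4) and the byte width of each entry after its tag.
UTF8, CLASS, METHODREF = 1, 7, 10
WIDTH = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
RAW = {3, 4, 5, 6, 15}  # Integer, Float, Long, Double, MethodHandle: kept as raw bytes, not pool indexes

def parse_constant_pool(data):  # returns a list; index 0 is unused, as in the JVM
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off, i = [None], 10, 1
    while i < count:
        tag, off = data[off], off + 1
        if tag == UTF8:
            (n,), off = struct.unpack(">H", data[off:off + 2]), off + 2
            pool.append((tag, data[off:off + n].decode("utf-8")))
        elif tag in WIDTH:
            n = WIDTH[tag]
            if tag in RAW:
                pool.append((tag, data[off:off + n]))
            else:  # Class, String, *ref, NameAndType, ...: one or two u2 indexes into the pool
                pool.append((tag,) + struct.unpack(">%dH" % (n // 2), data[off:off + n]))
            if n == 8:  # Long and Double occupy two pool slots
                pool.append(None)
                i += 1
        else:
            raise ValueError("unsupported constant tag %d" % tag)
        off += n
        i += 1
    return pool

def resolved_method_calls(data):  # every Methodref, resolved to (owner class, method name)
    pool = parse_constant_pool(data)
    calls = set()
    for entry in pool:
        if entry and entry[0] == METHODREF:
            _, class_idx, nat_idx = entry
            owner = pool[pool[class_idx][1]][1]  # Class -> Utf8
            name = pool[pool[nat_idx][1]][1]     # NameAndType -> Utf8 (method name)
            calls.add((owner, name))
    return calls

def u2(*vals):
    return struct.pack(">%dH" % len(vals), *vals)
def utf8(s):
    return u2(len(s.encode())) + s.encode()

# Constructed class file: a real java.lang.Runtime.exec call plus a look-alike com.example.Runtime.exec.
CP = [(1, utf8("java/lang/Runtime")), (7, u2(1)), (1, utf8("exec")),                         # 1-3
      (1, utf8("(Ljava/lang/String;)Ljava/lang/Process;")), (12, u2(3, 4)), (10, u2(2, 5)),  # 4-6
      (1, utf8("com/example/Runtime")), (7, u2(7)), (10, u2(8, 5))]                        # 7-9
SAMPLE_CLASS = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, len(CP) + 1) + b"".join(bytes([t]) + p for t, p in CP)
```

A rule that keys on the owner class, such as flagging only `("java/lang/Runtime", "exec")` in the returned set, therefore never fires on the look-alike class.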

 

________________________________

From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Thursday, January 18, 2007 8:14 AM
To: Dinis Cruz
Cc: Owasp-codereview at lists.owasp.org; owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Code Review project and
Code-Scanning-Tool(s)

I was thinking of using the "Checkstyle" framework?

Check it out (google Checkstyle).

On 18/01/07, Dinis Cruz <dinis at ddplus.net> wrote: 

We must take this opportunity and use some of the energy that is going
into the Code Review Guide to create a Code Scanning Tool which
identifies the issues raised. 

I don't care if in its initial version it is just a bunch of regEx and
clever searches (ideally we would expand on projects like our own OWASP
LAPSE Project
<https://www.owasp.org/index.php/Category:OWASP_LAPSE_Project>, but I
don't want the guide to be dependent on a tool development)

What I would like to happen is that for each major issue (or 'gotcha')
covered in the Guide, information would be provided on how to detect
that in a semi-automatic way. 

I know that there are exceptions (and let's keep the business logic
vulnerabilities out of this one) but most issues should be detectable. 

Dinis Cruz
Chief OWASP Evangelist, Are you a member yet? 
http://www.owasp.org <http://www.owasp.org/>  
_______________________________________________
Owasp-testing mailing list
Owasp-testing at lists.owasp.org
http://lists.owasp.org/mailman/listinfo/owasp-testing

-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html 
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project 
