[Owasp-testing] Code Review project and Code-Scanning-Tool(s)

Stephen de Vries stephen at corsaire.com
Thu Jan 18 09:15:35 EST 2007


On 18 Jan 2007, at 21:07, Jeff Williams wrote:
> I’d strongly recommend using bytecode for Java and .NET.  The  
> compiler handles a LOT of sticky issues for you – like resolving  
> symbols, so you can make much more sophisticated rules.  For  
> example if you see a call to runtime.exec() in a Java program, what  
> type is the “runtime” variable – probably Runtime, but it could be  
> something else.  All variables are resolved in the bytecode.
>
> If you’re interested in a supercharged engine, James Gosling’s  
> Jackpot engine is really really cool.  It’s basically an API for  
> source code. See http://jackpot.netbeans.org/.  You can use it to  
> find problems, and ALSO to actually transform the code.  It’s  
> integrated into netbeans, but I spent a few hours to extract it and  
> make a command line version.  Never did anything with it though.   
> If anyone wants to pick up that work, let me know.
I'm beginning to sound like a LAPSE cheerleader, but why should we  
reinvent the wheel when there is already a Java code review tool that  
is not only open source, but it's an existing OWASP project!

Stephen

>
>
> --Jeff
>
>
>
> From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing- 
> bounces at lists.owasp.org] On Behalf Of Eoin
> Sent: Thursday, January 18, 2007 8:14 AM
> To: Dinis Cruz
> Cc: Owasp-codereview at lists.owasp.org; owasp-testing at lists.owasp.org
> Subject: Re: [Owasp-testing] Code Review project and Code-Scanning- 
> Tool(s)
>
>
>
> I was thinking of using the "Checkstyle" framework?
>
> Check it out (google Checkstyle).
>
>
>
>
>
> On 18/01/07, Dinis Cruz <dinis at ddplus.net> wrote:
>
> We must take this opportunity and use some of the energy that is  
> going into the Code Review Guide to create a Code Scanning Tool  
> which identifies the issues raised.
>
> I don't care if in its initial version it is just a bunch of regEx  
> and cleaver searches (ideally we would expand of projects like our  
> own OWASP LAPSE Project , but I don't want the guide to be depended  
> on a tool development)
>
> What I would like to happen is that for each major issue (or  
> 'gotcha') covered in the Guide, information would be provided on  
> how to detect that in a semi-automatic way.
>
> I know that there are exceptions (and let's keep the business logic  
> vulnerabilities out of this one) but most issues should be detectable.
>
> Dinis Cruz
> Chief OWASP Evangelist, Are you a member yet?
> http://www.owasp.org
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing
>
>
>
>
>
> -- 
> Eoin Keary OWASP - Ireland
> http://www.owasp.org/local/ireland.html
> http://www.owasp.org/index.php/OWASP_Testing_Project
> http://www.owasp.org/index.php/OWASP_Code_Review_Project
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing

-- 
Stephen de Vries
Corsaire Ltd
E-mail: stephen at corsaire.com
Tel:	+44 1483 226014
Fax: 	+44 1483 226068
Web: 	http://www.corsaire.com






----------------------------------------------------------------------
CONFIDENTIALITY:  This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited.  If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER:  Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
----------------------------------------------------------------------
Corsaire Limited, registered in England No. 3338312. Registered
office: 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF.
Telephone: +44 (0)1483-226000




More information about the Owasp-testing mailing list