[Owasp-testing] Code Review project and Code-Scanning-Tool(s)

Dinis Cruz dinis at ddplus.net
Thu Jan 18 11:18:23 EST 2007


I'm with Stephen on this one, we should leverage LAPSE's work and take it to
the next level (I also like the fact that LAPSE is an Eclipse plug-in). For
reference you can get LAPSE from here
http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project

Benjamin Livshits (LAPSE project leader), can you join this thread (which
started here:
http://lists.owasp.org/pipermail/owasp-testing/2007-January/001324.html) and
share with us your plans for LAPSE?

Thanks

Dinis Cruz

On 1/18/07, Stephen de Vries <stephen at corsaire.com> wrote:
>
>
> On 18 Jan 2007, at 21:07, Jeff Williams wrote:
> > I'd strongly recommend using bytecode for Java and .NET.  The
> > compiler handles a LOT of sticky issues for you – like resolving
> > symbols, so you can make much more sophisticated rules.  For
> > example if you see a call to runtime.exec() in a Java program, what
> > type is the "runtime" variable – probably Runtime, but it could be
> > something else.  All variables are resolved in the bytecode.
> >
> > If you're interested in a supercharged engine, James Gosling's
> > Jackpot engine is really really cool.  It's basically an API for
> > source code. See http://jackpot.netbeans.org/.  You can use it to
> > find problems, and ALSO to actually transform the code.  It's
> > integrated into netbeans, but I spent a few hours to extract it and
> > make a command line version.  Never did anything with it though.
> > If anyone wants to pick up that work, let me know.
> I'm beginning to sound like a LAPSE cheerleader, but why should we
> reinvent the wheel when there is already a Java code review tool that
> is not only open source, but it's an existing OWASP project!
>
> Stephen
>
> >
> >
> > --Jeff
> >
> >
> >
> > From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-
> > bounces at lists.owasp.org] On Behalf Of Eoin
> > Sent: Thursday, January 18, 2007 8:14 AM
> > To: Dinis Cruz
> > Cc: Owasp-codereview at lists.owasp.org; owasp-testing at lists.owasp.org
> > Subject: Re: [Owasp-testing] Code Review project and Code-Scanning-
> > Tool(s)
> >
> >
> >
> > I was thinking of using the "Checkstyle" framework?
> >
> > Check it out (google Checkstyle).
> >
> >
> >
> >
> >
> > On 18/01/07, Dinis Cruz <dinis at ddplus.net> wrote:
> >
> > We must take this opportunity and use some of the energy that is
> > going into the Code Review Guide to create a Code Scanning Tool
> > which identifies the issues raised.
> >
> > I don't care if in its initial version it is just a bunch of regEx
> > and cleaver searches (ideally we would expand of projects like our
> > own OWASP LAPSE Project , but I don't want the guide to be depended
> > on a tool development)
> >
> > What I would like to happen is that for each major issue (or
> > 'gotcha') covered in the Guide, information would be provided on
> > how to detect that in a semi-automatic way.
> >
> > I know that there are exceptions (and let's keep the business logic
> > vulnerabilities out of this one) but most issues should be detectable.
> >
> > Dinis Cruz
> > Chief OWASP Evangelist, Are you a member yet?
> > http://www.owasp.org
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > http://lists.owasp.org/mailman/listinfo/owasp-testing
> >
> >
> >
> >
> >
> > --
> > Eoin Keary OWASP - Ireland
> > http://www.owasp.org/local/ireland.html
> > http://www.owasp.org/index.php/OWASP_Testing_Project
> > http://www.owasp.org/index.php/OWASP_Code_Review_Project
> >
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > http://lists.owasp.org/mailman/listinfo/owasp-testing
>
> --
> Stephen de Vries
> Corsaire Ltd
> E-mail: stephen at corsaire.com
> Tel:    +44 1483 226014
> Fax:    +44 1483 226068
> Web:    http://www.corsaire.com
>
>
>
>
>
>
> ----------------------------------------------------------------------
> CONFIDENTIALITY:  This e-mail and any files transmitted with it are
> confidential and intended solely for the use of the recipient(s) only.
> Any review, retransmission, dissemination or other use of, or taking
> any action in reliance upon this information by persons or entities
> other than the intended recipient(s) is prohibited.  If you have
> received this e-mail in error please notify the sender immediately
> and destroy the material whether stored on a computer or otherwise.
> ----------------------------------------------------------------------
> DISCLAIMER:  Any views or opinions presented within this e-mail are
> solely those of the author and do not necessarily represent those
> of Corsaire Limited, unless otherwise specifically stated.
> ----------------------------------------------------------------------
> Corsaire Limited, registered in England No. 3338312. Registered
> office: 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF.
> Telephone: +44 (0)1483-226000
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20070118/de8b333f/attachment.html 


More information about the Owasp-testing mailing list