[Owasp-testing] [Owasp-codereview] Code Review project and Code-Scanning-Tool(s)

Jim Manico jim at manico.net
Thu Jan 18 14:37:49 EST 2007

In the Java space the best code scanning tool I see in the OSS space is
FindBugs; and in the commercial space I think Fortify is best.

Instead of worrying about building an actual code scanning tool, why not
focus on maxing a flaw taxonomy database that any tool vendor or OSS
project can use?

- Jim

Javier Fernández-Sanguino wrote:
> Stephen de Vries dijo:
>>> I mention Flawfinder (and not Rats) because it seems to be more  
>>> actively
>>> developed. It has been brought to my attention that the latest release
>>> (1.27) includes the capability to work with control version systems
>>> (reporting on the differences found when making changes).
>> Am I correct in assuming that flawfinder can only find issues in C/C+ 
>> + code?  If so, this would be of limited benefit to the web app world  
>> because it's not used as often as things like .NET, PHP and even RoR.
> True, flawfinder only works currently for C/C++ code (RATS provides 
> coverage of more languages including PHP, Perl and Python). Anyone of 
> them, however, could be possibly extended to cover more languages. Maybe 
> that's a SoC project on it's own.
>> Are there any existing tools in OSS land for .NET and PHP?
> For PHP: Rats
> For .NET: I don't know of any
> Regards
> Javier
> _______________________________________________
> Owasp-codereview mailing list
> Owasp-codereview at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-codereview

Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim at manico.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20070118/160e5fcb/attachment.html 

More information about the Owasp-testing mailing list