[Owasp-testing] [Owasp-codereview] Code Review project and Code-Scanning-Tool(s)

Andrew van der Stock vanderaj at owasp.org
Thu Jan 18 15:49:19 EST 2007


I can help with the PHP code review items as long as it can be implemented
in a language neutral way. Luckily, PHP's vulnerability sources (those
couple of hundred functions and constructs which are a bit dodgy) are
relatively easy to identify, but input taint is HARD with a capital H, A, R
and D. It might be easier to use a php -> JVM or php -> .net IL compiler and
use that to determine what is actually happening.

LAPSE has caused Eclipse 3.2.1 on Intel MacOS X to barf, so there's some
stability issues to be worked out as well. The next time it happens, I'll
take good note of the VM exception.

Thanks,
Andrew


On 1/18/07 11:18 AM, "Dinis Cruz" <dinis at ddplus.net> wrote:

> I'm with Stephen on this one, we should leverage LAPSE's work and take it to
> the next level (I also like the fact that LAPSE is an Eclipse plug-in). For
> reference you can get LAPSE from here
> http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project
> 
> Benjamin Livshits (LAPSE project leader), can you join this thread (which
> started here: 
> http://lists.owasp.org/pipermail/owasp-testing/2007-January/001324.html) and
> share with us your plans for LAPSE?
> 
> Thanks
> 
> Dinis Cruz
> 
> On 1/18/07, Stephen de Vries <stephen at corsaire.com> wrote:
>> 
>> On 18 Jan 2007, at 21:07, Jeff Williams wrote:
>>> > I'd strongly recommend using bytecode for Java and .NET.  The
>>> > compiler handles a LOT of sticky issues for you - like resolving
>>> > symbols, so you can make much more sophisticated rules.  For
>>> > example if you see a call to runtime.exec() in a Java program, what
>>> > type is the "runtime" variable - probably Runtime, but it could be
>>> > something else.  All variables are resolved in the bytecode.
>>> >
>>> > If you're interested in a supercharged engine, James Gosling's
>>> > Jackpot engine is really really cool.  It's basically an API for
>>> > source code. See http://jackpot.netbeans.org/ .  You can use it to
>>> > find problems, and ALSO to actually transform the code.  It's
>>> > integrated into netbeans, but I spent a few hours to extract it and
>>> > make a command line version.  Never did anything with it though.
>>> > If anyone wants to pick up that work, let me know.
>> I'm beginning to sound like a LAPSE cheerleader, but why should we
>> reinvent the wheel when there is already a Java code review tool that
>> is not only open source, but it's an existing OWASP project!
>> 
>> Stephen
>> 
>>> >
>>> >
>>> > --Jeff
>>> >
>>> >
>>> >
>>> > From: owasp-testing-bounces at lists.owasp.org
>>> > [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Eoin
>>> > Sent: Thursday, January 18, 2007 8:14 AM
>>> > To: Dinis Cruz
>>> > Cc: Owasp-codereview at lists.owasp.org; owasp-testing at lists.owasp.org
>>> > Subject: Re: [Owasp-testing] Code Review project and Code-Scanning-
>>> > Tool(s)
>>> >
>>> >
>>> >
>>> > I was thinking of using the "Checkstyle" framework?
>>> >
>>> > Check it out (google Checkstyle).
>>> >
>>> > On 18/01/07, Dinis Cruz <dinis at ddplus.net> wrote:
>>> >
>>> > We must take this opportunity and use some of the energy that is
>>> > going into the Code Review Guide to create a Code Scanning Tool
>>> > which identifies the issues raised.
>>> >
>>> > I don't care if in its initial version it is just a bunch of regEx
>>> > and clever searches (ideally we would expand on projects like our
>>> > own OWASP LAPSE Project, but I don't want the guide to be dependent
>>> > on a tool development)
>>> >
>>> > What I would like to happen is that for each major issue (or
>>> > 'gotcha') covered in the Guide, information would be provided on
>>> > how to detect that in a semi-automatic way.
>>> >
>>> > I know that there are exceptions (and let's keep the business logic
>>> > vulnerabilities out of this one) but most issues should be detectable.
>>> >
>>> > Dinis Cruz
>>> > Chief OWASP Evangelist, Are you a member yet?
>>> > http://www.owasp.org
>>> > _______________________________________________
>>> > Owasp-testing mailing list
>>> > Owasp-testing at lists.owasp.org
>>> > http://lists.owasp.org/mailman/listinfo/owasp-testing
>>> >
>>> > --
>>> > Eoin Keary OWASP - Ireland
>>> > http://www.owasp.org/local/ireland.html
>>> > http://www.owasp.org/index.php/OWASP_Testing_Project
>>> > http://www.owasp.org/index.php/OWASP_Code_Review_Project
>>> >
>> 
>> --
>> Stephen de Vries
>> Corsaire Ltd
>> E-mail: stephen at corsaire.com
>> Tel:    +44 1483 226014
>> Fax:    +44 1483 226068
>> Web:    http://www.corsaire.com
>> 
>> ----------------------------------------------------------------------
>> CONFIDENTIALITY:  This e-mail and any files transmitted with it are
>> confidential and intended solely for the use of the recipient(s) only.
>> Any review, retransmission, dissemination or other use of, or taking
>> any action in reliance upon this information by persons or entities
>> other than the intended recipient(s) is prohibited.  If you have
>> received this e-mail in error please notify the sender immediately
>> and destroy the material whether stored on a computer or otherwise.
>> ----------------------------------------------------------------------
>> DISCLAIMER:  Any views or opinions presented within this e-mail are
>> solely those of the author and do not necessarily represent those
>> of Corsaire Limited, unless otherwise specifically stated.
>> ----------------------------------------------------------------------
>> Corsaire Limited, registered in England No. 3338312. Registered
>> office: 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF.
>> Telephone: +44 (0)1483-226000
>> 
> 
> _______________________________________________
> Owasp-codereview mailing list
> Owasp-codereview at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-codereview
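An added illustration, not code from any message in this thread or from the LAPSE project: a minimal regex-based scanner of the kind Dinis proposes as a first version, run over a constructed PHP fragment. It finds the command-execution sinks Andrew says are easy to identify, then tries a single-hop taint lookup (does the argument, or the last assignment to it, mention a request superglobal?). The sample file, the SINKS and SOURCES lists and the scan_php function are all constructed for this example; the sink list is a handful of names, not the "couple of hundred" Andrew refers to. The point it makes is Andrew's: the sink match is trivial, but the fragment already contains one false positive (a sanitised value the scanner cannot recognise) and one false negative (taint entering a sink through a function parameter).

```python
import re
from dataclasses import dataclass

# Constructed PHP sample (not from the thread). The scanner reports line numbers into it.
SAMPLE_PHP = r'''<?php
function run($c) {
    system($c);                 // argument is a parameter: interprocedural, out of reach
}
$cmd = $_GET['cmd'];
system($_GET['direct']);        // source reaches the sink directly
system($cmd);                   // source reaches the sink through one assignment
system('ls -la /var/www');      // constant argument, nothing to taint
$safe = escapeshellarg($_GET['x']);
system("ls " . $safe);          // sanitised upstream; the scanner has no sanitizer model
run($_GET['c']);                // real flow into line 3, invisible to this scanner
'''

# Illustrative subset of PHP command-execution sinks (assumption: not an exhaustive list).
SINKS = ("system", "exec", "passthru", "shell_exec", "popen", "proc_open")
# Superglobals that carry attacker-controlled input.
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST", "$_SERVER", "$_FILES")

SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\((.*)\)\s*;")
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.*?);")
VAR_RE = re.compile(r"\$\w+")


@dataclass
class Finding:
    line: int
    sink: str
    verdict: str


def has_source(expr: str) -> bool:
    """True if the expression textually mentions a request superglobal."""
    return any(s in expr for s in SOURCES)


def scan_php(src: str) -> list:
    """Regex sink finder with one-hop, flow-insensitive taint lookup.

    Keeps the most recent textual assignment to each variable and asks whether
    its right-hand side mentions a source. No parsing, no sanitizer knowledge,
    no interprocedural flow: exactly the limits the thread is discussing.
    """
    assignments = {}          # "$name" -> right-hand side of its last assignment
    findings = []
    for no, text in enumerate(src.splitlines(), 1):
        code = text.split("//", 1)[0]      # crude comment stripping; breaks on "//" in strings
        m = ASSIGN_RE.match(code)
        if m:
            assignments[m.group(1)] = m.group(2)
        m = SINK_RE.search(code)
        if not m:
            continue
        sink, args = m.group(1), m.group(2)
        if has_source(args):
            verdict = "tainted: source used directly"
        else:
            names = VAR_RE.findall(args)
            if not names:
                verdict = "clean: constant argument"
            else:
                tainted = [v for v in names if has_source(assignments.get(v, ""))]
                unresolved = [v for v in names if v not in assignments]
                if tainted:
                    verdict = "tainted: via " + ", ".join(tainted)
                elif unresolved:
                    verdict = "unknown: cannot resolve " + ", ".join(unresolved)
                else:
                    verdict = "clean: resolved to non-source"
        findings.append(Finding(no, sink, verdict))
    return findings


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f.line:2d}  {f.sink}()  {f.verdict}")
```

Running it prints one line per sink call: line 3 comes back "unknown" because $c is a parameter, lines 6 and 7 are correctly flagged, line 8 is correctly clean, and line 10 is flagged as tainted via $safe even though escapeshellarg() was applied. Line 11, the call that actually delivers $_GET['c'] to the system() on line 3, produces nothing at all. Getting those last two right is the taint-tracking work Andrew calls hard, and it is the part a bytecode or IL based approach, as Jeff and Andrew both suggest, is meant to make tractable.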

