[Owasp-testing] Code Review project and Code-Scanning-Tool(s)

Benjamin Livshits livshits at cs.stanford.edu
Tue Jan 23 01:32:01 EST 2007


Hello everybody. Sorry, I am just reading this now.

Well, I am all for pushing LAPSE further. I basically think about
LAPSE as a straw man project in terms of the technology it uses.
Dinis, I think you need to explain what you are proposing.

Various injection issues (or at least their sinks) are easy to spot.
In fact, LAPSE does that already. Code analysis for race detection is
considerably more complex. Some of the more architectural issues
mentioned in the code review guide and not exactly connected to the
code.

So, what exactly is being proposed?

Best,
-Ben

On 1/18/07, Dinis Cruz <dinis at ddplus.net> wrote:
> I'm with Stephen on this one, we should leverage LAPSE's work and take it to
> the next level (I also like the fact that LAPSE is an Eclipse plug-in). For
> reference you can get LAPSE from here
> http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project
>
> Benjamin Livshits (LAPSE project leader), can you join this thread (which
> started here:
> http://lists.owasp.org/pipermail/owasp-testing/2007-January/001324.html)
> and share with us your plans for LAPSE?
>
> Thanks
>
> Dinis Cruz
>
> On 1/18/07, Stephen de Vries <stephen at corsaire.com> wrote:
> >
> > On 18 Jan 2007, at 21:07, Jeff Williams wrote:
> > > I'd strongly recommend using bytecode for Java and .NET.  The
> > > compiler handles a LOT of sticky issues for you – like resolving
> > > symbols, so you can make much more sophisticated rules.  For
> > > example if you see a call to runtime.exec() in a Java program, what
> > > type is the "runtime" variable – probably Runtime, but it could be
> > > something else.  All variables are resolved in the bytecode.
> > >
> > > If you're interested in a supercharged engine, James Gosling's
> > > Jackpot engine is really really cool.  It's basically an API for
> > > source code. See http://jackpot.netbeans.org/ .  You can use it to
> > > find problems, and ALSO to actually transform the code.  It's
> > > integrated into netbeans, but I spent a few hours to extract it and
> > > make a command line version.  Never did anything with it though.
> > > If anyone wants to pick up that work, let me know.
> > I'm beginning to sound like a LAPSE cheerleader, but why should we
> > reinvent the wheel when there is already a Java code review tool that
> > is not only open source, but it's an existing OWASP project!
> >
> > Stephen
> >
> > >
> > >
> > > --Jeff
> > >
> > >
> > >
> > > From: owasp-testing-bounces at lists.owasp.org [mailto:
> owasp-testing-
> > > bounces at lists.owasp.org] On Behalf Of Eoin
> > > Sent: Thursday, January 18, 2007 8:14 AM
> > > To: Dinis Cruz
> > > Cc: Owasp-codereview at lists.owasp.org;
> owasp-testing at lists.owasp.org
> > > Subject: Re: [Owasp-testing] Code Review project and Code-Scanning-
> > > Tool(s)
> > >
> > >
> > >
> > > I was thinking of using the "Checkstyle" framework?
> > >
> > > Check it out (google Checkstyle).
> > >
> > >
> > >
> > >
> > >
> > > On 18/01/07, Dinis Cruz < dinis at ddplus.net> wrote:
> > >
> > > We must take this opportunity and use some of the energy that is
> > > going into the Code Review Guide to create a Code Scanning Tool
> > > which identifies the issues raised.
> > >
> > > I don't care if in its initial version it is just a bunch of regEx
> > > and cleaver searches (ideally we would expand of projects like our
> > > own OWASP LAPSE Project , but I don't want the guide to be depended
> > > on a tool development)
> > >
> > > What I would like to happen is that for each major issue (or
> > > 'gotcha') covered in the Guide, information would be provided on
> > > how to detect that in a semi-automatic way.
> > >
> > > I know that there are exceptions (and let's keep the business logic
> > > vulnerabilities out of this one) but most issues should be detectable.
> > >
> > > Dinis Cruz
> > > Chief OWASP Evangelist, Are you a member yet?
> > > http://www.owasp.org
> > > _______________________________________________
> > > Owasp-testing mailing list
> > > Owasp-testing at lists.owasp.org
> > > http://lists.owasp.org/mailman/listinfo/owasp-testing
> > >
> > >
> > >
> > >
> > >
> > > --
> > > Eoin Keary OWASP - Ireland
> > > http://www.owasp.org/local/ireland.html
> > > http://www.owasp.org/index.php/OWASP_Testing_Project
> > >
> http://www.owasp.org/index.php/OWASP_Code_Review_Project
> > >
> > > _______________________________________________
> > > Owasp-testing mailing list
> > > Owasp-testing at lists.owasp.org
> > > http://lists.owasp.org/mailman/listinfo/owasp-testing
> >
> > --
> > Stephen de Vries
> > Corsaire Ltd
> > E-mail: stephen at corsaire.com
> > Tel:    +44 1483 226014
> > Fax:    +44 1483 226068
> > Web:    http://www.corsaire.com
> >
> >
> >
> >
> >
> >
> >
> ----------------------------------------------------------------------
> > CONFIDENTIALITY:  This e-mail and any files transmitted with it are
> > confidential and intended solely for the use of the recipient(s) only.
> > Any review, retransmission, dissemination or other use of, or taking
> > any action in reliance upon this information by persons or entities
> > other than the intended recipient(s) is prohibited.  If you have
> > received this e-mail in error please notify the sender immediately
> > and destroy the material whether stored on a computer or otherwise.
> >
> ----------------------------------------------------------------------
> > DISCLAIMER:  Any views or opinions presented within this e-mail are
> > solely those of the author and do not necessarily represent those
> > of Corsaire Limited, unless otherwise specifically stated.
> >
> ----------------------------------------------------------------------
> > Corsaire Limited, registered in England No. 3338312. Registered
> > office: 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF.
> > Telephone: +44 (0)1483-226000
> >
> >
> >
>
>
>


-- 
Thanks,
-Ben


More information about the Owasp-testing mailing list