OWASP Orizon Project XML

The Orizon check XML schema
A check contained in a safe coding recipe follows this schema:

<check id=check identifier code severity=[info | warning | error] impact=[low | medium | high | critical | panic ] description=a short description for this check positive_fail=[yes | no] > [method_check | class_check | attribute_check | compare_check | variable_check | source_check] </check>

... some ideas ...
Security checks can be divided into:
 * design_check
 * keyword_check
 * execution_check

Design check
Design checks are about source file design (how many classes are contained in a source? how many methods? what is the scope of method A?).


 * source code statistics

&lt;design subj="stats" name=[loc | loC] verb=[lt | gt | le | ge | ne | eq | ratio] [ direct_object= [loc | loC] ] value=numeric value /&gt;

where:
 * name is the statistics name and can be one of the following:
   * loc: lines of code
   * loC: lines of comment
 * verb is the boolean comparison operator between the subject and the value:
   * lt: less than
   * gt: greater than
   * le: less than or equal to
   * ge: greater than or equal to
   * ne: not equal to
   * eq: equal to
   * ratio: indicates the ratio of subj versus direct_object
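As an added example (not code from the Orizon project), the following Python parses a constructed stats design check of the form shown above and evaluates it against a constructed Java snippet. The page does not define which way the ratio comparison goes or what positive_fail does, so the code treats "ratio" as "subj / direct_object is at least value" and positive_fail="yes" as inverting the result; both are assumptions.

```python
import operator
import xml.etree.ElementTree as ET

# Constructed recipe check following the page's schema (not an Orizon project file).
CHECK_XML = """<check id="STATS-001" severity="warning" impact="low"
       description="comment lines should be at least 10% of code lines" positive_fail="no">
  <design subj="stats" name="loC" verb="ratio" direct_object="loc" value="0.1"/>
</check>"""

# Constructed Java source used as the subject of the check.
SOURCE = """\
// constructed sample: a tiny Java class
public class Demo {
    // store the value
    private int x;
    public int get() { return x; }
}
"""

# Boolean comparison verbs from the schema; "ratio" is handled separately.
VERBS = {"lt": operator.lt, "gt": operator.gt, "le": operator.le,
         "ge": operator.ge, "ne": operator.ne, "eq": operator.eq}

def count_stats(source):
    """Count lines of code (loc) and lines of comment (loC); blank lines are ignored."""
    stats = {"loc": 0, "loC": 0}
    for line in source.splitlines():
        s = line.strip()
        if s:
            stats["loC" if s.startswith(("//", "/*", "*")) else "loc"] += 1
    return stats

def eval_stats_design(design, stats):
    """Evaluate one <design subj="stats" .../> element against the counted statistics."""
    subject, value, verb = stats[design.get("name")], float(design.get("value")), design.get("verb")
    if verb == "ratio":
        # Assumption: the check holds when subj / direct_object is at least value.
        denominator = stats[design.get("direct_object")]
        return denominator != 0 and subject / denominator >= value
    return VERBS[verb](subject, value)

def run_check(check_xml, source):
    """Return (id, severity, passed) for a <check> whose body is stats design checks."""
    check = ET.fromstring(check_xml)
    stats = count_stats(source)
    designs = [d for d in check.findall("design") if d.get("subj") == "stats"]
    matched = all(eval_stats_design(d, stats) for d in designs)
    # Assumption: positive_fail="yes" inverts the result, so a matching body is a failure.
    passed = not matched if check.get("positive_fail") == "yes" else matched
    return check.get("id"), check.get("severity"), passed
```

Calling run_check(CHECK_XML, SOURCE) on the constructed input yields ("STATS-001", "warning", True), since the snippet has 2 comment lines against 4 code lines.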

<design subj=[class|field|attribute] name=the subject name when applicable verb=[contains|count|has_scope] value=the value being checked />

&lt;design subj="class" verb=[extends|implements] value=the value being checked /&gt;

 * keyword_check, about keyword specific checks

<keyword name=keyword name />

 * execution_check: extra care must be taken for parameters in this design...

<exec caller_class=a class name caller_method=a method name />