Difference between revisions of "OWASP Orizon Project XML"

From OWASP
Revision as of 05:38, 29 April 2008

The Orizon check XML schema

A check contained in a safe coding recipe follows this schema:

<check
  id="check identifier code"
  severity=[info | warning | error]
  impact=[low | medium | high | critical | panic]
  description="a short description for this check"
  positive_fail=[yes | no]
>
  [method_check | class_check | attribute_check | compare_check | variable_check | source_check]
</check>
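As an added example (not code from the Orizon project), a small Python validator that checks one recipe <check> element against the attribute enumerations and body elements listed above. It assumes a check carries exactly one body element, and the sample checks it runs on are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Enumerations taken from the check schema described above.
SEVERITIES = {"info", "warning", "error"}
IMPACTS = {"low", "medium", "high", "critical", "panic"}
YES_NO = {"yes", "no"}
CHECK_BODIES = {"method_check", "class_check", "attribute_check",
                "compare_check", "variable_check", "source_check"}
REQUIRED_ATTRS = ("id", "severity", "impact", "description", "positive_fail")

# Constructed sample checks; attribute values are illustrative placeholders.
GOOD_CHECK = """<check id="example-1" severity="warning" impact="high"
       description="placeholder: flags a risky method call" positive_fail="yes">
  <method_check/>
</check>"""

BAD_CHECK = """<check id="example-2" severity="fatal" impact="high"
       description="placeholder" positive_fail="maybe">
  <regex_check/>
</check>"""


def validate_check(xml_text):
    """Return the list of schema violations found in one <check>; empty means valid."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "check":
        return [f"root element must be <check>, got <{root.tag}>"]
    errors = [f"missing attribute '{a}'" for a in REQUIRED_ATTRS if a not in root.attrib]
    # Enumerated attributes must use one of the values listed in the schema.
    for attr, allowed in (("severity", SEVERITIES), ("impact", IMPACTS),
                          ("positive_fail", YES_NO)):
        value = root.get(attr)
        if value is not None and value not in allowed:
            errors.append(f"{attr}='{value}' is not one of {sorted(allowed)}")
    # Assumption: a check carries exactly one body element from the listed set.
    bodies = list(root)
    if len(bodies) != 1:
        errors.append(f"expected exactly one check body element, found {len(bodies)}")
    elif bodies[0].tag not in CHECK_BODIES:
        errors.append(f"unknown check body <{bodies[0].tag}>")
    return errors


if __name__ == "__main__":
    for text in (GOOD_CHECK, BAD_CHECK):
        print(validate_check(text) or "valid")
```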

... some ideas ...

Security checks can be divided into:

  • design_check
  • keyword_check
  • execution_check

where:

  • design_check, about source file design (how many classes are contained in a source? how many methods? what is the scope of method A?):

<design
   subj=[class|field|attribute]
   name="the subject name when applicable"
   verb=[contains|count|has_scope]
   value="the value being checked"
/>

<design
   subj="class"
   verb=[extends|implements]
   value="the value being checked"
/>

  • keyword_check, about keyword-specific checks

<keyword
   name="keyword name"
/>

  • execution_check: extra care must be taken with parameters in this design...

<exec
   caller_class="a class name"
   caller_method="a method name"
/>