Difference between revisions of "OWASP Orizon Project XML"

From OWASP
Revision as of 08:57, 14 May 2008

The Orizon check XML schema

A check contained in a safe coding recipe follows this schema:

<check
  id=check identifier code
  severity=[info | warning | error]
  impact=[low | medium | high | critical | panic]
  description=a short description for this check
  positive_fail=[yes | no]
>
  [method_check | class_check | attribute_check | compare_check | variable_check | source_check]
</check>

... some ideas ...

Security checks can be divided into:

  • design_check
  • keyword_check
  • execution_check

Design check

Design checks are about source file design (how many classes are contained in a source? how many methods? what is the scope of method A?).

  • source code statistics

<design
   subj="stats"
   name=[loc | loC]
   verb=[lt | gt | le | ge | ne | eq | ratio]
   [ direct_object=[loc | loC] ]
   value=numeric value
/>

where:

  • name is the statistics name and can be one of the following:
    • loc: lines of code
    • loC: lines of comment
  • verb is the boolean comparison operator between the subject and the value:
    • lt: less than
    • gt: greater than
    • le: less than or equal to
    • ge: greater than or equal to
    • ne: not equal to
    • eq: equal to
    • ratio: indicates the ratio of subj versus direct_object
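As an added example (not code from the Orizon project), the following evaluates a "stats" design check against a constructed Java source, using the verbs listed above. The line-counting rules, the check id and the direction of the ratio comparison are assumptions, since the schema does not define them.

```python
# Added example (not Orizon's own code): evaluate an Orizon "stats" design check.
import xml.etree.ElementTree as ET

# Constructed Java source used as the subject of the check.
JAVA_SOURCE = """\
package demo;

// account handling
public class Account {
    private int balance;   // in cents

    public void withdraw(int amount) {
        balance -= amount;
    }
}
"""

# Constructed check recipe following the <check>/<design> schema described above.
CHECK_XML = """\
<check id="ORZ-STATS-1" severity="warning" impact="low"
       description="too little commenting" positive_fail="yes">
  <design subj="stats" name="loc" verb="ratio" direct_object="loC" value="3"/>
</check>
"""

def source_stats(src):
    """loc = non-blank lines, loC = lines carrying a // comment (assumed definitions)."""
    lines = [l for l in src.splitlines() if l.strip()]
    return {"loc": len(lines), "loC": sum(1 for l in lines if "//" in l)}

VERBS = {
    "lt": lambda a, b: a < b, "gt": lambda a, b: a > b,
    "le": lambda a, b: a <= b, "ge": lambda a, b: a >= b,
    "ne": lambda a, b: a != b, "eq": lambda a, b: a == b,
}

def evaluate_check(check_xml, src):
    """Return the check metadata plus whether its design condition holds for src."""
    check = ET.fromstring(check_xml)
    design = check.find("design")
    if design is None or design.get("subj") != "stats":
        raise ValueError('only subj="stats" design checks are handled here')
    stats = source_stats(src)
    subject = stats[design.get("name")]
    value = float(design.get("value"))
    verb = design.get("verb")
    if verb == "ratio":
        # Assumption: ratio compares name / direct_object against value using ge.
        divisor = stats[design.get("direct_object")]
        matched = divisor > 0 and subject / divisor >= value
    else:
        matched = VERBS[verb](subject, value)
    return {"id": check.get("id"), "severity": check.get("severity"),
            "impact": check.get("impact"), "matched": matched, "stats": stats}
```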


<design
   subj=[class|field|attribute]
   name=the subject name when applicable
   verb=[contains|count|has_scope]
   value=the value being checked
/>

<design
   subj="class"
   verb=[extends|implements]
   value=the value being checked
/>


  • keyword_check, about keyword specific checks

<keyword
   name=keyword name
/>

  • execution_check: extra care must be taken for parameters in this design...

<exec
   caller_class=a class name
   caller_method=a method name
/>