Difference between revisions of "OWASP Orizon Project XML"

Revision as of 09:00, 14 May 2008

The Orizon check XML schema

A check contained in a safe coding recipe follows this schema:

<check
  id=check identifier code
  severity=[info | warning | error]
  impact=[low | medium | high | critical | panic]
  description=a short description for this check
  positive_fail=[yes | no]
>
  [method_check | class_check | attribute_check | compare_check | variable_check | source_check]
</check>

... some ideas ...

Security checks can be divided into:

  • design_check
  • keyword_check
  • execution_check

Design check

Design checks are about source file design (how many classes are contained in a source? how many methods? what is the scope of method A?).

source code statistics

<design
   subj="stats"
   name=[loc | loC]
   verb=[lt | gt | le | ge | ne | eq | ratio]
   [ direct_object=[loc | loC] ]
   value=numeric value
/>

where:

  • name is the statistics name and can be one of the following:
    • loc: lines of code
    • loC: lines of comment
  • verb is the boolean comparison operator between the subject and the value:
    • lt: less than
    • gt: greater than
    • le: less than or equal to
    • ge: greater than or equal to
    • ne: not equal to
    • eq: equal to
    • ratio: indicates the ratio of subj versus direct_object
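The stats design check above, worked through as an added example (this is not Orizon's own code): it parses a constructed recipe, counts loc and loC over a constructed source, and applies the verb. Element and attribute names follow the page; quoting the values as XML attributes and reading ratio as "subj divided by direct_object must reach value" are assumptions.

```python
# Added example (not Orizon's code): evaluate <design subj="stats"> checks from a recipe.
# Element/attribute names follow the page; quoting values as XML attributes is assumed.
import operator
import xml.etree.ElementTree as ET

# Constructed recipe: flag sources that are long or have too few comment lines
RECIPE = """<check id="STATS-01" severity="warning" impact="low"
       description="comment density" positive_fail="no">
  <design subj="stats" name="loc" verb="le" value="200"/>
  <design subj="stats" name="loC" verb="ratio" direct_object="loc" value="0.1"/>
</check>"""

# Constructed source to measure
SOURCE = """// helper
class Foo {
    int x;  // field
    /* block comment */
    int get() { return x; }
}"""

VERBS = {"lt": operator.lt, "gt": operator.gt, "le": operator.le,
         "ge": operator.ge, "ne": operator.ne, "eq": operator.eq}

def stats(source):
    """Count lines of code (loc) and lines of comment (loC); a mixed line counts as both."""
    loc = loC = 0
    for line in source.splitlines():
        s = line.strip()
        if not s:
            continue
        if "//" in s or "/*" in s:
            loC += 1
        if not s.startswith(("//", "/*", "*")):
            loc += 1
    return {"loc": loc, "loC": loC}

def evaluate_design(elem, st):
    """True when the stats condition holds. 'ratio' is read as subj/direct_object >= value (assumed)."""
    value, verb = float(elem.get("value")), elem.get("verb")
    subject = st[elem.get("name")]
    if verb == "ratio":
        denom = st[elem.get("direct_object")]
        return denom > 0 and subject / denom >= value
    return VERBS[verb](subject, value)

def run_check(recipe_xml, source):
    """Return the check id, severity, whether every design condition held, and the stats."""
    root = ET.fromstring(recipe_xml)
    st = stats(source)
    passed = all(evaluate_design(d, st) for d in root.findall("design"))
    return {"id": root.get("id"), "severity": root.get("severity"), "passed": passed, **st}
```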


<design
   subj=[class | field | attribute]
   name=the subject name when applicable
   verb=[contains | count | has_scope]
   value=the value being checked
/>

<design
   subj="class"
   verb=[extends | implements]
   value=the value being checked
/>


  • keyword_check, about keyword specific checks

<keyword
   name=keyword name
/>

  • execution_check: extra care must be taken for parameters in this design...

<exec
   caller_class=a class name
   caller_method=a method name
/>