Difference between revisions of "OWASP Orizon Project XML"

From OWASP
Line 71: Line 71:
 
     caller_method=''a method name''
 
     caller_method=''a method name''
 
/>
 
/>
 +
 +
= The Orizon Input file XML schema =
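Review bot: the added heading `= The Orizon Input file XML schema =` introduces a section with no text under it (the rendered revision below ends on that bare heading), so either the input-file schema should come with it or the heading should wait for the content. A single `=` also produces a top-level heading, which MediaWiki convention reserves for the page title; `==` is the usual level for a section heading.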

Revision as of 06:06, 31 July 2008


The Orizon check XML schema

A check contained in a safe coding recipe follows this schema:

<check

  id=check identifier code 
  severity=[info | warning | error] 
  impact=[low | medium | high | critical | panic ]
  description=a short description for this check
  positive_fail=[yes | no]

>

  [method_check | class_check | attribute_check | compare_check | variable_check | source_check]

</check>

... some ideas ...

Security checks can be divided into:

  • design_check
  • keyword_check
  • execution_check

Design check

Design checks are about source file design (how many classes are contained in a source file? how many methods? what is the scope of method A?).

source code statistics

<design

   subj="stats"
   name=[loc | loC]
   verb=[lt | gt | le | ge | ne | eq | ratio]
   [ direct_object= [loc | loC] ]
   value=numeric value

/>

where:

  • name is the statistics name and can be one of the following:
    • loc: lines of code
    • loC: lines of comment
  • verb is the boolean comparison operator between the subject and the value:
    • lt: less than
    • gt: greater than
    • le: less than or equal to
    • ge: greater than or equal to
    • ne: not equal to
    • eq: equal to
    • ratio: indicates the ratio of subj to direct_object
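As an added example (not code from the Orizon project), the following Python reads a recipe in the format described above: it validates the attribute set and enumerations of each check element and evaluates the design/stats rule (loc, loC and the listed verbs) against constructed source statistics. The enclosing recipe root element, the check ids, descriptions and thresholds, the meaning of positive_fail and the direction of the ratio comparison are all assumptions made for the example and are marked as such in the code.

```python
import operator
import xml.etree.ElementTree as ET

# Attribute enumerations as listed in the check and design/stats schemas.
SEVERITIES = {"info", "warning", "error"}
IMPACTS = {"low", "medium", "high", "critical", "panic"}
STATS_NAMES = {"loc", "loC"}
COMPARISONS = {
    "lt": operator.lt, "gt": operator.gt, "le": operator.le,
    "ge": operator.ge, "ne": operator.ne, "eq": operator.eq,
}

# Constructed recipe for this example: the <recipe> root, the check ids,
# descriptions and thresholds are invented; only the attribute names and
# enumerations come from the schema.
SAMPLE_RECIPE = """<recipe>
  <check id="EX-DOC-1" severity="warning" impact="low"
         description="comment lines below one tenth of code lines" positive_fail="no">
    <design subj="stats" name="loC" verb="ratio" direct_object="loc" value="0.1"/>
  </check>
  <check id="EX-SIZE-1" severity="error" impact="medium"
         description="more than 500 lines of code in one source file" positive_fail="yes">
    <design subj="stats" name="loc" verb="gt" value="500"/>
  </check>
</recipe>"""


def parse_check(elem):
    """Read a <check> element, enforcing the attribute set and enumerations of the schema."""
    if elem.tag != "check":
        raise ValueError(f"expected <check>, got <{elem.tag}>")
    a = elem.attrib
    missing = [k for k in ("id", "severity", "impact", "description", "positive_fail") if k not in a]
    if missing:
        raise ValueError(f"check {a.get('id', '?')} missing attributes: {missing}")
    if a["severity"] not in SEVERITIES:
        raise ValueError(f"check {a['id']}: bad severity {a['severity']!r}")
    if a["impact"] not in IMPACTS:
        raise ValueError(f"check {a['id']}: bad impact {a['impact']!r}")
    if a["positive_fail"] not in ("yes", "no"):
        raise ValueError(f"check {a['id']}: positive_fail must be yes or no")
    rules = list(elem)
    if len(rules) != 1:
        raise ValueError(f"check {a['id']}: exactly one rule element expected, found {len(rules)}")
    return {"id": a["id"], "severity": a["severity"], "impact": a["impact"],
            "description": a["description"],
            "positive_fail": a["positive_fail"] == "yes", "rule": rules[0]}


def stats_condition(rule, stats):
    """Evaluate a <design subj="stats"> rule against a {"loc": n, "loC": m} dict.

    Assumption (the page does not spell it out): 'ratio' holds when
    stats[name] / stats[direct_object] is at least value.
    """
    if rule.tag != "design" or rule.get("subj") != "stats":
        raise ValueError("only design/stats rules are evaluated in this example")
    name, verb = rule.get("name"), rule.get("verb")
    if name not in STATS_NAMES:
        raise ValueError(f"unknown statistic {name!r}")
    value = float(rule.get("value"))
    if verb == "ratio":
        dobj = rule.get("direct_object")
        if dobj not in STATS_NAMES:
            raise ValueError("ratio requires direct_object of loc or loC")
        if stats[dobj] == 0:
            return False  # nothing to divide by: the ratio is treated as not reached
        return stats[name] / stats[dobj] >= value
    if verb not in COMPARISONS:
        raise ValueError(f"unknown verb {verb!r}")
    return COMPARISONS[verb](stats[name], value)


def run_recipe(recipe_xml, stats):
    """Return the checks that fail for the given source statistics.

    Assumption: positive_fail="yes" means the check fails when its condition
    holds; positive_fail="no" means it fails when the condition does not hold.
    """
    root = ET.fromstring(recipe_xml)
    findings = []
    for check in map(parse_check, root.findall("check")):
        holds = stats_condition(check["rule"], stats)
        if holds == check["positive_fail"]:
            findings.append({k: check[k] for k in ("id", "severity", "impact", "description")})
    return findings


if __name__ == "__main__":
    # Constructed statistics standing in for what a scanner would count.
    for f in run_recipe(SAMPLE_RECIPE, {"loc": 600, "loC": 30}):
        print(f"[{f['severity']}/{f['impact']}] {f['id']}: {f['description']}")
```

With 600 code lines and 30 comment lines both constructed checks fire: the comment ratio (0.05) is below the 0.1 threshold and the file exceeds 500 lines of code. A file with 200 code lines and 40 comment lines produces no findings.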


<design

   subj=[class|field|attribute]
   name=the subject name, where applicable
   verb=[contains|count|has_scope]
   value=the value being checked

/>

<design

   subj="class"
   verb=[extends|implements]
   value=the value being checked

/>


  • keyword_check: keyword-specific checks

<keyword

   name=keyword name

/>

  • execution_check: extra care must be taken with the parameters in this design...

<exec

   caller_class=a class name
   caller_method=a method name

/>

The Orizon Input file XML schema