OWASP Orizon Project XML

From OWASP
Revision as of 05:38, 29 April 2008 by Thesp0nge (Talk | contribs)


The Orizon check XML schema

A check contained in a safe coding recipe follows this schema:

<check
  id=check identifier code
  severity=[info | warning | error]
  impact=[low | medium | high | critical | panic]
  description=a short description for this check
  positive_fail=[yes | no]
>
  [method_check | class_check | attribute_check | compare_check | variable_check | source_check]
</check>
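The schema above is informal, so it helps to see its rules written down as code. The following validator is an added example (not Orizon project code): it encodes the attribute domains and the "exactly one child check" rule using Python's xml.etree, and runs it over a constructed recipe. The `<recipe>` wrapper element and the attributes on the child checks (`name`, `class`, `pattern`) are assumptions made for the sample; the page does not define them.

```python
"""Validator for the Orizon <check> element described above.

Added example, not Orizon project code: it checks attribute presence,
attribute value domains and the single-child rule with xml.etree.
"""
import xml.etree.ElementTree as ET

SEVERITIES = {"info", "warning", "error"}
IMPACTS = {"low", "medium", "high", "critical", "panic"}
CHILD_CHECKS = {"method_check", "class_check", "attribute_check",
                "compare_check", "variable_check", "source_check"}
REQUIRED_ATTRS = ("id", "severity", "impact", "description", "positive_fail")


def validate_check(elem):
    """Return the list of problems found in one <check> element (empty means valid)."""
    problems = []
    if elem.tag != "check":
        return [f"expected <check>, got <{elem.tag}>"]
    for attr in REQUIRED_ATTRS:
        if attr not in elem.attrib:
            problems.append(f"missing attribute '{attr}'")
    sev = elem.get("severity")
    if sev is not None and sev not in SEVERITIES:
        problems.append(f"severity '{sev}' not in {sorted(SEVERITIES)}")
    imp = elem.get("impact")
    if imp is not None and imp not in IMPACTS:
        problems.append(f"impact '{imp}' not in {sorted(IMPACTS)}")
    pf = elem.get("positive_fail")
    if pf is not None and pf not in ("yes", "no"):
        problems.append(f"positive_fail '{pf}' must be 'yes' or 'no'")
    # The schema allows exactly one of the listed child checks.
    children = list(elem)
    if len(children) != 1:
        problems.append(f"expected exactly one child check, found {len(children)}")
    for child in children:
        if child.tag not in CHILD_CHECKS:
            problems.append(f"unknown child check <{child.tag}>")
    return problems


def validate_recipe(xml_text):
    """Validate every <check> in a recipe document; returns {check id: [problems]}."""
    root = ET.fromstring(xml_text)
    checks = [root] if root.tag == "check" else root.findall(".//check")
    return {c.get("id", f"<no id #{i}>"): validate_check(c)
            for i, c in enumerate(checks)}


# Constructed sample recipe (assumed <recipe> wrapper and child attributes):
# one well-formed check followed by two deliberately broken ones.
SAMPLE_RECIPE = """<recipe>
  <check id="J001" severity="error" impact="high"
         description="Runtime.exec called with a non-constant argument"
         positive_fail="yes">
    <method_check name="exec" class="java.lang.Runtime"/>
  </check>
  <check id="J002" severity="fatal" impact="high"
         description="bad severity value" positive_fail="no">
    <class_check name="java.io.File"/>
  </check>
  <check id="J003" severity="warning" impact="low" description="two children, no positive_fail">
    <keyword_check name="strcpy"/>
    <source_check pattern="TODO"/>
  </check>
</recipe>"""

if __name__ == "__main__":
    for check_id, problems in validate_recipe(SAMPLE_RECIPE).items():
        print(f"{check_id}: {'OK' if not problems else '; '.join(problems)}")
```

Running it reports J001 as OK, J002 with a bad severity, and J003 with three problems (missing `positive_fail`, two children instead of one, and `keyword_check` not being one of the child checks the schema lists).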

... some ideas ...

Security checks can be divided into:

  • design_check
  • keyword_check
  • execution_check

where:

  • design_check, about source file design (how many classes does a source contain? how many methods? what is the scope of method A?):

<design
   subj=[class|field|attribute]
   name=the subject name when applicable
   verb=[contains|count|has_scope]
   value=the value being checked
/>

<design
   subj="class"
   verb=[extends|implements]
   value=the value being checked
/>

  • keyword_check, about keyword specific checks

<keyword
   name=keyword name
/>

  • execution_check: extra care must be taken over the parameters in this design...

<exec
   caller_class=a class name
   caller_method=a method name
/>