Difference between revisions of "Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.0/Assessment"

 
(9 intermediate revisions by 3 users not shown)

Changes between the compared revisions (the earlier revision's text first, then the text of the latest revision; lines that did not change are shown in the latest revision below)

Page heading
Old: the "Release ZAP 1.3.0" heading linked to Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.1.0.
New: the heading links to Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.3.0.

First Reviewer
Old: Yiannis's Review
New: Markus's Review

1. Is an installer for the tool available and easy to use? How close does it reach the goal of a fully automated installer?
Old: Yes. A stand-alone executable exists; it installs the files correctly with the corresponding shortcuts in place.
New: Only checked the Linux version -> works as I expected it. Good!

2. Is the end user documentation complete, relevant and presented on the OWASP wiki page?
Old: Yes. Pressing F1 triggers the OWASP ZAP User Guide window to appear. The documentation is also at: http://code.google.com/p/zaproxy/wiki/HelpReleases1_1_0
New: Good documentation - Nice work! Especially I do like the popup window which answers this question once you start the application. Great idea!

3. Does the tool have an “About box” or similar help item which allows the end user to get an overview of the state of this tool? Is this information readily available and easy to find?
Old: Yes.
New: Yes!

4. Does the documentation on building the source provide the necessary information and detail to allow someone to build the tool? Is there sufficient detail and information for the target user? Is there any domain specific knowledge that is assumed and not provided?
Old: Yes. It took less than 2 minutes to build after import into Eclipse.
New: To be improved -> I could not find it within the tarball

5. Is the tool's documentation available with the source code and would it be readily discoverable by a new user of the tool?
Old: Yes. Standard JavaDoc format is also present.
New: Worked out of the box. Compiling was fine.

6. Is there anything missing that is critical enough to keep the release at an alpha quality?
Old: No. This is definitely a project that should be in beta, if not release!
New: NO

7. Does the tool substantially address the application security issues it was created to solve?
Old: There is room for improvement around key functionality that will make the tool unique in terms of the features that it offers. This is on the roadmap for its next release.
New: YES

8. Is the tool reasonably easy to use?
Old: Yes. Carrying a port of Paros also helps in this matter.
New: YES

9. Does the documentation meet the needs of the tool users and is easily found?
Old: Yes.
New: YES

10. Do the build scripts work as expected? Can you build the tool? The goal is a “One-click” build.
Old: Yes. A few warnings do come back from javac, but they are minor.
New: YES

11. Is the bug tracking system usable? Is it hosted at the same place as the source code? (e.g. Google Code, Sourceforge)
Old: Yes. There are 40 or so defects on the list, addressed at a priority, etc.
New: YES

12. Have you noted any limitations of the tool that are not already documented by the project lead?
Old: A few in terms of memory requirements around proxying and spidering. This is more on the side of "know what you are doing" than "the tool breaks".
New: no

13. Would you consider using this tool in your day to day work assuming your professional work includes a reason to use this tool? Why or why not?
Old: Yes. I want to see more functionality though!
New: I do recommend it for that and plan to use it for teaching.

14. What, if anything, is missing which would make this a more useful tool? Is what is missing critical enough to keep the release at a beta quality?
Old: Nothing; this can move to beta.
New: The current release is ready for a stable release.

Second Reviewer
Old: Markus's Review
New: EoinKeary's Review

1. Is an installer for the tool available and easy to use? How close does it reach the goal of a fully automated installer?
Old: It is easy to use and installs smoothly. No problems here.
New: YES works well

2. Is the end user documentation complete, relevant and presented on the OWASP wiki page?
Old: Sufficient documentation exists.
New: It's the best I've seen for a while with an open source tool

3. Does the tool have an “About box” or similar help item which allows the end user to get an overview of the state of this tool? Is this information readily available and easy to find?
Old: OK!
New: Yes

4. Does the documentation on building the source provide the necessary information and detail to allow someone to build the tool? Is there sufficient detail and information for the target user? Is there any domain specific knowledge that is assumed and not provided?
Old: No problems to compile it within Eclipse - fine!
New: This could be improved. Some build script for dummies would be a good idea. This would increase the plugin community. A video on how to build/use would be good also.

5. Is the tool's documentation available with the source code and would it be readily discoverable by a new user of the tool?
Old: JAVADOC
New: (left blank)

6. Is there anything missing that is critical enough to keep the release at an alpha quality?
Old: NO
New: Not at all. Great tool

7. Does the tool substantially address the application security issues it was created to solve?
Old: It definitely needs more work - ideas pointing in an interesting direction can be found on the roadmap
New: Indeed it does. Very well, I might add

8. Is the tool reasonably easy to use?
Old: Yes
New: yes and stable

9. Does the documentation meet the needs of the tool users and is easily found?
Answer unchanged between the two revisions.

10. Do the build scripts work as expected? Can you build the tool? The goal is a “One-click” build.
Old: Yes
New: yes

11. Is the bug tracking system usable? Is it hosted at the same place as the source code? (e.g. Google Code, Sourceforge)
Old: Yes (GoogleCode)
New: yes

12. Have you noted any limitations of the tool that are not already documented by the project lead?
Old: Quite memory consuming sometimes
New: No

13. Would you consider using this tool in your day to day work assuming your professional work includes a reason to use this tool? Why or why not?
Old: Yes
New: indeed I will

14. What, if anything, is missing which would make this a more useful tool? Is what is missing critical enough to keep the release at a beta quality?
Old: Not for moving into BETA. For a release - more functionality would be nice to see.
New: A video of tool usage would be an added value, but overall great stuff!

Latest revision as of 09:54, 13 July 2011


Stable Release Review of the OWASP Zed Attack Proxy Project - Release ZAP 1.3.0

Project Leader for this Release

Psiinon's Pre-Assessment Checklist:


Alpha level

1. Is this release associated with a project containing at least the Project Wiki Page Minimum Content information?


I believe so

2. Is your tool licensed under an open source license? Please point out the link(s).


Yes - Apache License 2.0, referenced on both http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project and http://code.google.com/p/zaproxy/

3. Is the source code and any documentation available in an online project repository? (e.g. Google Code or Sourceforge site) Please point out the link(s).


Yes - http://code.google.com/p/zaproxy/source/checkout

4. Is there working code? Please point out the link(s).


Yes - http://code.google.com/p/zaproxy/source/checkout

5. Is there a roadmap for this project release which will take it from Alpha to Stable release? Please point out the link(s).


Yes - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Roadmap

Beta Level

6. Are the Alpha pre-assessment items complete?


I believe so

7. Is there an installer or stand-alone executable? Please point out the link(s).


Yes, for Windows, Linux and Mac OS (being generated now) - http://code.google.com/p/zaproxy/downloads/list

8. Is there user documentation on the OWASP project wiki page? Please point out the link(s).


There is some documentation on the project page http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project, but this also references the Google Code page, which includes the full user guide: http://code.google.com/p/zaproxy/wiki/HelpIntro. The latter is generated from the Java help pages; migrating it to the OWASP wiki could prove tricky.

9. Is there an "About box" or similar help item which lists the following? Please point out the link(s).

  • Project Name
  • Short Description
  • Project Release Lead and contact information (e.g. email address)
  • Project Release Contributors (if any)
  • Project Release License
  • Project Release Sponsors (if any)
  • Release status and date assessed as Month-Year (e.g. March 2009)
  • Link to OWASP Project Page

Yes - there is an about box which includes things like the license and the OWASP project page link. The credits are in the help file and online here: http://code.google.com/p/zaproxy/wiki/HelpCredits

10. Is there documentation on how to build the tool from source including obtaining the source from the code repository? Please point out the link(s).


Yes - http://code.google.com/p/zaproxy/wiki/Building

11. Is the tool documentation stored in the same repository as the source code? Please point out the link(s).


Yes - http://code.google.com/p/zaproxy/source/browse/#svn/wiki

Stable Level

12. Are the Alpha and Beta pre-assessment items complete?


I believe so

13. Does the tool include documentation built into the tool? Please point out the link(s).


Yes - a full help file is included which is also available online: http://code.google.com/p/zaproxy/wiki/HelpIntro

14. Does the tool include build scripts to automate builds? Please point out the link(s)


Yes - http://code.google.com/p/zaproxy/source/browse/trunk/build/build.xml

15. Is there a publicly accessible bug tracking system? Please point out the link(s).


Yes - http://code.google.com/p/zaproxy/issues/list

16. Have any existing limitations of the tool been documented? Please point out the link(s).


Yes - all known limitations raised as bugs


First Reviewer

Markus's Review:
Ideally, reviewers should be an existing OWASP project leader or chapter leader.


Beta Release Level Questions

1. Is an installer for the tool available and easy to use? How close does it reach the goal of a fully automated installer?


Only checked the Linux version -> works as I expected it. Good!

2. Is the end user documentation complete, relevant and presented on the OWASP wiki page?


Good documentation - Nice work! Especially I do like the popup window which answers this question once you start the application. Great idea!

3. Does the tool have an “About box” or similar help item which allows the end user to get an overview of the state of this tool? Is this information readily available and easy to find?


Yes!

4. Does the documentation on building the source provide the necessary information and detail to allow someone to build the tool? Is there sufficient detail and information for the target user? Is there any domain specific knowledge that is assumed and not provided?


To be improved -> I could not find it within the tarball

5. Is the tool's documentation available with the source code and would it be readily discoverable by a new user of the tool?


Worked out of the box. Compiling was fine.

6. Is there anything missing that is critical enough to keep the release at an alpha quality?


NO

Stable Release Level Questions

7. Does the tool substantially address the application security issues it was created to solve?


YES

8. Is the tool reasonably easy to use?


YES

9. Does the documentation meet the needs of the tool users and is easily found?


YES

10. Do the build scripts work as expected? Can you build the tool? The goal is a “One-click” build.


YES

11. Is the bug tracking system usable? Is it hosted at the same place as the source code? (e.g. Google Code, Sourceforge)


YES

12. Have you noted any limitations of the tool that are not already documented by the project lead?


no

13. Would you consider using this tool in your day to day work assuming your professional work includes a reason to use this tool? Why or why not?


I do recommend it for that and plan to use it for teaching.

14. What, if anything, is missing which would make this a more useful tool? Is what is missing critical enough to keep the release at a beta quality?


The current release is ready for a stable release.

Second Reviewer

EoinKeary's Review:
It is recommended that an OWASP board member or Global Projects Committee member be the second reviewer on Quality releases. The board has the initial option to review the project, followed by the Global Projects Committee.


Beta Release Level Questions

1. Is an installer for the tool available and easy to use? How close does it reach the goal of a fully automated installer?


YES works well

2. Is the end user documentation complete, relevant and presented on the OWASP wiki page?


It's the best I've seen for a while with an open source tool.

3. Does the tool have an “About box” or similar help item which allows the end user to get an overview of the state of this tool? Is this information readily available and easy to find?


Yes

4. Does the documentation on building the source provide the necessary information and detail to allow someone to build the tool? Is there sufficient detail and information for the target user? Is there any domain specific knowledge that is assumed and not provided?


This could be improved. Some build script for dummies would be a good idea. This would increase the plugin community. A video on how to build/use would be good also.

5. Is the tool's documentation available with the source code and would it be readily discoverable by a new user of the tool?


6. Is there anything missing that is critical enough to keep the release at an alpha quality?


Not at all. Great tool.

Stable Release Level Questions

7. Does the tool substantially address the application security issues it was created to solve?


Indeed it does. Very well, I might add.

8. Is the tool reasonably easy to use?


yes and stable

9. Does the documentation meet the needs of the tool users and is easily found?


Yes

10. Do the build scripts work as expected? Can you build the tool? The goal is a “One-click” build.


yes

11. Is the bug tracking system usable? Is it hosted at the same place as the source code? (e.g. Google Code, Sourceforge)


yes

12. Have you noted any limitations of the tool that are not already documented by the project lead?


No

13. Would you consider using this tool in your day to day work assuming your professional work includes a reason to use this tool? Why or why not?


indeed I will

14. What, if anything, is missing which would make this a more useful tool? Is what is missing critical enough to keep the release at a beta quality?


A video of tool usage would be an added value, but overall great stuff!