Difference between revisions of "OWASP Orizon Project XML"
Revision as of 10:38, 29 April 2008
The Orizon check XML schema
A check contained in a safe coding recipe follows this schema:
  <check
    id="check identifier code"
    severity=[info | warning | error]
    impact=[low | medium | high | critical | panic]
    description="a short description for this check"
    positive_fail=[yes | no]
  >
    [method_check | class_check | attribute_check | compare_check | variable_check | source_check]
  </check>
... some ideas ...
Security checks can be divided into:
- design_check
- keyword_check
- execution_check
where:
- design_check, about source file design (how many classes are contained in a source? how many methods? what is the scope of method A?):
  <design
    subj=[class|field|attribute]
    name="the subject name when applicable"
    verb=[contains|count|has_scope]
    value="the value being checked"
  />
  <design
    subj="class"
    verb=[extends|implements]
    value="the value being checked"
  />
- keyword_check, about keyword-specific checks:
  <keyword
    name="keyword name"
  />
- execution_check: extra care must be taken with the parameters in this design...
  <exec
    caller_class="a class name"
    caller_method="a method name"
  />
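As an added example, not code from the Orizon project, the following Python loader validates a recipe against the attribute values and check bodies sketched above, so that a misspelled severity, a missing attribute or a design verb used on the wrong subject is reported instead of being silently skipped when the recipe is loaded. The sample recipe, its ids, class names and descriptions are constructed for the demonstration; validate_recipe() returns a map from check id to its list of violations.

```python
import xml.etree.ElementTree as ET

# Allowed values and required attributes, taken from the schema sketch above.
CHECK_ATTRS = {"id": None, "description": None, "positive_fail": {"yes", "no"},  # None = free text
               "severity": {"info", "warning", "error"},
               "impact": {"low", "medium", "high", "critical", "panic"}}
BODIES = {"method_check", "class_check", "attribute_check", "compare_check",
          "variable_check", "source_check", "design", "keyword", "exec"}
REQUIRED = {"design": ("subj", "verb", "value"), "keyword": ("name",),
            "exec": ("caller_class", "caller_method")}
DESIGN_SUBJECTS = {"class", "field", "attribute"}
DESIGN_VERBS = {"contains", "count", "has_scope", "extends", "implements"}

# Constructed sample recipe: ids, class names and descriptions are illustrative only.
SAMPLE_RECIPE = """<recipe>
  <check id="DEMO-1" severity="error" impact="high"
         description="class must not extend a legacy base" positive_fail="yes">
    <design subj="class" verb="extends" value="LegacyServlet"/>
  </check>
  <check id="DEMO-2" severity="fatal" impact="panic" description="broken check">
    <design subj="field" verb="implements" value="Serializable"/>
  </check>
</recipe>"""

def validate_check(check):
    """Return the list of schema violations found in one <check> element."""
    problems = []
    for attr, allowed in CHECK_ATTRS.items():
        value = check.get(attr)
        if value is None:
            problems.append(f"missing attribute '{attr}'")
        elif allowed and value not in allowed:
            problems.append(f"bad {attr} '{value}'")
    bodies = list(check)
    if len(bodies) != 1 or bodies[0].tag not in BODIES:
        return problems + ["expected exactly one known check body"]
    body = bodies[0]
    for attr in REQUIRED.get(body.tag, ()):
        if attr not in body.attrib:
            problems.append(f"<{body.tag}> missing '{attr}'")
    if body.tag == "design":  # extends/implements are only defined for subj="class"
        subj, verb = body.get("subj"), body.get("verb")
        if subj not in DESIGN_SUBJECTS or verb not in DESIGN_VERBS:
            problems.append(f"bad design subj/verb '{subj}'/'{verb}'")
        elif verb in ("extends", "implements") and subj != "class":
            problems.append(f"verb '{verb}' requires subj=\"class\", got '{subj}'")
    return problems

def validate_recipe(xml_text):
    return {c.get("id", "?"): validate_check(c) for c in ET.fromstring(xml_text).iter("check")}
```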