Difference between revisions of "OWASP Orizon Project XML"
From OWASP
Revision as of 13:57, 14 May 2008
The Orizon check XML schema
A check contained in a safe coding recipe follows this schema:
<check
    id=check identifier code
    severity=[info | warning | error]
    impact=[low | medium | high | critical | panic]
    description=a short description for this check
    positive_fail=[yes | no]
>
    [method_check | class_check | attribute_check | compare_check | variable_check | source_check]
</check>
... some ideas ...
Security checks can be divided into:
- design_check
- keyword_check
- execution_check
Design check
Design checks are about the design of a source file (how many classes does the source file contain? how many methods? what is the scope of method A?).
- source code statistics
<design
    subj="stats"
    name=[loc | loC]
    verb=[lt | gt | le | ge | ne | eq | ratio]
    [ direct_object=[loc | loC] ]
    value=numeric value
/>
where:
- name is the statistic being measured and can be one of the following:
  - loc: lines of code
  - loC: lines of comment
- verb is the boolean comparison operator between the named statistic and value:
  - lt: less than
  - gt: greater than
  - le: less than or equal to
  - ge: greater than or equal to
  - ne: not equal to
  - eq: equal to
  - ratio: the ratio of name to direct_object (for example lines of code to lines of comment) is compared with value; this is the only verb that uses direct_object
<design
    subj=[class|field|attribute]
    name=the subject name when applicable
    verb=[contains|count|has_scope]
    value=the value being checked
/>
<design
    subj="class"
    verb=[extends|implements]
    value=the value being checked
/>
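As an added example (not code from the Orizon project), the following Python module evaluates the two kinds of design check described above: the subj="stats" check with every verb including ratio, and the subj="class" check with verb extends or implements. The Java source and the check definitions are constructed for the demonstration. The counting rule for loc and loC, the direction in which a ratio is compared with value, and the regular expression used to find the class declaration are assumptions, since the page does not define them; positive_fail is passed through but not interpreted for the same reason.

```python
# Added example, not Orizon's own code: evaluates <design/> checks from the
# schema above against a constructed Java source.
import operator
import re
import xml.etree.ElementTree as ET

# Constructed Java source used as the check target.
SAMPLE_JAVA = """\
package demo;

/* A tiny class used only to exercise the checks. */
public class Account extends Base implements Runnable {
    // balance in cents
    private long balance;
    public void run() {
        balance += 1; // tick
    }
}
"""

# Constructed check definitions written in the schema this page describes.
CHECKS_XML = """\
<checks>
  <check id="DS-001" severity="warning" impact="low" positive_fail="yes"
         description="fewer comment lines than half the code lines">
    <design subj="stats" name="loC" verb="ratio" direct_object="loc" value="0.5"/>
  </check>
  <check id="DS-002" severity="info" impact="low" positive_fail="yes"
         description="more than 10 lines of code">
    <design subj="stats" name="loc" verb="gt" value="10"/>
  </check>
  <check id="DS-003" severity="error" impact="high" positive_fail="yes"
         description="class implements Runnable">
    <design subj="class" verb="implements" value="Runnable"/>
  </check>
</checks>
"""

# The six comparison verbs listed on the page; "ratio" is handled separately.
VERBS = {"lt": operator.lt, "gt": operator.gt, "le": operator.le,
         "ge": operator.ge, "ne": operator.ne, "eq": operator.eq}


def source_stats(src):
    """Return {"loc": n, "loC": m}.  Assumption (the page gives no counting rule):
    loc = non-blank, non-comment lines; loC = lines inside /* */, lines
    starting with //, and code lines that carry a trailing // comment."""
    loc, loC, in_block = 0, 0, False
    for line in src.splitlines():
        s = line.strip()
        if not s:
            continue
        if in_block or s.startswith("/*"):
            is_comment, in_block = True, "*/" not in s
        else:
            is_comment = s.startswith("//")
        if is_comment:
            loC += 1
        else:
            loc += 1
            if "//" in s:  # code line with a trailing comment counts for both
                loC += 1
    return {"loc": loc, "loC": loC}


def class_relations(src):
    """Return (superclass, [interfaces]) of the first class declaration.
    Assumption: a regex over the declaration is enough for this demo."""
    m = re.search(r"\bclass\s+\w+(?:\s+extends\s+([\w.]+))?"
                  r"(?:\s+implements\s+([\w.,\s]+?))?\s*\{", src)
    if not m:
        return None, []
    interfaces = [i.strip() for i in (m.group(2) or "").split(",") if i.strip()]
    return m.group(1), interfaces


def evaluate_design(design, src):
    """True when the <design/> condition holds for src."""
    subj, verb, value = design.get("subj"), design.get("verb"), design.get("value")
    if subj == "stats":
        stats = source_stats(src)
        lhs = stats[design.get("name")]
        if verb == "ratio":
            # Assumption: the page does not say how a ratio is compared with
            # value; here the condition holds when name/direct_object < value.
            rhs = stats[design.get("direct_object")]
            return rhs != 0 and lhs / rhs < float(value)
        return VERBS[verb](lhs, float(value))
    if subj == "class" and verb in ("extends", "implements"):
        superclass, interfaces = class_relations(src)
        return value == superclass if verb == "extends" else value in interfaces
    raise NotImplementedError(f"{subj}/{verb} is not covered by this example")


def run_checks(checks_xml, src):
    """Attributes of every <check> whose condition holds (positive_fail passed through)."""
    keys = ("id", "severity", "impact", "description", "positive_fail")
    return [{k: c.get(k) for k in keys}
            for c in ET.fromstring(checks_xml).iter("check")
            if evaluate_design(c.find("design"), src)]
```

Calling run_checks(CHECKS_XML, SAMPLE_JAVA) reports DS-001 and DS-003; DS-002 does not fire because the sample has only seven lines of code. The contains, count and has_scope verbs are left out because the page does not say what their value is matched against.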
- keyword_check, about keyword-specific checks
<keyword
name=keyword name
/>
- execution_check: extra care must be taken with the parameters in this design...
<exec
    caller_class=a class name
    caller_method=a method name
/>