This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "SpoC 007 - Orizon Project - Progress Page"
(→SpoC 2007 Goals) |
|||
| (9 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
=== News === | === News === | ||
| + | 15<sup>th</sup> February 2008 - [http://orizon.svn.sourceforge.net/viewvc/orizon/orizon_package/src/org/owasp/orizon/demo/jCrawlerDemo.java?view=markup&pathrev&9 New version of OWASP ORIZON FRAMEWORK TOOL] with the source code crawling APIs available for Java and CSharp. | ||
| + | |||
| + | 3<sup>rd</sup> November 2007 - Orizon version 0.50 is the final deliverable for Spoc 2007. I did not reach all the goals I draw for my self back when Spoc started. After all, I'm really happy seeing the final project status. If I had more support from community may be things would go in a better way... however. | ||
| + | |||
| + | 15<sup>th</sup> October 2007 - Official roadmap is located [http://orizon.sourceforge.net/roadmap.html here]. Please refer to this page for project milestones. I deleted support for C language to milestones because more effort I'm spending to make dawn quite usable. I think having dawn 50% working is more valuable than having partial C language support. | ||
| + | |||
| + | 11<sup>st</sup> October 2007 - Dawn engine is now operative. It creates helper applications from Java methods, it compiles them, it runs them and collecting their output it scans it for XSS attack pattern to appear. | ||
| + | Further improvement will follow asap :) | ||
| + | |||
22<sup>nd</sup> August 2007 - Orizon release 0.40 is available at [http://orizon.sf.net/ sourceforge] site. This is an important milestone in the development process. Safe coding recipes APIs are working and the class handling source code being reviewed is now capable of applying a check over the source code xml representation. In fact, '''static code review''' is possible by now. | 22<sup>nd</sup> August 2007 - Orizon release 0.40 is available at [http://orizon.sf.net/ sourceforge] site. This is an important milestone in the development process. Safe coding recipes APIs are working and the class handling source code being reviewed is now capable of applying a check over the source code xml representation. In fact, '''static code review''' is possible by now. | ||
| Line 48: | Line 57: | ||
<th>Goal</th> | <th>Goal</th> | ||
<th>Completeness (%)</th> | <th>Completeness (%)</th> | ||
| − | |||
| − | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Static analysis</td> | <td>Static analysis</td> | ||
| − | <td> | + | <td>complete</td> |
| − | |||
| − | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Dynamic analysis - codename: ''dawn''</td> | <td>Dynamic analysis - codename: ''dawn''</td> | ||
| − | <td> | + | <td>50%</td> |
| − | |||
| − | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Creating a library with 30 checks included</td> | <td>Creating a library with 30 checks included</td> | ||
| − | <td> | + | <td>66,67% (20 tests out of 30)</td> |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Capability to export results in XML with customizable CSS</td> | <td>Capability to export results in XML with customizable CSS</td> | ||
<td>10%</td> | <td>10%</td> | ||
| − | |||
| − | |||
</tr> | </tr> | ||
</table> | </table> | ||
Latest revision as of 18:00, 18 February 2008
News
15th February 2008 - New version of OWASP ORIZON FRAMEWORK TOOL with the source code crawling APIs available for Java and CSharp.
3rd November 2007 - Orizon version 0.50 is the final deliverable for Spoc 2007. I did not reach all the goals I draw for my self back when Spoc started. After all, I'm really happy seeing the final project status. If I had more support from community may be things would go in a better way... however.
15th October 2007 - Official roadmap is located here. Please refer to this page for project milestones. I deleted support for C language to milestones because more effort I'm spending to make dawn quite usable. I think having dawn 50% working is more valuable than having partial C language support.
11st October 2007 - Dawn engine is now operative. It creates helper applications from Java methods, it compiles them, it runs them and collecting their output it scans it for XSS attack pattern to appear. Further improvement will follow asap :)
22nd August 2007 - Orizon release 0.40 is available at sourceforge site. This is an important milestone in the development process. Safe coding recipes APIs are working and the class handling source code being reviewed is now capable of applying a check over the source code xml representation. In fact, static code review is possible by now.
13th July 2007 - The project status as Spoc 2007 start is summarized in the following:
- java sources are translated into XML using JDK6 APIs;
- Orizon classes are in a refactoring stage in order to reflect a better approach in design phase;
- library containing checks is now a Zip file instead of a plain XML file. The library file will contain "receipts", XML files containing security checks grouped by category.
What is missing by now is some checks. I'm looking the web in order to collect "coding best practices" and trying to formalize them in XML.
Next actions
| Id | Description | Priority | Blocking? |
|---|---|---|---|
| OR-1 | Collecting safe coding best practices | High | No |
| OR-2 | Creating APIs for XML reports | Low | No |
| OR-3 | Creating code to handle dynamic test cases generation | Medium | No |
SpoC 2007 Goals
| Goal | Completeness (%) |
|---|---|
| Static analysis | complete |
| Dynamic analysis - codename: dawn | 50% |
| Creating a library with 30 checks included | 66,67% (20 tests out of 30) |
| Capability to export results in XML with customizable CSS | 10% |
