
Archive for the ‘Orizon hacking’ Category

v0.63 is in the SVN

Wednesday, January 16th, 2008

I just committed version 0.63 to the SourceForge Subversion repository. I don’t plan to officially release a JAR file… a lot of changes in just a week… It makes more sense to wait for the 0.80 release in March… Next 5 February I’ll give a talk at Italian Infosecurity in Milan, where I’ll present the Jericho static code review engine features in more depth…

nor cold air could stop this

Wednesday, January 9th, 2008

@work we are not so busy at the moment, so I can spend some time hacking on Orizon, and the code I wrote is simply amazing.

I’m refactoring all org.owasp.orizon.core classes to embed in each core element (such as a class, a method or a variable representation) methods:

  • to check for a security breach for a given Check object
  • to fill internal data given an XML node

The Jericho engine is growing fast and the Source class is day by day lighter and easier to read and understand. I’m really excited about these hacking days…

Orizon 0.60 and 0.61

Thursday, January 3rd, 2008

Just 2 days ago I released Orizon 0.60 with a lot of improvements.

First of all, the default library reached the psychological limit of 30 security checks (it now includes 34 security checks).

I also introduced a reduce() routine that enables people to write checks based upon a method’s return type or a variable’s data type.

Today I wrote the piece of code that enables discovery of source file line numbers during the translation from Java to XML… I know it is fancier if Orizon also displays the position inside the source file instead of just complaining about an error.

I’m really happy with the last 2 weeks’ work…

Is String==String a bad thing?

Wednesday, December 26th, 2007

The answer is yes if you read a safe coding best practice guide for Java, and the answer is still yes if you ask Orizon v 0.58.

I added a reduce() method able to write the primitive data type of an operation into the XML file. By now just for boolean operations. In brief, when Orizon finds a boolean operator, it writes down the operand data types in order to check whether strings are compared for equality with strings, and so on…

In the very near future I will hack on the reduce code in order to have it working also for method invocations…
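As an added illustration (not Orizon’s code, and using an assumed XML layout rather than the project’s real one), this is the kind of check that recording operand data types next to a boolean operator makes possible: a String compared with == or != is reported, while a comparison against null or between primitives is left alone.

```python
import xml.etree.ElementTree as ET

# Constructed sample in an assumed layout: each <operation> carries its operator
# and the data type of each operand, the way reduce() would have written them.
SAMPLE_XML = """
<method name="checkToken" line="12">
  <operation op="==" line="14">
    <operand name="token" type="java.lang.String"/>
    <operand name="expected" type="java.lang.String"/>
  </operation>
  <operation op="!=" line="17">
    <operand name="user" type="java.lang.String"/>
    <operand name="null" type="null"/>
  </operation>
  <operation op="==" line="20">
    <operand name="count" type="int"/>
    <operand name="0" type="int"/>
  </operation>
</method>
"""

REFERENCE_OPS = {"==", "!="}
STRING_TYPES = {"java.lang.String", "String"}


def find_string_reference_compares(xml_text):
    """Return (line, operator, left, right) for every ==/!= whose two operands
    are both Strings. Reference comparison of a token or password against an
    expected String silently compares identity, not content, so these are the
    spots a reviewer wants listed. A String compared against null is legitimate
    and is not reported."""
    root = ET.fromstring(xml_text)
    findings = []
    for op in root.iter("operation"):
        if op.get("op") not in REFERENCE_OPS:
            continue
        operands = op.findall("operand")
        if len(operands) != 2:
            continue
        left, right = operands
        if left.get("type") in STRING_TYPES and right.get("type") in STRING_TYPES:
            findings.append((int(op.get("line")), op.get("op"),
                             left.get("name"), right.get("name")))
    return findings
```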

Yes… Orizon is growing bigger and bigger and bigger…

Merry Xmas to all of you, dears.
thesp0nge

Orizon 0.50rc2

Tuesday, October 30th, 2007

This is the version string in my local workspace copy.

I improved the Java-to-XML translation and introduced some security checks. I think this could be enough for the Spoc deadline, which is November 5th.

In the very next days I’ll release 0.50 with some documentation included.

Dawn of victory and helper generation

Tuesday, October 23rd, 2007

I succeeded… while trying to find a restaurant for Francesca’s and my wedding, I was able to generate a helper that manages all my method parameters and their data types.

An example will explain it better.


A simple matter of scrambling…

Friday, October 12th, 2007

Yesterday, during a trip back from my customer, I hacked around including an XSS sanity check in the default library XML format.

A problem arose when I tried to put an XSS attack pattern in the XML check… it would break the XML file itself… unless I encode it:

<check id="O_XSS_1" severity="error" impact="high" description="sanitize your input">
  <xss *="Lz48c2NyaXB0PmFsZXJ0KCd4c3MnKTs8L3NjcmlwdD4="></xss>
</check>

Thanks to Christian d’Heureuse and his gorgeous Base64 encoding class.
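An added example (not Orizon’s code) of why the encoding is needed and how a library loader undoes it: the encoded value is the one from the O_XSS_1 check above, the attribute name pattern is assumed (the post renders it as *), and the other attributes are copied from the check.

```python
import base64
import xml.etree.ElementTree as ET

# Base64 value taken from the O_XSS_1 check shown above.
ENCODED_PATTERN = "Lz48c2NyaXB0PmFsZXJ0KCd4c3MnKTs8L3NjcmlwdD4="


def check_element(check_id, encoded_pattern):
    """Build the <check> fragment with the test pattern stored Base64-encoded.
    The attribute name 'pattern' is an assumption for this example."""
    return (f'<check id="{check_id}" severity="error" impact="high" '
            f'description="sanitize your input">'
            f'<xss pattern="{encoded_pattern}"></xss></check>')


def load_patterns(xml_text):
    """Parse a library fragment and return {check id: decoded test pattern}.
    Decoding happens only after the XML parser has accepted the file, so the
    pattern's XML metacharacters never reach the parser."""
    root = ET.fromstring(xml_text)
    patterns = {}
    for check in root.iter("check"):
        for xss in check.findall("xss"):
            raw = base64.b64decode(xss.get("pattern")).decode("utf-8")
            patterns[check.get("id")] = raw
    return patterns


def raw_pattern_breaks_xml(raw_pattern):
    """True when embedding the decoded pattern verbatim in the attribute makes
    the fragment unparsable ('<' is not allowed inside an attribute value)."""
    fragment = f'<check id="O_XSS_1"><xss pattern="{raw_pattern}"></xss></check>'
    try:
        ET.fromstring(fragment)
        return False
    except ET.ParseError:
        return True
```

Base64 is not the only option: XML entity escaping or a CDATA section would also keep the file well-formed, but encoding keeps the pattern byte-exact and needs no escaping rules in the loader.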

Dawn of victory…

Thursday, October 11th, 2007

Today, while waiting for my customer, I hacked around the Dawn classes. The results I achieved are:

  • helper applications are created for methods, but just one parameter is supported by now (it is a silly limitation, I’ll overcome it in a few days)
  • helper applications are compiled, executed and their output collected
  • the output is scanned for known XSS attack patterns

I’ll quickly release something useful.

I know this is little for a production tool, but further improvements will follow shortly…

I can’t remember what is the due date for Spring of Code 2007 :(

Dawn and dynamic source assessment…

Thursday, September 20th, 2007

It seems to be real… or at least, it is starting to be real. The Dawn package has been contained in Orizon since 0.45pre1 and it is responsible for dynamic code review services.

How does it work?

It creates a helper program in the same language the source code being assessed is written in (Java is the only language supported by now).

The helper is a standalone application built upon a method or function contained in the starting source file. So if your Java class has 3 public methods, Orizon will create 3 helper applications, one for each method being tested.

The helper is then compiled and executed with a set of well-known attack patterns.

The patterns will cover:

  • Cross site scripting attacks
  • Injection flaws
  • Unhandled exceptions
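An added sketch of the Dawn flow described above (not the project’s code; the class Greeter, its two methods and the captured run outputs are constructed for the example): one helper source is generated per public method with a single parameter, and what each run produced is mapped onto two of the pattern categories the post lists, a reflected probe and an unhandled exception.

```python
# Constructed target: (method name, type of its single parameter).
TARGET_CLASS = "Greeter"
PUBLIC_METHODS = [("greet", "String"), ("parseAge", "int")]

# Constructed neutral probe; the real library carries known XSS patterns.
PROBE = "<dawn-probe>"

# Constructed (stdout, stderr, exit code) as if each helper had been compiled
# and run with PROBE as its only argument.
SAMPLE_RUNS = {
    "greet": ("Hello, <dawn-probe>\n", "", 0),
    "parseAge": ("", 'Exception in thread "main" java.lang.NumberFormatException: '
                     'For input string: "<dawn-probe>"\n', 1),
}


def generate_helper(class_name, method, param_type):
    """Emit the Java source of one stand-alone helper: build the target, call one
    public method with the command-line argument and print the result. Only one
    parameter is supported, matching the limitation described in the posts."""
    convert = {"String": "args[0]", "int": "Integer.parseInt(args[0])"}[param_type]
    return "\n".join([
        f"public class Dawn_{class_name}_{method} {{",
        "    public static void main(String[] args) {",
        f"        {class_name} target = new {class_name}();",
        f"        System.out.println(target.{method}({convert}));",
        "    }",
        "}",
    ])


def classify_output(probe, stdout, stderr, exit_code):
    """Scan one helper run: the probe echoed back unchanged means the method
    returns untrusted input without encoding it; a non-zero exit with the JVM's
    uncaught-exception banner means the input was not validated."""
    findings = []
    if probe in stdout:
        findings.append("reflected-unencoded")
    if exit_code != 0 and "Exception in thread" in stderr:
        findings.append("unhandled-exception")
    return findings


def assess(class_name):
    """Generate one helper per public method and classify its (sample) run."""
    report = {}
    for method, param_type in PUBLIC_METHODS:
        source = generate_helper(class_name, method, param_type)
        assert "main(String[] args)" in source  # would be written out and compiled
        report[method] = classify_output(PROBE, *SAMPLE_RUNS[method])
    return report
```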

v0.44.99

Monday, September 3rd, 2007

Last week I introduced the Report class to manage reports. Report is now the return data type of the Source class’s apply() method, which performs the static code review.

As you may see in the Milk source code, a Report object works together with an implementation of the Formatter class that describes how the output has to be organized.

In fact, there is just a PlainFormatter by now, which prints report lines to standard output. In the near future I’ll implement XMLFormatter and HTMLFormatter as well.

I have to work on the documentation too… and create a fancy web site… a lot of things to do…