I wrote a very basic GUI that will evolve this winter in something more usable and more eyecandy.

The second great news is that for Mac Os X users, now Orizon is released as standalong application so you can download it, put into your Applications folder, double clicking and start reviewing your code.

As you may see, a brand new logo is used for the web site… what do you think about it?

Owasp Orizon is a software engine built to provide facilities for developers who want to write a static analysis tool.
In the first major release, the APIs will be consolidated and it will be possible to use internal object and methods to write your own code review tool.

In this training course you will learn:
• orizon engine architecture
• the core objects to be used to build a code review workflow
• how to write an orizon plugin
• how to use the engine as standalone tool

To achieve these goals you need:
• your laptop
• the latest Owasp Orizon version (1.0RC1 will be ok) source code
• a J2SE 1.6 working environment
• a working Eclipse IDE

We will start creating the project workspace inside Eclipse IDE and than we will start hacking the code.
Bring some fresh ideas with you.

When: Next 3rd November 2008
Where: The Owasp EU Summit 2008, Algrave, Portugal
If interested in further information drop me a line at: thesp0nge_at_owasp_dot_org

–
“stay hungry, stay foolish”

OWASP Orizon project, http://orizon.sourceforge.net
“enjoy your code review experience”

The second Orizon 1.0 pre-release package is available at SourceForge site. I also released source code tarball, in order to let people looking inside the new engine. 

Subversion is still not available, during EU Summit, I’ll commit version 1.0 in a brand new SVN tree using a correct naming convention.

To use this version you need, log4j and swt jar files to be located in the same directory Orizon is. After that, you can call the framework simply as:

java -jar orizon-1.0.jar -o input-name=”java file to be reviewed”

I’m working now to add a GUI for OS X and into adding more checks into the library.

As far from today, SessionInfo called Jericho that called Source that called Jericho again that store results in SessionInfo… a mess.

Yesterday I detached Source class from org.owasp.orizon.xml.Reader. Now Source is a regular class, accessing 5 separated readers’ son that build the real in memory model of the source file.

SessionInfo will call Source constructor and will call Jericho giving the Source to scan as parameter. Jericho as final computation will return a Report object that will be asked from SessionInfo via a getReport() method in Jericho class.

So 

So I designed an auxiliary java source scanner just to make assertions about java source file design and with some intelligence I’m now able to distinguish between:

class fields

method parameters

local variables.

So I can’t now make all security checks about source code design. I’m quite close to releasing Orizon 1.0pre2

Release pre2, that is likely to be released today, has a correct build.xml letting people building Jar file from command line. An issue about library management has been fixed yesterday evening.

The most important feature introduced yesterday night and that I’m working on today (I have some spare time this week…) is a scanner for a fifth XML file concerning source code design.

In this separated fifth XML file, I’ll put all source file related design information such as:

• how many classes are contained
• classes modifiers (scope, extend clause, implement clauses)
• how many methods are contained
• methods modifiers
• the same for the fields

I also renewed Orizon site with a status page describing what’s going on in a Web 2.0 fashion.

Today, finally Orizon build again. Now I have to merge security check from previous library with the ones released from Cigital…

I landed today in Milan from NYC, it was a great stay last week…

Too much has been changed in Orizon architecture and too much is changing day-by-day to move from older architecture to newer one, implementing sessions, the new library, the new XML schema used for security checks, the new XML file format and many things.

Just opened my owasp mailbox and Paulo in a mail said that SPOC deadline is moved to November 4, just before Owasp EU Summit in Portugal.

I discarded my email and moved back to eclipse and writing some docs…

One of the new features of such object is the support for Owasp framework properties. In the same way as regular command line tools do, an user (invoking a tool using Orizon) can enable or disable some framework related features on the fly using “-o” or “—orizon” command line flags.

This means that if a tool is using Orizon won’t be able to use “-o” or “—orizon” command line flags.

In org.owasp.orizon.core.Cons class, there are the constant used as keys in the orizon command line flag format (”-o key=value”). In the 1.0rc1 release, these are the supported features:


/*
* The input to be used as static analysis starting point.
* It is up to org.owasp.orizon.Session class to detect if the input is:
* + a single file
* + a file matching a magic pattern
* + a directory
* The default value is the "noname" string.
*/
public static final String OC_FRAMEWORK_OPTION_INPUT_NAME = "input_name";



/*
* Users won't write this value.
*
* A default value doesn't exist. It will be filled up in Session object
* constructor method right after copying default values.
*
* Its values can be:
* + "file"
* + "dir"
* + "magic" for magic patterns (such as *.java, *.c, ...)
*/
public static final String OC_FRAMEWORK_OPTION_INPUT_KIND = "input_kind";



/*
* The working directory to be used during static analysis. Orizon must have
* writing access in this directory.
*
* The default value is the "user.dir" system properties, the current
* working directory when the properties were initialized.
*/
public static final String OC_FRAMEWORK_OPTION_WORKING_DIR = "working_dir";



/*
* Language option can be:
* + "auto" = source language will be auto-detected (default)
* + "c" = source language will be forced to C language
* + "c++" = source language will be forced to C++ language
* + "c#" = source language will be forced to C# language
* + "java" = source language will be forced to JAVA language
*/
public static final String OC_FRAMEWORK_OPTION_LANGUAGE = "auto";



/*
* A boolean flag that tells Orizon it can be recursive or not over
* directories if the analysis starting point is a directory itself.
*
* It can be:
* + "true" (default)
* + "false"
*/
public static final String OC_FRAMEWORK_OPTION_RECURSIVE = "true";



/*
* The file format to be used for reports. It can be:
* + "txt" = plain text
* + "xml" = XML file (default)
*/
public static final String OC_FRAMEWORK_OPTION_OUTPUT_FORMAT = "output-format";


SkyLine is able to consume command line passed “key=value” pairs in order to fill Owasp Orizon Framework properties.