APIs examples

Translation

Translating the source code being tested is the first step before applying security checks contained in the library. The following code shows how translation works from Java to XML.

import org.owasp.orizon.java.Java2XML;
import org.owasp.orizon.core.Source;
...
// java 2 xml translation...
Java2XML j2xml = new Java2XML(fileName);
if (j2xml.mustTranslate()) {
  if (!j2xml.translate()) {
    System.err.println(fileName + ": translation failed");
    System.exit(-1);
  }
  System.out.println(j2xml.getOutputFilename() + " created");
} else {
  System.out.println("XML file is up to date, translation is not needed. Good!");
}

It is pretty simple, isn't it?
Good: once a source file has been translated into XML, the Orizon code review engines can be applied to it in order to perform security checks.
This is possible only after the XML file has been read and the Source object's internal data have been filled. The following snippet shows how to read a translated source file.

// xml file reading
Source s = new Source(j2xml.getOutputFilename());
s.read();

The Library

Security checks are organized as follows. There is a default library, which is a ZIP file containing one or more recipes. A recipe is an XML file containing one or more security checks, as shown in the following examples.

This is the code that describes the requirement that a class must contain a clone() method with final scope. This check is applied during static code review.

<check id="O_CV_2" severity="error"
 impact="high"
 description="Avoid your class for being clonable">
 <class_contains name="clone" scope="final"/>
</check>


This is the code that describes that the pattern /><script>alert('xss');</script> is to be used during dynamic code review as a Cross Site Scripting attack pattern. The pattern is stored base64-encoded in the recipe.

<check id="O_XSS_1" severity="error" impact="high"
 description="sanitize your input">
 <xss pattern="Lz48c2NyaXB0PmFsZXJ0KCd4c3MnKTs8L3NjcmlwdD4="/>
</check>

Inside your code, you can add a security check as shown here:

Check c = new Check("xss");
c.setId("O_XSS_1");
c.setImpact("high");
c.setSeverity("error");
c.setDescription("sanitize your input");
// the attack pattern is stored base64-encoded inside the recipe
c.addAttribute("pattern", Base64Coder.encodeString("/><script>alert('xss');</script>"));

// r is the Recipe object the check is added to
r.addCheck(c.toXML());

The following code shows how to set up a Recipe object and write it to disk after populating it with security checks.

Recipe r = new Recipe("design_violation.xml", false);
r.setFamily("Code design");
r.setCactus(true);
r.setDawn(false);
r.setDescription("Some methods can be used by an attacker to overrun class behaviour.");
r.setName("Ensure a class overrides potentially dangerous methods");
r.setLanguage(OrizonCons.language("java"));
...
...
r.addCheck(c.toXML());
...
if (!r.write()) {
    System.err.println("can't write recipe: design_violation.xml");
    return false;
}
System.out.println("recipe design_violation.xml written successfully");

The Jericho engine

Jericho is the name of the static code review engine. The Jericho APIs are used to apply security checks to a translated XML file.
The most important line in the following example is:

org.owasp.orizon.report.Report report = s.apply(r);

It applies a Recipe to the source file and returns a Report object listing the security checks that failed.

// loop over all the recipes contained in the library
// (dl is the default library object, recipeCount the number of recipes it
// holds, and s the Source object read earlier)
for (int count = 0; count < recipeCount; count++) {
    String rName = dl.getRecipeName(count);
    // extract the recipe from the ZIP library before loading it
    if (!dl.extract(rName)) {
        System.err.println("can't extract " + rName);
        System.exit(-1);
    }
    Recipe r = new Recipe(rName);
    // apply the recipe; the report holds the checks that failed, if any
    org.owasp.orizon.report.Report report = s.apply(r);
    if (report != null) {
        PlainFormatter p = new PlainFormatter();
        report.report(p);
    }
    r.dispose();
} // for (int count = 0; count < recipeCount; count++)
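The following program is an added example and is not Orizon code; it uses only the Java standard library. It ties together the three things described above: the recipe format (a <check> element carrying a <class_contains> or a base64-encoded <xss pattern=...> child), the Recipe/Check building step, and the Jericho loop that walks the ZIP library recipe by recipe. It builds design_violation.xml with the two checks shown on this page, packs it into a ZIP library, reopens the library, and prints every check it finds, decoding the xss pattern back to plain text. The <recipe> root element name, the RecipeLibraryDemo class and its helper names are assumptions, not part of Orizon; the real Recipe.write() output may differ.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import java.util.zip.*;
import javax.xml.parsers.*;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

// Added example, not Orizon code: build a recipe with the two checks from the page,
// pack it into a ZIP library, then walk the library as the Jericho loop does.
public class RecipeLibraryDemo {
    static final String XSS_PATTERN = "/><script>alert('xss');</script>";
    // Recipes are XML pulled out of a ZIP, so refuse DOCTYPEs (and external entities).
    static DocumentBuilder newBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder();
    }

    // Mirrors Check.setId/setSeverity/setImpact/setDescription from the page.
    static Element addCheck(Element recipe, String id, String description) {
        Element c = recipe.getOwnerDocument().createElement("check");
        c.setAttribute("id", id);
        c.setAttribute("severity", "error");
        c.setAttribute("impact", "high");
        c.setAttribute("description", description);
        recipe.appendChild(c);
        return c;
    }

    // Serialises design_violation.xml with O_CV_2 (static) and O_XSS_1 (dynamic).
    static byte[] buildRecipe() throws Exception {
        Document d = newBuilder().newDocument();
        Element recipe = d.createElement("recipe");   // assumed root element name
        d.appendChild(recipe);
        Element cv = addCheck(recipe, "O_CV_2", "Avoid your class for being clonable");
        Element cc = d.createElement("class_contains");
        cc.setAttribute("name", "clone");
        cc.setAttribute("scope", "final");
        cv.appendChild(cc);
        // The pattern is stored base64-encoded, as Check.addAttribute does on the page.
        Element xss = addCheck(recipe, "O_XSS_1", "sanitize your input");
        Element x = d.createElement("xss");
        x.setAttribute("pattern",
                Base64.getEncoder().encodeToString(XSS_PATTERN.getBytes(StandardCharsets.UTF_8)));
        xss.appendChild(x);
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        t.transform(new DOMSource(d), new StreamResult(out));
        return out.toByteArray();
    }

    // The library is a ZIP file with one entry per recipe.
    static void writeLibrary(Path zip, String recipeName, byte[] recipeXml) throws Exception {
        try (ZipOutputStream z = new ZipOutputStream(Files.newOutputStream(zip))) {
            z.putNextEntry(new ZipEntry(recipeName));
            z.write(recipeXml);
            z.closeEntry();
        }
    }

    // Walks every recipe in the library (what dl.getRecipeName/dl.extract do in the
    // Jericho loop) and returns one line per check, with xss patterns decoded.
    static List<String> readLibrary(Path zip) throws Exception {
        List<String> summary = new ArrayList<>();
        DocumentBuilder b = newBuilder();
        try (ZipFile zf = new ZipFile(zip.toFile())) {
            for (Enumeration<? extends ZipEntry> en = zf.entries(); en.hasMoreElements();) {
                ZipEntry entry = en.nextElement();
                Document d;
                try (InputStream in = zf.getInputStream(entry)) { d = b.parse(in); }
                NodeList checks = d.getElementsByTagName("check");
                for (int i = 0; i < checks.getLength(); i++) {
                    Element c = (Element) checks.item(i);
                    String line = entry.getName() + ": " + c.getAttribute("id") + " ["
                            + c.getAttribute("severity") + "/" + c.getAttribute("impact")
                            + "] " + c.getAttribute("description");
                    NodeList xss = c.getElementsByTagName("xss");
                    if (xss.getLength() > 0) {   // dynamic check: recover the plain pattern
                        String enc = ((Element) xss.item(0)).getAttribute("pattern");
                        line += " pattern=" + new String(Base64.getDecoder().decode(enc), StandardCharsets.UTF_8);
                    }
                    summary.add(line);
                }
            }
        }
        return summary;
    }

    public static void main(String[] args) throws Exception {
        Path lib = Files.createTempDirectory("orizon-demo").resolve("default.zip");
        writeLibrary(lib, "design_violation.xml", buildRecipe());
        for (String s : readLibrary(lib)) System.out.println(s);
    }
}
```

Save it as RecipeLibraryDemo.java, compile with javac and run it; it prints one line per check found in the library, with the O_XSS_1 line carrying the attack pattern decoded from the base64 attribute. The parser is built with DOCTYPE declarations disabled on purpose: a recipe library is an archive of XML files, and whoever reads it should not let a crafted recipe pull in external entities.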

Last modified: Wed Jan 2 00:31:14 CET 2008