cyphersec A blog about Web Application Security and .NET development best practices

19 Jan 2010

OWASP Code Crawler 2.5 – Screenshots

It has been a while since I have posted something about Code Crawler, the project I have been developing since fall 2007. Our development team, which now consists of three developers, is in the process of making the magic happen again.

What follows is a list of screenshots of Code Crawler 2.5. Code Crawler is more or less a new project today. We have taken the good and removed the bad. So far we have completed STRIDE automatic classification, DREAD, improved performance, enhanced our database in terms of quality and quantity and, most of all, said goodbye to our previous UI.

[Screenshot: SingleFile]

Single File Scan, the new user interface.

[Screenshot: CsProj]

Visual Studio .NET (2005/2008) integration is now fully working.

[Screenshot: MultiFiles]

Code Crawler can now scan hundreds of files at the same time without leaving anything behind. In this example Code Crawler has finished scanning a very busy Visual Studio solution and an external file in single file mode. The user can switch easily between the results at any time.

[Screenshot: DreadCalculator]

The DREAD Calculator is an easy-to-use tool integrated within Code Crawler which makes risk analysis easy.

[Screenshot: OwaspResources]

Code Crawler provides direct links to all major OWASP content such as guides and tools.

[Screenshot: SingleFilesUtilities]

The single source code file form provides easily accessible options such as:

  1. Archive (for reporting purposes and further investigations)
  2. Print Source Code
  3. Notepad
  4. Calc
  5. Google
  6. MSN
  7. Threats Count.

Download links, next week, hopefully.

1 Nov 2009

Code Crawler for Visual Studio .NET

[Screenshot: CodeCrawlerVisualStudio]

4 Oct 2009

OWASP Code Crawler 2.5

During the last two months we have been working hard on the upcoming release of OWASP Code Crawler 2.5. In this release we have been busy making Code Crawler even more stable and fast.

What follows is a list of all the new features of Code Crawler.

The source screen has been improved and now supports threat colouring. This means that all threats found in the source code will be highlighted depending on their threat level. (See the screenshot below)

As you can also see the threat analysis box has been moved into the Source Tab. Clicking on any highlighted threat will also show details of the corresponding threat.

The reports feature has also been improved; the code is less prone to throw exceptions and we are confident marking it as "releasable".

The loading process of a single file is now 80% faster than in any previous release (1.0 to 2.4), because we have moved the colouring tasks to another thread and changed the whole loading logic. Just to give you an idea of how fast Code Crawler is, loading a source code file of one thousand lines will take less than half a second (analysis included).

Sasikumar, a new developer who has joined the team, is working on the new Code Crawler engine. He has made a PowerPoint presentation, available on slideshare.com, which illustrates the details of the new architecture as well as the advantages gained by using it. Sasikumar is also responsible for the new code colouring feature.

Code Crawler still supports the OWASP Code Review project providing the Key Pointers scan, but no major updates will be released in the future.

The Visual Studio integration will also replace the Remote Server Scan in this release. The application is capable of scanning an entire Visual Studio solution starting from a single csproj file (Visual Studio C# project file). Code Crawler starts the process by analysing the provided project file and digging out all the source code files which are part of the project. At this stage the engine processes all the relevant source files and ends up providing all the details, using the new engine.

Code Crawler 2.5 was supposed to be released at the end of September but, because of the amount of new features, it has been postponed to the end of October.

7 Feb 2009

OWASP goes Open Source (for real)

[Screenshot: header]

Code Crawler is now on CodePlex. It has been classified with the following keywords: CodeReview, C#. At the moment I have decided to mark the project as Setup, which means that the content that will be illustrated is still not available.

From tomorrow on, development will be shifted to CodePlex. Every file related to Code Crawler previously hosted on cyphersec.com has already been deleted (sorry for that, I had no choice).

[Screenshot: Results Page]

Also, a new beta release will be linked from the main page, which will include a couple of new features.

  • Increased stability
  • OWASP Code Guidelines support
  • Threat Analysis

[Screenshot: threatanalysis]

[Screenshot: Guidelines]

Current Development Scenario:

In the next two weeks the grid control used to list all the threats found in your file will be replaced by a new control (BUGID#931 Priority: Medium).

A new functionality will also be included which will make Code Crawler an advanced tool capable of crawling web applications affected by path traversal vulnerabilities (FEATUREID#940 Priority: Medium).

The Reporting UI will be redesigned from scratch. There is no reason to replace the reporting engine, since it has reached a stable version. CC will keep supporting XSLT as the standard for the reports area until new "polished" alternatives are proposed and, from a development perspective, well integrated.

XML engine and threat discovery to be (at least 20%) faster. Cracking the system using .NET 3.5 enhancements ;)

Enhance Welcome Screen (BUGID#928 Priority: Medium); Code Crawler will be fully refined using a combination of black and grey colours. A mix of BlackBerry style and Windows Vista Ultimate themes.

1 Feb 2009

OWASP CC 2.3 (two new screenshots)

Improved Code Navigation

[Screenshot: header]

Improved Scan Result View Page

[Screenshot: full]

New Objects within the solutions:

OWASP.CodeReview.CodeCrawler.Functionalities.Emails.ExceptionsHandling

  • NoReportAttached

OWASP.CodeReview.CodeCrawler.Engine.Exceptions

  • EngineExceptions (...)
  • UnableToLocateDatabaseException
  • UnableToLocateReportsDirectoryException

OWASP CC 2.3 (CodeName VoodooPeople) is planned to be released by the end of March.

5 Oct 2008

cc

[Screenshot]

In the upcoming release of Code Crawler a bunch of new features will be released.
The Team Management section of the tool started working last night and I'm really confident I'll be able to include new features within the next week.

In Code Crawler units of code are represented and individually marked as "functionalities".
As you can see in the screenshot below, each functionality has its own folder and IO structure.

[Screenshot]

The "Emails" functionality relies on an XML data storage file which exposes where information like the SMTP server, SMTP username, server port and other personal user settings are stored.

   <?xml version="1.0" encoding="utf-8" ?>
   <CodeCrawlerFunctionality>
       <EmailReports>
           <ServerSettings>
               <smtpServer>value</smtpServer>
               <smtpUsername>value</smtpUsername>
               <smtpPassword>value</smtpPassword>
               <serverport>25</serverport>
               <securessl>0</securessl>
           </ServerSettings>
           <EmailOptions>
               <HighPriorityByDefault>0</HighPriorityByDefault>
               <userEmail>value@value.com</userEmail>
           </EmailOptions>
       </EmailReports>
   </CodeCrawlerFunctionality>

CC will read these values and set all the relevant variables just before the email is sent, so you can change the SMTP server and all other settings "on the fly". Note that the file holds the SMTP password in clear text, so its folder needs the same protection as any other credential store.

   using System.Xml;

   /// <summary>
   /// Read the content of the /Functionalities/Emails/Settings/EmailSettings.xml file
   /// </summary>
   public void ReadUserProfile()
   {
       // XmlReader.Create (unlike new XmlTextReader) prohibits DTDs by default, and the
       // using block closes the file even when parsing throws.
       using (XmlReader settingsReader = XmlReader.Create(EmailSettingsFilePath))
       {
           // ReadElementContentAs*() already moves the reader past the element it
           // consumed, so Read() is only called for nodes that no case consumed;
           // calling both (as the while (Read()) loop did) skips the node that
           // follows every element read, which breaks as soon as the file has no
           // whitespace between elements.
           while (!settingsReader.EOF)
           {
               if (settingsReader.NodeType != XmlNodeType.Element)
               {
                   settingsReader.Read();
                   continue;
               }

               switch (settingsReader.Name.ToLowerInvariant())
               {
                   #region Read And Set Variables
                   case "smtpserver":
                       smtpserver = settingsReader.ReadElementContentAsString();
                       break;

                   case "useremail":
                       useremailaddress = settingsReader.ReadElementContentAsString();
                       break;

                   case "smtpusername":
                       username = settingsReader.ReadElementContentAsString();
                       break;

                   case "smtppassword":
                       // Stored in clear text in EmailSettings.xml.
                       password = settingsReader.ReadElementContentAsString();
                       break;

                   case "securessl":
                       // XML boolean: accepts "0"/"1" as well as "false"/"true".
                       isSecureSSL = settingsReader.ReadElementContentAsBoolean();
                       break;

                   case "highprioritybydefault":
                       isMessageHighPriorityByDefault = settingsReader.ReadElementContentAsBoolean();
                       break;

                   case "serverport":
                       serverport = settingsReader.ReadElementContentAsInt();
                       break;

                   default:
                       // Container element (or an unknown setting): step into its children.
                       settingsReader.Read();
                       break;
                   #endregion
               }
           }
       }
   }

As you can see there is still some work to do on the UI, but the window is pretty clear.

[Screenshot]

If the specified server is working and all the information supplied is correct, CC will send a pre-formatted and styled email with the report attached. CC supports all SMTP servers with or without SSL support. Each email template is based on an XSLT template; company logos or rebranded templates can be used at any time.
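An added example of the sending side, not Code Crawler's own code: it reads the EmailSettings.xml layout shown above with LINQ to XML, builds the SmtpClient and MailMessage from <securessl>, <serverport> and <HighPriorityByDefault>, and adds two checks the settings file invites. First, SmtpClient.EnableSsl means STARTTLS on the configured port, so <securessl>1 with port 465 (implicit SSL) will not connect. Second, because the file stores <smtpPassword> in clear text, the example accepts a value prefixed "dpapi:" that was protected with the Windows DPAPI (a convention of this example, not the project's), and refuses to send a password over an unencrypted session. The sender/recipient (both taken from <userEmail>), subject, ProtectSecret helper and the System.Security.dll reference are assumptions.

```csharp
// Added example; not Code Crawler's code. Needs a reference to System.Security.dll
// for ProtectedData (DPAPI); everything else is in System.dll / System.Xml.Linq.dll.
using System;
using System.Net;
using System.Net.Mail;
using System.Security.Cryptography;
using System.Text;
using System.Xml.Linq;

public static class ReportMailer
{
    // Convention of this example: "dpapi:<base64>" is a value protected with
    // ProtectedData.Protect(..., CurrentUser), so the SMTP password is not readable
    // by anyone who can read EmailSettings.xml but is not this Windows user.
    // Any other value is treated as the clear-text password the original file holds.
    static string ReadSecret(XElement e)
    {
        string v = (string)e;
        if (v == null || !v.StartsWith("dpapi:", StringComparison.Ordinal)) return v;
        byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(v.Substring(6)),
                                               null, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    // Produces the value to write into <smtpPassword> instead of the clear text.
    public static string ProtectSecret(string plain)
    {
        byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(plain), null,
                                            DataProtectionScope.CurrentUser);
        return "dpapi:" + Convert.ToBase64String(blob);
    }

    public static void SendReport(string settingsPath, string reportPath, string subject, string body)
    {
        // XDocument.Load uses XmlReader defaults, which prohibit DTDs.
        XElement reports = XDocument.Load(settingsPath).Root.Element("EmailReports");
        XElement server = reports.Element("ServerSettings");
        XElement options = reports.Element("EmailOptions");

        string host = (string)server.Element("smtpServer");
        int port = (int?)server.Element("serverport") ?? 25;
        bool useSsl = (string)server.Element("securessl") == "1";
        string user = (string)server.Element("smtpUsername");
        string password = ReadSecret(server.Element("smtpPassword"));
        bool highPriority = (string)options.Element("HighPriorityByDefault") == "1";
        string address = (string)options.Element("userEmail");

        // Added check: never hand an SMTP password to a server over a clear session.
        if (!useSsl && !string.IsNullOrEmpty(password))
            throw new InvalidOperationException(
                "securessl is 0 but an SMTP password is configured; refusing to send credentials in clear text");

        SmtpClient client = new SmtpClient(host, port);
        // EnableSsl = STARTTLS on 'port' (25 or 587). SmtpClient has no implicit-SSL
        // mode, so a <serverport> of 465 with <securessl>1 will not work.
        client.EnableSsl = useSsl;
        if (!string.IsNullOrEmpty(user))
            client.Credentials = new NetworkCredential(user, password);

        using (MailMessage msg = new MailMessage(address, address))
        {
            msg.Subject = subject;
            msg.Body = body;
            msg.Priority = highPriority ? MailPriority.High : MailPriority.Normal;
            msg.Attachments.Add(new Attachment(reportPath)); // the generated report
            client.Send(msg);
        }
    }
}
```

To migrate an existing settings file, run ProtectSecret once on the clear-text password under the account that will run Code Crawler and paste the returned "dpapi:" value into <smtpPassword>; a different Windows user, or a copy of the file taken off the machine, can no longer recover it.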

[Screenshot]

The next functionality is Review Manager.

[Screenshot]

Review Manager (also known as Calendar during development) shares the outgoing SMTP server settings with the "Emails" functionality. I need feedback on this; please email, or even comment here, which settings you would like to send or plan.

Thanks!

Call for Help:

Are you a smart, skilled C# developer with serious XML skills who would like to help make CC a better and more useful tool? Please drop a line!

21 Jun 2008

Code Crawler Status and Help request

Hello fellows,

as you know, CC development is still ongoing and most of the features listed in the SoC 2008 are working in beta status, which I'm very happy about.

The Code Crawler XML/XSL engine has been coded and I'm really proud to announce that CC will support custom templates, which will let you build and customize the "look & feel" of your result set.

The structure of the template is quite easy: the XML output file is mainly composed of three elements, Threat, Description and Name. I'm halfway to releasing a WFA (Wait for Approval) official OWASP template which will be released with CC itself.
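As an added example (not the project's own engine or template), here is a three-element result set and a custom template rendered end to end with .NET's XslCompiledTransform; the <Results>/<Result> wrapper names, the sample findings and the stylesheet are assumptions. Two points a template author should know: xsl:value-of escapes what it emits, so a finding's Name or Description copied from a scanned file cannot inject markup into the HTML report unless the template switches on disable-output-escaping; and XsltSettings.Default disables msxsl:script and document(), so a template received from a third party can only transform, not run code or read files.

```csharp
// Added example; not Code Crawler's code. Sample data and element names are assumptions.
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Xsl;

public static class ReportRenderer
{
    // Constructed result set. The second Name carries markup characters on purpose.
    public const string SampleResults =
        "<Results>" +
        "<Result><Threat>1</Threat><Name>Response.Write(&lt;script&gt;)</Name>" +
        "<Description>Check output encoding</Description></Result>" +
        "<Result><Threat>3</Threat><Name>exec sp_executesql</Name>" +
        "<Description>Possible SQL injection sink</Description></Result>" +
        "</Results>";

    // A minimal custom template: one table row per finding, highest Threat first.
    // Keep xsl:value-of as-is; disable-output-escaping="yes" would turn the
    // "<script>" above into live markup in the report.
    public const string SampleTemplate =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">" +
        "<xsl:output method=\"html\" indent=\"yes\"/>" +
        "<xsl:template match=\"/Results\"><html><body><table>" +
        "<xsl:for-each select=\"Result\">" +
        "<xsl:sort select=\"Threat\" data-type=\"number\" order=\"descending\"/>" +
        "<tr class=\"level{Threat}\">" +
        "<td><xsl:value-of select=\"Threat\"/></td>" +
        "<td><xsl:value-of select=\"Name\"/></td>" +
        "<td><xsl:value-of select=\"Description\"/></td>" +
        "</tr></xsl:for-each></table></body></html></xsl:template></xsl:stylesheet>";

    public static string Render(string resultsXml, string templateXsl)
    {
        XslCompiledTransform xslt = new XslCompiledTransform();
        // XsltSettings.Default: no script blocks, no document(). A null resolver
        // also refuses xsl:include / xsl:import, so the template stays self-contained.
        using (XmlReader xslReader = XmlReader.Create(new StringReader(templateXsl)))
            xslt.Load(xslReader, XsltSettings.Default, null);

        StringBuilder html = new StringBuilder();
        using (XmlReader input = XmlReader.Create(new StringReader(resultsXml)))
        using (XmlWriter output = XmlWriter.Create(html, xslt.OutputSettings))
            xslt.Transform(input, output);
        return html.ToString();
    }

    public static void Main()
    {
        // Prints the table with "exec sp_executesql" first and the <script> text escaped.
        Console.WriteLine(Render(SampleResults, SampleTemplate));
    }
}
```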

As you also may know, the CC keypointers database is now in XML format, and that's why I need your help. The current database lists around 239 potential keywords.

Here is an example:

   <KeyPointer>
       <k_name>exec sp_executesql</k_name>
       <k_level>3</k_level>
       <k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determinate if the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter(System.Data.SqlClient). These are type and treats parameter as the literal value and not the executable code in the database.</k_description>
       <link>http://www.owasp.org</link>
   </KeyPointer>
   <KeyPointer>
       <k_name>delete from where</k_name>
       <k_level>3</k_level>
       <k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determinate if the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter(System.Data.SqlClient). These are type and treats parameter as the literal value and not the executable code in the database.</k_description>
       <link>http://www.owasp.org</link>
   </KeyPointer>

As you can see, the description tag of every item is pretty much the same for most of the categories, and that's where help is needed. If you have some time to spend and want to get involved in CC development, feel free to add/modify descriptions for keywords. All help will be highly appreciated.

The current database can be found at http://www.cyphersec.com/TestLab/CodeCrawlerDatabase.xml (102 KB). Once again, feel free to submit changes and be sure to mail it back to tools@[idontwantspam]cyphersec.com.
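The two ideas the posts describe, a keypointer database in the XML shape shown above and (in the Code Crawler 2.5 post) walking a .csproj to find every source file of a project, fit together in one small scanner. What follows is an added example, not Code Crawler's engine or database loader: it reads the <KeyPointer> elements (k_name, k_level, k_description, link) from a database file, resolves the <Compile Include="..."/> items of a Visual Studio 2005/2008 project file, and reports each line containing a key pointer with its level. The root element name of the database, the case-insensitive substring match, and the command-line usage are assumptions.

```csharp
// Added example; not Code Crawler's code. Database root name, matching rule and
// command-line usage are assumptions.
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml.Linq;

public sealed class KeyPointer
{
    public string Name;        // k_name: text to look for, e.g. "exec sp_executesql"
    public int Level;          // k_level: 3 is the highest level in the examples above
    public string Description; // k_description
    public string Link;        // link
}

public sealed class KeyPointerMatch
{
    public string File; public int Line; public KeyPointer Pointer; public string Text;
}

public static class KeyPointerScanner
{
    // Load every <KeyPointer> in the database, whatever the root element is called.
    // XDocument.Load uses XmlReader defaults, which prohibit DTDs, so a tampered
    // database cannot pull in external entities.
    public static List<KeyPointer> LoadDatabase(string path)
    {
        List<KeyPointer> pointers = new List<KeyPointer>();
        foreach (XElement kp in XDocument.Load(path).Descendants("KeyPointer"))
        {
            string name = (string)kp.Element("k_name");
            if (string.IsNullOrEmpty(name)) continue; // skip malformed entries
            int level;
            if (!int.TryParse((string)kp.Element("k_level"), out level)) level = 1;
            pointers.Add(new KeyPointer { Name = name.Trim(), Level = level,
                Description = (string)kp.Element("k_description") ?? "",
                Link = (string)kp.Element("link") ?? "" });
        }
        return pointers;
    }

    // Resolve the <Compile Include="..."/> items of a .csproj to absolute paths.
    // Include is relative to the project file and written with backslashes;
    // VS2005/2008 writes one item per file, so wildcards are not expanded here.
    public static List<string> SourceFilesOf(string csprojPath)
    {
        XNamespace msb = "http://schemas.microsoft.com/developer/msbuild/2003";
        string projectDir = Path.GetDirectoryName(Path.GetFullPath(csprojPath));
        List<string> files = new List<string>();
        foreach (XElement item in XDocument.Load(csprojPath).Descendants(msb + "Compile"))
        {
            string include = (string)item.Attribute("Include");
            if (string.IsNullOrEmpty(include)) continue;
            string relative = include.Replace('\\', Path.DirectorySeparatorChar);
            string full = Path.GetFullPath(Path.Combine(projectDir, relative));
            if (File.Exists(full)) files.Add(full);
        }
        return files;
    }

    // Scan one file: case-insensitive substring match of every key pointer per line,
    // i.e. a grep over a curated wordlist, which is what the database above implies.
    public static List<KeyPointerMatch> ScanFile(string file, IList<KeyPointer> pointers)
    {
        List<KeyPointerMatch> matches = new List<KeyPointerMatch>();
        string[] lines = File.ReadAllLines(file);
        for (int i = 0; i < lines.Length; i++)
            foreach (KeyPointer kp in pointers)
                if (lines[i].IndexOf(kp.Name, StringComparison.OrdinalIgnoreCase) >= 0)
                    matches.Add(new KeyPointerMatch { File = file, Line = i + 1,
                                                      Pointer = kp, Text = lines[i].Trim() });
        return matches;
    }

    // usage: KeyPointerScanner CodeCrawlerDatabase.xml MyProject.csproj
    public static void Main(string[] args)
    {
        List<KeyPointer> db = LoadDatabase(args[0]);
        foreach (string file in SourceFilesOf(args[1]))
            foreach (KeyPointerMatch m in ScanFile(file, db))
                Console.WriteLine("[level {0}] {1}:{2}: '{3}' -> {4}",
                    m.Pointer.Level, m.File, m.Line, m.Pointer.Name, m.Text);
    }
}
```

A substring match is deliberately noisy: "delete from where" from the sample database only fires on that literal phrase, while "exec sp_executesql" fires inside comments and string literals too. That is the trade-off of a keypointer scan, which points a reviewer at places to read rather than proving a vulnerability.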

Thanks.
A.

26 May 2008

Code Crawler 2.1.2

Live from the Code Crawler development offices (lol):

  1. Done: XML Database instead of SQL Server Express
  2. Alessio to implement OWASP Orizon Project
  3. Almost Done: Result XML/XSLT based
  4. Almost Done: Scanning Engine Option : Scan Visual Studio's Solution

[Screenshot: roadmap]