OWASP Code Crawler 2.5 Released

OWASP Code Crawler is a .NET Windows Forms application built using Microsoft .NET C#, XML, LINQ and a few third-party open source components. Its development started in fall 2007 as a very simple prototype from a mail conversation between me (Alessio Marziali) and Eoin Keary (Code Review Project Leader and Board Member). Eoin spotted the hidden power of this tool and asked me whether I would be interested in making it open source. Thrilled by the idea of joining OWASP, a few months later Code Crawler became an official OWASP Project.
Over the years Code Crawler has grown substantially, mainly with the help of other volunteers around the world, and today I am very pleased to announce that we have reached version 2.5. I personally want to thank Tripurai Rai, Sasikumar Ganesan and Paulo Coimbra for helping me make this happen. In this release we have focused mainly on the UI of the application and have also improved our database while introducing utilities such as STRIDE classification, a DREAD Calculator and an ASP.NET ViewState Decoder. For a detailed list of features you can refer to the changelog attached at the end of this post.
License
OWASP Code Crawler 2.5 is a Creative Commons Attribution Share Alike 3.0 open source application, which means you are free to copy, distribute, transmit and remix this code as you like, provided that you attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). If you alter, transform, or build upon this work, you may distribute the resulting work only under the same, similar or a compatible license.
Download
OWASP Code Crawler 2.5 can be downloaded from http://codecrawler.codeplex.com. Please be advised that Code Crawler requires Microsoft .NET Framework 3.5 to run. You may download it from here (link to Microsoft download website).
Changelog
- Code Crawler Editor
  - Find (CTRL+F)
  - Mark Findings
  - Select All (CTRL+A)
  - Copy as RTF (sweet)
  - Code Folding
  - Syntax Highlighting
  - Bracket Matching
  - Unlimited Undo/Redo buffer
  - Bookmarks
  - Go to line (CTRL+G)
  - Replace
  - Breakpoints
- Single Scan Form
  - New User Interface
  - STRIDE Classification
  - Direct links to MSDN and Google
  - Shortcuts to Notepad and Calc
  - Threats Count
  - Printing
  - RTF Report
- Visual Studio .NET (for VS 2005 - 2008)
  - Supports ONLY C# Project files (*.csproj)
  - Bigger fonts
- Mainform
  - New User Interface
  - Links to OWASP content
  - WASC Threat Classification 2.0
  - Sun Java Guidelines
  - Removed OWASP Browser
  - Removed Network Scan
  - Removed Reporting Frame
- Database
  - 286 Keywords
  - Multi STRIDE Schema
  - Refactoring
- Utilities
  - ASP.NET ViewState Decoder
  - DREAD Calculator
OWASP Code Crawler 2.5 – Screenshots
It has been a while since I have posted something about Code Crawler, the project I have been developing since fall 2007. Our development team, which is now composed of three developers, is in the process of making the magic happen again.
What follows is a list of screenshots of Code Crawler 2.5. Code Crawler is more or less a new project today. We have taken the good and removed the bad. So far we have completed STRIDE automatic classification, DREAD, improved performance, enhanced our database in terms of quality and quantity and, most of all, said goodbye to our previous UI.
Single File Scan new User Interface.
Visual Studio .NET (2005/2008) Integration is now fully working.
Code Crawler can now scan hundreds of files at the same time without leaving anything behind. In this example Code Crawler has finished scanning a very busy Visual Studio Solution and an external file using single file mode. The user can easily switch between the results at any time.
The DREAD Calculator is an easy-to-use tool integrated within Code Crawler which makes risk analysis easy.
Code Crawler provides direct links to all OWASP major contents such as Guides and tools.
The single source code file form provides easily accessible options such as:
- Archive (for reporting purposes and further investigations)
- Print Source Code
- Notepad
- Calc
- MSDN
- Threats Count
Download links, next week, hopefully.
OWASP Code Crawler 2.5
During the last two months we have been working hard on the upcoming release of OWASP Code Crawler 2.5. In this release, we have been busy making Code Crawler even more stable and fast.
What follows is a list of all the new features of Code Crawler.
The source screen has been improved and now supports threat colouring. This means that all threats found in the source code will be highlighted depending on their threat level. (See the screenshot below)
As you can also see the threat analysis box has been moved into the Source Tab. Clicking on any highlighted threat will also show details of the corresponding threat.
The reports feature has also been improved; the code is less prone to throwing exceptions and we are confident marking it as “releasable”.
The loading process of a single file is now 80% faster than in any previous release (1.0 to 2.4). This is because we have moved the colouring tasks to another thread and changed the whole loading logic. Just to give you an idea of how fast Code Crawler is, loading a source code file of one thousand lines in Code Crawler will take less than half a second (analysis included).
Sasikumar, a new developer who has joined the team, is working on the new Code Crawler engine. He has made a PowerPoint presentation, available on slideshare.com, which illustrates the details of the new architecture as well as the advantages gained by using it. Sasikumar is also responsible for the new code colouring feature.
Code Crawler still supports the OWASP Code Review project by providing the Key Pointers scan, but no major updates to it will be released in the future.
The Visual Studio Integration will also replace the Remote Server Scan in this release. The application is capable of scanning an entire Visual Studio Solution starting from a single csproj file (Visual Studio C# Project file). Code Crawler commences the process by analysing the provided project file and discovering all the source code files that are part of the project. At this stage, the engine processes all the relevant source files and ends up providing all the details, using the new engine.
Code Crawler 2.5 was supposed to be released at the end of September but, because of the amount of new features, it has been postponed to the end of October.
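To make the project-file walk concrete, here is an added example (written for this post, not Code Crawler's own code) that reads the Compile items of a csproj, resolves them against the project directory, and runs a keyword scan over each file that tags every hit with one or more STRIDE categories. The keyword table and the sample project it builds in a temp directory are constructed for the demo; Code Crawler's real 286-keyword database is not reproduced here.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed keyword table (not Code Crawler's database); a keyword may map to several STRIDE categories.
KEYWORDS = {
    r"\bRequest\.QueryString\b": ("Tampering", "Information Disclosure"),
    r"\bSqlCommand\b": ("Tampering", "Elevation of Privilege"),
    r"\bResponse\.Write\b": ("Tampering",),
    r"\bcatch\s*\(\s*Exception\b": ("Information Disclosure",),
}
MSBUILD_NS = {"m": "http://schemas.microsoft.com/developer/msbuild/2003"}

def project_sources(csproj_path):
    """Resolve every <Compile Include="..."> item against the project directory."""
    root = ET.parse(csproj_path).getroot()
    base = Path(csproj_path).parent
    items = root.findall(".//m:Compile", MSBUILD_NS) or root.findall(".//Compile")
    return [base / item.get("Include").replace("\\", "/") for item in items if item.get("Include")]

def scan_source(text):
    """Return (line_no, pattern, stride_categories) for every keyword hit in one file."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern, categories in KEYWORDS.items():
            if re.search(pattern, line):
                hits.append((line_no, pattern, categories))
    return hits

def scan_project(csproj_path):
    """Scan every compiled source; a listed file that is missing is reported as None, not skipped."""
    report = {}
    for src in project_sources(csproj_path):
        report[src.name] = scan_source(src.read_text(encoding="utf-8")) if src.is_file() else None
    return report

def build_sample_project():
    """Write a constructed two-file project plus a dangling Compile entry; return the csproj path."""
    d = Path(tempfile.mkdtemp())
    (d / "Login.aspx.cs").write_text(
        'var user = Request.QueryString["u"];\n'
        'var cmd = new SqlCommand("select * from t where u=\'" + user + "\'");\n'
        'try { cmd.ExecuteNonQuery(); } catch (Exception e) { Response.Write(e.ToString()); }\n')
    (d / "Util.cs").write_text("static int Add(int a, int b) { return a + b; }\n")
    (d / "Demo.csproj").write_text(
        '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><ItemGroup>'
        '<Compile Include="Login.aspx.cs" /><Compile Include="Util.cs" />'
        '<Compile Include="Missing\\Gone.cs" /></ItemGroup></Project>')
    return d / "Demo.csproj"
```

Running `scan_project(build_sample_project())` reports four hits in Login.aspx.cs, none in Util.cs, and None for the missing Gone.cs, so a stale project entry shows up in the report instead of being silently dropped.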