Friday, August 18, 2017

Sitecore YASCA - Code review, in-built plugins (FindBugs, FxCop and PMD) - Recommended by OWASP

Sitecore code Review and Security (Automation and Engineering)
Part-1 YASCA Integration

  

1.1     Context

This document is intended to provide an understanding of Sitecore security, automation and performance, covering static and dynamic code analyzers.

1.2  Security

Security threats are an important concern for any application; with this in mind, OWASP provides complete guidelines.

1.2.1  YASCA Code Review, open source and recommended by OWASP

As per the Sitecore consideration, we will use the Yasca tool here to verify security threats and compliance; the details and all steps are given below.

1.2.2  What is YASCA

1.      Yasca is an open source program which looks for security vulnerabilities, code quality, performance, and conformance to best practices in program source code. It leverages external open source programs, such as FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy, to scan specific file types, and also contains many custom scanners developed just for Yasca. It is a command-line tool that generates reports in HTML, CSV, XML, SQLite, and other formats. Yasca is easily extensible via a plugin-based architecture, so scanning any particular file type is as simple as coming up with the rules or integrating external tools.
2.      Yasca also features a simple regular-expression plugin that allows new rules to be written in less than a minute.

References taken from the links below; please visit them for more details:
  1. https://www.owasp.org/index.php/Category:OWASP_Yasca_Project
  2. Yasca is hosted on Github and has the main project website at scovetta.github.io/yasca.
  3. Download Link:- http://scovetta.github.io/yasca/
  4. Github code:- https://github.com/scovetta/yasca



Complete security and vulnerability guidelines:
After download, the file structure will look like the one below.


1.2.3  How to run YASCA and generate a report

Open a command prompt and change to the root folder of the downloaded Yasca package.
Go to the root path:
Example: at the prompt in the Yasca root folder (for example D:\YASCA), type yasca, a space, and the path of your source code.
It will generate the report in the folder below.

1.2.4  YASCA – Understanding the report structure


The default report is generated in HTML format and can be easily browsed.


The results are sorted by severity.


Click the Details button to see the full details of each finding: its severity and why it is flagged, with references to OWASP, CWE, etc.
Plugins supported through Yasca (these can be extended):
1.      CppCheck
2.      FindBugs
3.      FxCop
4.      Pixy
5.      PMD

Happy coding! The next details will be shared in Part 2.
