Please welcome SkyLine

SkyLine is the org.owasp.orizon object devoted to helping people start a source code security assessment.

One of the new features of this object is support for OWASP framework properties. Just as with regular command line tools, a user invoking a tool built on Orizon can enable or disable framework-related features on the fly using the “-o” or “--orizon” command line flags.

This means that a tool using Orizon won’t be able to use the “-o” or “--orizon” command line flags for its own options.

The org.owasp.orizon.core.Cons class holds the constants used as keys in the Orizon command line flag format (“-o key=value”). In the 1.0rc1 release, these are the supported features:

/**
 * The input to be used as static analysis starting point.
 * It is up to org.owasp.orizon.Session class to detect if the input is:
 *  + a single file
 *  + a file matching a magic pattern
 *  + a directory
 * The default value is the "noname" string.
 */
public static final String OC_FRAMEWORK_OPTION_INPUT_NAME = "input_name";

/**
 * Users won't write this value.
 * A default value doesn't exist. It will be filled up in Session object
 * constructor method right after copying default values.
 * Its values can be:
 *  + "file"
 *  + "dir"
 *  + "magic" for magic patterns (such as *.java, *.c, ...)
 */
public static final String OC_FRAMEWORK_OPTION_INPUT_KIND = "input_kind";

/**
 * The working directory to be used during static analysis. Orizon must have
 * write access to this directory.
 * The default value is the "user.dir" system property, the current
 * working directory when the properties were initialized.
 */
public static final String OC_FRAMEWORK_OPTION_WORKING_DIR = "working_dir";

/**
 * Language option can be:
 *  + "auto" = source language will be auto-detected (default)
 *  + "c" = source language will be forced to C language
 *  + "c++" = source language will be forced to C++ language
 *  + "c#" = source language will be forced to C# language
 *  + "java" = source language will be forced to JAVA language
 */
public static final String OC_FRAMEWORK_OPTION_LANGUAGE = "auto";

/**
 * A boolean flag that tells Orizon it can be recursive or not over
 * directories if the analysis starting point is a directory itself.
 * It can be:
 *  + "true" (default)
 *  + "false"
 */
public static final String OC_FRAMEWORK_OPTION_RECURSIVE = "true";

/**
 * The file format to be used for reports. It can be:
 *  + "txt" = plain text
 *  + "xml" = XML file (default)
 */
public static final String OC_FRAMEWORK_OPTION_OUTPUT_FORMAT = "output-format";

SkyLine can consume “key=value” pairs passed on the command line to fill the OWASP Orizon framework properties.
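The following sketch shows one way a tool could consume “-o key=value” pairs, apply the defaults listed above, and reject values the framework would not accept. It is an added example, not code from Orizon: the class `SkyLineOptionsDemo` and its methods are hypothetical, only the keys whose strings appear above are handled, and treating any input containing `*` as a magic pattern is an assumption.

```java
import java.io.File;
import java.util.*;

// Added illustration only: SkyLineOptionsDemo is a hypothetical class, not Orizon code.
public class SkyLineOptionsDemo {
    // Key strings and defaults as listed in the post.
    static final String INPUT_NAME = "input_name", INPUT_KIND = "input_kind",
            WORKING_DIR = "working_dir", OUTPUT_FORMAT = "output-format";
    static final Set<String> USER_KEYS = Set.of(INPUT_NAME, WORKING_DIR, OUTPUT_FORMAT);

    static Properties parse(String[] args) {
        Properties p = new Properties();
        p.setProperty(INPUT_NAME, "noname");
        p.setProperty(WORKING_DIR, System.getProperty("user.dir"));
        p.setProperty(OUTPUT_FORMAT, "xml");
        for (int i = 0; i < args.length; i++) {
            if (!args[i].equals("-o") && !args[i].equals("--orizon")) continue; // host tool's own flag
            if (++i >= args.length) throw new IllegalArgumentException("missing key=value after flag");
            int eq = args[i].indexOf('=');
            if (eq <= 0) throw new IllegalArgumentException("expected key=value: " + args[i]);
            String key = args[i].substring(0, eq), value = args[i].substring(eq + 1);
            // input_kind is derived, never user-supplied; unknown keys are rejected, not ignored.
            if (!USER_KEYS.contains(key)) throw new IllegalArgumentException("unsupported key: " + key);
            p.setProperty(key, value);
        }
        if (!Set.of("txt", "xml").contains(p.getProperty(OUTPUT_FORMAT)))
            throw new IllegalArgumentException("output-format must be txt or xml");
        File wd = new File(p.getProperty(WORKING_DIR));
        if (!wd.isDirectory() || !wd.canWrite())
            throw new IllegalArgumentException("working_dir is not a writable directory");
        p.setProperty(INPUT_KIND, kindOf(p.getProperty(INPUT_NAME)));
        return p;
    }

    // Assumption: a '*' marks a magic pattern; otherwise an existing directory is "dir", else "file".
    static String kindOf(String input) {
        if (input.contains("*")) return "magic";
        return new File(input).isDirectory() ? "dir" : "file";
    }

    public static void main(String[] unused) {
        // Constructed sample command line; "-v" stands in for a flag owned by the host tool.
        String[] sample = {"-v", "-o", "input_name=*.java", "--orizon", "output-format=txt"};
        Map<Object, Object> sorted = new TreeMap<>(parse(sample));
        System.out.println(sorted);
        try {
            parse(new String[] {"-o", "input_kind=dir"});
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```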

