Well, the most important thing I learnt while working on Owasp Orizon is that drawing a roadmap for a software tool, when you can work on it only in your spare time, is useless.
It’s better to admit that the overall project development is based on a best-effort approach. Everyone has their own personal side projects, everyone has to drive their professional career, and everyone has a family to take care of too, of course.
What am I trying to say? The following:
- Q: Are you, Paolo, going to declare the Owasp Orizon Project dead? A: Damn man, are you kidding me? No.
- Q: Are you, Paolo, going to leave the project in an orphaned state? A: You’re so funny. The answer is still no; I’ll do my best to achieve some valuable results in the very near future.
- Q: When will the Owasp Orizon Project hit the ground, helping the world achieve more secure code? A: I can’t predict the future. I can say that the updates you’ll find in this post will help me be more productive towards the next goals, but I won’t drive a detailed roadmap anymore. It’s a failing action if you can’t work on your code every day.
The first thing that drives me crazy, and that some Owasp fellows agreed is a very key feature, is the modeling engine.
The idea Stephen gave about relying on a parser generator is, of course, a winning one. But the freecc parser generator seems to have stalled, and the community support isn’t as strong as I supposed it to be at first.
So, the idea is to rely on the more robust and widely accepted de facto leader among parser generators: antlr.
Mirage is going to be completely rewritten from scratch, using antlr and its grammars. It will be a C language program.
I moved mirage to be a standalone project to achieve (I hope) a wider audience in the open source developers’ community. Working on a multi-language application modeler can by itself draw the attention of hackers and fellows who might be scared of working on a security static analysis tool. Yes, it seems that the word security keeps developers away. Don’t know why? I’ll check on this later.
So in the next months my energy will be directed to the mirage project. When we have a reliable source code modeler, writing a security scan engine over it will be quite an affordable task.