One of the most difficult things, while developing a security tool, is designing the knowledge base.
A good knowledge base must have:
- a high level of maintainability;
- a smooth upgrade mechanism;
- a comprehensive grammar.
The last point is the most difficult to achieve. For the new Orizon tool, I started thinking about using the JSON text file format, with a timestamp used to check the KB's freshness.
For the grammar, I started wondering about using plain English to describe an unsafe pattern.
Check the file owasp-orizon-kb.json and tell me your opinion. Do you think it would be enough to describe a generic unsafe coding pattern?
Tell me yours.
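A constructed sketch of the KB layout described above, as added example code that is not the real owasp-orizon-kb.json or Orizon's own code: each entry keeps the plain-English description of the unsafe pattern and, as an assumption, adds a regex `match` field so a scanner can actually apply it, while the top-level timestamp drives the freshness check.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample KB (not the real owasp-orizon-kb.json): a top-level
# timestamp for freshness checks plus one entry per unsafe pattern. Each entry
# keeps the plain-English description the post proposes and adds a hypothetical
# "match" regex (an assumption) so a scanner can actually apply the entry.
SAMPLE_KB = r"""{
  "timestamp": "2010-02-15T12:00:00Z",
  "patterns": [
    {"id": "JAVA-001", "language": "java",
     "description": "Building an SQL statement by concatenating user input",
     "match": "executeQuery\\([^)]*\\+"},
    {"id": "JAVA-002", "language": "java",
     "description": "Using java.util.Random for security-sensitive values",
     "match": "new\\s+Random\\("}
  ]
}"""

REQUIRED = ("id", "language", "description", "match")

def parse_ts(text):
    """Parse the KB's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_kb(text):
    """Parse a KB document, validate every entry and return (timestamp, patterns)."""
    doc = json.loads(text)
    patterns = []
    for entry in doc["patterns"]:
        missing = [key for key in REQUIRED if key not in entry]
        if missing:  # reject a malformed entry instead of silently skipping it
            raise ValueError(f"entry {entry.get('id', '?')}: missing {missing}")
        patterns.append({**entry, "regex": re.compile(entry["match"])})
    return parse_ts(doc["timestamp"]), patterns

def needs_upgrade(local_ts, remote_ts):
    """True when the published KB is newer than the one installed locally."""
    return remote_ts > local_ts

def scan(patterns, source, language):
    """Return (pattern id, line number, description) for each KB hit in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pat in patterns:
            if pat["language"] == language and pat["regex"].search(line):
                findings.append((pat["id"], lineno, pat["description"]))
    return findings
```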