We're just pushing 1.1.3 out the door now. I'll apply the patch after 1.1.3 is out the door, and it will go into 1.1.4.

As far as testing, we do a lot of testing every night, but it isn't really integrated into the distribution or a standard test harness. Every night we reanalyze about 20 million lines of code, and review any changes in the analysis results.

I'll let you know if the patch introduces any changes.
Bill
On Jan 2, 2007, at 9:18 PM, Matt wrote:
Hi,

I'm going to be using the FindSqlInjection check as one example in a class on automated code analysis I'll be giving at RSA 2007 and BlackHat Europe 2007 (http://wiki.yak.net/712). (I gave the same class at BlackHat USA last year.) The class focuses on finding exploitable security bugs, which is why I chose the FindSqlInjection detector.

To make it easier to walk through in the class, I needed to refactor the code a bit. I've attached a diff against current SVN, but in case it gets stripped out by the list, here's a link:
http://www.clock.org/~matt/bugreport/sqlinjection-refactor.diff

Most of the changes were to decompose the analyzeMethod() function into several smaller, easier to understand (for me) functions. Looking at other detectors, I can see how some of these new methods could be reused (with few/no modifications) by making Detector an abstract class and pulling them up. I also fixed up indentation and made use of braces more consistent, which should help people who work in vi like myself :)

I didn't see any unit tests for individual detectors, nor system tests to enhance/run, so I tested on a few applications I work on, and the number of SQL injection bugs remained the same before and after I ran them. If there are other tests I should/could run, please let me know, as I may contribute more diffs like this in the future if this goes well :)

Thanks in advance for your kind help in getting the patch applied to SVN :)
--
tangled strands of DNA explain the way that I behave.
http://www.clock.org/~matt
<sqlinjection-refactor.diff>
_______________________________________________
Findbugs-discuss mailing list
Findbugs-discuss@xxxxxxxxxxxxxxxxxx
http://mailman.cs.umd.edu/mailman/listinfo/findbugs-discuss