Yasca
Yasca is an open source program which looks for security vulnerabilities, code quality and performance issues, and conformance to best practices in program source code. It leverages external open source programs, such as FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, Pixy, and RATS, to scan specific file types, and also contains many custom scanners developed for Yasca. It is a command-line tool that generates reports in HTML, CSV, XML, MySQL, SQLite, and other formats. It is listed as a tool at the well-known OWASP security project, and also in a government software security tools review at the Homeland Security web site.

Languages Scanned

Yasca has at least one scanner for each of the following file types:
  • .NET (VB.NET, C#, ASP.NET)
  • ASP
  • C/C++
  • COBOL
  • ColdFusion
  • CSS
  • HTML
  • Java
  • JavaScript
  • Perl
  • PHP
  • Python
  • Raw HTTP Traffic
  • Visual Basic

Yasca 2.2

Version 2.2 was released in June 2010 and included a large number of minor updates over version 2.1, most notably natively compiled plugins on Linux, reducing the need to use Wine. Version 2.2 contains some experimental modules, including a TCP packet logger and a rule to scan those logs for sensitive information. Additional rules for this are expected in the next update.

As with prior 2.x releases, Yasca comes packaged as a core bundle, plus separately downloadable plugins. No plugins are required, but best results occur when using all of the necessary plugins.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.