Project Information:template JSP Testing Tool Project - Final Review - Self Evaluation - B

= Summer of Code 2008 Report =

= Detailed Status Report =

The following is a detailed report on the status of the project. All current code and Java API documentation have been committed to the Subversion repository hosted on Google Code.

Project Goals
The goals for the project were as follows:
 * Identify or Create Tag Library Parser (achieved at the 50% Review)
 * Basic Test of Tags (achieved at the 50% Review)
 * Design Report Format (achieved at the 50% Review)
 * Refine Tag Testing (see below)
 * Refine Report Format (see below)
 * Documentation and Release (see below)

In addition, the 50% Review added the following goals:
 * Implement Deployment Method (see below)
 * Implement Invocation Method (see below)

Refine Tag Testing
To improve tag testing, a tag properties configuration file was introduced. It lets users supply values for a tag's required attributes and embed the tag in the enclosing context it needs, so that fewer test cases fail because the tag could not execute at all. The test results then reflect how the tag handles its input rather than errors in the test setup.

Refine Report Format
Several changes were made to the report to improve perceived performance. At the 50% Review the report waited for every test case iframe to load and then evaluated all of the results at once. For a report on an entire tag library this could take an extremely long time (even when the report files are serialized locally), during which the report appeared empty. The report now evaluates each test case as its iframe finishes loading (using the iframe's onload event), so the results populate incrementally and progress is visible while the remaining test cases are still loading.

Additionally, the 50% Review version invoked JavaScript event handlers without regard to their contents: every handler was fired proactively to see whether it triggered the attack. This can execute scripts that have nothing to do with the test case. The code that exercises event handlers was therefore changed to invoke only those handlers whose source contains the test case's attack string.
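As an added illustration, not code from the OWASP JSP Testing Tool itself, the following JavaScript shows the selection rule described above: only event handlers whose source contains the test case attack are executed. The element list, the attack marker `reportXss("TC-3")`, the attribute names and the `reportXss`/`openLink`/`trackFocus` stubs are constructed for this example; the tool's real report works against live iframe documents rather than plain objects.

```javascript
// Added example, not code from the OWASP JSP Testing Tool. Shows how a report page
// can restrict itself to event handlers that actually carry the test-case attack.
// Elements are plain objects so this runs under Node without a DOM; the attack
// marker, tag/attribute values and the stub functions are all constructed here.

const EVENT_ATTRS = ['onclick', 'onmouseover', 'onfocus', 'onblur', 'onload', 'onerror'];

// Constructed render of one test case: TC-3 injected `");reportXss("TC-3");//`
// into an attribute value that the tag echoes into an onclick handler unescaped.
const ATTACK = 'reportXss("TC-3")';
const TEST_CASE_ELEMENTS = [
  { tag: 'input', attrs: { type: 'text', onfocus: 'trackFocus(this)' } },                 // unrelated handler
  { tag: 'a',     attrs: { href: '#', onclick: 'openLink("");reportXss("TC-3");//")' } }, // attack reflected here
  { tag: 'img',   attrs: { src: 'x.png', onerror: 'alert("not the test case")' } },      // unrelated, must not run
];

// Return only the handlers whose source contains the attack string.
function findAttackHandlers(elements, attack) {
  const hits = [];
  for (const el of elements) {
    for (const attr of EVENT_ATTRS) {
      const code = el.attrs[attr];
      if (typeof code === 'string' && code.includes(attack)) {
        hits.push({ tag: el.tag, attr, code });
      }
    }
  }
  return hits;
}

// Run the selected handlers with only a detector hook and harmless stubs in scope,
// and record which handlers were invoked and which test-case IDs reported back.
function exerciseHandlers(elements, attack) {
  const invoked = [];
  const fired = [];
  const scope = {
    reportXss: id => fired.push(id),        // the detector that the attack payload calls
    openLink: () => {},                     // stubs standing in for the page's own functions
    trackFocus: () => {},
    alert: () => { throw new Error('unrelated script executed'); }, // would only run if filtering failed
  };
  for (const h of findAttackHandlers(elements, attack)) {
    invoked.push(`${h.tag}.${h.attr}`);
    // Compile the handler body with the stubs as parameters instead of real globals.
    const handler = new Function(...Object.keys(scope), h.code);
    handler(...Object.values(scope));
  }
  return { invoked, fired };
}

console.log(JSON.stringify(exerciseHandlers(TEST_CASE_ELEMENTS, ATTACK)));
```

The filter is a plain substring test on the handler source, which is what the report needs to avoid firing unrelated handlers such as the `onfocus` and `onerror` ones above. The trade-off is that an attack string the tag encodes or rewrites before echoing will not match, so such a case has to be judged from the serialized output rather than from handler execution.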

Finally, because the full report for the JSF HTML Basic tag library takes an extremely long time to load, the report process now also generates a sub-report for each individual tag in addition to the full report on the entire library.

Implement Deployment Method
The new code deploys the test cases to an embedded Tomcat instance, then fetches each test case from that instance over HTTP and serializes the rendered output locally for the report.

Implement Invocation Method
An Ant build file encapsulates the tasks of compiling and running the various components that make up the tool.

Documentation and Release
Documentation on the main project page has been updated with the new features and how to invoke them.

Assessment Criteria
 * Agree to OWASP's open source license (status: BSD License)
 * The "main" page for any OWASP tool must be on the OWASP website (status: Project Page). This page must:
 ** describe the tool, the project leader, contact info, and include all relevant links, including a download link for the code and the executable version,
 ** include a roadmap/guideline pointing out the steps to achieve the purpose of the project,
 ** include the Alpha Quality Tool project tag (which we still need to define),
 ** be placed at the OWASP Project page.
 * Have its code and any documentation in Googlecode or Sourceforge (status: Google Code)
 * Mailing list for project created (status: owasp-jsp-testing-tool-project)
 * Solves a core application security need (status: OWASP Project Request P028)
 * Have an easy to use installer (Goal: Fully automated installer) or a stand alone executable version (status: binary JAR is standalone)
 * Include user documentation in the project's OWASP Wiki page(s) (status: included)
 * Add a common About Box or help menu in the tool itself, which lists the name of the tool, author, e-mail address of the author, current version number and/or release date (status: included)
 * Include documentation on how to build it from code, starting with getting it directly from the code repository; ideally this includes easy to use build scripts, which is required for Release Quality (status: Ant build file included)
 * This documentation must be stored in the same repository as the code (status: Documentation @ Googlecode)

Standalone Executable Version
A Windows standalone version was created and distributed to the reviewers for evaluation. However, this standalone is large, and Google Code currently does not permit a file of that size to be uploaded. Every effort will be made to make the standalone executable available once the storage limitation is no longer an issue.