Nice work Jeff - what do you have planned for future revs?

Aug 13, 2007 at 9:42 PM
This looks like a really useful effort, and I'm sure many will encourage you to help us all simplify the process of generating custom rules (it sounds harder than it ought to be).

What ideas do you have next for this code?
Coordinator
Aug 18, 2007 at 7:10 PM
I had a bunch of custom rules out on GotDotNet and am thinking about moving them over. I had tried to make custom rule development easier by using components. I've been playing with DSLs in Visual Studio for the last month or so and think that would be the obvious way to go. I've just started thinking about it so I'm not sure where this will head.

The next obvious step is to put in some samples of custom rules that use the WinForms stuff. Next I will probably move over some of the other rules I've created and then possibly think about a custom rule DSL.
Jul 20, 2008 at 7:18 PM

JeffLeBert wrote:
I had a bunch of custom rules out on GotDotNet and am thinking about moving them over. I had tried to make custom rule development easier by using components. I've been playing with DSLs in Visual Studio for the last month or so and think that would be the obvious way to go. I've just started thinking about it so I'm not sure where this will head.

The next obvious step is to put in some samples of custom rules that use the WinForms stuff. Next I will probably move over some of the other rules I've created and then possibly think about a custom rule DSL.
Hi Jeff, I've revived my interest in digging into FxCop for custom rules generation - mostly as a result of a project at work that demonstrated to me that there are some significant gaps between the security implementation issues that FxCop can currently catch, and some significant security coding issues that were identified by an external code review.

I've spent a few hours tracking down the resources available for an FxCop user or developer, and I've created a page on the OWASP wiki to capture this info.  As a result of my efforts, I've come to the early conclusion that your project has the deepest set of custom rules currently available, and it appears that you're a very motivated developer in this space (at least as measured by your frequent updates to the Source Code tree for this project).

I guess my question is, if I had a few hours here and there to make some useful contribution to your project, what could I do to help?  One thing I wonder is if all the custom rules that you'd published on GotDotNet have been integrated into the current JSL FxCop codebase.  If not, I'd be willing to at least try to take the files that are available through Archive.org (I found a link once, but can't at the moment), do any obvious code conversion that might be necessary, and submit them as Patches to your project.  I'm also wondering if there's any value in attempting to spec out some custom rules based on the book "19 Deadly Sins of Software Security" and submit them as Work Items to your project.

Coordinator
Sep 7, 2008 at 1:26 AM
Sorry I haven't replied earlier. My life has been a little too interesting for a while.

I am currently playing with another project on CodePlex so I've let my interest in FxCop dip for a bit. I came back because I had a memory leak issue at work this week. It took me a day to figure out that somebody had screwed up the Dispose methods causing forms not to dispose. If you look in the stuff I just checked in there are two new rules for checking the Dispose method. Both of these rules come directly from the problems I found.

I'm a little hesitant to let anybody else in at my code. It's mostly an ego thing. It's also nice to have a single style throughout a code base. As part of that, I've adopted StyleCop and have written a couple rules for it. I'm not sure I will make a JslStyleCop or not.

I haven't looked at the rules I lost moving from GotDotNet to CodePlex. I believe this was my migration to FxCop 1.36 style of rules. To be honest I didn't remember that I forgot some rules. I am going to look at them and see if I want to move any more over.

It seems most of my rules center around finding dumb mistakes. For example, calling ToString on a string. My hope would be that less experienced developers (there's that ego thing) would run my rules and learn a couple simple things. Of course, most less experienced developers don't know about FxCop and don't care or understand when they do hear about it.

The heavy work I try to use FxCop for is to make sure my company's application developers are writing code correctly for our application framework. This is very similar to Microsoft writing rules to make sure developers write code correctly for .Net. Most of my rules are of that type and mean nothing to the rest of the world.

The wife says it's time to stop playing with the computer and come eat dinner. In the past, she's made it very clear that she is always right so it must, in fact, be time for dinner.

Let me know any kind of ideas you have for FxCop rules. I might be willing to do the work for free!?!

Type at you later...