title: GSoC 2014 - The end
author: depierre
published: 2014-08-18
categories: Gsoc 2014, Python
keywords: gsoc, 2014, project, owasp, owtf, security, pentest, python

Every story has an end. The [GSoC 2014](https://www.google-melange.com/gsoc/events/google/gsoc2014) is now over. I sent my final report a couple of hours ago and now I wait for their verdict.

If you haven't read [my previous posts of GSoC](/cat/gsoc_2014/), I spent the last couple of months working for [OWASP](https://www.owasp.org/), on their [OWTF project](https://owtf.org). It aims to provide an efficient approach to combine the power of automation with the out-of-the-box thinking that only a human being can provide. My job? Implement an [automated ranking system](https://www.owasp.org/index.php/GSoC2014_Ideas#OWASP_OWTF_-_Automated_Vulnerability_Severity_Rankings) that will help the user to focus her/his attention on the most likely weak areas of a web application or network first.

I said that every story has an end, but this one hasn't reached it yet! Though the GSoC has come to its end, I am staying around for a while, and that is for sure.

I realize that a long post is too often boring. I even find it difficult to read some of the previous posts relating to the development of my project. Therefore I will try to keep this one short and concise.

# What a trip

First of all, I want to say that the past week was crazy! I have spent too many hours cleaning my code, writing the documentation and finding a nice way to glue it to OWTF. But I feel lucky to have been able to detach my project into its own repository and develop it as a standalone library (that I baptized [ptp](https://github.com/owtf/ptp) due to a lack of imagination).

This GSoC was my first and it was awesome! I worked with great people and I am looking forward to continuing to work together. I had never put so much heart into a project and I am glad that it happened with this one!
Sure, ptp is still in its early development stage and doesn't do much, but it is my baby, give him some time to grow older :)

Finally, that was the first time I felt like doing something useful. Yes, I worked on other projects before, some given by [my school](https://github.com/DePierre/re56_pwc), some from my [friends' school](http://k.lse.epita.fr/), some personal and some with the [HackGyver](http://www.hackgyver.org/) hackerspace. But OWTF is used in the real world, by real users! Not just myself or some academic teachers, and that is a disturbing truth for me!

# The project

So what has happened in the past month and a half? Quite a lot in fact, but I will focus on the most important parts.

## Get rid of useless code

When writing the user documentation, I realized how cumbersome and useless the Report layer between the [PTP public API](http://owtf.github.io/ptp/ptp.html) and the [Parsers](http://owtf.github.io/ptp/libptp/parser.html) was. In the early development stage, I thought it was needed and really useful, but I have to say that right now, I can't remember why.

So I spent a couple of hours [removing this unneeded layer](https://github.com/owtf/ptp/commit/06358b28dcf112aec0481d1043c3ad6d08a341fd). I ended up with code 600 lines lighter, *247 additions and 869 deletions* to be precise, without breaking a thing! I think these stats illustrate how badly this factorization was needed. Otherwise how could it still be working?

## Online user documentation

Also, I wrote the user documentation [using sphinx](http://sphinx-doc.org/). I now realize that [markdown](http://daringfireball.net/projects/markdown/) vs. [reST](http://en.wikipedia.org/wiki/ReStructuredText) is no match (*spoiler alert: reST wins*) but let's keep that debate for another time.

Sphinx is really neat and generates some nice, readable static HTML pages. Except for the fact that it is really painful to write user documentation, I finally managed to have something that would do the job.
Then I wanted to share it online, you know, to have something to show to my mentors. I knew about [http://github.io](http://github.io) but I had never used it until now. It is amazing how easy it has been made for people like you and me to upload such things online. See for yourself: [http://owtf.github.io/ptp/](http://owtf.github.io/ptp/).

## PyPI is handy

Finally, I wanted to have something as simple as possible to integrate ptp in OWTF. Until a couple of days ago, I would have run a really-ugly-homemade python script that would copy ptp's *.py* files into the *owtf/framework/lib* directory and which would also fix the imports on the fly (e.g. ``from libptp import parser`` would become ``from framework.lib.libptp import parser``).

The first step was to configure a nice and clean *setup.py* script. I learned more about [setuptools](https://pypi.python.org/pypi/setuptools) and [how to use it](https://pythonhosted.org/setuptools/setuptools.html). I then [learned how easy it was](http://guide.python-distribute.org/creation.html) to have my tiny library uploaded on [PyPI](https://pypi.python.org/pypi) (and that was quite a shock).

How awesome is that? I went from a homemade script copying ptp's files into OWTF in a stupid way to only adding [a simple extra dependency](https://pypi.python.org/pypi/ptp) in the *owtf.pip* dependencies file!

Right now, I really feel like I have done my best to have the cleanest GSoC project that I was capable of doing (unlike some others but let's stay professional) but I have to wait until the verdict.

# What's next?

Now it might seem like the story has ended. Well no, because I want to do so much more both for OWTF, my lover, and ptp, my baby.

For the next week I will not code on ptp. I want to take a couple of days away from it and recover some out-of-the-box thoughts. Of course, if a bug is reported/found I will fix it, but right now I want to work on something else.
Maybe focus more on OWTF's code base or improve my C skills by contributing to [radare2](https://github.com/radare/radare2) (if I can, but I definitely want to).

Also I have a lot of ideas for ptp, so many things I want to improve, change, add, etc.!

+ First, I want to move from my homemade unit test routines and go for a real framework ([unittest](https://docs.python.org/2/library/unittest.html) maybe?).
+ Second, I want to improve the parsers in order to retrieve/assign more than just the rankings (I focused on that part in order to answer GSoC needs).
+ I also have an idea for a homogenized report that would cover all supported tools.
+ Many other ideas will come along the road!

# Some links

That is long enough, I already feel you are bored. Just a couple of links I want to share:

+ [https://github.com/owtf/ptp](https://github.com/owtf/ptp): ptp's GitHub repository.
+ [http://owtf.github.io/ptp/](http://owtf.github.io/ptp/): ptp's documentation.
+ [https://pypi.python.org/pypi/ptp](https://pypi.python.org/pypi/ptp): ptp's PyPI package.
+ [https://github.com/owtf/owtf](https://github.com/owtf/owtf): OWTF's GitHub repo (check the lions\_2014 branch).

Also, for fun: [https://github.com/owtf/ptp/graphs/code-frequency](https://github.com/owtf/ptp/graphs/code-frequency)