Exporting Checkmarx SAST Database into XML files
Once I added VistaDB support to O2, I was able to export the CWE content from CheckMarx database into TeamMentor (see videos at PoC of integrating TeamMentor with Checkmarx),
This post covers the part where we export the entire Checkmark database into flat XML files (for the script that consumed the CWE.xml see Case Study – Creating a CWE Library from CheckMarx data )
Viewing table data: Configurations
var vistaDB = new API_VistaDB();
vistaDB.ConnectionString = @"data source='C:\Program Files\Checkmarx\Checkmarx Application Server\CxDB.vdb3'";
var dataTable = vistaDB.table("Configurations").dataTable();
panel.clear().add_DataGridView().dataSource(dataTable);
//O2File:API_VistaDB.cs
Viewing table data: CWE
var vistaDB = new API_VistaDB();
var dataTable = vistaDB.table("CWE").dataTable();
panel.clear().add_DataGridView().dataSource(dataTable);
//O2File:API_VistaDB.cs
Get table as XML
var vistaDB = new API_VistaDB();
var xml = vistaDB.table("Configurations").xml();
return xml;
//O2File:API_VistaDB.cs
//O2Tag_DontAddExtraO2Files.
View table in DataGridView
var vistaDB = new API_VistaDB();
var dataTable = vistaDB.table("Configurations").dataTable();
panel.clear().add_DataGridView().dataSource(dataTable);
//O2File:API_VistaDB.cs
//O2Tag_DontAddExtraO2Files
Saving one table as XML file
var vistaDB = new API_VistaDB(); var checkMark_XmlDumps = "_CheckMark_XmlDumps".tempDir(false); var tables = vistaDB.tables(); var table = tables[0]; var targetFile = checkMark_XmlDumps.pathCombine(table.Name + ".xml"); return table.xml().saveAs(targetFile); //O2File:API_VistaDB.cs //O2Tag_DontAddExtraO2Files
Saving all tables
var vistaDB = new API_VistaDB();
var checkMark_XmlDumps = "_CheckMark_XmlDumps".tempDir(false);
foreach(var table in vistaDB.tables())
{
"saving table: {0}".info(table);
var targetFile = checkMark_XmlDumps.pathCombine(table.Name + ".xml");
table.xml().saveAs(targetFile);
}
return "done";
//O2File:API_VistaDB.cs
//O2Tag_DontAddExtraO2Files
Consuming Saved CWE.xml
var checkMark_XmlDumps = "_CheckMark_XmlDumps".tempDir(false);
var cwe = checkMark_XmlDumps.pathCombine("CWE.xml").xRoot();
return cwe.elements().size();
Consuming saved CWE.Xml via cache: (faster)
var checkMark_XmlDumps = "_CheckMark_XmlDumps".tempDir(false);var cwe = "cweData".o2Cache<XElement>(()=> checkMark_XmlDumps.pathCombine("CWE.xml").xRoot());
return cwe.elements().size();
Tool to visualize the CWE data as HTML pages
var vistaDB = new API_VistaDB();
var checkMark_XmlDumps = "_CheckMark_XmlDumps".tempDir(false);
var xRoot = "cweData".o2Cache<XElement>(()=> checkMark_XmlDumps.pathCombine("CWE.xml").xRoot());
var topPanel = panel.clear().add_Panel();
var webBrowser = topPanel.add_WebBrowser_Control();
var treeView= webBrowser.insert_Left(200).add_TreeView();
var codeViewer = webBrowser.insert_Below().add_SourceCodeViewer();
treeView.afterSelect<string>(
(text) =>
{
webBrowser.open(text.saveWithExtension(".html") );
codeViewer.set_Text(text.htmlDecode().tidyHtml() , ".html");
});
foreach(var cweEntry in xRoot.elements().remove(0))
{
var entryData = cweEntry.elements();
treeView.add_Node(entryData[0].value(),entryData[1].value());
}
treeView.selectFirst();
//O2File:API_VistaDB.cs
//O2File:HtmlAgilityPack_ExtensionMethods.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll
No comments yet.
Leave a Reply
About
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.
O2 can also be a very powerful prototyping and fast-development tool for .NET. Most O2 APIs are written using a Fluent API design, and its core has been published as a separate project called FluentSharp (hosted at CodePlex)
Download
Windows ClickOnce Installer:
Mailing List
The best place to keep updated with the lastest news and developers it to subscribe to the OWASP O2 Platform Mailing list (you can read its archives here)
