OWASP O2 Platform Blog

Consuming Veracode Findings File(s) using O2

If you are a Veracode customer (or have access to a report created by its static analysis engine), you can use O2 to analyze, filter and extend those findings.

Note that this first post covers only the viewing part. There is a much more advanced O2 integration with Veracode which will be documented later (namely the ability to consume Veracode's DWR APIs directly, download the Findings Traces data, and glue them to the findings in the original XML reports).

The current viewers can be accessed via the Veracode (Custom O2).h2 script, which looks like this:

There are three ways to see the Veracode findings, all of which can be accessed via the Main Gui to view Veracode Findings button (you can also open each viewer individually via the buttons under the Raw Views section).

By default the Main Gui to view Veracode Findings looks like this:

To load files, drop them in the area that says 'DROP XML FILE HERE…' (you can also drop them on each view's treeview or table list).

Once you drop a file, the default view (View in SourceCodeViewer) shows the findings filtered by Category Name, Type, File or Severity.

For example, here is what the by Category Name view looks like:

Other View: TableList

Click the View in TableList link (top left) to see the data in a TableList view (note that this is not the raw Veracode XML data; it is a normalized view of that data created by the Linq queries inside this O2 script).

Other View: TreeView

The other available view is a TreeView visualization of the raw Veracode XML document (this is what you get if you open the XML file in an XML viewer).

Other View: StandAlone TreeView

The TreeView view (shown below when opened as a stand-alone form) has support for loading multiple findings files (just drop a folder and all xml/zip Veracode XML files in it will be loaded):

… drop a folder in the TreeView

and see multiple findings files in the same location:

Using C# Linq To filter the findings

Here are a couple of examples (C# extension methods) of how to use C# Linq based queries to quickly process a Veracode findings file:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Windows.Forms;

// O2 extension methods over the Veracode detailed-findings XML (API_Veracode_DetailedXmlFindings).
// Helpers such as isNull(), toList(), size(), add_TableList() and onDrop() come from O2's own
// extension-method libraries, which O2 scripts (.h2) have available by default.
public static class API_Veracode_DetailedXmlFindings_ExtensionMethods_Linq_Queries
{
    // Flatten the report: severity -> category -> cwe -> staticflaws -> flaw
    public static List<FlawType> flaws(this API_Veracode_DetailedXmlFindings apiVeracode)
    {
        if (apiVeracode.DetailedReport.isNull())
            return new List<FlawType>();

        var flaws = from severity in apiVeracode.DetailedReport.severity
                    from category in severity.category
                    from cwe in category.cwe
                    from flaw in cwe.staticflaws.flaw
                    select flaw;
        return flaws.toList();
    }

    // 'fixed' is a C# keyword, hence the @ prefix
    public static List<FlawType> @fixed(this List<FlawType> flaws)
    {
        return (from flaw in flaws
                where flaw.remediation_status == "Fixed"
                select flaw).toList();
    }

    // Must compare against the same literal as @fixed: with a lower-case "fixed" the test
    // never matches and every flaw, fixed ones included, is reported as not fixed
    public static List<FlawType> notFixed(this List<FlawType> flaws)
    {
        return (from flaw in flaws
                where flaw.remediation_status != "Fixed"
                select flaw).toList();
    }

    // Show a flaw list in an O2 TableList, with drag-and-drop loading of further report files
    public static ascx_TableList show_In_TableList(this List<FlawType> flaws, Control control)
    {
        control.clear();
        var tableList = control.add_TableList();
        Action showData =
            () => {
                    var selectedRows = from flaw in flaws
                                       select new { flaw.severity, flaw.categoryname, flaw.issueid,
                                                    flaw.module, flaw.type, flaw.description, flaw.cweid,
                                                    flaw.exploitLevel, flaw.categoryid,
                                                    flaw.sourcefile, flaw.line, flaw.sourcefilepath,
                                                    flaw.scope, flaw.functionprototype, flaw.functionrelativelocation };
                    tableList.show(selectedRows);
                    tableList.makeColumnWidthMatchCellWidth();
                  };
        // Dropping a findings file (xml or zip) on the table replaces the current flaw list
        tableList.onDrop(
            (file) => {
                          var apiVeracode = new API_Veracode_DetailedXmlFindings().load(file);
                          flaws = apiVeracode.flaws();
                          showData();
                      });
        if (flaws.size() > 0)
            showData();
        else
            tableList.add_Column("note")
                     .add_Row("drop a Veracode DetailedFindings Xml (or zip) file to view it")
                     .makeColumnWidthMatchCellWidth();

        return tableList;
    }
}
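As an added example (not O2's code), the same severity > category > cwe > staticflaws > flaw walk written in plain LINQ to XML with System.Xml.Linq, so it runs without O2's API_Veracode_DetailedXmlFindings class or its isNull()/toList() helpers. The XML is a constructed sample carrying only the attributes used here, not a real Veracode report; the element and attribute names follow the queries above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Added example, not O2 code. SampleReport is constructed data shaped like the
// nesting the O2 queries walk; it is not a real Veracode report.
public static class VeracodeFlawFilter
{
    public const string SampleReport = @"<detailedreport>
  <severity level=""5""><category categoryid=""19"" categoryname=""SQL Injection""><cwe cweid=""89""><staticflaws>
    <flaw issueid=""1"" severity=""5"" remediation_status=""New"" sourcefile=""Login.cs"" line=""42""/>
    <flaw issueid=""2"" severity=""5"" remediation_status=""Fixed"" sourcefile=""Search.cs"" line=""17""/>
  </staticflaws></cwe></category></severity>
  <severity level=""3""><category categoryid=""18"" categoryname=""Cross-Site Scripting (XSS)""><cwe cweid=""80""><staticflaws>
    <flaw issueid=""3"" severity=""3"" remediation_status=""Open"" sourcefile=""Profile.cs"" line=""88""/>
  </staticflaws></cwe></category></severity>
</detailedreport>";

    public record Flaw(int IssueId, int Severity, string Category, int CweId,
                       string RemediationStatus, string SourceFile, int Line);

    // Same flattening as O2's flaws(): the category and cwe attributes are carried down to each flaw
    public static List<Flaw> Flaws(XDocument report) =>
        (from severity in report.Root.Elements("severity")
         from category in severity.Elements("category")
         from cwe in category.Elements("cwe")
         from flaw in cwe.Elements("staticflaws").Elements("flaw")
         select new Flaw((int)flaw.Attribute("issueid"), (int)flaw.Attribute("severity"),
                         (string)category.Attribute("categoryname"), (int)cwe.Attribute("cweid"),
                         (string)flaw.Attribute("remediation_status"),
                         (string)flaw.Attribute("sourcefile"), (int)flaw.Attribute("line"))).ToList();

    // Case-insensitive, so a status written as "fixed" cannot slip into the open list
    public static bool IsFixed(Flaw f) =>
        string.Equals(f.RemediationStatus, "Fixed", StringComparison.OrdinalIgnoreCase);

    public static List<Flaw> NotFixed(IEnumerable<Flaw> flaws) => flaws.Where(f => !IsFixed(f)).ToList();

    public static void Main()
    {
        var open = NotFixed(Flaws(XDocument.Parse(SampleReport)));
        // One line per category, highest severity first, with the file:line of each open flaw
        foreach (var grp in open.GroupBy(f => f.Category).OrderByDescending(x => x.Max(f => f.Severity)))
            Console.WriteLine($"{grp.Key}: {grp.Count()} open, CWE-{grp.First().CweId}, " +
                              string.Join(", ", grp.Select(f => $"{f.SourceFile}:{f.Line}")));
    }
}
```

With the sample data the fixed SQL Injection flaw is dropped, leaving one open flaw in each category.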

July 1, 2011 - Posted by | Interoperability, Veracode

1 Comment »

  1. […] This script automates the process of submitting a file to Veracode's free trial (as of 20/Jul/2011). See also Consuming Veracode Findings File(s) using O2. […]

    Pingback by Submit file to Veracode Trial: using Browser and Windows Automation (WatiN and White APIs) « OWASP O2 Platform Blog | July 21, 2011 | Reply
