OWASP O2 Platform Blog

Fortify FVDL files – Creating .NET classes that map to Fvdl xml structure

I’m still getting my head around how the *.fvdl files are structured, but after looking at the data that they seem to contain (using the fvdl.details() viewer), I’ve created the following classes which (I think) represent the type of data that is contained in the fvdl files (I tried to consolidate the data structures a bit, but I’m sure there is still quite a bit of refactoring and optimization that can be done):

    public class Fortify_Scan
    {
        public FVDL _fvdl;
       
        public string BuildID { get; set; }
        public string LOC { get; set; }
        public string SourceBasePath { get; set; }
        public string CreatedDate { get; set; }
        public string CreatedTime { get; set; }       
        public List<Fortify_Vulnerability> Vulnerabilities { get; set; }
        public List<Fortify_Context> Contexts { get; set; }
        public List<Fortify_Description> Descriptions { get; set; }
        public List<Fortify_Sink> Sinks { get; set; }
        public List<Fortify_Source> Sources { get; set; }
       
        public Fortify_Scan()
        {
            Vulnerabilities = new List<Fortify_Vulnerability>();
            Contexts = new List<Fortify_Context>();
            Descriptions = new List<Fortify_Description>();
            Sinks = new List<Fortify_Sink>();
            Sources = new List<Fortify_Source>();
        }
    }       
           
    public class Fortify_Context
    {
        public string Id { get; set; }
        public Fortify_Function Function { get; set; }
    }
   
    public class Fortify_Function
    {
        public string FunctionName { get; set; }
        public Fortify_CodeLocation CodeLocation { get; set; }       
    }
   
    public class Fortify_CodeLocation
    {
        public string Path { get; set; }
        public string Line { get; set; }
        public string LineEnd { get; set; }
        public string ColStart { get; set; }
        public string ColEnd { get; set; }
    }
   
    public class Fortify_Description
    {
        public string Abstract { get; set; }
        public string ClassID { get; set; }
        public string ContentType { get; set; }
        public string Explanation { get; set; }
        public string Recommendations { get; set; }
        public string Tips { get; set; }       
    }
   
    public class Fortify_Sink
    {
        public string ruleID { get; set; }
        public Fortify_Function Function_Call{ get; set;}               
    }
   
    public class Fortify_Source
    {
        public string ruleID { get; set; }
        public Fortify_Function Function_Call{ get; set;}               
        public Fortify_Function Function_Entry{ get; set;}               
        public List<string> TaintFlags { get; set;}
        public Fortify_Source()
        {
            TaintFlags = new List<string>();
        }
    }       
   
    public class Fortify_Snippet
    {
        public string Id { get; set; }
        public Fortify_CodeLocation CodeLocation { get; set; }       
        public string Text { get; set;}       
    }
    public class Fortify_TraceEntry
    {
        public Fortify_TraceEntryNode Node         { get; set; }
        public string NodeRef                     { get; set; }
    }
    public class Fortify_TraceEntryNode
    {
        public bool IsDefault                             { get; set; }
        public string ActionType                         { get; set; }
        public string ActionValue                         { get; set; }
        public Fortify_CodeLocation SourceLocation         { get; set; }
        public Fortify_CodeLocation SecundaryLocation     { get; set; }
        public Fortify_Snippet Snippet                     { get; set; }
        public string ContextId                            { get; set; }
        public string ReasonRuleId                        { get; set; }
        public string Label                                { get; set; }
        public List<Fortify_TraceEntryFact> Facts        { get; set; }
       
    }
   
    public class Fortify_TraceEntryFact
    {
        public bool Primary {get;set;}
        public string Type {get;set;}
        public string Value {get;set;}
    }
    public class Fortify_Vulnerability
    {
        public string Kingdom { get; set; }                // from ClassInfo
        public string Analyzer { get; set; }
        public string ClassId { get; set; }
        public decimal DefaultSeverity { get; set; }
        public string  Type { get; set; }
        public string  SubType { get; set; }
       
        public decimal Confidence { get; set; }            // from InstanceInfo
        public string InstanceId { get; set; }
        public decimal InstanceSeverity { get; set; }
       
       
        public Fortify_Function Function { get; set; }       
        public Items ReplacementDefinitions { get; set; }
        public List<Fortify_TraceEntry> Traces { get; set; }
    }

(also, the data structures that I’m seeing are directly mapped to the object that was created from the current XSD/C# file, so if you know the inner structure of the *.fvdl files and see missing bits of data that are very useful to have or visualize, please let me know)

To reflect the new Classes (and the fact that the main object is now the Fortify_Scan class), I’ve modified the API_Fortify class (note that there is still quite a bit to go, since the mapping functions are just importing some of the vulnerability data available)

    public class API_Fortify
    {               
        public Fortify_Scan convertToFortifyScan(string fvdlFile)
        {
            var scan = new Fortify_Scan();
            scan._fvdl = loadFvdl_Raw(fvdlFile);
            scan.mapFvdlData();
            return scan;
        }
       
        public FVDL loadFvdl_Raw(string fvdlFile)
        {
            try
            {
                var chachedFvdl = (FVDL)O2LiveObjects.get(fvdlFile);
                if (chachedFvdl.notNull())
                    return chachedFvdl;
            }
            catch { }
            
            var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();       
             var _fvdl = FVDL.Load(fvdlFile);   
             O2LiveObjects.set(fvdlFile,_fvdl);
             o2Timer.stop();
             return _fvdl; 
        }
    }
   
    public static class Fortify_Scan_ExtensionMethods_MappingFvdl
    {
        public static Fortify_Scan mapFvdlData(this Fortify_Scan fortifyScan)
        {
            fortifyScan.mapVulnerabilities();
            return fortifyScan;
        }
       
        public static Fortify_Scan mapVulnerabilities(this Fortify_Scan fortifyScan)
        {                
                foreach(var vulnerability in fortifyScan._fvdl.Vulnerabilities.Vulnerability)
                {
                      var fortifyVulnerability = new Fortify_Vulnerability
                              {
                                Kingdom = vulnerability.ClassInfo.Kingdom,
                                Analyzer = vulnerability.ClassInfo.AnalyzerName,
                                ClassId = vulnerability.ClassInfo.ClassID,
                                DefaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                InstanceId = vulnerability.InstanceInfo.InstanceID,
                                InstanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                Confidence = vulnerability.InstanceInfo.Confidence,                                          
/*                                Function = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.Function.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.Function.name
                                            : "" ,
                                File = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path
                                            : "" ,
                                Line = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line
                                            : 0
*/                                           
                            };
                    fortifyScan.Vulnerabilities.add(fortifyVulnerability);   
                };                               
                return fortifyScan;
        }
    }       

Here is the updated viewer (that now consumes a Fortify_Scan object)

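// Viewer script: a TableList of findings with a PropertyGrid on its left that
// shows the whole Fortify_Scan object.
var topPanel = panel.clear().add_Panel();
//var topPanel = "Util - Simple FVDL viewer".popupWindow(1000,400);

var tableList = topPanel.clear().add_TableList().title("Drop an *.fvdl file here to load it");
var propertyGrid = topPanel.insert_Left().add_PropertyGrid();
var apiFortify = new API_Fortify();

// Puts the findings in the table and the count in its title.
Action<List<Fortify_Vulnerability>> showFvdl =
    (vulnerabilities) =>
        {
            tableList.title("Showing {0} Vulnerabilties".format(vulnerabilities.size()))
                     .show(vulnerabilities);
        };

// Shows a progress title, then loads and maps the file on a separate thread.
Action<string> loadAndShowFile =
    (file) =>
        {
            tableList.title("... loading file: {0}".format(file.fileName()));
            O2Thread.mtaThread(() =>
                {
                    var fortifyScan = apiFortify.convertToFortifyScan(file);
                    showFvdl(fortifyScan.Vulnerabilities);
                    propertyGrid.show(fortifyScan);
                });
        };

// The same handler is registered on the TableList and on its inner ListView control.
tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);

// Demo file that is loaded as soon as the script runs.
var testFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
loadAndShowFile(testFile);
// Synchronous variant, kept for reference:
//var _fortifyScan = apiFortify.convertToFortifyScan(xmlFile);
//propertyGrid.show(_fortifyScan);
//showFvdl(_fortifyScan.Vulnerabilities);

return "done";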

//O2File:C:\O2\O2Scripts_Database\_Scripts\3rdParty_Tools\Fortify\API_Fortify_1_6.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll

Note that I added a PropertyGrid to the left of the GUI which will show the contents of the Fortify_Scan object

July 17, 2011 Posted by | Fortify, Interoperability | 2 Comments

Fortify FVDL files – Creating an API and consuming it

Following from the (Fortify FVDL related) Creating and consuming the schema and CSharp file and Simple TableList Viewer Tool posts, this one shows the next evolutionary step, which is the creation of an API that can be easily consumed by *.h2 scripts.

The script shown here will have the same functionality as the one shown in Simple TableList Viewer Tool, but its structure will be completely different.

 The data will be stored in a dedicated class (previously we used an anonymous class)

/// <summary>
/// Flat record for one finding. Member order is kept as declared, since a viewer
/// that lists properties by reflection may use it for its column order.
/// </summary>
public class Fortify_Vulnerability
{
    // Classification of the finding.
    public string Kingdom { get; set; }
    public string Analyzer { get; set; }
    public string ClassId { get; set; }
    public decimal DefaultSeverity { get; set; }

    // Values specific to this instance of the finding.
    public string InstanceId { get; set; }
    public decimal InstanceSeverity { get; set; }
    public decimal Confidence { get; set; }

    // Where the finding was reported: function name, file path and line number.
    public string Function { get; set; }
    public string File { get; set; }
    public int Line { get; set; }
}

And the main functions of loading and parsing are now exposed in an API file called API_Fortify_1_6.cs (which provides the class API_Fortify):

    public class API_Fortify
    {
        public FVDL loadFvdl(string fvdlFile)
        {
            try
            {
                var chachedFvdl = (FVDL)O2LiveObjects.get(fvdlFile);
                if (chachedFvdl.notNull())
                    return chachedFvdl;
            }
            catch { }
            
            var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();       
             var _fvdl = FVDL.Load(fvdlFile);   
             O2LiveObjects.set(fvdlFile,_fvdl);
             o2Timer.stop();
             return _fvdl; 
        }
       
       
        public List<Fortify_Vulnerability> getVulnerabilities(FVDL fvdl)
        {
                
                 var fortifyVulnerabities = new List<Fortify_Vulnerability>();               
                foreach(var vulnerability in fvdl.Vulnerabilities.Vulnerability)
                {
                      var fortifyVulnerability = new Fortify_Vulnerability
                              {
                                Kingdom = vulnerability.ClassInfo.Kingdom,
                                Analyzer = vulnerability.ClassInfo.AnalyzerName,
                                ClassId = vulnerability.ClassInfo.ClassID,
                                DefaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                InstanceId = vulnerability.InstanceInfo.InstanceID,
                                InstanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                Confidence = vulnerability.InstanceInfo.Confidence,                                          
                                Function = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.Function.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.Function.name
                                            : "" ,
                                File = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path
                                            : "" ,
                                Line = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line
                                            : 0
                            };
                    fortifyVulnerabities.add(fortifyVulnerability);   
                };
                return fortifyVulnerabities;
        }
    }       

The GUI script is now much smaller and is mainly focused on creating the GUI and consuming the API_Fortify class:

// GUI-only script: all loading and parsing is delegated to API_Fortify.
//var topPanel = panel.clear().add_Panel();
var topPanel = "Util - Simple FVDL viewer".popupWindow(1000,400);
var tableList = topPanel.clear().add_TableList().title("Drop an *.fvdl file here to load it");

var apiFortify = new API_Fortify();

// Puts the findings in the table and the count in its title.
Action<List<Fortify_Vulnerability>> showFvdl =
    found => tableList.title("Showing {0} Vulnerabilties".format(found.size()))
                      .show(found);

// Shows a progress title, then loads and displays the file on a separate thread.
Action<string> loadAndShowFile =
    droppedFile =>
    {
        tableList.title("... loading file: {0}".format(droppedFile.fileName()));
        O2Thread.mtaThread(() =>
        {
            showFvdl(apiFortify.getVulnerabilities(apiFortify.loadFvdl(droppedFile)));
        });
    };

// The same handler is registered on the TableList and on its inner ListView control.
tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);

// Synchronous load of the demo file, kept for reference:
//var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
//var _fvdl = apiFortify.loadFvdl(xmlFile);
//showFvdl(apiFortify.getVulnerabilities(_fvdl));

return "done";

//O2File:C:\O2\O2Scripts_Database\_Scripts\3rdParty_Tools\Fortify\API_Fortify_1_6.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll

The end result is the same as with the script shown in the  Simple TableList Viewer Tool post:

July 17, 2011 Posted by | Fortify, Interoperability | 1 Comment

Fortify FVDL files – Simple TableList Viewer Tool

Following on from the Fortify FVDL files – Creating and consuming the schema and CSharp file  post , let’s now build a simple generic tool to view fvdl files (which should load as long as they are compliant with the XSD we created).

Note: These scripts are going to use the demo files referenced in the previous post, which you can download from http://s3.amazonaws.com/Demo_Files/Fortify-Sate-2008.zip . This zip should have been unzipped to the ‘C:\O2\_tempDir\_Fortify-Sate-2008\’ folder (as per the previous scripts) and the C# that I’m going to use is the one that you will find at ‘C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\Fortify.fvdl.1.6.cs’ (this is the same one as created by the previous example, except that it is located in a different folder and has a different name)

The first step is to load up a file and view it in a ListView (this is the last example of the previous script)

// Load one demo file and list its findings in a TableList.
var topPanel = panel.clear().add_Panel();
var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = FVDL.Load(xmlFile);
var vulnerabilities = fvdl.Vulnerabilities.Vulnerability;

// One anonymous object per finding; member order is kept as in the original query.
// No null checks are done at this stage: a finding without AnalysisInfo.Unified
// data makes the projection throw.
var results = vulnerabilities.Select(item => new
                  {
                      kingdom = item.ClassInfo.Kingdom,
                      analyzer = item.ClassInfo.AnalyzerName,
                      classId = item.ClassInfo.ClassID,
                      defaultSeverity = item.ClassInfo.DefaultSeverity,
                      instanceId = item.InstanceInfo.InstanceID,
                      instanceSeverity = item.InstanceInfo.InstanceSeverity,
                      confidence = item.InstanceInfo.Confidence,
                      function = item.AnalysisInfo.Unified.Context.Function.name,
                      file = item.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path,
                      line = item.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line,
                      col = item.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.colStart
                  }).toList();

var tableTitle = "Showing {0} Vulnerabilties".format(results.size());
topPanel.add_TableList(tableTitle)
        .show(results);
return "done";

//using xmlns.www.fortifysoftware.com.schema.fvdl
//O2File:C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\Fortify.fvdl.1.6.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll

 

The first thing to do is to move the loading of the fvdl into a separate Lambda method:

// Loads an *.fvdl file and times the load with an O2Timer.
Func<string, FVDL> loadFvdl =
    path =>
    {
        var timerLabel = "loading {0} file".format(path.fileName());
        var loadTimer = new O2Timer(timerLabel).start();
        var loaded = FVDL.Load(path);
        loadTimer.stop();
        return loaded;
    };

var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = loadFvdl(xmlFile);

Then also  move the code that shows the results into its own Lambda function

// Projects every finding of the document into a row and shows the rows in tableList.
// No null checks are done at this stage: a finding without AnalysisInfo.Unified
// data makes the projection throw.
Action<FVDL> showFvdl =
    document =>
    {
        var rows = document.Vulnerabilities.Vulnerability.Select(item => new
                       {
                           kingdom = item.ClassInfo.Kingdom,
                           analyzer = item.ClassInfo.AnalyzerName,
                           classId = item.ClassInfo.ClassID,
                           defaultSeverity = item.ClassInfo.DefaultSeverity,
                           instanceId = item.InstanceInfo.InstanceID,
                           instanceSeverity = item.InstanceInfo.InstanceSeverity,
                           confidence = item.InstanceInfo.Confidence,
                           function = item.AnalysisInfo.Unified.Context.Function.name,
                           file = item.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path,
                           line = item.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line,
                           col = item.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.colStart
                       }).toList();

        var tableTitle = "Showing {0} Vulnerabilties".format(rows.size());
        tableList.title(tableTitle)
                 .show(rows);
    };

Next add Drag & Drop support so that you can just drop an *.fvdl file to see it:

// Drop handler: loads the dropped file and shows it, on the calling thread.
Action<string> loadAndShowFile =
    droppedFile => showFvdl(loadFvdl(droppedFile));

// The same handler is registered on the TableList and on its inner ListView control.
tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);

…and show a message to the user (while loading the data in a separate thread)

// Drop handler: updates the title first, then loads and shows the file on a
// separate thread started through O2Thread.mtaThread.
Action<string> loadAndShowFile =
    droppedFile =>
    {
        var progressTitle = "... loading file: {0}".format(droppedFile.fileName());
        tableList.title(progressTitle);
        O2Thread.mtaThread(() =>
        {
            showFvdl(loadFvdl(droppedFile));
        });
    };

// The same handler is registered on the TableList and on its inner ListView control.
tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);

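Change the loadFvdl method to add support for caching the loaded objects (helps when dealing with large files that are loaded more than one time during the same session). Note that the cache is keyed on the file path only, so a file that is modified on disk during the session is served from the cache rather than re-read.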

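// Loads an *.fvdl file, reusing the object stored in O2LiveObjects under the same
// path when there is one.
Func<string, FVDL> loadFvdl =
    (fvdlFile) =>
    {
        // Best-effort cache lookup. Only a non-null entry counts as a hit: returning
        // the lookup result unconditionally would hand null to the caller whenever
        // the lookup completes without throwing but finds nothing, and the file
        // would never be loaded.
        try
        {
            var cachedFvdl = (FVDL)O2LiveObjects.get(fvdlFile);
            if (cachedFvdl.notNull())
                return cachedFvdl;
        }
        catch { }

        var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();
        try
        {
            var _fvdl = FVDL.Load(fvdlFile);
            O2LiveObjects.set(fvdlFile, _fvdl);
            return _fvdl;
        }
        finally
        {
            // Stop the timer even when the load throws.
            o2Timer.stop();
        }
    };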

Change the showFvdl method to detect some cases where there is no data for: function, file or line

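// Projects every finding of the document into a row and shows the rows in tableList.
// function, file and line fall back to "", "" and 0 when the corresponding part of
// AnalysisInfo.Unified.Context is missing.
Action<FVDL> showFvdl =
    (_fvdl) =>
    {
        var vulnerabilities = _fvdl.Vulnerabilities.Vulnerability;

        // The let clauses walk AnalysisInfo -> Unified -> Context one step at a time,
        // so a missing level gives the defaults instead of a NullReferenceException.
        var results = (from vulnerability in vulnerabilities
                       let analysisInfo = vulnerability.AnalysisInfo
                       let unified = analysisInfo.notNull() ? analysisInfo.Unified : null
                       let context = unified.notNull() ? unified.Context : null
                       let contextFunction = context.notNull() ? context.Function : null
                       let declaration = context.notNull() ? context.FunctionDeclarationSourceLocation : null
                       select new
                       {
                           kingdom = vulnerability.ClassInfo.Kingdom,
                           analyzer = vulnerability.ClassInfo.AnalyzerName,
                           classId = vulnerability.ClassInfo.ClassID,
                           defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                           instanceId = vulnerability.InstanceInfo.InstanceID,
                           instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                           confidence = vulnerability.InstanceInfo.Confidence,
                           function = contextFunction.notNull() ? contextFunction.name : "",
                           file = declaration.notNull() ? declaration.path : "",
                           line = declaration.notNull() ? declaration.line : 0
                       }).toList();

        tableList.title("Showing {0} Vulnerabilties".format(results.size()))
                 .show(results);
    };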

Make this a generic tool and add a title to the TableList that indicates to the user that he/she needs to drop an *.fvdl file to load it:

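// Stand-alone mode: open a popup window instead of reusing the host panel.
//var topPanel = panel.clear().add_Panel();
var topPanel = "Util - Simple FVDL viewer".popupWindow(1000,400);

// The initial title tells the user what to do.
var tableList = topPanel.clear().add_TableList().title("Drop an *.fvdl file here to load it");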

Finally, save it as an *.h2 file so that it can be invoked as a stand alone tool:

To execute this script, just double click on it, and the following GUI should appear:

Now drag and drop a *.fvdl file to load it and see details about its vulnerabilities:

 naim.fvdl

lighttpd.fvdl

nagios.fvdl

mvnforum.fvdl

For reference here is the complete script (available as the Util – Simple FVDL viewer.h2 script):

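// Stand-alone FVDL viewer: drop an *.fvdl file on the table to list its findings.
//var topPanel = panel.clear().add_Panel();
var topPanel = "Util - Simple FVDL viewer".popupWindow(1000,400);

var tableList = topPanel.clear().add_TableList().title("Drop an *.fvdl file here to load it");

// Loads an *.fvdl file, reusing the object stored in O2LiveObjects under the same
// path when there is one.
Func<string, FVDL> loadFvdl =
    (fvdlFile) =>
    {
        // Best-effort cache lookup: any failure here deliberately falls through to a
        // reload. The key is the path string only, so a file that changed on disk is
        // still served from the cache for the rest of the session.
        try
        {
            var cachedFvdl = (FVDL)O2LiveObjects.get(fvdlFile);
            if (cachedFvdl.notNull())
                return cachedFvdl;
        }
        catch { }

        var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();
        try
        {
            // NOTE(review): FVDL.Load is generated code that is not shown here and the
            // path comes from a drag-and-drop; confirm its XML reader does not resolve
            // DTDs or external entities before opening third-party scan files.
            var _fvdl = FVDL.Load(fvdlFile);
            O2LiveObjects.set(fvdlFile, _fvdl);
            return _fvdl;
        }
        finally
        {
            // Stop the timer even when the load throws.
            o2Timer.stop();
        }
    };

// Projects every finding of the document into a row and shows the rows in tableList.
// function, file and line fall back to "", "" and 0 when the corresponding part of
// AnalysisInfo.Unified.Context is missing.
Action<FVDL> showFvdl =
    (_fvdl) =>
    {
        var vulnerabilities = _fvdl.Vulnerabilities.Vulnerability;

        // The let clauses walk AnalysisInfo -> Unified -> Context one step at a time,
        // so a missing level gives the defaults instead of a NullReferenceException.
        var results = (from vulnerability in vulnerabilities
                       let analysisInfo = vulnerability.AnalysisInfo
                       let unified = analysisInfo.notNull() ? analysisInfo.Unified : null
                       let context = unified.notNull() ? unified.Context : null
                       let contextFunction = context.notNull() ? context.Function : null
                       let declaration = context.notNull() ? context.FunctionDeclarationSourceLocation : null
                       select new
                       {
                           kingdom = vulnerability.ClassInfo.Kingdom,
                           analyzer = vulnerability.ClassInfo.AnalyzerName,
                           classId = vulnerability.ClassInfo.ClassID,
                           defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                           instanceId = vulnerability.InstanceInfo.InstanceID,
                           instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                           confidence = vulnerability.InstanceInfo.Confidence,
                           function = contextFunction.notNull() ? contextFunction.name : "",
                           file = declaration.notNull() ? declaration.path : "",
                           line = declaration.notNull() ? declaration.line : 0
                       }).toList();

        tableList.title("Showing {0} Vulnerabilties".format(results.size()))
                 .show(results);
    };

// Drop handler: updates the title first, then loads and shows the file on a
// separate thread started through O2Thread.mtaThread.
Action<string> loadAndShowFile =
    (file) =>
    {
        tableList.title("... loading file: {0}".format(file.fileName()));
        O2Thread.mtaThread(() =>
        {
            var fvdl = loadFvdl(file);
            showFvdl(fvdl);
        });
    };

// The same handler is registered on the TableList and on its inner ListView control.
tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);


return "done";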

//using xmlns.www.fortifysoftware.com.schema.fvdl
//O2File:C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\Fortify.fvdl.1.6.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll

July 17, 2011 Posted by | Fortify, Interoperability | 2 Comments