OWASP O2 Platform Blog

Fortify FVDL files – Creating an API and consuming it

Following on from the (Fortify FVDL related) Creating and consuming the schema and CSharp file and Simple TableList Viewer Tool posts, this one shows the next evolutionary step: the creation of an API that can be easily consumed by *.h2 scripts.

The script shown here has the same functionality as the one shown in Simple TableList Viewer Tool, but its structure is completely different.

The data is now stored in a dedicated class (previously we used an anonymous class):

public class Fortify_Vulnerability
{
    public string Kingdom { get; set; }
    public string Analyzer { get; set; }
    public string ClassId { get; set; }
    public decimal DefaultSeverity { get; set; }
    public string InstanceId { get; set; }
    public decimal InstanceSeverity { get; set; }
    public decimal Confidence { get; set; }
    public string Function { get; set; }
    public string File { get; set; }
    public int Line { get; set; }
}

And the main functions of loading and parsing are now exposed in an API file called API_Fortify_1_6.cs (which provides the class API_Fortify):

public class API_Fortify
{
    // Loads an *.fvdl file, caching the deserialized FVDL object in O2LiveObjects
    // (keyed by file path) so that repeated loads of the same file are free.
    public FVDL loadFvdl(string fvdlFile)
    {
        try
        {
            var cachedFvdl = (FVDL)O2LiveObjects.get(fvdlFile);
            if (cachedFvdl.notNull())
                return cachedFvdl;
        }
        catch { }   // cache miss or a cached object of another type: fall through and load

        var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();
        var _fvdl = FVDL.Load(fvdlFile);
        O2LiveObjects.set(fvdlFile, _fvdl);
        o2Timer.stop();
        return _fvdl;
    }

    // Flattens every <Vulnerability> element into a Fortify_Vulnerability record.
    // Function, File and Line default to "" / 0 when the finding carries no
    // Unified/Context information (not every analyzer provides it).
    public List<Fortify_Vulnerability> getVulnerabilities(FVDL fvdl)
    {
        var fortifyVulnerabilities = new List<Fortify_Vulnerability>();
        foreach (var vulnerability in fvdl.Vulnerabilities.Vulnerability)
        {
            var unified = vulnerability.AnalysisInfo.Unified;
            var context = unified.notNull() ? unified.Context : null;
            var function = context.notNull() ? context.Function : null;
            var location = context.notNull() ? context.FunctionDeclarationSourceLocation : null;

            var fortifyVulnerability = new Fortify_Vulnerability
            {
                Kingdom = vulnerability.ClassInfo.Kingdom,
                Analyzer = vulnerability.ClassInfo.AnalyzerName,
                ClassId = vulnerability.ClassInfo.ClassID,
                DefaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                InstanceId = vulnerability.InstanceInfo.InstanceID,
                InstanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                Confidence = vulnerability.InstanceInfo.Confidence,
                Function = function.notNull() ? function.name : "",
                File = location.notNull() ? location.path : "",
                Line = location.notNull() ? location.line : 0
            };
            fortifyVulnerabilities.add(fortifyVulnerability);
        }
        return fortifyVulnerabilities;
    }
}
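To show the same flattening outside the O2 environment, here is an added example (not code from the post or from the O2 Platform): a small Python reader that mirrors the fields of Fortify_Vulnerability and applies the same guard for findings without Unified/Context. The SAMPLE_FVDL document is constructed for this example; its element and attribute names follow the paths used by API_Fortify above, with the FVDL namespace omitted.

```python
# Added example, not from the O2 Platform post: a minimal FVDL reader that
# mirrors the post's Fortify_Vulnerability fields. Findings with no
# Unified/Context get Function "", File "" and Line 0, as in the C# API.
# SAMPLE_FVDL is a constructed document (namespace omitted for brevity).
import xml.etree.ElementTree as ET
from collections import namedtuple

SAMPLE_FVDL = """<FVDL version="1.6"><Vulnerabilities>
<Vulnerability><ClassInfo><ClassID>CLASS-0001</ClassID><Kingdom>Input Validation and Representation</Kingdom>
 <AnalyzerName>dataflow</AnalyzerName><DefaultSeverity>4.0</DefaultSeverity></ClassInfo>
 <InstanceInfo><InstanceID>INST-0001</InstanceID><InstanceSeverity>4.0</InstanceSeverity><Confidence>5.0</Confidence></InstanceInfo>
 <AnalysisInfo><Unified><Context><Function name="login"/>
 <FunctionDeclarationSourceLocation path="src/auth.c" line="42"/></Context></Unified></AnalysisInfo></Vulnerability>
<Vulnerability><ClassInfo><ClassID>CLASS-0002</ClassID><Kingdom>Security Features</Kingdom>
 <AnalyzerName>structural</AnalyzerName><DefaultSeverity>2.0</DefaultSeverity></ClassInfo>
 <InstanceInfo><InstanceID>INST-0002</InstanceID><InstanceSeverity>2.5</InstanceSeverity><Confidence>3.0</Confidence></InstanceInfo>
 <AnalysisInfo/></Vulnerability>
</Vulnerabilities></FVDL>"""

FortifyVulnerability = namedtuple("FortifyVulnerability",
    "kingdom analyzer class_id default_severity instance_id "
    "instance_severity confidence function file line")

def _text(node, path):
    child = node.find(path)
    return child.text if child is not None and child.text else ""

def get_vulnerabilities(fvdl_xml):
    """Flatten every <Vulnerability> into one FortifyVulnerability record."""
    root = ET.fromstring(fvdl_xml)  # for .fvdl files you did not produce, prefer defusedxml
    records = []
    for v in root.iterfind("Vulnerabilities/Vulnerability"):
        # Same guard as the C# ternaries: a finding may carry no Unified/Context.
        ctx = v.find("AnalysisInfo/Unified/Context")
        func = ctx.find("Function") if ctx is not None else None
        loc = ctx.find("FunctionDeclarationSourceLocation") if ctx is not None else None
        records.append(FortifyVulnerability(
            kingdom=_text(v, "ClassInfo/Kingdom"),
            analyzer=_text(v, "ClassInfo/AnalyzerName"),
            class_id=_text(v, "ClassInfo/ClassID"),
            default_severity=float(_text(v, "ClassInfo/DefaultSeverity") or 0),
            instance_id=_text(v, "InstanceInfo/InstanceID"),
            instance_severity=float(_text(v, "InstanceInfo/InstanceSeverity") or 0),
            confidence=float(_text(v, "InstanceInfo/Confidence") or 0),
            function=func.get("name", "") if func is not None else "",
            file=loc.get("path", "") if loc is not None else "",
            line=int(loc.get("line", "0")) if loc is not None else 0,
        ))
    return records
```

Feeding the records to any table widget (or sorting them by instance_severity) gives the same view the TableList shows in the O2 script.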

The GUI script is now much smaller and is mainly focused on creating the GUI and consuming the API_Fortify class:

//var topPanel = panel.clear().add_Panel();
var topPanel = "Util - Simple FVDL viewer".popupWindow(1000, 400);
var tableList = topPanel.clear().add_TableList().title("Drop an *.fvdl file here to load it");

var apiFortify = new API_Fortify();

// Renders the flattened vulnerability list in the TableList
Action<List<Fortify_Vulnerability>> showFvdl =
    (vulnerabilities) =>
        {
            tableList.title("Showing {0} Vulnerabilities".format(vulnerabilities.size()))
                     .show(vulnerabilities);
        };

// Loads and parses the dropped file on a background thread so the GUI stays responsive
Action<string> loadAndShowFile =
    (file) =>
        {
            tableList.title("... loading file: {0}".format(file.fileName()));
            O2Thread.mtaThread(() =>
                {
                    var fvdl = apiFortify.loadFvdl(file);
                    showFvdl(apiFortify.getVulnerabilities(fvdl));
                });
        };

tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);

//var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
//var _fvdl = apiFortify.loadFvdl(xmlFile);
//showFvdl(apiFortify.getVulnerabilities(_fvdl));

return "done";

//O2File:C:\O2\O2Scripts_Database\_Scripts\3rdParty_Tools\Fortify\API_Fortify_1_6.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll

The end result is the same as with the script shown in the Simple TableList Viewer Tool post:

July 17, 2011 - Posted by | Fortify, Interoperability

1 Comment »

  1. […] the previous Fortify FVDL posts (here,  here, here and here), here is a first working tool that is able to load up *.fvdl files, parse its […]

    Pingback by Fortify FVDL Files – First working Parser and Viewer for *.fvdl files « OWASP O2 Platform Blog | July 18, 2011 | Reply

