
Fortify FVDL files – Creating .NET classes that map to Fvdl xml structure

I’m still getting my head around how the *.fvdl files are structured, but after looking at the data that they seem to contain (using the fvdl.details() viewer), I’ve created the following classes which (I think) represent the type of data that is contained in the fvdl files (I tried to consolidate the data structures a bit, but I’m sure there is still quite a bit of refactoring and optimization that can be done):

    public class Fortify_Scan
    {
        public FVDL _fvdl;
       
        public string BuildID { get; set; }
        public string LOC { get; set; }
        public string SourceBasePath { get; set; }
        public string CreatedDate { get; set; }
        public string CreatedTime { get; set; }       
        public List<Fortify_Vulnerability> Vulnerabilities { get; set; }
        public List<Fortify_Context> Contexts { get; set; }
        public List<Fortify_Description> Descriptions { get; set; }
        public List<Fortify_Sink> Sinks { get; set; }
        public List<Fortify_Source> Sources { get; set; }
       
        public Fortify_Scan()
        {
            Vulnerabilities = new List<Fortify_Vulnerability>();
            Contexts = new List<Fortify_Context>();
            Descriptions = new List<Fortify_Description>();
            Sinks = new List<Fortify_Sink>();
            Sources = new List<Fortify_Source>();
        }
    }       
           
    public class Fortify_Context
    {
        public string Id { get; set; }
        public Fortify_Function Function { get; set; }
    }
   
    public class Fortify_Function
    {
        public string FunctionName { get; set; }
        public Fortify_CodeLocation CodeLocation { get; set; }       
    }
   
    public class Fortify_CodeLocation
    {
        public string Path { get; set; }
        public string Line { get; set; }
        public string LineEnd { get; set; }
        public string ColStart { get; set; }
        public string ColEnd { get; set; }
    }
   
    public class Fortify_Description
    {
        public string Abstract { get; set; }
        public string ClassID { get; set; }
        public string ContentType { get; set; }
        public string Explanation { get; set; }
        public string Recommendations { get; set; }
        public string Tips { get; set; }       
    }
   
    public class Fortify_Sink
    {
        public string ruleID { get; set; }
        public Fortify_Function Function_Call{ get; set;}               
    }
   
    public class Fortify_Source
    {
        public string ruleID { get; set; }
        public Fortify_Function Function_Call{ get; set;}               
        public Fortify_Function Function_Entry{ get; set;}               
        public List<string> TaintFlags { get; set;}
        public Fortify_Source()
        {
            TaintFlags = new List<string>();
        }
    }       
   
    public class Fortify_Snippet
    {
        public string Id { get; set; }
        public Fortify_CodeLocation CodeLocation { get; set; }       
        public string Text { get; set;}       
    }
    public class Fortify_TraceEntry
    {
        public Fortify_TraceEntryNode Node         { get; set; }
        public string NodeRef                     { get; set; }
    }
    public class Fortify_TraceEntryNode
    {
        public bool IsDefault                             { get; set; }
        public string ActionType                         { get; set; }
        public string ActionValue                         { get; set; }
        public Fortify_CodeLocation SourceLocation         { get; set; }
        public Fortify_CodeLocation SecundaryLocation     { get; set; }
        public Fortify_Snippet Snippet                     { get; set; }
        public string ContextId                            { get; set; }
        public string ReasonRuleId                        { get; set; }
        public string Label                                { get; set; }
        public List<Fortify_TraceEntryFact> Facts        { get; set; }
       
    }
   
    public class Fortify_TraceEntryFact
    {
        public bool Primary {get;set;}
        public string Type {get;set;}
        public string Value {get;set;}
    }
    public class Fortify_Vulnerability
    {
        public string Kingdom { get; set; }                // from ClassInfo
        public string Analyzer { get; set; }
        public string ClassId { get; set; }
        public decimal DefaultSeverity { get; set; }
        public string  Type { get; set; }
        public string  SubType { get; set; }
       
        public decimal Confidence { get; set; }            // from InstanceInfo
        public string InstanceId { get; set; }
        public decimal InstanceSeverity { get; set; }
       
       
        public Fortify_Function Function { get; set; }       
        public Items ReplacementDefinitions { get; set; }
        public List<Fortify_TraceEntry> Traces { get; set; }
    }

(also, the data structures that I’m seeing are directly mapped to the object that was created from the current XSD/C# file, so if you know the inner structure of the *.fvdl files and see missing bits of data that are very useful to have or visualize, please let me know)

To reflect the new Classes (and the fact that the main object is now the Fortify_Scan class), I’ve modified the API_Fortify class (note that there is still quite a bit to go, since the mapping functions are just importing some of the vulnerability data available)

    public class API_Fortify
    {               
        public Fortify_Scan convertToFortifyScan(string fvdlFile)
        {
            var scan = new Fortify_Scan();
            scan._fvdl = loadFvdl_Raw(fvdlFile);
            scan.mapFvdlData();
            return scan;
        }
       
        public FVDL loadFvdl_Raw(string fvdlFile)
        {
            try
            {
                var chachedFvdl = (FVDL)O2LiveObjects.get(fvdlFile);
                if (chachedFvdl.notNull())
                    return chachedFvdl;
            }
            catch { }
            
            var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();       
             var _fvdl = FVDL.Load(fvdlFile);   
             O2LiveObjects.set(fvdlFile,_fvdl);
             o2Timer.stop();
             return _fvdl; 
        }
    }
   
    public static class Fortify_Scan_ExtensionMethods_MappingFvdl
    {
        public static Fortify_Scan mapFvdlData(this Fortify_Scan fortifyScan)
        {
            fortifyScan.mapVulnerabilities();
            return fortifyScan;
        }
       
        public static Fortify_Scan mapVulnerabilities(this Fortify_Scan fortifyScan)
        {                
                foreach(var vulnerability in fortifyScan._fvdl.Vulnerabilities.Vulnerability)
                {
                      var fortifyVulnerability = new Fortify_Vulnerability
                              {
                                Kingdom = vulnerability.ClassInfo.Kingdom,
                                Analyzer = vulnerability.ClassInfo.AnalyzerName,
                                ClassId = vulnerability.ClassInfo.ClassID,
                                DefaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                InstanceId = vulnerability.InstanceInfo.InstanceID,
                                InstanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                Confidence = vulnerability.InstanceInfo.Confidence,                                          
/*                                Function = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.Function.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.Function.name
                                            : "" ,
                                File = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path
                                            : "" ,
                                Line = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line
                                            : 0
*/                                           
                            };
                    fortifyScan.Vulnerabilities.add(fortifyVulnerability);   
                };                               
                return fortifyScan;
        }
    }       

Here is the updated viewer (that now consumes a Fortify_Scan object)

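// Simple FVDL viewer: a TableList that accepts a dropped *.fvdl file and a PropertyGrid
// (on the left) that shows the resulting Fortify_Scan object.
var topPanel = panel.clear().add_Panel();
// Alternative host when not running inside an existing panel:
//   var topPanel = "Util - Simple FVDL viewer".popupWindow(1000,400);

var tableList = topPanel.clear().add_TableList().title("Drop an *.fvdl file here to load it");
var propertyGrid = topPanel.insert_Left().add_PropertyGrid();
var apiFortify = new API_Fortify();

// Binds the mapped vulnerability list to the table and reports the count in the title.
Action<List<Fortify_Vulnerability>> showFvdl =
    (vulnerabilities) =>
        {
            tableList.title("Showing {0} Vulnerabilties".format(vulnerabilities.size()))
                     .show(vulnerabilities);
        };

// Loads and maps a file on a background MTA thread so the UI stays responsive.
// NOTE: any dropped path ends up in FVDL.Load, which parses it as XML. How that parser
// treats DTDs / external entities is decided by the generated FVDL class, not here —
// check it before loading scans you did not produce yourself. Whether an exception
// thrown inside the lambda is surfaced is up to O2Thread.mtaThread (not verified here).
Action<string> loadAndShowFile =
    (file)=>{
                if (!System.IO.File.Exists(file))
                {
                    // Report in the UI instead of letting the background thread throw with
                    // the title stuck on "... loading file".
                    tableList.title("file not found: {0}".format(file));
                    return;
                }
                tableList.title("... loading file: {0}".format(file.fileName()));
                O2Thread.mtaThread(()=>{
                                            var fortifyScan = apiFortify.convertToFortifyScan(file);
                                            showFvdl(fortifyScan.Vulnerabilities);
                                            propertyGrid.show(fortifyScan);
                                        });
            };

tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);

// Sample file from the SATE 2008 data set. Only auto-loaded when it exists on this machine,
// so the drop prompt stays visible elsewhere instead of a failed load on startup.
var testFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
if (System.IO.File.Exists(testFile))
    loadAndShowFile(testFile);

return "done";

//O2File:C:\O2\O2Scripts_Database\_Scripts\3rdParty_Tools\Fortify\API_Fortify_1_6.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll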

Note that I added a PropertyGrid to the left of the GUI which will show the contents of the Fortify_Scan object

July 17, 2011 - Posted by | Fortify, Interoperability

2 Comments »

  1. […] the previous Fortify FVDL posts (here,  here, here and here), here is a first working tool that is able to load up *.fvdl files, parse its relevant data into […]

    Pingback by Fortify FVDL Files – First working Parser and Viewer for *.fvdl files « OWASP O2 Platform Blog | July 18, 2011 | Reply

  2. […] based on  the first version of this API , the data classes have been refactored and expanded, now covering most of the data contained in […]

    Pingback by Fortify FVDL Files – Looking at the API_Fortify classes that parse the fvdl data « OWASP O2 Platform Blog | July 18, 2011 | Reply

