OWASP O2 Platform Blog

Fortify FVDL files – Simple TableList Viewer Tool

Following on from the Fortify FVDL files – Creating and consuming the schema and CSharp file  post , let’s now build a generic simple tool to view fvdl files (which as long as they are compliant with the XSD we created, they should load).

Note: These scripts are going to use the demo files referenced in the previous post, and that you can download from http://s3.amazonaws.com/Demo_Files/Fortify-Sate-2008.zip . This zip should had been unziped to the ‘C:\O2\_tempDir\_Fortify-Sate-2008\’ folder (as per the previous scripts) and the C# that I’m going to use is the one that you will find at ‘C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\Fortify.fvdl.1.6.cs’ (this is the same one as created by the previous example, except that is located on a different folder and has a different name)

The first step is to load up a file and view it in a ListView (this is the last example of the previous script)

var topPanel = panel.clear().add_Panel();
var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = FVDL.Load(xmlFile);
var vulnerabilities = fvdl.Vulnerabilities.Vulnerability; 

var results =  (from vulnerability in vulnerabilities
                  select new  {
                                kingdom = vulnerability.ClassInfo.Kingdom,
                                analyzer = vulnerability.ClassInfo.AnalyzerName,
                                classId = vulnerability.ClassInfo.ClassID,
                                defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                instanceId = vulnerability.InstanceInfo.InstanceID,
                                instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                confidence = vulnerability.InstanceInfo.Confidence,
                                function = vulnerability.AnalysisInfo.Unified.Context.Function.name,
                                file = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path,
                                line = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line,
                                col = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.colStart
                               
                            }).toList();

topPanel.add_TableList("Showing {0} Vulnerabilties".format(results.size()))
        .show(results);                           
return "done";

//using xmlns.www.fortifysoftware.com.schema.fvdl
//O2File:C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\Fortify.fvdl.1.6.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll

 

The first thing to do is to move the loading of the fvdl into a separate Lamdba method:

Func<string, FVDL> loadFvdl =
    (fvdlFile)=>{
                    var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();       
                     var _fvdl = FVDL.Load(fvdlFile);   
                     o2Timer.stop();
                     return _fvdl;
                };
 
var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = loadFvdl(xmlFile);

Then also  move the code that shows the results into its own Lambda function

Action<FVDL> showFvdl =
     (_fvdl)=>{
                var vulnerabilities = _fvdl.Vulnerabilities.Vulnerability;
 
                var results =  (from vulnerability in vulnerabilities
                  select new  {
                                kingdom = vulnerability.ClassInfo.Kingdom,
                                analyzer = vulnerability.ClassInfo.AnalyzerName,
                                classId = vulnerability.ClassInfo.ClassID,
                                defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                instanceId = vulnerability.InstanceInfo.InstanceID,
                                instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                confidence = vulnerability.InstanceInfo.Confidence,
                                function = vulnerability.AnalysisInfo.Unified.Context.Function.name,
                                file = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path,
                                line = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line,
                                col = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.colStart
                               
                            }).toList();
                tableList.title("Showing {0} Vulnerabilties".format(results.size()))
                         .show(results);                                       
                
              };

Next add Drag & Drop support so that can just drop an *.fvdl file to see it:

Action<string> loadAndShowFile =
    (file)=>{ 
                 var fvdl = loadFvdl(file);
                 showFvdl(fvdl);
            };

tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);

…and show a message to the user (while loading the data in a separate thread)

Action<string> loadAndShowFile =
    (file)=>{
                tableList.title("... loading file: {0}".format(file.fileName()));
                O2Thread.mtaThread(()=>{
                                            var fvdl = loadFvdl(file);
                                            showFvdl(fvdl);
                                        });
            };
tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);

Change the getFvdl method to add support for caching the loaded objects (helps when dealing with large files that are loaded more than one time during the same session)

Func<string, FVDL> loadFvdl =
    (fvdlFile)=>{       
                    try
                    {
                        return (FVDL)O2LiveObjects.get(fvdlFile);
                    }
                    catch { }
                    
                    var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();       
                     var _fvdl = FVDL.Load(fvdlFile);   
                     O2LiveObjects.set(fvdlFile,_fvdl);
                     o2Timer.stop();
                     return _fvdl; 
                };

Change the getFvdl method to detect some cases where there is no data for: function, file or line

Action<FVDL> showFvdl =
     (_fvdl)=>{
                var vulnerabilities = _fvdl.Vulnerabilities.Vulnerability;
 
                var results =  (from vulnerability in vulnerabilities
                  select new  {
                                kingdom = vulnerability.ClassInfo.Kingdom,
                                analyzer = vulnerability.ClassInfo.AnalyzerName,
                                classId = vulnerability.ClassInfo.ClassID,
                                defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                instanceId = vulnerability.InstanceInfo.InstanceID,
                                instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                confidence = vulnerability.InstanceInfo.Confidence,                                          
                                function = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.Function.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.Function.name
                                            : "" ,
                                file = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path
                                            : "" ,
                                line = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line
                                            : 0
                            }).toList();
                tableList.title("Showing {0} Vulnerabilties".format(results.size()))
                         .show(results);                                                        
              };

Make this a generic tool and add a title to the TableList that indicates to the user that he/she needs to drop an *.fvdl file to load it:

//var topPanel = panel.clear().add_Panel();
var topPanel = "Util - Simple FVDL viewer".popupWindow(1000,400);</pre>
&nbsp;

var tableList = topPanel.clear().add_TableList().title("Drop an *.fvdl file here to load it");

Finally, save it as an *.h2 file so that it can be invoked as a stand alone tool:

To execute this script, just double click on it, and the following GUI should appear:

Now drag and drop a *.fvdl file to load it and see detals about its vulnerabilities:

 naim.fvdl

lighttpd.fvdl

nagios.fvdl

mvnforum.fvdl

For reference here is the complete script (available as the Util – Simple FVDL viewer.h2 script):

//var topPanel = panel.clear().add_Panel();
var topPanel = "Util - Simple FVDL viewer".popupWindow(1000,400);

var tableList = topPanel.clear().add_TableList().title("Drop an *.fvdl file here to load it");

Func<string, FVDL> loadFvdl =
    (fvdlFile)=>{       
                    try
                    {
                        var chachedFvdl = (FVDL)O2LiveObjects.get(fvdlFile);
                        if (chachedFvdl.notNull())
                            return chachedFvdl;
                    }
                    catch { }
                    
                    var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();       
                     var _fvdl = FVDL.Load(fvdlFile);   
                     O2LiveObjects.set(fvdlFile,_fvdl);
                     o2Timer.stop();
                     return _fvdl; 
                };
 
 Action<FVDL> showFvdl =
     (_fvdl)=>{
                var vulnerabilities = _fvdl.Vulnerabilities.Vulnerability;
 
                var results =  (from vulnerability in vulnerabilities
                  select new  {
                                kingdom = vulnerability.ClassInfo.Kingdom,
                                analyzer = vulnerability.ClassInfo.AnalyzerName,
                                classId = vulnerability.ClassInfo.ClassID,
                                defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                instanceId = vulnerability.InstanceInfo.InstanceID,
                                instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                confidence = vulnerability.InstanceInfo.Confidence,                                          
                                function = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.Function.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.Function.name
                                            : "" ,
                                file = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path
                                            : "" ,
                                line = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line
                                            : 0
                            }).toList();
                tableList.title("Showing {0} Vulnerabilties".format(results.size()))
                         .show(results);                                                        
              };
 

Action<string> loadAndShowFile =
    (file)=>{
                tableList.title("... loading file: {0}".format(file.fileName()));
                O2Thread.mtaThread(()=>{
                                            var fvdl = loadFvdl(file);
                                            showFvdl(fvdl);
                                        });
            };

tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);
   

return "done"; 

//using xmlns.www.fortifysoftware.com.schema.fvdl
//O2File:C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\Fortify.fvdl.1.6.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll

July 17, 2011 - Posted by | Fortify, Interoperability

2 Comments »

  1. […] from the (Fortify FVDL related) Creating and consuming the schema and CSharp file and Simple TableList Viewer Tool this post shows the next evolutionary step which is the creation of an API that can be easily […]

    Pingback by Fortify FVDL files – Creating an API and consumining it « OWASP O2 Platform Blog | July 17, 2011 | Reply

  2. […] the previous Fortify FVDL posts (here,  here, here and here), here is a first working tool that is able to load up *.fvdl files, parse its […]

    Pingback by Fortify FVDL Files – First working Parser and Viewer for *.fvdl files « OWASP O2 Platform Blog | July 18, 2011 | Reply


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: