Fortify FVDL files – Simple TableList Viewer Tool
Following on from the Fortify FVDL files – Creating and consuming the schema and CSharp file post , let’s now build a generic simple tool to view fvdl files (which as long as they are compliant with the XSD we created, they should load).
Note: These scripts are going to use the demo files referenced in the previous post, and that you can download from http://s3.amazonaws.com/Demo_Files/Fortify-Sate-2008.zip . This zip should had been unziped to the ‘C:\O2\_tempDir\_Fortify-Sate-2008\’ folder (as per the previous scripts) and the C# that I’m going to use is the one that you will find at ‘C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\Fortify.fvdl.1.6.cs’ (this is the same one as created by the previous example, except that is located on a different folder and has a different name)
The first step is to load up a file and view it in a ListView (this is the last example of the previous script)
var topPanel = panel.clear().add_Panel();
var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = FVDL.Load(xmlFile);
var vulnerabilities = fvdl.Vulnerabilities.Vulnerability;
var results = (from vulnerability in vulnerabilities
select new {
kingdom = vulnerability.ClassInfo.Kingdom,
analyzer = vulnerability.ClassInfo.AnalyzerName,
classId = vulnerability.ClassInfo.ClassID,
defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
instanceId = vulnerability.InstanceInfo.InstanceID,
instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
confidence = vulnerability.InstanceInfo.Confidence,
function = vulnerability.AnalysisInfo.Unified.Context.Function.name,
file = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path,
line = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line,
col = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.colStart
}).toList();
topPanel.add_TableList("Showing {0} Vulnerabilties".format(results.size()))
.show(results);
return "done";
//using xmlns.www.fortifysoftware.com.schema.fvdl
//O2File:C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\Fortify.fvdl.1.6.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll
The first thing to do is to move the loading of the fvdl into a separate Lamdba method:
Func<string, FVDL> loadFvdl =
(fvdlFile)=>{
var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();
var _fvdl = FVDL.Load(fvdlFile);
o2Timer.stop();
return _fvdl;
};
var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = loadFvdl(xmlFile);
Then also move the code that shows the results into its own Lambda function
Action<FVDL> showFvdl =
(_fvdl)=>{
var vulnerabilities = _fvdl.Vulnerabilities.Vulnerability;
var results = (from vulnerability in vulnerabilities
select new {
kingdom = vulnerability.ClassInfo.Kingdom,
analyzer = vulnerability.ClassInfo.AnalyzerName,
classId = vulnerability.ClassInfo.ClassID,
defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
instanceId = vulnerability.InstanceInfo.InstanceID,
instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
confidence = vulnerability.InstanceInfo.Confidence,
function = vulnerability.AnalysisInfo.Unified.Context.Function.name,
file = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path,
line = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line,
col = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.colStart
}).toList();
tableList.title("Showing {0} Vulnerabilties".format(results.size()))
.show(results);
};
Next add Drag & Drop support so that can just drop an *.fvdl file to see it:
Action<string> loadAndShowFile =
(file)=>{
var fvdl = loadFvdl(file);
showFvdl(fvdl);
};
tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);
…and show a message to the user (while loading the data in a separate thread)
Action<string> loadAndShowFile =
(file)=>{
tableList.title("... loading file: {0}".format(file.fileName()));
O2Thread.mtaThread(()=>{
var fvdl = loadFvdl(file);
showFvdl(fvdl);
});
};
tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);
Change the getFvdl method to add support for caching the loaded objects (helps when dealing with large files that are loaded more than one time during the same session)
Func<string, FVDL> loadFvdl =
(fvdlFile)=>{
try
{
return (FVDL)O2LiveObjects.get(fvdlFile);
}
catch { }
var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();
var _fvdl = FVDL.Load(fvdlFile);
O2LiveObjects.set(fvdlFile,_fvdl);
o2Timer.stop();
return _fvdl;
};
Change the getFvdl method to detect some cases where there is no data for: function, file or line
Action<FVDL> showFvdl =
(_fvdl)=>{
var vulnerabilities = _fvdl.Vulnerabilities.Vulnerability;
var results = (from vulnerability in vulnerabilities
select new {
kingdom = vulnerability.ClassInfo.Kingdom,
analyzer = vulnerability.ClassInfo.AnalyzerName,
classId = vulnerability.ClassInfo.ClassID,
defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
instanceId = vulnerability.InstanceInfo.InstanceID,
instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
confidence = vulnerability.InstanceInfo.Confidence,
function = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.Function.notNull()
? vulnerability.AnalysisInfo.Unified.Context.Function.name
: "" ,
file = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path
: "" ,
line = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line
: 0
}).toList();
tableList.title("Showing {0} Vulnerabilties".format(results.size()))
.show(results);
};
Make this a generic tool and add a title to the TableList that indicates to the user that he/she needs to drop an *.fvdl file to load it:
//var topPanel = panel.clear().add_Panel();
var topPanel = "Util - Simple FVDL viewer".popupWindow(1000,400);</pre>
var tableList = topPanel.clear().add_TableList().title("Drop an *.fvdl file here to load it");
Finally, save it as an *.h2 file so that it can be invoked as a stand alone tool:
To execute this script, just double click on it, and the following GUI should appear:
Now drag and drop a *.fvdl file to load it and see detals about its vulnerabilities:
naim.fvdl
lighttpd.fvdl
nagios.fvdl
mvnforum.fvdl
For reference here is the complete script (available as the Util – Simple FVDL viewer.h2 script):
//var topPanel = panel.clear().add_Panel();
var topPanel = "Util - Simple FVDL viewer".popupWindow(1000,400);
var tableList = topPanel.clear().add_TableList().title("Drop an *.fvdl file here to load it");
Func<string, FVDL> loadFvdl =
(fvdlFile)=>{
try
{
var chachedFvdl = (FVDL)O2LiveObjects.get(fvdlFile);
if (chachedFvdl.notNull())
return chachedFvdl;
}
catch { }
var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();
var _fvdl = FVDL.Load(fvdlFile);
O2LiveObjects.set(fvdlFile,_fvdl);
o2Timer.stop();
return _fvdl;
};
Action<FVDL> showFvdl =
(_fvdl)=>{
var vulnerabilities = _fvdl.Vulnerabilities.Vulnerability;
var results = (from vulnerability in vulnerabilities
select new {
kingdom = vulnerability.ClassInfo.Kingdom,
analyzer = vulnerability.ClassInfo.AnalyzerName,
classId = vulnerability.ClassInfo.ClassID,
defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
instanceId = vulnerability.InstanceInfo.InstanceID,
instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
confidence = vulnerability.InstanceInfo.Confidence,
function = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.Function.notNull()
? vulnerability.AnalysisInfo.Unified.Context.Function.name
: "" ,
file = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path
: "" ,
line = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line
: 0
}).toList();
tableList.title("Showing {0} Vulnerabilties".format(results.size()))
.show(results);
};
Action<string> loadAndShowFile =
(file)=>{
tableList.title("... loading file: {0}".format(file.fileName()));
O2Thread.mtaThread(()=>{
var fvdl = loadFvdl(file);
showFvdl(fvdl);
});
};
tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);
return "done";
//using xmlns.www.fortifysoftware.com.schema.fvdl
//O2File:C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\Fortify.fvdl.1.6.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll
2 Comments »
About
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.
O2 can also be a very powerful prototyping and fast-development tool for .NET. Most O2 APIs are written using a Fluent API design, and its core has been published as a separate project called FluentSharp (hosted at CodePlex)
Download
Windows ClickOnce Installer:
Mailing List
The best place to keep updated with the lastest news and developers it to subscribe to the OWASP O2 Platform Mailing list (you can read its archives here)
OWASP O2 Platform Blog 
[…] from the (Fortify FVDL related) Creating and consuming the schema and CSharp file and Simple TableList Viewer Tool this post shows the next evolutionary step which is the creation of an API that can be easily […]
[…] the previous Fortify FVDL posts (here, here, here and here), here is a first working tool that is able to load up *.fvdl files, parse its […]