OWASP O2 Platform Blog

Creating the “Util – View Fvdl Traces.h2” script (lots of data analysis code samples)

If you are trying to write a script to filter Fortify’s FVDL files, here are a number of code snippets that should give you a good idea of the type of scripting and analysis that you can do with O2.

This workflow represents the creation of a GUI to visualize an FVDL file. You can see the end result in the Util – View Fvdl Traces.h2 script which can be found in the following local O2 scripts folder

This is what the script looks like when executed for the first time

And this is what it looks like after an *.fvdl file is dropped in the top left treeview:

… and (after load)

 

Here is the workflow and code snippets:

Start with:

// Parse the sample FVDL file into a Fortify_Scan and browse the resulting object in a
// PropertyGrid. `panel` and the extension methods used here (fortifyScan, add_PropertyGrid,
// helpVisible, show, typeName) presumably come from the O2 script host; the //O2File line at the
// end is the O2 directive that references the API_Fortify_1_6.cs script.
var topPanel = panel.clear().add_Panel();
var fvdlFile = @"C:\O2\Demos\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fortifyScan = fvdlFile.fortifyScan();
var scanGrid = topPanel.add_PropertyGrid().helpVisible(false);
scanGrid.show(fortifyScan);
return fortifyScan.typeName();
//O2File:API_Fortify_1_6.cs

add treeview

// Add a TreeView (the boolean is passed through as in the original; its meaning is not shown
// in this post) and parse the FVDL file. The two statements do not depend on each other.
var treeView = topPanel.add_TreeView_with_PropertyGrid(false);
var fortifyScan = fvdlFile.fortifyScan();

add Vulnerabilities in treeview and show details in propertygrid

// Parse the FVDL file, list every vulnerability as a tree node and select the first one so the
// PropertyGrid next to the tree shows its details.
var treeView = topPanel.add_TreeView_with_PropertyGrid(false);
var fortifyScan = fvdlFile.fortifyScan();
var allVulnerabilities = fortifyScan.Vulnerabilities;
treeView.add_Nodes(allVulnerabilities);
treeView.selectFirst();

Get list of unique ‘Confidence’ values

// Distinct Confidence values present in the scan (method syntax instead of a query expression).
return fortifyScan.Vulnerabilities
                  .Select(vulnerability => vulnerability.Confidence)
                  .Distinct();

Get list of unique ‘InstanceSeverity’ values

// Distinct InstanceSeverity values present in the scan (method syntax instead of a query expression).
return fortifyScan.Vulnerabilities
                  .Select(vulnerability => vulnerability.InstanceSeverity)
                  .Distinct();

Create dictionary of vulnerabilities mapped by ‘InstanceSeverity’

// Bucket the scan's vulnerabilities by InstanceSeverity. `add` is an O2 extension on
// Dictionary<K, List<V>> (not shown in this post) that presumably appends the vulnerability to
// the list kept under its key. Later snippets refer to `mappedBySeverity` by this name.
var fortifyScan = fvdlFile.fortifyScan();
var mappedBySeverity = new Dictionary<decimal, List<Fortify_Vulnerability>>();
foreach (var finding in fortifyScan.Vulnerabilities)
{
    mappedBySeverity.add(finding.InstanceSeverity, finding);
}
return mappedBySeverity;

Add dictionary to treeView (loads all data)

// One node per severity, with every vulnerability added as a child node up front — the whole
// scan is materialised in the tree (the next snippet defers that work until a node is expanded).
foreach (var severityGroup in mappedBySeverity)
{
    var severityLabel = "{0}        ({1} vulnerabilities)".format(severityGroup.Key.str(), severityGroup.Value.size());
    var severityNode = treeView.add_Node(severityLabel);
    severityNode.add_Nodes(severityGroup.Value);
}
treeView.selectFirst();

Add dictionary to treeView (with support for lazy loading of vulnerabilities — better for bigger files)

// One node per severity; the vulnerability list is passed along with the node and the child
// nodes are only created when the node is expanded (beforeExpand appears to hand that list back),
// which keeps the initial load cheap for large FVDL files.
foreach (var severityGroup in mappedBySeverity)
{
    var severityLabel = "{0}        ({1} vulnerabilities)".format(severityGroup.Key.str(), severityGroup.Value.size());
    treeView.add_Node(severityLabel, severityGroup.Value, true);
}

treeView.beforeExpand<List<Fortify_Vulnerability>>(
    (treeNode, vulnerabilities) => treeNode.add_Nodes(vulnerabilities));

// Select and expand the first severity node so its vulnerabilities are visible immediately.
var firstSeverityNode = treeView.selectFirst().selected();
firstSeverityNode.expand();
return mappedBySeverity;

populate treeview with two types of dictionaries (first ‘by Severity’ then ‘by Type’)

// Two-level tree: one node per InstanceSeverity, and under it one node per vulnerability Type.
// Type nodes carry their vulnerability list and are populated lazily on expand.
var mappedBySeverity = new Dictionary<decimal, List<Fortify_Vulnerability>>();
foreach (var finding in fortifyScan.Vulnerabilities)
{
    mappedBySeverity.add(finding.InstanceSeverity, finding);
}

foreach (var severityGroup in mappedBySeverity)
{
    var mappedByType = new Dictionary<string, List<Fortify_Vulnerability>>();
    foreach (var finding in severityGroup.Value)
    {
        mappedByType.add(finding.Type, finding);
    }

    var severityLabel = "{0}      ({1}x)".format(severityGroup.Key.str(), severityGroup.Value.size());
    var severityNode = treeView.add_Node(severityLabel);
    foreach (var typeGroup in mappedByType)
    {
        var typeLabel = "{0}  ({1}x)".format(typeGroup.Key, typeGroup.Value.size());
        severityNode.add_Node(typeLabel, typeGroup.Value, true);
    }
}

treeView.beforeExpand<List<Fortify_Vulnerability>>(
    (treeNode, vulnerabilities) => treeNode.add_Nodes(vulnerabilities));

// Select and expand the first severity node so its type nodes are visible.
var firstSeverityNode = treeView.selectFirst().selected();
firstSeverityNode.expand();

Move dictionary and treeView creation to a Lambda method (same functionality as the previous example)

// Rebuild treeView from fortifyScan: one node per InstanceSeverity, each with one child per
// vulnerability Type; the vulnerabilities under a type node are added lazily on expand.
Action<Fortify_Scan, TreeView> mapScanToTreeView_BySeverityAndType =
    (fortifyScan, treeView) =>
    {
        treeView.clear();
        var mappedBySeverity = new Dictionary<decimal, List<Fortify_Vulnerability>>();
        foreach (var finding in fortifyScan.Vulnerabilities)
        {
            mappedBySeverity.add(finding.InstanceSeverity, finding);
        }

        foreach (var severityGroup in mappedBySeverity)
        {
            var mappedByType = new Dictionary<string, List<Fortify_Vulnerability>>();
            foreach (var finding in severityGroup.Value)
            {
                mappedByType.add(finding.Type, finding);
            }

            var severityLabel = "{0}      ({1}x)".format(severityGroup.Key.str(), severityGroup.Value.size());
            var severityNode = treeView.add_Node(severityLabel);
            foreach (var typeGroup in mappedByType)
            {
                var typeLabel = "{0}  ({1}x)".format(typeGroup.Key, typeGroup.Value.size());
                severityNode.add_Node(typeLabel, typeGroup.Value, true);
            }
        }

        // The list given to add_Node above appears to be handed back here on expand.
        treeView.beforeExpand<List<Fortify_Vulnerability>>(
            (treeNode, vulnerabilities) => treeNode.add_Nodes(vulnerabilities));
    };

var fvdlFile = @"C:\O2\Demos\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var _treeView = topPanel.add_TreeView_with_PropertyGrid(false).sort();
var _fortifyScan = fvdlFile.fortifyScan();

mapScanToTreeView_BySeverityAndType(_fortifyScan, _treeView);

// Focus the tree, select the first severity node and expand it.
var firstSeverityNode = _treeView.focus().selectFirst().selected();
firstSeverityNode.expand();

Add a treeView to the right and a source code viewer below it

// Layout: vulnerabilities tree (in a group box on the left), a "Traces" tree inserted to its
// right, and a source code viewer inserted below the traces tree's parent. The statement order
// matters: codeViewer is placed relative to tracesTreeView.parent(), which presumably depends on
// the insert_Right call before it.
var fvdlFile = @"C:\O2\Demos\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var _treeView = topPanel.add_GroupBox("Vulnerabilities results").add_TreeView_with_PropertyGrid(true).sort();
var _fortifyScan = fvdlFile.fortifyScan();
var tracesTreeView = topPanel.insert_Right("Traces").add_TreeView();
var codeViewer = tracesTreeView.parent().insert_Below("Source Code View").add_SourceCodeViewer();

// Fill the left tree using the lambda defined in the previous snippet.
mapScanToTreeView_BySeverityAndType(_fortifyScan, _treeView);

Show traces on Vulnerability select, and show the trace's properties on trace select (using the dspace.fvdl file, since it is a Java scan and has more traces)

// dspace.fvdl is used from here on (a Java scan with more traces than naim.fvdl).
//var fvdlFile = @"C:\O2\Demos\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdlFile = @"C:\O2\Demos\Fortify-Sate-2008\sate2008-Fvdl\dspace.fvdl";

// Layout, in this order: vulnerabilities tree (left), "Traces" tree (right), a PropertyGrid
// to the right of the traces tree, and the source viewer below the traces tree's parent. Keep
// the order — codeViewer is placed relative to tracesTreeView.parent(), which presumably
// depends on the insert_Right call before it.
var _treeView = topPanel.add_GroupBox("Vulnerabilities results").add_TreeView_with_PropertyGrid(true).sort();
_treeView.add_Node(".... loading file: {0}".format(fvdlFile));
var _fortifyScan = fvdlFile.fortifyScan();
var tracesTreeView = topPanel.insert_Right("Traces").add_TreeView();
var tracesProperties = tracesTreeView.insert_Right().add_PropertyGrid();
var codeViewer = tracesTreeView.parent().insert_Below("Source Code View").add_SourceCodeViewer();

// Selecting a vulnerability lists its traces; selecting a trace shows it in the property grid.
_treeView.afterSelect<Fortify_Vulnerability>(vulnerability =>
{
    tracesTreeView.clear();
    tracesTreeView.add_Nodes(vulnerability.Traces);
});
tracesTreeView.afterSelect<Fortify_TraceEntry>(traceEntry => tracesProperties.show(traceEntry));

mapScanToTreeView_BySeverityAndType(_fortifyScan, _treeView);

// Drill into the first severity node and its first type node so a vulnerability is selected on
// start-up. NOTE(review): nodes()[0] assumes the scan produced at least one node at each level.
var firstSeverityNode = _treeView.focus().selectFirst().selected();
var firstTypeNode = firstSeverityNode.expand().nodes()[0].selected();
firstTypeNode.expand().nodes()[0].selected();

tracesTreeView.selectFirst();

Move data loading into a separate thread

// Parse and populate on a background (MTA) thread so the window stays responsive while the
// FVDL file loads. NOTE(review): the tree/focus calls below run on that worker thread; the O2
// extension methods are assumed to marshal to the UI thread — confirm.
O2Thread.mtaThread(() =>
{
    var _fortifyScan = fvdlFile.fortifyScan();
    mapScanToTreeView_BySeverityAndType(_fortifyScan, _treeView);

    // Same start-up selection as the previous snippet: first severity, first type, first vulnerability.
    var firstSeverityNode = _treeView.focus().selectFirst().selected();
    var firstTypeNode = firstSeverityNode.expand().nodes()[0].selected();
    firstTypeNode.expand().nodes()[0].selected();

    tracesTreeView.selectFirst();
});

and move it to a Lambda method (with callback for when data is loaded)

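// Load an FVDL file on a background thread and fill vulnerabilitiesTreeView from it;
// loadCompleteCallback runs only once the tree actually holds the scan data. The tree is pink
// while loading and white again afterwards, also when loading fails.
// fvdlFile comes from the caller (later in this post it is whatever file was dropped on the
// tree), so a file that is not a readable FVDL document is reported in the tree instead of
// leaving the loader thread to die with an unhandled exception and the tree stuck pink.
// NOTE(review): the control calls inside the thread run on the worker thread; the O2 extension
// methods are assumed to marshal to the UI thread — confirm.
Action<string, TreeView, Action> loadFvdlDataIntoTreeView =
    (fvdlFile, vulnerabilitiesTreeView, loadCompleteCallback) =>
    {
        vulnerabilitiesTreeView.add_Node(".... loading file: {0}".format(fvdlFile));
        vulnerabilitiesTreeView.pink();
        O2Thread.mtaThread(() =>
        {
            try
            {
                var _fortifyScan = fvdlFile.fortifyScan();
                mapScanToTreeView_BySeverityAndType(_fortifyScan, vulnerabilitiesTreeView);
                loadCompleteCallback();
            }
            catch (Exception ex)
            {
                // Replace the "loading" node with the failure so the user can see why nothing loaded.
                vulnerabilitiesTreeView.clear();
                vulnerabilitiesTreeView.add_Node("!! failed to load file: {0}".format(fvdlFile));
                vulnerabilitiesTreeView.add_Node(ex.Message);
            }
            finally
            {
                vulnerabilitiesTreeView.white();
            }
        });
    };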
// Kick off the asynchronous load; the callback performs the same start-up selection as before
// once the tree has been filled.
var _fvdlFile = @"C:\O2\Demos\Fortify-Sate-2008\sate2008-Fvdl\dspace.fvdl";
//var fvdlFile = @"C:\O2\Demos\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
Action selectFirstVulnerability = () =>
{
    var firstSeverityNode = _treeView.focus().selectFirst().selected();
    var firstTypeNode = firstSeverityNode.expand().nodes()[0].selected();
    firstTypeNode.expand().nodes()[0].selected();
    tracesTreeView.selectFirst();
};
loadFvdlDataIntoTreeView(_fvdlFile, _treeView, selectFirstVulnerability);

add support for Code Snippets

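// Code snippets of the loaded scan, indexed by snippet Id, so trace entries can look up
// their source text. The lambda rebuilds the index for a new scan and shows it.
var codeSnippets = new Dictionary<string, Fortify_Snippet>();
Action<Fortify_Scan> loadCodeSnippets =
    (_fortifyScan) =>
    {
        codeSnippets.Clear();
        foreach (var snippet in _fortifyScan.Snippets)
        {
            // Indexer instead of Add: a repeated Id replaces the earlier entry rather than throwing
            // ArgumentException, which would abort the load (later in this post this runs inside a
            // background-thread lambda that has no catch around it).
            codeSnippets[snippet.Id] = snippet;
        }
        show.info(codeSnippets);
    };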
...
// Parse the file and build the snippet index from the resulting scan.
var _fortifyScan = fvdlFile.fortifyScan();
loadCodeSnippets(_fortifyScan);

Show code snippet when trace is selected

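// When a trace entry is selected, show its properties and the matching source snippet: the
// source-location snippet first, then the secondary-location one. When neither Id is in
// codeSnippets the viewer is cleared, so the previous trace's code is not left on screen for a
// trace that has no snippet (the original kept the stale text).
tracesTreeView.afterSelect<Fortify_TraceEntry>(
    (traceEntry) =>
    {
        tracesProperties.show(traceEntry);
        var sourceId = traceEntry.SourceLocation_Snippet;
        var secondaryId = traceEntry.SecundaryLocation_Snippet;
        // A Dictionary<string, _> lookup with a null key throws, so guard before asking hasKey.
        if (sourceId != null && codeSnippets.hasKey(sourceId))
            codeViewer.set_Text(codeSnippets[sourceId].Text);
        else if (secondaryId != null && codeSnippets.hasKey(secondaryId))
            codeViewer.set_Text(codeSnippets[secondaryId].Text);
        else
            codeViewer.set_Text("");
    });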

Only show traces that have valid code snippets

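// When a vulnerability is selected, list only the trace entries that reference a code snippet
// (at either location). The original ended the query with `.Distinct` without parentheses,
// which is a method group rather than a call and does not compile; `.Distinct()` is what was meant.
_treeView.afterSelect<Fortify_Vulnerability>(
    (vulnerability) =>
    {
        tracesTreeView.clear();
        var tracesWithSnippets = vulnerability.Traces
            .Where(traceEntry => traceEntry.SourceLocation_Snippet.valid()
                              || traceEntry.SecundaryLocation_Snippet.valid())
            .Distinct();
        tracesTreeView.add_Nodes(tracesWithSnippets);
    });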

Add DragAndDrop support

// Load a file into the vulnerabilities tree and put focus back on it when done. The start-up
// select/expand chain from the earlier snippets is left out here, as in the original (where it
// was commented out).
Action<string> loadFvdlFile = fvdlFile =>
    loadFvdlDataIntoTreeView(fvdlFile, _treeView, () => _treeView.focus());

// Dropping a file onto the vulnerabilities tree loads it; the dropped path is whatever the user
// dragged in, so it is not necessarily an FVDL file.
_treeView.onDrop(file => loadFvdlFile(file));

and open the GUI in a new window

// Host the GUI in its own 1000x400 popup window instead of the inline panel used so far.
var windowTitle = "Util - View Fvdl Traces";
var topPanel = windowTitle.popupWindow(1000,400);

FOR REFERENCE: Here is the complete script:

// Host the GUI in its own 1000x400 popup window; the inline-panel alternative is kept below.
// (The title here reads "Util = ..." whereas the earlier snippet used "Util - ..."; kept as published.)
var windowTitle = "Util = View Fvdl Traces";
var topPanel = windowTitle.popupWindow(1000,400);
//var topPanel = panel.clear().add_Panel();

// Rebuild treeView from fortifyScan: one node per InstanceSeverity, each with one child per
// vulnerability Type; the vulnerabilities under a type node are added lazily on expand.
Action<Fortify_Scan, TreeView> mapScanToTreeView_BySeverityAndType =
    (fortifyScan, treeView) =>
    {
        treeView.clear();
        var mappedBySeverity = new Dictionary<decimal, List<Fortify_Vulnerability>>();
        foreach (var finding in fortifyScan.Vulnerabilities)
        {
            mappedBySeverity.add(finding.InstanceSeverity, finding);
        }

        foreach (var severityGroup in mappedBySeverity)
        {
            var mappedByType = new Dictionary<string, List<Fortify_Vulnerability>>();
            foreach (var finding in severityGroup.Value)
            {
                mappedByType.add(finding.Type, finding);
            }

            var severityLabel = "{0}      ({1}x)".format(severityGroup.Key.str(), severityGroup.Value.size());
            var severityNode = treeView.add_Node(severityLabel);
            foreach (var typeGroup in mappedByType)
            {
                var typeLabel = "{0}  ({1}x)".format(typeGroup.Key, typeGroup.Value.size());
                severityNode.add_Node(typeLabel, typeGroup.Value, true);
            }
        }

        // The list given to add_Node above appears to be handed back here on expand.
        treeView.beforeExpand<List<Fortify_Vulnerability>>(
            (treeNode, vulnerabilities) => treeNode.add_Nodes(vulnerabilities));
    };

// Layout: vulnerabilities tree (group box, left), "Traces" tree to the right, source viewer
// below the traces tree's parent, and a PropertyGrid to the right of the traces tree.
// Note the order differs from the earlier snippet (viewer before property grid); codeViewer is
// placed relative to tracesTreeView.parent(), which presumably depends on the insert_* calls
// made before it, so keep these statements in this order.
var _treeView = topPanel.add_GroupBox("Vulnerabilities results").add_TreeView_with_PropertyGrid(true).sort();
var tracesTreeView = topPanel.insert_Right("Traces").add_TreeView();
var codeViewer = tracesTreeView.parent().insert_Below("Source Code View").add_SourceCodeViewer();
var tracesProperties = tracesTreeView.insert_Right().add_PropertyGrid();

// When a vulnerability is selected, list only the trace entries that reference a code snippet
// at either location (entries are not de-duplicated in this version of the script).
_treeView.afterSelect<Fortify_Vulnerability>(
    (vulnerability) =>
    {
        tracesTreeView.clear();
        var tracesWithSnippets = vulnerability.Traces
            .Where(traceEntry => traceEntry.SourceLocation_Snippet.valid()
                              || traceEntry.SecundaryLocation_Snippet.valid());
        tracesTreeView.add_Nodes(tracesWithSnippets);
    });

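// Code snippets of the loaded scan, indexed by snippet Id; read by the trace selection handler
// to show source text. NOTE(review): filled on the loader thread and read on the UI thread
// without synchronisation — the handler can run while a dropped file is being reloaded.
var codeSnippets = new Dictionary<string, Fortify_Snippet>();

Action<Fortify_Scan> loadCodeSnippets =
    (_fortifyScan) =>
    {
        codeSnippets.Clear();
        foreach (var snippet in _fortifyScan.Snippets)
        {
            // Indexer instead of Add: a repeated Id replaces the earlier entry rather than throwing
            // ArgumentException, which would abort the load on the background thread that calls this.
            codeSnippets[snippet.Id] = snippet;
        }
    };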
                   
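// When a trace entry is selected, show its properties and the matching source snippet: the
// source-location snippet first, then the secondary-location one. When neither Id is in
// codeSnippets the viewer is cleared, so the previous trace's code is not left on screen for a
// trace that has no snippet (the original kept the stale text).
tracesTreeView.afterSelect<Fortify_TraceEntry>(
    (traceEntry) =>
    {
        tracesProperties.show(traceEntry);
        var sourceId = traceEntry.SourceLocation_Snippet;
        var secondaryId = traceEntry.SecundaryLocation_Snippet;
        // A Dictionary<string, _> lookup with a null key throws, so guard before asking hasKey.
        if (sourceId != null && codeSnippets.hasKey(sourceId))
            codeViewer.set_Text(codeSnippets[sourceId].Text);
        else if (secondaryId != null && codeSnippets.hasKey(secondaryId))
            codeViewer.set_Text(codeSnippets[secondaryId].Text);
        else
            codeViewer.set_Text("");
    });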

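// Load an FVDL file on a background thread, index its code snippets and fill
// vulnerabilitiesTreeView; loadCompleteCallback runs only once the tree actually holds the scan.
// The tree is pink while loading and white again afterwards, also when loading fails.
// fvdlFile is whatever was dropped onto the tree, so a file that is not a readable FVDL document
// is reported in the tree rather than leaving the loader thread to die with an unhandled
// exception and the tree stuck pink. NOTE(review): the control calls inside the thread run on
// the worker thread; the O2 extension methods are assumed to marshal to the UI thread — confirm.
Action<string, TreeView, Action> loadFvdlDataIntoTreeView =
    (fvdlFile, vulnerabilitiesTreeView, loadCompleteCallback) =>
    {
        vulnerabilitiesTreeView.add_Node(".... loading file: {0}".format(fvdlFile));
        vulnerabilitiesTreeView.pink();
        O2Thread.mtaThread(() =>
        {
            try
            {
                var _fortifyScan = fvdlFile.fortifyScan();
                loadCodeSnippets(_fortifyScan);
                mapScanToTreeView_BySeverityAndType(_fortifyScan, vulnerabilitiesTreeView);
                loadCompleteCallback();
            }
            catch (Exception ex)
            {
                // Replace the "loading" node with the failure so the user can see why nothing loaded.
                vulnerabilitiesTreeView.clear();
                vulnerabilitiesTreeView.add_Node("!! failed to load file: {0}".format(fvdlFile));
                vulnerabilitiesTreeView.add_Node(ex.Message);
            }
            finally
            {
                vulnerabilitiesTreeView.white();
            }
        });
    };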
// Load a file into the vulnerabilities tree and put focus back on it when done. The start-up
// select/expand chain from the earlier snippets is left out here, as in the original (where it
// was commented out).
Action<string> loadFvdlFile = fvdlFile =>
    loadFvdlDataIntoTreeView(fvdlFile, _treeView, () => _treeView.focus());

// Dropping a file onto the vulnerabilities tree loads it; the dropped path is whatever the user
// dragged in, so it is not necessarily an FVDL file.
_treeView.onDrop(file => loadFvdlFile(file));

// Script result reported by O2 once the GUI has been wired up (the data is loaded on drop).
return "ok";

//O2File:API_Fortify_1_6.cs

July 29, 2011 - Posted by | Fortify
