OWASP O2 Platform Blog

O2 Scripting Samples: Automating Rational AppScan Standard GUI and adding AppScan Standard Findings

Here are a number of smaller scripts I saved when working on the Showing IBM Rational AppScan Source Findings inside AppScan Standard (1st PoC) script. These are great if you are trying to get around O2’s APIs and get a feel for how a complex script ‘evolves’ 🙂

Note that these scripts have to be executed from inside the O2 Scripting environment created via Injecting O2 into IBM Rational AppScan Standard

 

Open up OpenScan dialog: 

// Brings up the Open Scan dialog by clicking MainForm's private "Open" toolbar button.
// The button is a private field, so it is looked up by name through O2's field() helper.
((ToolStripButton)MainForm.field("toolStripButtonOpen")).PerformClick();

Show all values (public and private) of MainForm's fields and properties

// Opens O2's details() viewer on the AppScan main form, listing its public and private fields and properties.
var mainForm = MainForm;
mainForm.details();

Get AppScan Debug Process Information

// Returns AppScan's own diagnostic dump of the running process (the text it writes to its debug log).
var processInformation = AppScan.Diagnostics.Debug.GetProcessInformationLog();
return processInformation;
//O2Ref:appscan.exe
//O2Ref:debug.dll

Get Logger

// Returns AppScan's internal logger object so it can be inspected from the O2 REPL.
var appScanLogger = AppScan.Diagnostics.Debug.Logger;
return appScanLogger;
//O2Ref:appscan.exe
//O2Ref:debug.dll
//O2Ref:Utilities.dll

Get log file

// Returns the path of the log file AppScan's logger is currently writing to.
return AppScan.Diagnostics.Debug.Logger.LogFile;
//O2Ref:appscan.exe
//O2Ref:debug.dll
//O2Ref:Utilities.dll

View log file contents

// Reads AppScan's current log file from disk and shows it in a plain text area popup.
var logFileContents = AppScan.Diagnostics.Debug.Logger.LogFile.fileContents();
var textArea = "AppScan Log file Contents".popupWindow().add_TextArea();
textArea.set_Text(logFileContents);
//O2Ref:appscan.exe
//O2Ref:debug.dll
//O2Ref:Utilities.dll

View log file contents in a strongly typed table

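// Parses AppScan's log file into (process, time, message) rows and shows them in a TableList popup.
var logFileContents = AppScan.Diagnostics.Debug.Logger.LogFile.fileContents();

// Each log line is assumed to be "process|time|message" (confirm against the log format).
// Require at least three fields: the original filter (size() > 1) let two-field lines through
// and then threw IndexOutOfRange on items[2] when the table was rendered. A message that itself
// contains '|' is still truncated at its first '|', as in the original.
var logFileData = logFileContents.lines()
                                 .Select(line => line.split("|"))
                                 .Where(items => items.size() >= 3)
                                 .Select(items => new
                                     {
                                         process = items[0],
                                         time    = items[1],
                                         message = items[2]
                                     });

"AppScan Log file Contents".popupWindow()
                           .add_TableList()
                           .show(logFileData);

return "ok";
//O2Ref:appscan.exe
//O2Ref:debug.dll
//O2Ref:Utilities.dll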

 
How to create the AppScan class (which is marked as internal)
Note that this doesn’t return a value (could be because it can only be called once). The constructor is correctly called but there is an internal AppScan error thrown

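// Instantiates AppScan's internal AppScan class by reflection, using O2's assembly()/type()/ctor()
// helpers, and returns the new object. The original snippet had a second `return "ok";` after this
// return, which was unreachable and has been removed. As noted on the page, AppScan itself raises
// an internal error after the constructor runs.
var appScan = "AppScanSDK.dll".assembly()
                              .type("AppScan")
                              .ctor();

return appScan;
//using AppScan.GuiLayerImpl
//O2Ref:appscan.exe
//O2Ref:AppScanSDK.dll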

Getting an object reference to an IAppScan object

// Returns the IAppScan instance that the AppScan SDK factory hands out for the running process.
var appScanInstance = AppScan.AppScanFactory.CreateInstance();
return appScanInstance;
//O2Ref:appscan.exe
//O2Ref:AppScanSDK.dll

View all (public & private) fields and properties from the IAppScan object (which is an object of type AppScan.GuiLayerImpl.AppScan)


// Opens O2's details() viewer on the factory-created IAppScan object (fields and properties, public and private).
AppScan.AppScanFactory.CreateInstance().details();
//O2Ref:appscan.exe
//O2Ref:AppScanSDK.dll

Getting the scan object and returning its full type name (which is AppScan.GuiLayerImpl.Scan.ScanManager)

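// Returns the full CLR type name of the Scan object exposed by the IAppScan instance.
// A stray "</pre>" HTML tag pasted at the end of the return line in the original has been removed;
// it would not compile.
var appScan = AppScan.AppScanFactory.CreateInstance();
var scan = appScan.Scan;
return scan.typeFullName();
//O2Ref:appscan.exe
//O2Ref:AppScanSDK.dll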

 
Load scan (doesn’t work, hangs at 95%) 

// Synchronous load of a .scan file through the SDK Scan object.
// (The page reports that this call hangs at 95%; the async variant below is the one that works.)
var scanFileToLoad = @"C:\_WorkDir\IBM\Altoro\AltoroJ21.scan";
var scan = AppScan.AppScanFactory.CreateInstance().Scan;
return scan.LoadScanData(scanFileToLoad);

//O2Ref:appscan.exe
//O2Ref:AppScanSDK.dll

 
Load scan ASync  (works)

// Asynchronous load of a .scan file through the SDK Scan object; returns immediately with "ok".
var scanFileToLoad = @"C:\_WorkDir\IBM\Altoro\AltoroJ21.scan";
var scan = AppScan.AppScanFactory.CreateInstance().Scan;
scan.LoadScanDataAsync(scanFileToLoad);
return "ok";

//O2Ref:appscan.exe
//O2Ref:AppScanSDK.dll

 
Get Reference to main TreeView with site tree, expand all nodes, and select the 5th

// Takes the first TreeView found under MainForm (the site tree), expands every node,
// and selects the node at index 5 of allNodes() (zero-based, i.e. the sixth node).
var siteTree = MainForm.controls<TreeView>(true)[0];
siteTree.expandAll();
var node = siteTree.allNodes()[5].selected();
return node;
//node.details();
//O2Ref:appscan.exe
//O2Ref:AppScanSDK.dll

 
Get the node type (which is AppScan.Gui.UserControls.TreeNodeWithPaint)

// Full CLR type name of `node`, which must still be in scope from the previous snippet.
var nodeTypeName = node.typeFullName();
return nodeTypeName;

get the Full Path value (which is an AppScan Scan value )


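// FullPath of `node` (still in scope from the earlier snippet). The stray "</pre>" HTML tag
// pasted after the semicolon in the original has been removed; it would not compile.
return node.FullPath;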

 
Show in O2’s LogViewer the FullPath value of the selected node 

// Hooks the site tree's AfterSelect event and writes the selected node's FullPath to O2's LogViewer.
var siteTree = MainForm.controls<TreeView>(true)[0];
siteTree.afterSelect<TreeNodeWithPaint>(selectedNode => selectedNode.FullPath.info());

//using AppScan.Gui.UserControls
//O2Ref:appscan.exe
//O2Ref:UserControls.dll

Show source code of selected treenode in source code viewer (below the TreeView) 

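// Shows the source file that corresponds to the currently selected site-tree node in a
// SourceCodeViewer placed in the panel below the TreeView.
// scanTreeView is declared first: the original snippet used it on its first line and only
// declared it three lines later, which does not compile.
var scanTreeView = MainForm.controls<TreeView>(true)[0];
var panelBelowTreeView = scanTreeView.splitContainer().Panel2;
panelBelowTreeView.clear();
var sourceCodeViewer = panelBelowTreeView.add_SourceCodeViewer();

var sourceFolder = @"C:\....\Altoro\AltoroJ2.1-src\WebContent";

// The node's FullPath is the URL path recorded while crawling the target site, so the file
// path derived from it is untrusted: a crawled path containing "..\" segments would otherwise
// map to a file outside sourceFolder. Normalise both and require the file to stay under the root
// (trailing separator so that "C:\src2" does not pass as being under "C:\src").
var virtualFile = scanTreeView.selected().FullPath.remove(@"My Application\http://www.altoromutual.com:8080/\altoromutual\");
var pathToFile = sourceFolder.pathCombine(virtualFile);
var sourceRoot = Path.GetFullPath(sourceFolder).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
if (Path.GetFullPath(pathToFile).StartsWith(sourceRoot, StringComparison.OrdinalIgnoreCase))
    sourceCodeViewer.set_Text(pathToFile.fileContents(), ".aspx");
else
    sourceCodeViewer.set_Text("");
//using AppScan.Gui.UserControls
//using System.IO
//O2Ref:appscan.exe
//O2Ref:UserControls.dll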

Show source code on TreeNode Click


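// Wires the site tree's AfterSelect event to a SourceCodeViewer (placed below the tree) so that
// clicking a node opens the matching file from the local source checkout.
var sourceFolder = @"C:\...\Altoro\AltoroJ2.1-src\WebContent";

// Normalised root with a trailing separator, so "C:\src2" cannot pass as being under "C:\src".
var sourceRoot = Path.GetFullPath(sourceFolder).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
Func<string, bool> isInsideSourceFolder =
    (path) => Path.GetFullPath(path).StartsWith(sourceRoot, StringComparison.OrdinalIgnoreCase);

var scanTreeView = MainForm.controls<TreeView>(true)[0];

var panelBelowTreeView = scanTreeView.splitContainer().Panel2;
panelBelowTreeView.clear();
var sourceCodeViewer = panelBelowTreeView.add_SourceCodeViewer();

scanTreeView.afterSelect<TreeNodeWithPaint>(
    (treeNodeWithPaint)=>
        {
            try
            {
                // FullPath is the URL path recorded while crawling the target site, so the file path
                // derived from it is untrusted; a "..\" segment must not escape sourceFolder.
                var virtualFile = scanTreeView.selected().FullPath.remove(@"My Application\http://www.altoromutual.com:8080/\altoromutual\");
                var pathToFile = sourceFolder.pathCombine(virtualFile);
                if (isInsideSourceFolder(pathToFile) && pathToFile.fileExists())
                {
                    sourceCodeViewer.open(pathToFile);
                    // .jsp files are shown with the .aspx highlighter (presumably the closest one available — confirm).
                    if (pathToFile.extension(".jsp"))
                        sourceCodeViewer.editor().setDocumentHighlightingStrategy(".aspx");
                }
                else
                    sourceCodeViewer.set_Text("");
            }
            catch (Exception ex)
            {
                // Keep the tree usable when a mapping fails, but surface the error in O2's LogViewer
                // rather than swallowing it. (The original `catch()` was also not valid C#.)
                ex.Message.info();
            }
        });

return "ok";
//using AppScan.Gui.UserControls
//using System.IO
//O2Ref:appscan.exe
//O2Ref:UserControls.dll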

Add a top menu (to AppScan) with a menu item to open an *.scan file

// Loads a .scan file asynchronously through the SDK; paths that do not exist are ignored.
Action<string> openScanFile = scanFileToLoad =>
{
    if (!scanFileToLoad.fileExists())
        return;
    AppScan.AppScanFactory.CreateInstance().Scan.LoadScanDataAsync(scanFileToLoad);
};

// Adds an "AltoroJ" top-level menu to AppScan's MenuStrip with one item that prompts for the file.
var menuStrip = MainForm.controls<MenuStrip>();
var altoroMenu = menuStrip.add_MenuItem("AltoroJ");
altoroMenu.add_MenuItem("Open AltoroJ", () => openScanFile("Where is the AltoroJ *.Scan file".askUser()));

Adding two menu items (one to load the scan file and another to configure the source code mappings)

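// Loads a .scan file asynchronously through the SDK; paths that do not exist are ignored.
Action<string> openScanFile =
    (scanFileToLoad)=>{
                            if (scanFileToLoad.fileExists())
                            {
                                var appScan =  AppScan.AppScanFactory.CreateInstance();
                                appScan.Scan.LoadScanDataAsync(scanFileToLoad);
                            }
                        };

// run this only once: every call clears the panel below the tree and registers one more
// AfterSelect handler on it, so calling it twice leaves two handlers active.
Action<string> configureTreeView =
    (sourceFolder)
        =>{
            if (sourceFolder.dirExists().isFalse())
                return;

            // Normalised root with a trailing separator, so "C:\src2" cannot pass as being under "C:\src".
            var sourceRoot = Path.GetFullPath(sourceFolder).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
            Func<string, bool> isInsideSourceFolder =
                (path) => Path.GetFullPath(path).StartsWith(sourceRoot, StringComparison.OrdinalIgnoreCase);

            var scanTreeView = MainForm.controls<TreeView>(true)[0];

            var panelBelowTreeView = scanTreeView.splitContainer().Panel2;
            panelBelowTreeView.clear();
            var sourceCodeViewer = panelBelowTreeView.add_SourceCodeViewer();

            scanTreeView.afterSelect<TreeNodeWithPaint>(
                (treeNodeWithPaint)=>
                    {
                        try
                        {
                            // FullPath is the URL path recorded while crawling the target site, so the
                            // file path derived from it is untrusted; a "..\" segment must not escape sourceFolder.
                            var virtualFile = scanTreeView.selected().FullPath.remove(@"My Application\http://www.altoromutual.com:8080/\altoromutual\");
                            var pathToFile = sourceFolder.pathCombine(virtualFile);
                            if (isInsideSourceFolder(pathToFile) && pathToFile.fileExists())
                            {
                                sourceCodeViewer.open(pathToFile);
                                // .jsp files are shown with the .aspx highlighter (presumably the closest one available — confirm).
                                if (pathToFile.extension(".jsp"))
                                    sourceCodeViewer.editor().setDocumentHighlightingStrategy(".aspx");
                            }
                            else
                                sourceCodeViewer.set_Text("");
                        }
                        catch (Exception ex)
                        {
                            // Keep the tree usable when a mapping fails, but surface the error in O2's
                            // LogViewer rather than swallowing it silently.
                            ex.Message.info();
                        }
                    });

        };

// "AltoroJ" top-level menu: one item prompts for the .scan file, the other for the source folder.
var menuStrip =  MainForm.controls<MenuStrip>();
var o2Menu = menuStrip.add_MenuItem("AltoroJ");
o2Menu.add_MenuItem("Open AltoroJ", ()=>  openScanFile("Where is the AltoroJ *.Scan file".askUser()) );
o2Menu.add_MenuItem("Configure AltoroJ source code mapping", ()=>  configureTreeView("Where is the AltoroJ source code".askUser()) );

return "ok";

//using AppScan.Gui.UserControls
//using System.IO
//O2Ref:appscan.exe
//O2Ref:UserControls.dll
//O2Ref:AppScanSDK.dll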

Next step is to add the source code viewer for the AltoroJ AS.Source findings. Let's start by finding the multiple TabControls

// Returns every TabControl found under MainForm (recursive search).
var tabControls = MainForm.controls<TabControl>(true);
return tabControls;
//O2Ref:appscan.exe

Adding a test tab to the selected finding TabControl

// Adds a tab named "Test" to the second TabControl under MainForm (the selected-finding tab control).
MainForm.controls<TabControl>(true)[1].add_Tab("Test");
//O2Ref:appscan.exe

Adding a findings Viewer

// Adds a "SAST Findings" tab to the selected-finding TabControl and places an O2 FindingsViewer in it.
var findingsViewer = MainForm.controls<TabControl>(true)[1]
                             .add_Tab("SAST Findings")
                             .add_FindingsViewer();

//O2Ref:appscan.exe
//using O2.XRules.Database.Findings
//O2File:Findings_ExtensionMethods.cs

Load the findings data and show it

            var o2Findings = ozasmtFile.loadO2Findings();

            var selectedFindingTabControl =  MainForm.controls<TabControl>(true)[1];
            //selectedFindingTabControl.TabPages.Clear();

            var allFindingsViewer =  selectedFindingTabControl.add_Tab("All SAST Findings ")
                                                  .add_FindingsViewer(false);
            var findingsMappedToFileViewer = selectedFindingTabControl.add_Tab("SAST Findings Mapped to Selecteded File")
                                                          .add_FindingsViewer(true);
            allFindingsViewer.show(o2Findings);

            Action<string> showFilteredResults =
                (filter)=>{   
                              var filteredResults = (from o2Finding in o2Findings
                                                     where o2Finding.file.contains(filter)
                                                     select o2Finding).toList();
                              findingsMappedToFileViewer.show(filteredResults);                 
                         };
           

            var scanTreeView = MainForm.controls<TreeView>(true)[0];                     

                scanTreeView.afterSelect<TreeNodeWithPaint>(
                    (treeNodeWithPaint)=>
                        {
                            try
                            {           
                                var virtualFile = scanTreeView.selected().FullPath.remove(@"My Application\http://www.altoromutual.com:8080/\altoromutual\");
                                //var pathToFile = sourceFolder.pathCombine(virtualFile); 
                                showFilteredResults(virtualFile);
                            }
                            catch {}
                        });                   

November 8, 2011 - Posted by | .NET, AppScan
