OWASP O2 Platform Blog

Fortify FVDL files – Simple TableList Viewer Tool

Following on from the Fortify FVDL files – Creating and consuming the schema and CSharp file  post , let’s now build a generic simple tool to view fvdl files (which as long as they are compliant with the XSD we created, they should load).

Note: These scripts are going to use the demo files referenced in the previous post, and that you can download from http://s3.amazonaws.com/Demo_Files/Fortify-Sate-2008.zip . This zip should had been unziped to the ‘C:\O2\_tempDir\_Fortify-Sate-2008\’ folder (as per the previous scripts) and the C# that I’m going to use is the one that you will find at ‘C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\Fortify.fvdl.1.6.cs’ (this is the same one as created by the previous example, except that is located on a different folder and has a different name)

The first step is to load up a file and view it in a ListView (this is the last example of the previous script)

var topPanel = panel.clear().add_Panel();
var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = FVDL.Load(xmlFile);
var vulnerabilities = fvdl.Vulnerabilities.Vulnerability; 

var results =  (from vulnerability in vulnerabilities
                  select new  {
                                kingdom = vulnerability.ClassInfo.Kingdom,
                                analyzer = vulnerability.ClassInfo.AnalyzerName,
                                classId = vulnerability.ClassInfo.ClassID,
                                defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                instanceId = vulnerability.InstanceInfo.InstanceID,
                                instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                confidence = vulnerability.InstanceInfo.Confidence,
                                function = vulnerability.AnalysisInfo.Unified.Context.Function.name,
                                file = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path,
                                line = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line,
                                col = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.colStart
                               
                            }).toList();

topPanel.add_TableList("Showing {0} Vulnerabilties".format(results.size()))
        .show(results);                           
return "done";

//using xmlns.www.fortifysoftware.com.schema.fvdl
//O2File:C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\Fortify.fvdl.1.6.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll

 

The first thing to do is to move the loading of the fvdl into a separate Lamdba method:

Func<string, FVDL> loadFvdl =
    (fvdlFile)=>{
                    var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();       
                     var _fvdl = FVDL.Load(fvdlFile);   
                     o2Timer.stop();
                     return _fvdl;
                };
 
var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = loadFvdl(xmlFile);

Then also  move the code that shows the results into its own Lambda function

Action<FVDL> showFvdl =
     (_fvdl)=>{
                var vulnerabilities = _fvdl.Vulnerabilities.Vulnerability;
 
                var results =  (from vulnerability in vulnerabilities
                  select new  {
                                kingdom = vulnerability.ClassInfo.Kingdom,
                                analyzer = vulnerability.ClassInfo.AnalyzerName,
                                classId = vulnerability.ClassInfo.ClassID,
                                defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                instanceId = vulnerability.InstanceInfo.InstanceID,
                                instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                confidence = vulnerability.InstanceInfo.Confidence,
                                function = vulnerability.AnalysisInfo.Unified.Context.Function.name,
                                file = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path,
                                line = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line,
                                col = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.colStart
                               
                            }).toList();
                tableList.title("Showing {0} Vulnerabilties".format(results.size()))
                         .show(results);                                       
                
              };

Next add Drag & Drop support so that can just drop an *.fvdl file to see it:

Action<string> loadAndShowFile =
    (file)=>{ 
                 var fvdl = loadFvdl(file);
                 showFvdl(fvdl);
            };

tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);

…and show a message to the user (while loading the data in a separate thread)

Action<string> loadAndShowFile =
    (file)=>{
                tableList.title("... loading file: {0}".format(file.fileName()));
                O2Thread.mtaThread(()=>{
                                            var fvdl = loadFvdl(file);
                                            showFvdl(fvdl);
                                        });
            };
tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);

Change the getFvdl method to add support for caching the loaded objects (helps when dealing with large files that are loaded more than one time during the same session)

Func<string, FVDL> loadFvdl =
    (fvdlFile)=>{       
                    try
                    {
                        return (FVDL)O2LiveObjects.get(fvdlFile);
                    }
                    catch { }
                    
                    var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();       
                     var _fvdl = FVDL.Load(fvdlFile);   
                     O2LiveObjects.set(fvdlFile,_fvdl);
                     o2Timer.stop();
                     return _fvdl; 
                };

Change the getFvdl method to detect some cases where there is no data for: function, file or line

Action<FVDL> showFvdl =
     (_fvdl)=>{
                var vulnerabilities = _fvdl.Vulnerabilities.Vulnerability;
 
                var results =  (from vulnerability in vulnerabilities
                  select new  {
                                kingdom = vulnerability.ClassInfo.Kingdom,
                                analyzer = vulnerability.ClassInfo.AnalyzerName,
                                classId = vulnerability.ClassInfo.ClassID,
                                defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                instanceId = vulnerability.InstanceInfo.InstanceID,
                                instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                confidence = vulnerability.InstanceInfo.Confidence,                                          
                                function = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.Function.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.Function.name
                                            : "" ,
                                file = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path
                                            : "" ,
                                line = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line
                                            : 0
                            }).toList();
                tableList.title("Showing {0} Vulnerabilties".format(results.size()))
                         .show(results);                                                        
              };

Make this a generic tool and add a title to the TableList that indicates to the user that he/she needs to drop an *.fvdl file to load it:

//var topPanel = panel.clear().add_Panel();
var topPanel = "Util - Simple FVDL viewer".popupWindow(1000,400);</pre>
&nbsp;

var tableList = topPanel.clear().add_TableList().title("Drop an *.fvdl file here to load it");

Finally, save it as an *.h2 file so that it can be invoked as a stand alone tool:

To execute this script, just double click on it, and the following GUI should appear:

Now drag and drop a *.fvdl file to load it and see detals about its vulnerabilities:

 naim.fvdl

lighttpd.fvdl

nagios.fvdl

mvnforum.fvdl

For reference here is the complete script (available as the Util – Simple FVDL viewer.h2 script):

//var topPanel = panel.clear().add_Panel();
var topPanel = "Util - Simple FVDL viewer".popupWindow(1000,400);

var tableList = topPanel.clear().add_TableList().title("Drop an *.fvdl file here to load it");

Func<string, FVDL> loadFvdl =
    (fvdlFile)=>{       
                    try
                    {
                        var chachedFvdl = (FVDL)O2LiveObjects.get(fvdlFile);
                        if (chachedFvdl.notNull())
                            return chachedFvdl;
                    }
                    catch { }
                    
                    var o2Timer = new O2Timer("loading {0} file".format(fvdlFile.fileName())).start();       
                     var _fvdl = FVDL.Load(fvdlFile);   
                     O2LiveObjects.set(fvdlFile,_fvdl);
                     o2Timer.stop();
                     return _fvdl; 
                };
 
 Action<FVDL> showFvdl =
     (_fvdl)=>{
                var vulnerabilities = _fvdl.Vulnerabilities.Vulnerability;
 
                var results =  (from vulnerability in vulnerabilities
                  select new  {
                                kingdom = vulnerability.ClassInfo.Kingdom,
                                analyzer = vulnerability.ClassInfo.AnalyzerName,
                                classId = vulnerability.ClassInfo.ClassID,
                                defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                instanceId = vulnerability.InstanceInfo.InstanceID,
                                instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                confidence = vulnerability.InstanceInfo.Confidence,                                          
                                function = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.Function.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.Function.name
                                            : "" ,
                                file = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path
                                            : "" ,
                                line = vulnerability.AnalysisInfo.Unified.notNull() && vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.notNull()
                                            ? vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line
                                            : 0
                            }).toList();
                tableList.title("Showing {0} Vulnerabilties".format(results.size()))
                         .show(results);                                                        
              };
 

Action<string> loadAndShowFile =
    (file)=>{
                tableList.title("... loading file: {0}".format(file.fileName()));
                O2Thread.mtaThread(()=>{
                                            var fvdl = loadFvdl(file);
                                            showFvdl(fvdl);
                                        });
            };

tableList.onDrop(loadAndShowFile);
tableList.getListViewControl().onDrop(loadAndShowFile);
   

return "done"; 

//using xmlns.www.fortifysoftware.com.schema.fvdl
//O2File:C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\Fortify.fvdl.1.6.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll

July 17, 2011 Posted by | Fortify, Interoperability | 2 Comments

Fortify FVDL files – Creating and consuming the schema and CSharp file

An o2 user send me a nice 400Mb Fortify file to see if O2 could do something with it (since Fortify’s GUI was not able to load it).

The next couple posts will document how to go from an XML file to creating an API to consume and to visualize it.

For this demo I will use the Fortify FVDL files that where published by SATE 2008 results (part of NIST SAMATE project) which Fortify participated. You can download the entire SATE 2008 data from their website (which includes the findings files from all participats and SATE’s result), or you can download just the Fortify FVDL (and xsd) from O2’s S3 repository: Fortify-Sate-2008.zip (the scripts below will use this files, but if you have access to *.fvdl files, you can use them)

To start, open an ‘O2 Quick Development Environment GUI’

Then download the demos files and unzip them to a local temp folder:

var demoFileUrl = "http://s3.amazonaws.com/Demo_Files/Fortify-Sate-2008.zip";
var localFile = demoFileUrl.uri().download();

Next step is to unzip the file:

var localFile = "".tempDir().pathCombine("Fortify-Sate-2008.zip");
if (localFile.fileExists().isFalse())
{
    var demoFileUrl = "http://s3.amazonaws.com/Demo_Files/Fortify-Sate-2008.zip";
    demoFileUrl.uri().download();
}   
return localFile.unzip_File();

Then add a check to only unzip if the target folder doesn’t exist and package it in a Lambda method which can be easily consumed by the main script:

Func<string> getFolderWithFvdlDemoFiles =
    ()=>{
            var localFile = "".tempDir().pathCombine("Fortify-Sate-2008.zip");
            if (localFile.fileExists().isFalse())
            {
                var demoFileUrl = "http://s3.amazonaws.com/Demo_Files/Fortify-Sate-2008.zip";
                demoFileUrl.uri().download();
            }    
            var targetFolder = @"..\_Fortify-Sate-2008".tempDir(false).fullPath(); // by default this willl resolve to C:\O2\_tempDir\_Fortify-Sate-2008
            if (targetFolder.dirExists().isFalse())
                localFile.unzip_File(targetFolder);            
            return targetFolder;
        };

var folderWithFvdlFiles = getFolderWithFvdlDemoFiles();       
return folderWithFvdlFiles.files(true,"*.fvdl");

There a number of *.fvdl files available, and since the first thing we need is to create an *.xsd for them, let’s pick the smaller one (in this case naim.fvdl)

var folderWithFvdlFiles = getFolderWithFvdlDemoFiles();        
var naimFvdl = folderWithFvdlFiles.files(true,"naim.fvdl").first();
return naimFvdl;

Usually at this stage we can use the O2 Fluent XML Apis to do this. Basically, in most cases this works:

var folderWithFvdlFiles = getFolderWithFvdlDemoFiles();        
var naimFvdl = folderWithFvdlFiles.files(true,"naim.fvdl").first();


return naimFvdl.xmlCreateXSD(); // creates XSD from Xml file

Unfortunately, for this XML file, we get the error “The table (Node) cannot be the child table to itself in nested relations.” (which is quite a common error when creating XSDs from XML files)

The 2nd usual attempt is to try to use the XSD.exe tool that comes with Visual Studio, But that just returns the same error:

The 3rd attempt is to use VisualStudio 2010 for the conversion. Before we open the file in visual studio, we will need to create a new copy (or rename it) with an .xml extension (ie C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl.xml)

 Then from the XML menu, select the ‘Create Schema’ menu Item

Which this time around should work 🙂 :

Save this file locally

Now go back to the O2 development Gui (or open up a new one), and lets create the CSharp file. Start by making sure you have a correct reference to the file:

var xsdFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl.xsd";
return xsdFile.fileExists();

call the xsdCreateCSharpFile method to create a CSharp file:

var xsdFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl.xsd";
return xsdFile.xsdCreateCSharpFile(); 

This will create a file called ‘C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl.cs’, which you can take look by opening it in a source code editor control

var topPanel = panel.clear().add_Panel();
var xsdFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl.xsd";
var csharpFile = xsdFile.xsdCreateCSharpFile(); 
var codeEditor = topPanel.add_SourceCodeEditor(); // add source code editor to topPanel
codeEditor.invoke("setMaxLoadSize","1000");       // invoke the private method that sets the max size of the file to load using the SharpDevelop control (if bigger the file is opended in a listview)
codeEditor.open(csharpFile);                        // open file

if try to compile this csharp file, you will get a number of “The type of namespace ‘xyz’ could not be found”  errors

This is caused because the CSharp file was created using the Link2Xml Apis which are included in the O2_Misc_Microsoft_MPL_Libs.dll.

The solution is to add this as a reference at the top of the file, which will make the compilation work

Note that this extra reference could had also be introduced programatically like this:

var xsdFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl.xsd";
var csharpFile = xsdFile.xsdCreateCSharpFile(); 

csharpFile.fileContents()
      .insertBefore("//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll".line())
      .saveAs(csharpFile);

The final step, now that we have the CSharp file (‘C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl.cs’), is to use it as a reference and load up the original Xml file using it.

To make it clear, lets do this on a clean O2 Development GUI Environment

If you look at the CSHarp file you should notice that there is namespace

namespace xmlns.www.fortifysoftware.com.schema.fvdl {

…which contains a FVDL class

public partial class FVDL : XTypedElement, IXMetaData {

…which contains a Load static method

        public static FVDL Load(string xmlFile) {
            return XTypedServices.Load<FVDL>(xmlFile);
        }

This is the method that we will need to call , so that we can get a strongly typed version of our XML file

var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = FVDL.Load(xmlFile);
return fvdl;

//using xmlns.www.fortifysoftware.com.schema.fvdl
//O2File:C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll

 … which finally gives us the object that we want:

…and provides strongly-typed access to the fvdl data, including code-complete support

  ->

As a first exampe,  here is the list of vulnerability objects in the loaded xml file:

Note: one way to see in more details the type of objects that are availble is to call the {object}.details() method:

var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = FVDL.Load(xmlFile);
var vulnerabilities = fvdl.Vulnerabilities.Vulnerability; 
vulnerabilities.details();

..which opens a popup window that can be navigated by properties or fields (note that the data is only loaded on selection)

Going back into Vulnerability filtering …

… where it gets really powerful is when we use Linq queries to filter the data:

var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = FVDL.Load(xmlFile);
var vulnerabilities = fvdl.Vulnerabilities.Vulnerability; 

return (from vulnerability in vulnerabilities
        select vulnerability.ClassInfo.Kingdom).Distinct(); 

In this case, here is a distinct list of the vunerability’s Kingdoms

…  or a quick consolidated view of  the vulnerability data:

var topPanel = panel.clear().add_Panel();
var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = FVDL.Load(xmlFile);
var vulnerabilities = fvdl.Vulnerabilities.Vulnerability; </pre>
&nbsp;

var results =  (from vulnerability in vulnerabilities
                  select new  {
                                kingdom = vulnerability.ClassInfo.Kingdom,
                                analyzer = vulnerability.ClassInfo.AnalyzerName,
                                classId = vulnerability.ClassInfo.ClassID,
                                defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                instanceId = vulnerability.InstanceInfo.InstanceID,
                                instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                confidence = vulnerability.InstanceInfo.Confidence,
                                function = vulnerability.AnalysisInfo.Unified.Context.Function.name,
                                file = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path,
                                line = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line,
                                col = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.colStart
                               
                            });
return results;

 

This  ‘Linq result’ object, is a local C# anonymous class, and is better seen and analyed on a TableList:

var topPanel = panel.clear().add_Panel();
var xmlFile = @"C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl";
var fvdl = FVDL.Load(xmlFile);
var vulnerabilities = fvdl.Vulnerabilities.Vulnerability; </pre>
&nbsp;

var results =  (from vulnerability in vulnerabilities
                  select new  {
                                kingdom = vulnerability.ClassInfo.Kingdom,
                                analyzer = vulnerability.ClassInfo.AnalyzerName,
                                classId = vulnerability.ClassInfo.ClassID,
                                defaultSeverity = vulnerability.ClassInfo.DefaultSeverity,
                                instanceId = vulnerability.InstanceInfo.InstanceID,
                                instanceSeverity = vulnerability.InstanceInfo.InstanceSeverity,
                                confidence = vulnerability.InstanceInfo.Confidence,
                                function = vulnerability.AnalysisInfo.Unified.Context.Function.name,
                                file = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.path,
                                line = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.line,
                                col = vulnerability.AnalysisInfo.Unified.Context.FunctionDeclarationSourceLocation.colStart
                               
                            }).toList();

topPanel.add_TableList("Showing {0} Vulnerabilties".format(results.size()))
        .show(results);                           
return "done";

//using xmlns.www.fortifysoftware.com.schema.fvdl
//O2File:C:\O2\_tempDir\_Fortify-Sate-2008\Fortify-Sate-2008\sate2008-Fvdl\naim.fvdl.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll

That wraps up this example, the next related entries will continue from here 🙂

July 16, 2011 Posted by | Fortify, Interoperability | 3 Comments

Consuming Veracode Findings File(s) using O2

If you are a veracode customer (or have access to a report created by its static/analysis engine), you can use O2 to analyze, filter and extend those findinds.

Note that this first post covers only the viewing part. There is a much more advanced O2 integration with veracode which will be documented later (namely the ability to consumer veracode’s DWR APIs directly, download the Findings Traces data, and to glue them with the findings in the original XML reports)

The current viewers can be accessed via the Veracode (Custom O2).h2 script:

which looks like this:

There are 3 ways you can see the veracode findings and all can be accessed via the Main Gui to view Veracode Findings button (you can also open these viewers individually via the buttons under  the Raw Views section)

By default the Main Gui to view Veracode Findings looks like this

 

To load the files drop them in the area that says ‘DROP XML FILE HERE…’ (you can also drop them on each of the view’s treeview or table list)

Once you drop a file, in the default view (which is the View in SourceCodeViewer) you will be able to see the findings filtered by: Category Name, Type , File or Severity

 

For example here is what the by Category Name looks like:

 

Other View: TableList

Click on the View in TableList link (top left) to see the data in a TableList view (note that this is not the raw Veracode xml data, this is already a normalization view of that data created by Linq queries inside this O2 Script)

 

Other View: TreeView

The other view that is available is a TreeView visualization of the raw Veracode Xml document (this is what it looks like if you open that XML file in a Xml viewer)

 

Other View: StandAlone TreeView

The TreeView view, (shown below when opened as a stand alone form) as support for loading multiple findings files (just drop a folder and all xml/zip Veracode XML  files will be loaded)

… drop a folder in the TreeView

And see multiple findings file in the save location:

Using C# Linq To filter the findings

Here are a couple (C# Extension methods) examples of how to use C# Linq based queries to quickly process the veracode findings file:

 public static class API_Veracode_DetailedXmlFindings_ExtensionMethods_Linq_Queries
    {
        public static List<FlawType> flaws(this API_Veracode_DetailedXmlFindings apiVeracode)
        {
            if(apiVeracode.DetailedReport.isNull())
                return new List<FlawType>();
               
            var flaws = from severity in apiVeracode.DetailedReport.severity
                        from category in severity.category            
                        from cwe in category.cwe
                        from flaw in cwe.staticflaws.flaw                                    
                        select flaw;
            return flaws.toList();
        }
       
        public static List<FlawType> @fixed(this List<FlawType> flaws)
        {
            return (from flaw in flaws
                    where flaw.remediation_status == "Fixed"
                    select flaw).toList();
        }
       
        public static List<FlawType> notFixed(this List<FlawType> flaws)
        {
            return (from flaw in flaws
                    where flaw.remediation_status != "fixed"
                    select flaw).toList();
        }
    }

 

        public static ascx_TableList show_In_TableList(this List<FlawType> flaws , Control control)
        {       
            control.clear();
            var tableList = control.add_TableList();
            Action showData =
                ()=>{
                       
                        var selectedRows =  from flaw in flaws
                                            select new {flaw.severity, flaw.categoryname, flaw.issueid,
                                                        flaw.module, flaw.type, flaw.description, flaw.cweid, 
                                                        flaw.exploitLevel, flaw.categoryid,
                                                        flaw.sourcefile, flaw.line,  flaw.sourcefilepath,
                                                        flaw.scope, flaw.functionprototype, flaw.functionrelativelocation};
                 
       
                        tableList.show(selectedRows);
                        tableList.makeColumnWidthMatchCellWidth();
                    };
            tableList.onDrop(
                (file)=>{
                            var apiVeracode = new API_Veracode_DetailedXmlFindings().load(file);
                            flaws = apiVeracode.flaws();
                            showData();
                        });
            if (flaws.size()>0)
                showData();
            else
                tableList.add_Column("note")
                         .add_Row("drop a Veracode DetailedFindings Xml (or zip) file to view it")
                         .makeColumnWidthMatchCellWidth();
               
            return tableList;
        }

July 1, 2011 Posted by | Interoperability, Veracode | 1 Comment