OWASP O2 Platform Blog

Submit file to Veracode Trial: using Browser and Windows Automation (WatiN and White APIs)

This script automates the process of submitting a file to Veracode’s free trial (as of 20/Jul/2011). See also Consuming Veracode Findings File(s) using O2.

It first provides a settings GUI, where the user can enter the required data (email and file to upload), then fires up a web browser and uses WatiN (Browser Automation) plus White (Windows UIAutomation) to populate the form fields and submit the form.

The reason I had to use UIAutomation (and the White API) is that there didn’t seem to be a way to modify the HTML form field of the ‘file upload’ control (even jQuery didn’t seem to be able to set that value programmatically). This is by design: browsers deliberately stop page script from setting the value of a file-input control, otherwise any page could pick arbitrary local files for upload without the user choosing them, so the only way to select the file is to drive the native file dialog from outside the browser.

The solution was to use UIAutomation to:

  • click on the ‘Browse’ button,
  • then (in the popup file dialog window)
    • enter the file to upload, and
    • click ‘Open’

Here is the ‘settings’ window:

When the button is clicked, the Veracode trial page is opened and the HTML form’s file upload button is pressed (via UIAutomation):

When the ‘Choose File to Upload’ window appears, the ‘File Name’ text box is populated and the ‘Open’ button is pressed (both using UIAutomation, via the White API).

Finally, the email field is populated, the check box is ticked and the ‘Upload’ button is pressed (using Browser Automation, via WatiN).

Here is the source code of this script:

var topPanel = O2Gui.open<Panel>("Util - Submit file to Veracode Trial",700,180);    
//var topPanel = panel.clear().add_Panel();
topPanel.insert_LogViewer();
var _email = "o2@o2platform.com";
var _fileToUpload = @"C:\O2\Demos\jPetStore - O2 Demo Pack\apache-tomcat-7.0.16\webapps\jpetstore.war";


Action<string,string> submitFileToVeracode =
	(email, fileToUpload)=>
		{
			// random suffix so that the UIAutomation lookup below finds this popup and not another O2 window
			var windowName= "Veracode File Upload - {0}".format(10.randomLetters());
			var ie = windowName.popupWindow(1000,500)
							   .add_IE().open("https://trial.veracode.com/freetrials/veracode-free-trial-signup.php");

			// White (UIAutomation) attaches to the current (O2) process, which hosts the IE control
			var processId = Processes.getCurrentProcessID();
			var apiGuiAutomation = new API_GuiAutomation(processId);
			var window = apiGuiAutomation.window(windowName);
			"got main window".info();
			var buttons = window.buttons();
			"found {0} buttons".info(buttons.size());
			// index 1 was the form's 'Browse' (file upload) button on the page as of 20/Jul/2011;
			// if the page layout changes this index has to be revisited
			buttons[1].mouse().click();
			"clicked button".debug();
			// the native file dialog cannot be driven from the browser, so it is handled via UIAutomation
			var selectFileWindow = apiGuiAutomation.window("Choose File to Upload");
			selectFileWindow.textBoxes()[0].set_Text(fileToUpload);
			selectFileWindow.button("Open").click();
			// the remaining fields are normal HTML controls, so WatiN can set them directly
			ie.field("email",email);
			ie.checkBoxes()[0].check();
			ie.button("Upload").click();
			//buttons[2].mouse().click();
		};


topPanel.add_TextBox("Email",_email).top(0)
			.width(100)
			.onTextChange((text)=>_email=text)
		.append_Label("File to upload")
			.autoSize()
			.top(3)
		.append_TextBox(_fileToUpload)
			.onTextChange((text)=>_fileToUpload=text)
			.width(300)
			.align_Right(topPanel);
topPanel.add_Button(24,"Create Account and Upload File")
		.font_bold()
		.align_Right(topPanel)
		.onClick(()=> submitFileToVeracode(_email, _fileToUpload) );

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll
//O2File:API_GuiAutomation.cs
//O2Ref:White.Core.dll

July 20, 2011 Posted by | Interoperability, JPetStore, Veracode, WatiN, White_UIAutomation

Consuming Veracode Findings File(s) using O2

If you are a Veracode customer (or have access to a report created by its static analysis engine), you can use O2 to analyze, filter and extend those findings.

Note that this first post covers only the viewing part. There is a much more advanced O2 integration with Veracode which will be documented later (namely the ability to consume Veracode’s DWR APIs directly, download the Findings Traces data, and glue them to the findings in the original XML reports).

The current viewers can be accessed via the Veracode (Custom O2).h2 script, which looks like this:

There are 3 ways you can see the Veracode findings, and all can be accessed via the Main Gui to view Veracode Findings button (you can also open these viewers individually via the buttons under the Raw Views section).

By default the Main Gui to view Veracode Findings looks like this:

To load the files, drop them in the area that says ‘DROP XML FILE HERE…’ (you can also drop them on each view’s treeview or table list).

Once you drop a file, in the default view (which is the View in SourceCodeViewer) you will be able to see the findings filtered by: Category Name, Type, File or Severity.

For example, here is what the ‘by Category Name’ view looks like:

Other View: TableList

Click on the View in TableList link (top left) to see the data in a TableList view (note that this is not the raw Veracode XML data; it is a normalized view of that data, created by the Linq queries inside this O2 script):

Other View: TreeView

The other view that is available is a TreeView visualization of the raw Veracode XML document (this is what it looks like if you open that XML file in an XML viewer):

Other View: StandAlone TreeView

The TreeView view (shown below when opened as a stand alone form) has support for loading multiple findings files (just drop a folder and all xml/zip Veracode XML files in it will be loaded):

… drop a folder in the TreeView

And see multiple findings files in the same location:

Using C# Linq to filter the findings

Here are a couple of examples (C# extension methods) of how to use C# Linq queries to quickly process the Veracode findings file:

public static class API_Veracode_DetailedXmlFindings_ExtensionMethods_Linq_Queries
{
    // flatten the DetailedReport tree (severity > category > cwe > staticflaws > flaw) into a list of flaws
    public static List<FlawType> flaws(this API_Veracode_DetailedXmlFindings apiVeracode)
    {
        if(apiVeracode.DetailedReport.isNull())
            return new List<FlawType>();

        var flaws = from severity in apiVeracode.DetailedReport.severity
                    from category in severity.category
                    from cwe in category.cwe
                    from flaw in cwe.staticflaws.flaw
                    select flaw;
        return flaws.toList();
    }

    // remediation_status is compared case-sensitively, so both filters must use the same spelling ("Fixed");
    // using "fixed" in one and "Fixed" in the other would make notFixed() return the fixed flaws as well
    public static List<FlawType> @fixed(this List<FlawType> flaws)
    {
        return (from flaw in flaws
                where flaw.remediation_status == "Fixed"
                select flaw).toList();
    }

    public static List<FlawType> notFixed(this List<FlawType> flaws)
    {
        return (from flaw in flaws
                where flaw.remediation_status != "Fixed"
                select flaw).toList();
    }
}

// extension methods have to live in a static class; the class name below is only a container for show_In_TableList
public static class API_Veracode_DetailedXmlFindings_ExtensionMethods_TableList
{
    // shows the (normalized) flaw data in a TableList; the control also accepts drops of further report files
    public static ascx_TableList show_In_TableList(this List<FlawType> flaws, Control control)
    {
        control.clear();
        var tableList = control.add_TableList();
        Action showData =
            ()=>{
                    // projection of the flaw fields shown in the table (this is not the raw Veracode xml)
                    var selectedRows = from flaw in flaws
                                       select new {flaw.severity, flaw.categoryname, flaw.issueid,
                                                   flaw.module, flaw.type, flaw.description, flaw.cweid,
                                                   flaw.exploitLevel, flaw.categoryid,
                                                   flaw.sourcefile, flaw.line, flaw.sourcefilepath,
                                                   flaw.scope, flaw.functionprototype, flaw.functionrelativelocation};
                    tableList.show(selectedRows);
                    tableList.makeColumnWidthMatchCellWidth();
                };
        // dropping a DetailedFindings xml (or zip) file replaces the current list of flaws
        tableList.onDrop(
            (file)=>{
                        var apiVeracode = new API_Veracode_DetailedXmlFindings().load(file);
                        flaws = apiVeracode.flaws();
                        showData();
                    });
        if (flaws.size()>0)
            showData();
        else
            tableList.add_Column("note")
                     .add_Row("drop a Veracode DetailedFindings Xml (or zip) file to view it")
                     .makeColumnWidthMatchCellWidth();

        return tableList;
    }
}
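As an added example (not part of this post and not O2 code), here is the same flaws()/fixed()/notFixed() processing written against the report with LINQ to XML alone, so it runs as a plain console program without O2’s generated API_Veracode_DetailedXmlFindings classes. The sample report embedded in it is constructed for the example: its element and attribute names are the ones the O2 queries above read (severity, category, cwe, staticflaws, flaw, remediation_status, sourcefile, line, …), while the namespace URI, the app name and the attribute values are assumptions, which is why the parser matches on local names and ignores the namespace. It goes one step beyond the post by grouping the open flaws by CWE, worst severity first, which is the view a triage pass actually wants.

```csharp
// Added example, not from the O2 post: parse a Veracode detailed-findings XML with LINQ to XML.
// Element/attribute names follow the ones the O2 script reads; the namespace URI, app name and
// attribute values in the embedded sample are assumptions (constructed for this example).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public sealed class Flaw
{
    public int Severity;
    public string CategoryName;
    public int IssueId;
    public string CweId;
    public string SourceFile;
    public int Line;
    public string RemediationStatus;
}

public static class VeracodeFindings
{
    // Flatten severity/category/cwe/staticflaws/flaw into a list. Matching on LocalName means a
    // namespaced and an un-namespaced report both work; the parent check keeps only static flaws,
    // mirroring the O2 query (cwe.staticflaws.flaw).
    public static List<Flaw> Flaws(XDocument report)
    {
        return report.Descendants()
            .Where(e => e.Name.LocalName == "flaw"
                     && e.Parent != null && e.Parent.Name.LocalName == "staticflaws")
            .Select(f => new Flaw
            {
                Severity          = (int?)f.Attribute("severity") ?? 0,
                CategoryName      = (string)f.Attribute("categoryname") ?? "",
                IssueId           = (int?)f.Attribute("issueid") ?? 0,
                CweId             = (string)f.Attribute("cweid") ?? "",
                SourceFile        = (string)f.Attribute("sourcefile") ?? "",
                Line              = (int?)f.Attribute("line") ?? 0,
                RemediationStatus = (string)f.Attribute("remediation_status") ?? ""
            })
            .ToList();
    }

    // Case-insensitive on purpose: a fixed flaw must never slip into the "open" list because of casing.
    public static bool IsFixed(Flaw flaw) =>
        string.Equals(flaw.RemediationStatus, "Fixed", StringComparison.OrdinalIgnoreCase);

    public static List<Flaw> Fixed(IEnumerable<Flaw> flaws)    => flaws.Where(IsFixed).ToList();
    public static List<Flaw> NotFixed(IEnumerable<Flaw> flaws) => flaws.Where(f => !IsFixed(f)).ToList();

    // Open findings grouped by CWE, worst severity first (GroupBy preserves the sorted order inside groups).
    public static IEnumerable<IGrouping<string, Flaw>> OpenByCwe(IEnumerable<Flaw> flaws) =>
        NotFixed(flaws).OrderByDescending(f => f.Severity).GroupBy(f => f.CweId);
}

public static class Program
{
    // Constructed sample report: two open flaws and one fixed one.
    const string SampleReport = @"
<detailedreport xmlns=""https://www.veracode.com/schema/reports/export/1.0"" app_name=""jpetstore"">
  <severity level=""5"">
    <category categoryid=""19"" categoryname=""SQL Injection"">
      <cwe cweid=""89"" cwename=""Improper Neutralization of Special Elements used in an SQL Command"">
        <staticflaws>
          <flaw severity=""5"" categoryname=""SQL Injection"" issueid=""1"" module=""jpetstore.war"" type=""executeQuery"" cweid=""89"" sourcefile=""OrderDao.java"" line=""42"" remediation_status=""New"" />
          <flaw severity=""5"" categoryname=""SQL Injection"" issueid=""2"" module=""jpetstore.war"" type=""executeQuery"" cweid=""89"" sourcefile=""ItemDao.java"" line=""77"" remediation_status=""Fixed"" />
        </staticflaws>
      </cwe>
    </category>
  </severity>
  <severity level=""3"">
    <category categoryid=""18"" categoryname=""Cross-Site Scripting (XSS)"">
      <cwe cweid=""80"" cwename=""Improper Neutralization of Script-Related HTML Tags"">
        <staticflaws>
          <flaw severity=""3"" categoryname=""Cross-Site Scripting (XSS)"" issueid=""3"" module=""jpetstore.war"" type=""println"" cweid=""80"" sourcefile=""Cart.jsp"" line=""15"" remediation_status=""Open"" />
        </staticflaws>
      </cwe>
    </category>
  </severity>
</detailedreport>";

    public static void Main()
    {
        // Replace XDocument.Parse(SampleReport) with XDocument.Load(path) to read a real report.
        var flaws = VeracodeFindings.Flaws(XDocument.Parse(SampleReport));
        Console.WriteLine($"total={flaws.Count} fixed={VeracodeFindings.Fixed(flaws).Count} open={VeracodeFindings.NotFixed(flaws).Count}");
        foreach (var group in VeracodeFindings.OpenByCwe(flaws))
            foreach (var f in group)
                Console.WriteLine($"CWE-{group.Key} sev{f.Severity} {f.SourceFile}:{f.Line} [{f.RemediationStatus}]");
    }
}
```

The Flaw class only carries the fields the O2 TableList projection above uses most; the remaining attributes (description, exploitLevel, scope, functionprototype, …) can be added to the Select the same way. Because the parser keys on local names, it does not break if Veracode changes the schema namespace version, but it will also silently accept a document that is not a Veracode report, so a real tool should check that the root element’s local name is detailedreport before trusting the (possibly empty) result.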

July 1, 2011 Posted by | Interoperability, Veracode