✨ Fortify: Support .fpr format (#9590)

* ✨ fpr format for fortify * 🚧 extract content of fdr * extract audit.fvdl * add unittests * fix bug * update fortify parser * update fortify parser * update fortify parser * fix unittests * flake8 * implement severity * 🐛 fix * add unittest for new severity * flake8 * commit according to review Co-authored-by: Steve Lohr <[email protected]> * commit according to review Co-authored-by: Steve Lohr <[email protected]> * update according to review * update * update documentation * remove docs file as it was moved * flake8 --------- Co-authored-by: Steve Lohr <[email protected]>
DefectDojo · Feb 28, 2024 · 680e7ce · 680e7ce
1 parent a5df4fa
commit 680e7ce
Show file tree

Hide file tree

Showing 8 changed files with 23,165 additions and 30 deletions.
diff --git a/docs/content/en/integrations/parsers/file/fortify.md b/docs/content/en/integrations/parsers/file/fortify.md
@@ -2,7 +2,24 @@
 title: "Fortify"
 toc_hide: true
 ---
-Import Findings from XML file format.
+You can either import the findings in .xml or in .fpr file format. </br>
+If you import a .fpr file, the parser will look for the file 'audit.fvdl' and analyze it. An extracted example can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/fortify/audit.fvdl).
 
 ### Sample Scan Data
-Sample Fortify scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/fortify).
+Sample Fortify scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/fortify).
+
+#### Generate XML Output from Foritfy
+This section describes how to import XML generated from a Fortify FPR. It assumes you 
+already have, or know how to acquire, an FPR file. Once you have the FPR file you will need
+use Fortify's ReportGenerator tool (located in the bin directory of your fortify install).
+```FORTIFY_INSTALL_ROOT/bin/ReportGenerator```
+
+By default, the Report Generator tool does _not_ display all issues, it will only display one
+per category. To get all issues, copy the [DefaultReportDefinitionAllIssues.xml](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/fortify/DefaultReportDefinitionAllIssues.xml) to:  
+```FORTIFY_INSTALL_ROOT/Core/config/reports```
+
+Once this is complete, you can run the following command on your .fpr file to generate the
+required XML:
+```
+./path/to/ReportGenerator -format xml -f /path/to/output.xml -source /path/to/downloaded/artifact.fpr -template DefaultReportDefinitionAllIssues.xml
+```
diff --git a/dojo/tools/fortify/README.md b/dojo/tools/fortify/README.md
diff --git a/dojo/tools/fortify/__init__.py b/dojo/tools/fortify/__init__.py
@@ -1 +1 @@
-__author__ = "Rajarshi333"
+__author__ = "Rajarshi333", "manuel-sommer"
diff --git a/dojo/tools/fortify/parser.py b/dojo/tools/fortify/parser.py
@@ -1,7 +1,7 @@
+import re
 import logging
-
+import zipfile
 from defusedxml import ElementTree
-
 from dojo.models import Finding
 
 logger = logging.getLogger(__name__)
@@ -15,9 +15,15 @@ def get_label_for_scan_types(self, scan_type):
         return scan_type  # no custom label for now
 
     def get_description_for_scan_types(self, scan_type):
-        return "Import Findings from XML file format."
+        return "Import Findings in FPR or XML file format."
 
     def get_findings(self, filename, test):
+        if str(filename.name).endswith('.xml'):
+            return self.parse_xml(filename, test)
+        elif str(filename.name).endswith('.fpr'):
+            return self.parse_fpr(filename, test)
+
+    def parse_xml(self, filename, test):
         fortify_scan = ElementTree.parse(filename)
         root = fortify_scan.getroot()
 
@@ -114,6 +120,79 @@ def get_findings(self, filename, test):
                 dupes.add(title)
         return items
 
+    def fpr_severity(self, Confidence, InstanceSeverity):
+        if float(Confidence) >= 2.5 and float(InstanceSeverity) >= 2.5:
+            severity = "Critical"
+        elif float(Confidence) >= 2.5 and float(InstanceSeverity) < 2.5:
+            severity = "High"
+        elif float(Confidence) < 2.5 and float(InstanceSeverity) >= 2.5:
+            severity = "Medium"
+        elif float(Confidence) < 2.5 and float(InstanceSeverity) < 2.5:
+            severity = "Low"
+        else:
+            severity = "Info"
+        return severity
+
+    def parse_fpr(self, filename, test):
+        if str(filename.__class__) == "<class '_io.TextIOWrapper'>":
+            input_zip = zipfile.ZipFile(filename.name, 'r')
+        else:
+            input_zip = zipfile.ZipFile(filename, 'r')
+        zipdata = {name: input_zip.read(name) for name in input_zip.namelist()}
+        root = ElementTree.fromstring(zipdata["audit.fvdl"].decode('utf-8'))
+        regex = r"{.*}"
+        matches = re.match(regex, root.tag)
+        try:
+            namespace = matches.group(0)
+        except BaseException:
+            namespace = ""
+        items = list()
+        for child in root:
+            if "Vulnerabilities" in child.tag:
+                for vuln in child:
+                    ClassID = vuln.find(f"{namespace}ClassInfo").find(f"{namespace}ClassID").text
+                    Kingdom = vuln.find(f"{namespace}ClassInfo").find(f"{namespace}Kingdom").text
+                    Type = vuln.find(f"{namespace}ClassInfo").find(f"{namespace}Type").text
+                    AnalyzerName = vuln.find(f"{namespace}ClassInfo").find(f"{namespace}AnalyzerName").text
+                    DefaultSeverity = vuln.find(f"{namespace}ClassInfo").find(f"{namespace}DefaultSeverity").text
+                    InstanceID = vuln.find(f"{namespace}InstanceInfo").find(f"{namespace}InstanceID").text
+                    InstanceSeverity = vuln.find(f"{namespace}InstanceInfo").find(f"{namespace}InstanceSeverity").text
+                    Confidence = vuln.find(f"{namespace}InstanceInfo").find(f"{namespace}Confidence").text
+                    SourceLocationpath = vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("path")
+                    SourceLocationline = vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("line")
+                    SourceLocationlineEnd = vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("lineEnd")
+                    SourceLocationcolStart = vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("colStart")
+                    SourceLocationcolEnd = vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("colEnd")
+                    SourceLocationsnippet = vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("snippet")
+                    description = Type + "\n"
+                    severity = self.fpr_severity(Confidence, InstanceSeverity)
+                    description += "**ClassID:** " + ClassID + "\n"
+                    description += "**Kingdom:** " + Kingdom + "\n"
+                    description += "**AnalyzerName:** " + AnalyzerName + "\n"
+                    description += "**DefaultSeverity:** " + DefaultSeverity + "\n"
+                    description += "**InstanceID:** " + InstanceID + "\n"
+                    description += "**InstanceSeverity:** " + InstanceSeverity + "\n"
+                    description += "**Confidence:** " + Confidence + "\n"
+                    description += "**SourceLocationpath:** " + str(SourceLocationpath) + "\n"
+                    description += "**SourceLocationline:** " + str(SourceLocationline) + "\n"
+                    description += "**SourceLocationlineEnd:** " + str(SourceLocationlineEnd) + "\n"
+                    description += "**SourceLocationcolStart:** " + str(SourceLocationcolStart) + "\n"
+                    description += "**SourceLocationcolEnd:** " + str(SourceLocationcolEnd) + "\n"
+                    description += "**SourceLocationsnippet:** " + str(SourceLocationsnippet) + "\n"
+                    items.append(
+                        Finding(
+                            title=Type + " " + ClassID,
+                            severity=severity,
+                            static_finding=True,
+                            test=test,
+                            description=description,
+                            unique_id_from_tool=ClassID,
+                            file_path=SourceLocationpath,
+                            line=SourceLocationline,
+                        )
+                    )
+        return items
+
     def format_title(self, category, filename, line_no):
         """
         Builds the title much like it is represented in Fortify

diff --git a/...tify/DefaultReportDefinitionAllIssues.xml → ...tify/DefaultReportDefinitionAllIssues.xml b/...tify/DefaultReportDefinitionAllIssues.xml → ...tify/DefaultReportDefinitionAllIssues.xml
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		__author__ = "Rajarshi333"
		__author__ = "Rajarshi333", "manuel-sommer"