✨ Fortify: Support .fpr format #9590

Merged
merged 21 commits into from
Feb 28, 2024

DryRunSecurity / Sensitive Functions Analyzer succeeded Feb 26, 2024 in 1s

DryRun Security


Potentially Sensitive Functions: 1 detected

⚠️ Sensitive Function dojo/tools/fortify/parser.py (click for details)
Type Sensitive Function
Description This function is sensitive as it processes and extracts potentially sensitive information from a file.
File Name dojo/tools/fortify/parser.py
Function Name parse_fpr
dupes.add(title)
return items
def fpr_severity(self, Confidence, InstanceSeverity):
    """Map a Fortify instance's Confidence and InstanceSeverity onto a DefectDojo severity.

    Both arguments are the raw text of the FVDL ``<Confidence>`` and
    ``<InstanceSeverity>`` elements; they are converted with ``float``, so a
    non-numeric value raises ``ValueError``. A value of 2.5 or more counts as
    "high" on each axis:

        confidence high, instance severity high -> "Critical"
        confidence high, instance severity low  -> "High"
        confidence low,  instance severity high -> "Medium"
        confidence low,  instance severity low  -> "Low"

    A value that is neither >= 2.5 nor < 2.5 (i.e. NaN) yields "Info".
    """
    threshold = 2.5

    def bucket(raw):
        # True when >= threshold, False when < threshold, None for NaN.
        value = float(raw)
        if value >= threshold:
            return True
        if value < threshold:
            return False
        return None

    confidence_high = bucket(Confidence)
    if confidence_high is None:
        # A NaN confidence never reaches an InstanceSeverity comparison.
        return "Info"

    instance_high = bucket(InstanceSeverity)
    if instance_high is None:
        return "Info"

    lookup = {
        (True, True): "Critical",
        (True, False): "High",
        (False, True): "Medium",
        (False, False): "Low",
    }
    return lookup[(confidence_high, instance_high)]
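def parse_fpr(self, filename, test):
    """Parse a Fortify ``.fpr`` archive and return its vulnerabilities as ``Finding`` objects.

    An ``.fpr`` file is a zip archive; the only member read here is
    ``audit.fvdl``, the XML vulnerability report (FVDL).

    Args:
        filename: the uploaded archive -- either an ``io.TextIOWrapper`` whose
            ``.name`` is the on-disk path, or anything ``zipfile.ZipFile``
            accepts directly (a path or a binary file object).
        test: the ``Test`` the findings are attached to.

    Returns:
        A list with one ``Finding`` per ``<Vulnerability>`` element.

    Raises:
        zipfile.BadZipFile: ``filename`` is not a zip archive.
        KeyError: the archive has no ``audit.fvdl`` member.
        AttributeError: a ``<Vulnerability>`` lacks its ``ClassInfo`` or
            ``InstanceInfo`` children (or one of their required leaves).
    """
    import io  # local import: the module's import block is outside this excerpt

    # A text-mode wrapper cannot be handed to ZipFile; reopen from its path.
    if isinstance(filename, io.TextIOWrapper):
        archive = filename.name
    else:
        archive = filename

    # Read only the member we need and release the handle afterwards.
    # Decompressing every entry of an untrusted archive into memory (as the
    # earlier dict comprehension did) amplifies the memory cost of a large or
    # padded upload for no benefit.
    with zipfile.ZipFile(archive, "r") as input_zip:
        fvdl = input_zip.read("audit.fvdl")

    # NOTE(review): this parses uploaded, i.e. untrusted, XML with the stdlib
    # ElementTree; if the project already depends on a hardened XML parser,
    # routing the bytes through it would be preferable.
    root = ElementTree.fromstring(fvdl.decode("utf-8"))

    # FVDL tags carry a Clark-notation namespace prefix ("{uri}Tag"); capture
    # it once so every child lookup can be qualified the same way.
    namespace_match = re.match(r"{.*}", root.tag)
    namespace = namespace_match.group(0) if namespace_match else ""

    def qualified(tag):
        return f"{namespace}{tag}"

    def child_text(element, *path):
        # Descend along `path`; a missing required element raises AttributeError.
        node = element
        for tag in path:
            node = node.find(qualified(tag))
        return node.text

    def primary_source_location(vuln):
        # Attributes of the first node of the primary trace. Returns {} when
        # any step of the path is absent, so a vulnerability without a trace
        # is still imported (with None for every location field).
        node = vuln
        for tag in ("AnalysisInfo", "Unified", "Trace", "Primary", "Entry", "Node", "SourceLocation"):
            node = node.find(qualified(tag))
            if node is None:
                return {}
        return node.attrib

    items = []
    for child in root:
        # Substring match, as before: the tag is namespace-qualified.
        if "Vulnerabilities" not in child.tag:
            continue
        for vuln in child:
            class_info = vuln.find(qualified("ClassInfo"))
            instance_info = vuln.find(qualified("InstanceInfo"))

            class_id = child_text(class_info, "ClassID")
            kingdom = child_text(class_info, "Kingdom")
            vuln_type = child_text(class_info, "Type")
            analyzer_name = child_text(class_info, "AnalyzerName")
            default_severity = child_text(class_info, "DefaultSeverity")
            instance_id = child_text(instance_info, "InstanceID")
            instance_severity = child_text(instance_info, "InstanceSeverity")
            confidence = child_text(instance_info, "Confidence")

            location = primary_source_location(vuln)
            path = location.get("path")
            line = location.get("line")

            # Markdown description; the layout (one field per line, trailing
            # newline) is unchanged from the previous string concatenation.
            description_lines = [
                vuln_type,
                "**ClassID:** " + class_id,
                "**Kingdom:** " + kingdom,
                "**AnalyzerName:** " + analyzer_name,
                "**DefaultSeverity:** " + default_severity,
                "**InstanceID:** " + instance_id,
                "**InstanceSeverity:** " + instance_severity,
                "**Confidence:** " + confidence,
                "**SourceLocationpath:** " + str(path),
                "**SourceLocationline:** " + str(line),
                "**SourceLocationlineEnd:** " + str(location.get("lineEnd")),
                "**SourceLocationcolStart:** " + str(location.get("colStart")),
                "**SourceLocationcolEnd:** " + str(location.get("colEnd")),
                "**SourceLocationsnippet:** " + str(location.get("snippet")),
            ]
            description = "\n".join(description_lines) + "\n"

            items.append(
                Finding(
                    title=vuln_type + " " + class_id,
                    severity=self.fpr_severity(confidence, instance_severity),
                    static_finding=True,
                    test=test,
                    description=description,
                    # NOTE(review): ClassID names the vulnerability *category*
                    # while InstanceID is the per-occurrence identifier. ClassID
                    # is kept here to preserve existing dedupe behaviour, but it
                    # collapses every instance of one class into a single
                    # finding -- confirm against the deduplication settings
                    # before changing.
                    unique_id_from_tool=class_id,
                    file_path=path,
                    line=line,
                )
            )
    return items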
def format_title(self, category, filename, line_no):
"""
Builds the title much like it is represented in Fortify