/// <summary>
/// Creates a new .ozasmt file named <paramref name="newAssessmentName"/> holding the findings of
/// <paramref name="o2Assessment"/> plus the assessment stats taken from <paramref name="ozasmtSource"/>
/// (see O2AssessmentSave_OunceV6.addAssessmentStatsFromSourceToO2AssessmentAndSaveIt), and logs the
/// created file name when that save reports success.
/// </summary>
/// <param name="ozasmtSource">Existing .ozasmt file whose stats are copied.</param>
/// <param name="o2Assessment">Assessment supplying the findings.</param>
/// <param name="newAssessmentName">Path of the file to create.</param>
public static void saveWithAssessmentSourceStats(string ozasmtSource, IO2Assessment o2Assessment, string newAssessmentName)
 {
     var saver = new O2AssessmentSave_OunceV6();
     var saved = saver.addAssessmentStatsFromSourceToO2AssessmentAndSaveIt(ozasmtSource, o2Assessment, newAssessmentName);
     if (!saved)
     {
         return;
     }
     O2Cmd.log.write("  File created: {0}", newAssessmentName);
 }
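        /// <summary>
        /// For every finding in <paramref name="o2Assessment"/>, derives the key
        /// "{class-name-with-dots-as-backslashes}.class.JavaAttributes.xml" from the finding's Source signature and,
        /// when <paramref name="attributesXmlFiles"/> contains that key, hands the finding and the mapped value to
        /// mapJavaAttributesToFinding.  Findings without a matching entry are skipped silently.
        /// </summary>
        /// <param name="o2Assessment">Assessment whose o2Findings are enumerated; they must be O2Finding instances.</param>
        /// <param name="attributesXmlFiles">Map from the relative JavaAttributes.xml file name to the value passed on to mapJavaAttributesToFinding (presumably the file's full path — not visible here).</param>
        public static void mapJavaAttributesToTraces(IO2Assessment o2Assessment, Dictionary <string, string> attributesXmlFiles)
        {
            DI.log.debug("Mapping Java Attributes to Traces");
            DI.log.debug("There are {0} findings to process", o2Assessment.o2Findings.Count());

            foreach (O2Finding finding in o2Assessment.o2Findings)
            {
                var className = new FilteredSignature(finding.Source).sFunctionClass;
                if (className == null)
                {
                    // a signature without a class part has nothing to look up
                    continue;
                }
                var fileToFind = string.Format("{0}.class.JavaAttributes.xml", className.Replace(".", "\\"));

                // single dictionary lookup instead of ContainsKey followed by the indexer
                string attributesXmlFile;
                if (attributesXmlFiles.TryGetValue(fileToFind, out attributesXmlFile))
                {
                    mapJavaAttributesToFinding(finding, attributesXmlFile);
                }
            }
        }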
        /// <summary>
        /// Saves the findings of <paramref name="o2Assessment"/> as <paramref name="newAssessmentName"/> with the
        /// assessment stats of <paramref name="ozasmtSource"/> attached (O2AssessmentSave_OunceV6 does the work)
        /// and logs the new file name if the save reported success.
        /// </summary>
        /// <param name="ozasmtSource">Existing .ozasmt file whose stats are reused.</param>
        /// <param name="o2Assessment">Assessment supplying the findings.</param>
        /// <param name="newAssessmentName">Path of the file to create.</param>
        public static void saveWithAssessmentSourceStats(string ozasmtSource, IO2Assessment o2Assessment, string newAssessmentName)
        {
            bool created = new O2AssessmentSave_OunceV6()
                               .addAssessmentStatsFromSourceToO2AssessmentAndSaveIt(ozasmtSource, o2Assessment, newAssessmentName);
            if (created)
            {
                O2Cmd.log.write("  File created: {0}", newAssessmentName);
            }
        }
 /// <summary>
 /// Imports <paramref name="fileToLoad"/> into <paramref name="o2Assessment"/> through
 /// OzasmtUtils_OunceV7_0.importOzasmtAssessmentIntoO2Assessment, but only when canLoadFile accepts the path.
 /// </summary>
 /// <param name="fileToLoad">Path of the assessment file.</param>
 /// <param name="o2Assessment">Assessment that receives the imported data.</param>
 /// <returns>true when the file was accepted and the import reported success; otherwise false.</returns>
 public bool importFile(string fileToLoad, IO2Assessment o2Assessment)
 {
     // short-circuit: the importer is only invoked for loadable files
     return canLoadFile(fileToLoad)
            && OzasmtUtils_OunceV7_0.importOzasmtAssessmentIntoO2Assessment(fileToLoad, o2Assessment);
 }
 /// <summary>
 /// Reads an Ounce .ozasmt XML file and appends every finding it contains to
 /// <paramref name="o2Assessment"/>.o2Findings, also copying the run's name onto the assessment.
 /// </summary>
 /// <param name="fileToLoad">Path of the .ozasmt XML file handed to getAssessmentRunObjectFromXmlFile.</param>
 /// <param name="o2Assessment">Target assessment; its name is overwritten and findings are appended to the existing list.</param>
 /// <returns>true when the file was read and all findings were added; false when any exception occurred (it is logged, not rethrown).</returns>
 public static bool importOzasmtAssessmentIntoO2Assessment(string fileToLoad, IO2Assessment o2Assessment)
 {
     try
     {
         AssessmentRun runToImport = getAssessmentRunObjectFromXmlFile(fileToLoad);
         o2Assessment.name = runToImport.name;

         var assessments = runToImport.Assessment.Assessment;
         if (assessments == null)
         {
             return true;
         }
         foreach (Assessment assessment in assessments)
         {
             if (assessment.AsmntFile == null)
             {
                 continue;
             }
             foreach (AssessmentAsmntFile asmntFile in assessment.AsmntFile)
             {
                 if (asmntFile.Finding == null)
                 {
                     continue;
                 }
                 foreach (AssessmentAsmntFileFinding finding in asmntFile.Finding)
                 {
                     o2Assessment.o2Findings.Add(getO2Finding(finding, runToImport));
                 }
             }
         }
         return true;
     }
     catch (Exception ex)
     {
         // best-effort import: a malformed or unreadable file yields false instead of an exception
         ex.log("in OzasmtUtils_OunceV6_1.importOzasmtAssessmentIntoO2Assessment");
         return false;
     }
 }
 /// <summary>
 /// Removes each finding listed in <paramref name="findingsToRemove"/> from
 /// <paramref name="o2Assessment"/>.o2Findings using the collection's Remove method
 /// (entries that are not present are simply not removed).
 /// </summary>
 /// <param name="o2Assessment">Assessment whose finding list is modified in place.</param>
 /// <param name="findingsToRemove">Findings to drop.</param>
 private static void removeFindingsFromAssessment(IO2Assessment o2Assessment, List <IO2Finding> findingsToRemove)
 {
     var remainingFindings = o2Assessment.o2Findings;
     foreach (var duplicate in findingsToRemove)
     {
         remainingFindings.Remove(duplicate);
     }
 }
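        /// <summary>
        /// Locates the AppScan DE static-analysis result file (securityResultSet.xml) and builds an
        /// <see cref="IO2Assessment"/> from it.  The input may be the .xml file itself, a directory that is
        /// searched recursively for *.xml files, or an archive that zipUtils unpacks into a temporary folder.
        /// The temporary folder is always removed before returning.
        /// </summary>
        /// <param name="fileOrFolderToLoad">Path to a securityResultSet.xml file, a folder containing one, or a zip archive.</param>
        /// <returns>
        /// The assessment produced by createO2AssessmentFromCodeCrawlerObject; an empty <see cref="O2Assessment"/>
        /// when no result file could be found; null when the file deserialized to something other than a taintResultSet.
        /// </returns>
        public IO2Assessment loadFile(string fileOrFolderToLoad)
        {
            const string resultSetPath = @"com.ibm.rational.appscan.ui.security.runnable.codeAnalysis.staticAnalysis\securityResultSet.xml";

            var scanFile        = "";
            var tempUnzipFolder = DI.config.getTempFolderInTempDirectory("_AppscanDE_Unzip");
            try
            {
                // file names are case-insensitive on the platforms this loader targets, so ".XML" counts too
                if (string.Equals(Path.GetExtension(fileOrFolderToLoad), ".xml", StringComparison.OrdinalIgnoreCase))
                {
                    scanFile = fileOrFolderToLoad;
                }
                else
                {
                    List<string> filesToSearch;
                    if (Directory.Exists(fileOrFolderToLoad))
                    {
                        filesToSearch = Files.getFilesFromDir_returnFullPath(fileOrFolderToLoad, "*.xml", true);
                    }
                    else
                    {
                        // NOTE(review): whether zipUtils rejects entry names that escape tempUnzipFolder
                        // (e.g. "..\" components) is not visible here — confirm before unpacking untrusted archives.
                        filesToSearch = new zipUtils().unzipFileAndReturnListOfUnzipedFiles(fileOrFolderToLoad, tempUnzipFolder);
                    }

                    if (filesToSearch == null || filesToSearch.Count == 0)
                    {
                        DI.log.error("in O2AssesmentLoad_AppScanDE.loadFile, unzip operation failed for file: {0}", fileOrFolderToLoad);
                    }
                    else
                    {
                        // when several candidates match, the last one in the list wins
                        foreach (var file in filesToSearch)
                        {
                            if (file.IndexOf(resultSetPath, StringComparison.Ordinal) > -1)
                            {
                                scanFile = file;
                            }
                        }
                    }
                }

                if (!File.Exists(scanFile))
                {
                    DI.log.error("Cound not find AppScanDE static analysis file: {0}", scanFile);
                    return new O2Assessment();
                }

                IO2Assessment o2Assessment     = null;
                var           appScanDEResults = Serialize.getDeSerializedObjectFromXmlFile(scanFile, typeof(taintResultSet));
                if (appScanDEResults != null && appScanDEResults is taintResultSet)
                {
                    o2Assessment = createO2AssessmentFromCodeCrawlerObject((taintResultSet)appScanDEResults, Path.GetFileNameWithoutExtension(scanFile));
                }
                return o2Assessment;
            }
            finally
            {
                // previously the "file not found" path returned without this cleanup and leaked the unzip folder
                Files.deleteFolder(tempUnzipFolder);
            }
        }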
        /// <summary>
        /// Pass-through filter: every finding of <paramref name="o2Assessment"/> is kept.
        /// </summary>
        /// <param name="o2Assessment">Assessment to read; null yields null.</param>
        /// <returns>A deferred view over all findings (not the underlying list itself), or null when the assessment is null.</returns>
        private static IEnumerable<IO2Finding> allFindings(IO2Assessment o2Assessment)
        {
            if (o2Assessment == null)
            {
                return null;
            }

            O2Cmd.log.write("--> Executing Filter: Create assessment with ALL only Findings (i.e. no filter applied)");
            return o2Assessment.o2Findings
                               .Cast<IO2Finding>()
                               .Select(finding => finding);
        }
 /// <summary>
 /// Filter that keeps only the findings carrying at least one trace.
 /// </summary>
 /// <param name="o2Assessment">Assessment to read; null yields null.</param>
 /// <returns>Deferred sequence of findings whose o2Traces.Count is greater than zero, or null.</returns>
 private static IEnumerable<IO2Finding> onlyTraces(IO2Assessment o2Assessment)
 {
     if (o2Assessment == null)
     {
         return null;
     }
     O2Cmd.log.write("--> Executing Filter: Create assessment with only Findings with traces");
     return o2Assessment.o2Findings
                        .Cast<IO2Finding>()
                        .Where(finding => finding.o2Traces.Count > 0);
 }
        /// <summary>
        /// Saves, under the label <paramref name="scanType"/>, a filtered copy of <paramref name="ozasmtFile"/>
        /// containing only the findings whose severity equals <paramref name="severity"/>.
        /// </summary>
        /// <param name="ozasmtFile">Source .ozasmt path handed to OzasmtLinqUtils.saveFindings.</param>
        /// <param name="o2Assessment">Already-loaded assessment to filter.</param>
        /// <param name="severity">Severity value to keep (the oneFilePerSeverity caller uses 0 = High … 3 = Info).</param>
        /// <param name="scanType">Label written to the log and passed on to saveFindings.</param>
        private static void bySeverity(string ozasmtFile, IO2Assessment o2Assessment, int severity, string scanType)
        {
            O2Cmd.log.write("\n> Filtering by {0} \n", scanType);
            var matchingFindings = o2Assessment.o2Findings
                                               .Cast<IO2Finding>()
                                               .Where(finding => finding.severity == severity);
            OzasmtLinqUtils.saveFindings(matchingFindings, ozasmtFile, scanType);
        }
        /// <summary>
        /// Saves, under the label <paramref name="scanType"/>, a filtered copy of <paramref name="ozasmtFile"/>
        /// containing only the findings whose confidence equals <paramref name="confidence"/>.
        /// </summary>
        /// <param name="ozasmtFile">Source .ozasmt path handed to OzasmtLinqUtils.saveFindings.</param>
        /// <param name="o2Assessment">Already-loaded assessment to filter.</param>
        /// <param name="confidence">Confidence value to keep (the oneFilePerConfidence caller uses 1 = Vulnerability, 2 = Type I, 3 = Type II).</param>
        /// <param name="scanType">Label written to the log and passed on to saveFindings.</param>
        private static void byConfidence(string ozasmtFile, IO2Assessment o2Assessment, int confidence, string scanType)
        {
            O2Cmd.log.write("\n> Filtering by {0} \n", scanType);
            var matchingFindings = o2Assessment.o2Findings
                                               .Cast<IO2Finding>()
                                               .Where(finding => finding.confidence == confidence);
            OzasmtLinqUtils.saveFindings(matchingFindings, ozasmtFile, scanType);
        }
 /// <summary>
 /// Filter that keeps the findings with confidence below 3, i.e. confidence 1 and 2
 /// (Vulnerabilities and Type I, per the values the byConfidence callers on this page use).
 /// </summary>
 /// <param name="o2Assessment">Assessment to read; null yields null.</param>
 /// <returns>Deferred sequence of the matching findings, or null.</returns>
 private static IEnumerable<IO2Finding> allVulnsAndType1(IO2Assessment o2Assessment)
 {
     if (o2Assessment == null)
     {
         return null;
     }
     O2Cmd.log.write("--> Executing Ian Custom Filter: Create assessment with only Vulnerabilities and Type 1 ");
     return o2Assessment.o2Findings.Cast<IO2Finding>().Where(finding => finding.confidence < 3);
 }
 /// <summary>
 /// Filter labelled "Join Compatible Sinks and Sources".  loadTestData() is called first (even for a
 /// null assessment); the visible body then only keeps findings that have at least one trace —
 /// no joining of sinks and sources happens in this method itself.
 /// </summary>
 /// <param name="o2Assessment">Assessment to read; null yields null.</param>
 /// <returns>Deferred sequence of findings whose o2Traces.Count is greater than zero, or null.</returns>
 private static IEnumerable<IO2Finding> joinCompatibleSinksAndSources(IO2Assessment o2Assessment)
 {
     loadTestData();
     if (o2Assessment == null)
     {
         return null;
     }
     O2Cmd.log.write("--> Executing Filter: Join Compatible Sinks and Sources");
     return o2Assessment.o2Findings
                        .Cast<IO2Finding>()
                        .Where(finding => finding.o2Traces.Count > 0);
 }
 // function consumed from Ozasmt.UniqueFindings function
 /// <summary>
 /// Drops duplicate Type II findings from <paramref name="o2Assessment"/> in place: findings are grouped with
 /// groupFindingsByActionObjectIdFileNameAndLineNumber, getFindingsToRemove selects the duplicates, those are
 /// removed from the assessment and also written out via OzasmtLinqUtils.saveFindings under the label
 /// "duplicateFindings" (with an empty source file name).
 /// </summary>
 /// <param name="o2Assessment">Assessment whose finding list is modified.</param>
 public static void removeDuplicateTypeIIsFromAssessment(IO2Assessment o2Assessment)
 {
     O2Cmd.log.write("\n  Removing duplicate Type II findings");
     var groupedFindings = groupFindingsByActionObjectIdFileNameAndLineNumber(o2Assessment.o2Findings);
     var duplicates      = getFindingsToRemove(groupedFindings);

     removeFindingsFromAssessment(o2Assessment, duplicates);
     OzasmtLinqUtils.saveFindings(duplicates, "", "duplicateFindings");
     O2Cmd.log.write("");
 }
        /// <summary>
        /// Identity filter: returns every finding of <paramref name="o2Assessment"/> unchanged.
        /// </summary>
        /// <param name="o2Assessment">Assessment to read; null yields null.</param>
        /// <returns>A deferred sequence over all findings, or null when the assessment is null.</returns>
        private static IEnumerable <IO2Finding> allFindings(IO2Assessment o2Assessment)
        {
            if (o2Assessment == null)
            {
                return null;
            }

            O2Cmd.log.write("--> Executing Filter: Create assessment with ALL only Findings (i.e. no filter applied)");
            var allO2Findings = o2Assessment.o2Findings.Cast<IO2Finding>();
            return allO2Findings.Select(finding => finding);
        }
 /// <summary>
 /// Loads <paramref name="fileToLoad"/> with loadFile and, when that yields an assessment, replaces
 /// <paramref name="o2Assessment"/>.o2Findings with the loaded findings (the loaded name is not copied).
 /// </summary>
 /// <param name="fileToLoad">Path handed to loadFile.</param>
 /// <param name="o2Assessment">Assessment whose findings list is replaced.</param>
 /// <returns>true when loadFile returned a non-null assessment; otherwise false.</returns>
 public bool importFile(string fileToLoad, IO2Assessment o2Assessment)
 {
     var loaded = loadFile(fileToLoad);
     if (loaded == null)
     {
         return false;
     }
     o2Assessment.o2Findings = loaded.o2Findings;
     return true;
 }
        // function consumed from Ozasmt.UniqueFindings function
        /// <summary>
        /// Removes duplicate Type II findings from <paramref name="o2Assessment"/> in place.  The duplicates are
        /// chosen by getFindingsToRemove over the groups built by groupFindingsByActionObjectIdFileNameAndLineNumber,
        /// removed via removeFindingsFromAssessment, and additionally saved with OzasmtLinqUtils.saveFindings under
        /// the label "duplicateFindings" (empty source file name).
        /// </summary>
        /// <param name="o2Assessment">Assessment whose finding list is modified.</param>
        public static void removeDuplicateTypeIIsFromAssessment(IO2Assessment o2Assessment)
        {
            O2Cmd.log.write("\n  Removing duplicate Type II findings");

            var duplicates = getFindingsToRemove(
                groupFindingsByActionObjectIdFileNameAndLineNumber(o2Assessment.o2Findings));
            removeFindingsFromAssessment(o2Assessment, duplicates);

            // keep a copy of what was dropped so the removal can be reviewed
            OzasmtLinqUtils.saveFindings(duplicates, "", "duplicateFindings");
            O2Cmd.log.write("");
        }
 /// <summary>
 /// Filter that keeps findings whose confidence is 1 or 2 (anything below 3), which the
 /// byConfidence callers on this page label Vulnerabilities and Type I.
 /// </summary>
 /// <param name="o2Assessment">Assessment to read; null yields null.</param>
 /// <returns>Deferred sequence of the matching findings, or null.</returns>
 private static IEnumerable <IO2Finding> allVulnsAndType1(IO2Assessment o2Assessment)
 {
     if (o2Assessment == null)
     {
         return null;
     }
     O2Cmd.log.write("--> Executing Ian Custom Filter: Create assessment with only Vulnerabilities and Type 1 ");
     var candidates = o2Assessment.o2Findings.Cast<IO2Finding>();
     return candidates.Where(finding => finding.confidence < 3);
 }
 /// <summary>
 /// Filter that keeps the findings that have one or more traces.
 /// </summary>
 /// <param name="o2Assessment">Assessment to read; null yields null.</param>
 /// <returns>Deferred sequence of findings with a non-empty o2Traces list, or null.</returns>
 private static IEnumerable <IO2Finding> onlyTraces(IO2Assessment o2Assessment)
 {
     if (o2Assessment == null)
     {
         return null;
     }
     O2Cmd.log.write("--> Executing Filter: Create assessment with only Findings with traces");
     var candidates = o2Assessment.o2Findings.Cast<IO2Finding>();
     return candidates.Where(finding => finding.o2Traces.Count > 0);
 }
        /// <summary>
        /// Loads <paramref name="fileToLoad"/> with loadFile; when an assessment comes back its findings list
        /// replaces <paramref name="o2Assessment"/>.o2Findings (the name is left untouched).
        /// </summary>
        /// <param name="fileToLoad">Path handed to loadFile.</param>
        /// <param name="o2Assessment">Assessment whose findings list is replaced.</param>
        /// <returns>true when loadFile returned a non-null assessment; otherwise false.</returns>
        public bool importFile(string fileToLoad, IO2Assessment o2Assessment)
        {
            var loaded    = loadFile(fileToLoad);
            var hasResult = loaded != null;
            if (hasResult)
            {
                o2Assessment.o2Findings = loaded.o2Findings;
            }
            return hasResult;
        }
 /// <summary>
 /// Imports <paramref name="fileToLoad"/> into <paramref name="o2Assessment"/> with
 /// OzasmtUtils_OunceV6_1.importOzasmtAssessmentIntoO2Assessment, provided canLoadFile accepts the path.
 /// </summary>
 /// <param name="fileToLoad">Path of the assessment file.</param>
 /// <param name="o2Assessment">Assessment that receives the imported data.</param>
 /// <returns>true when the file was accepted and the import reported success; otherwise false.</returns>
 public bool importFile(string fileToLoad, IO2Assessment o2Assessment)
 {
     if (!canLoadFile(fileToLoad))
     {
         return false;
     }
     return OzasmtUtils_OunceV6_1.importOzasmtAssessmentIntoO2Assessment(fileToLoad, o2Assessment);
 }
 /// <summary>
 /// Displays <paramref name="o2Assessment"/> in this control.  Inside invokeOnThread (presumably marshalled to
 /// the control's thread) the assessment name is stored, the current findings are cleared when the
 /// cbClearOnOzasmtDrop checkbox is ticked, and the assessment's findings are loaded.
 /// </summary>
 /// <param name="o2Assessment">Assessment whose name and findings are shown.</param>
 public void loadO2Assessment(IO2Assessment o2Assessment)
 {
     this.invokeOnThread(() =>
     {
         assessmentName = o2Assessment.name;
         var clearFirst = cbClearOnOzasmtDrop.Checked;
         if (clearFirst)
         {
             clearO2Findings();
         }
         loadO2Findings(o2Assessment.o2Findings);
     });
 }
 /// <summary>
 /// Filter labelled "Join Compatible Sinks and Sources".  It calls loadTestData() before the null check and
 /// then keeps only findings with at least one trace; the visible body performs no actual sink/source join.
 /// </summary>
 /// <param name="o2Assessment">Assessment to read; null yields null.</param>
 /// <returns>Deferred sequence of findings with a non-empty o2Traces list, or null.</returns>
 private static IEnumerable <IO2Finding> joinCompatibleSinksAndSources(IO2Assessment o2Assessment)
 {
     loadTestData();
     if (o2Assessment == null)
     {
         return null;
     }
     O2Cmd.log.write("--> Executing Filter: Join Compatible Sinks and Sources");
     var candidates = o2Assessment.o2Findings.Cast<IO2Finding>();
     return candidates.Where(finding => finding.o2Traces.Count > 0);
 }
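        /// <summary>
        /// Imports an Ounce v6 .ozasmt file into <paramref name="o2Assessment"/>: the run name is copied (falling
        /// back to OzasmtUtils_OunceV6.calculateAssessmentNameFromScans when the file has none) and every finding of
        /// every assessment file is converted with OzasmtUtils_OunceV6.getO2Finding and appended to o2Findings.
        /// The file/string index tables of the run are not copied because the O2Finding objects carry the resolved strings.
        /// </summary>
        /// <param name="fileToLoad">Path of the .ozasmt file.</param>
        /// <param name="o2Assessment">Target assessment; its name is overwritten and findings are appended to the existing list.</param>
        /// <returns>true when canLoadFile accepted the file and it was fully imported; false when the file was rejected or any exception occurred (logged, not rethrown).</returns>
        public bool importFile(string fileToLoad, IO2Assessment o2Assessment)
        {
            try
            {
                if (!canLoadFile(fileToLoad))
                {
                    return false;
                }

                var timer = new O2Timer("Loaded assessment " + fileToLoad + " ").start();
                AssessmentRun assessmentRunToImport = OzasmtUtils_OunceV6.LoadAssessmentRun(fileToLoad);
                timer.stop();

                o2Assessment.name = assessmentRunToImport.name ??
                                    OzasmtUtils_OunceV6.calculateAssessmentNameFromScans(assessmentRunToImport);

                if (assessmentRunToImport.Assessment.Assessment != null)
                {
                    foreach (Assessment assessment in assessmentRunToImport.Assessment.Assessment)
                    {
                        if (assessment.AssessmentFile == null)
                        {
                            continue;
                        }
                        foreach (AssessmentAssessmentFile assessmentFile in assessment.AssessmentFile)
                        {
                            if (assessmentFile.Finding == null)
                            {
                                continue;
                            }
                            foreach (AssessmentAssessmentFileFinding finding in assessmentFile.Finding)
                            {
                                o2Assessment.o2Findings.Add(OzasmtUtils_OunceV6.getO2Finding(finding, assessmentFile, assessmentRunToImport));
                            }
                        }
                    }
                }
                return true;
            }
            catch (Exception ex)
            {
                // log the whole exception (type, inner exceptions, stack trace) rather than only ex.Message,
                // so a failure inside the conversion loop can be located
                "in importAssessmentRun: {0}".error(ex.ToString());
            }
            return false;
        }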
        /// <summary>
        /// Loads <paramref name="ozasmtFile"/>, runs <paramref name="filterToApply"/> over it and saves the resulting
        /// findings with saveFindings under the label <paramref name="filterType"/>.  When a file was written and
        /// <paramref name="addOriginalOzasmtStats"/> is set, the original file's assessment stats are copied into it
        /// by PublishToCore.copyAssessmentStats.
        /// </summary>
        /// <param name="ozasmtFile">Path of the source .ozasmt file.</param>
        /// <param name="filterToApply">Filter producing the findings to save; its result (which may be null for a null assessment) is passed to saveFindings unchanged.</param>
        /// <param name="filterType">Label handed to saveFindings.</param>
        /// <param name="addOriginalOzasmtStats">Whether to copy the source file's stats into the new file.</param>
        public static void applyFilterToAssessmentFileAndSaveResult(string ozasmtFile, Func <IO2Assessment, IEnumerable <IO2Finding> > filterToApply, string filterType, bool addOriginalOzasmtStats)
        {
            IO2Assessment o2Assessment  = getO2Assessment(ozasmtFile);
            var           newOzasmtFile = saveFindings(filterToApply(o2Assessment), ozasmtFile, filterType);

            if (!addOriginalOzasmtStats || !File.Exists(newOzasmtFile))
            {
                return;
            }
            PublishToCore.copyAssessmentStats(ozasmtFile, newOzasmtFile);
        }
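        /// <summary>
        /// Writes three filtered copies of <paramref name="ozasmtFile"/>, one per confidence value
        /// (1 = Vulnerabilities, 2 = Type I, 3 = Type II), via byConfidence.  Nothing is written when the
        /// file cannot be loaded.
        /// </summary>
        /// <param name="ozasmtFile">Path of the .ozasmt file to split.</param>
        public static void oneFilePerConfidence(string ozasmtFile)
        {
            IO2Assessment o2Assessment = OzasmtLinqUtils.getO2Assessment(ozasmtFile);
            if (o2Assessment == null)
            {
                return;
            }

            // closing parenthesis restored in the log text
            O2Cmd.log.write("--> Executing Filter: Create one assessment file per Vulnerability Type (Vulnerability, Type I and Type II)");

            byConfidence(ozasmtFile, o2Assessment, 1, "Only Vulnerabilities");
            byConfidence(ozasmtFile, o2Assessment, 2, "Only Type I");
            // was "Only TYpe II"; the label is passed on to saveFindings as the scanType, so the typo was visible in the output
            byConfidence(ozasmtFile, o2Assessment, 3, "Only Type II");
        }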
        /// <summary>
        /// Writes a copy of <paramref name="ozasmtFile"/> that contains only the findings with confidence 1
        /// (Vulnerabilities), saved under the label "Only Vulnerabilities".  Nothing is written when the file
        /// cannot be loaded.
        /// </summary>
        /// <param name="ozasmtFile">Path of the .ozasmt file to filter.</param>
        public static void onlyVulnerabilities(string ozasmtFile)
        {
            IO2Assessment o2Assessment = OzasmtLinqUtils.getO2Assessment(ozasmtFile);
            if (o2Assessment == null)
            {
                return;
            }

            O2Cmd.log.write("#) Executing Filter: : Create assessment with only Findings with Vulnerabilities");
            var vulnerabilities = o2Assessment.o2Findings
                                              .Cast<IO2Finding>()
                                              .Where(finding => finding.confidence == 1);
            OzasmtLinqUtils.saveFindings(vulnerabilities, ozasmtFile, "Only Vulnerabilities");
        }
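        /// <summary>
        /// Writes four filtered copies of <paramref name="ozasmtFile"/>, one per severity value
        /// (0 = High, 1 = Medium, 2 = Low, 3 = Info), via bySeverity.  Nothing is written when the file
        /// cannot be loaded.
        /// </summary>
        /// <param name="ozasmtFile">Path of the .ozasmt file to split.</param>
        public static void oneFilePerSeverity(string ozasmtFile)
        {
            IO2Assessment o2Assessment = OzasmtLinqUtils.getO2Assessment(ozasmtFile);
            if (o2Assessment == null)
            {
                return;
            }

            // closing parenthesis restored in the log text
            O2Cmd.log.write("--> Executing Filter: Create one assessment file per Severity Type (High, Medium, Low, Info)");

            bySeverity(ozasmtFile, o2Assessment, 0, "Only High");
            bySeverity(ozasmtFile, o2Assessment, 1, "Only Medium");
            bySeverity(ozasmtFile, o2Assessment, 2, "Only Low");
            bySeverity(ozasmtFile, o2Assessment, 3, "Only Info");
        }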
 /// <summary>
 /// Reads an Ounce .ozasmt XML file, copies its run name onto <paramref name="o2Assessment"/> and appends
 /// every finding of every assessment file to o2Assessment.o2Findings (converted by getO2Finding).
 /// </summary>
 /// <param name="fileToLoad">Path of the .ozasmt XML file handed to getAssessmentRunObjectFromXmlFile.</param>
 /// <param name="o2Assessment">Target assessment; its name is overwritten and findings are appended.</param>
 /// <returns>true on success; false when any exception occurred (logged via DI.log.ex, not rethrown).</returns>
 public static bool importOzasmtAssessmentIntoO2Assessment(string fileToLoad, IO2Assessment o2Assessment)
 {
     try
     {
         AssessmentRun runToImport = getAssessmentRunObjectFromXmlFile(fileToLoad);
         o2Assessment.name = runToImport.name;

         // flatten Assessment -> AsmntFile -> Finding, skipping null levels, in document order
         var assessments = runToImport.Assessment.Assessment;
         if (assessments != null)
         {
             var findings = assessments.Where(assessment => assessment.AsmntFile != null)
                                       .SelectMany(assessment => assessment.AsmntFile)
                                       .Where(asmntFile => asmntFile.Finding != null)
                                       .SelectMany(asmntFile => asmntFile.Finding);
             foreach (AssessmentAsmntFileFinding finding in findings)
             {
                 o2Assessment.o2Findings.Add(getO2Finding(finding, runToImport));
             }
         }
         return true;
     }
     catch (Exception ex)
     {
         DI.log.ex(ex, "in OzasmtUtils_OunceV6_1.importOzasmtAssessmentIntoO2Assessment");
         return false;
     }
 }
 /// <summary>
 /// Displays <paramref name="o2Assessment"/>: inside invokeOnThread (presumably the control's thread) the
 /// assessment name is stored, the current findings are cleared if cbClearOnOzasmtDrop is checked, and the
 /// assessment's findings are loaded.
 /// </summary>
 /// <param name="o2Assessment">Assessment whose name and findings are shown.</param>
 public void loadO2Assessment(IO2Assessment o2Assessment)
 {
     this.invokeOnThread(() =>
     {
         assessmentName = o2Assessment.name;
         if (cbClearOnOzasmtDrop.Checked)
         {
             clearO2Findings();
         }
         loadO2Findings(o2Assessment.o2Findings);
     });
 }
 /// <summary>
 /// Appends the findings of <paramref name="o2Assessment"/> to the loadedO2Findings list (existing entries
 /// are kept) and refreshes the displayed count via updateCountOfLoadedFindings.
 /// </summary>
 /// <param name="o2Assessment">Assessment whose findings are added.</param>
 public void loadO2Assessment(IO2Assessment o2Assessment)
 {
     var newFindings = o2Assessment.o2Findings;
     loadedO2Findings.AddRange(newFindings);
     updateCountOfLoadedFindings();
 }
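        /// <summary>
        /// Imports an Ounce v6 .ozasmt file into <paramref name="o2Assessment"/>: the run name is copied (falling
        /// back to OzasmtUtils_OunceV6.calculateAssessmentNameFromScans when the file has none) and every finding of
        /// every assessment file is converted with OzasmtUtils_OunceV6.getO2Finding and appended to o2Findings.
        /// The run's file/string index tables are not copied because the O2Finding objects carry the resolved strings.
        /// </summary>
        /// <param name="fileToLoad">Path of the .ozasmt file.</param>
        /// <param name="o2Assessment">Target assessment; its name is overwritten and findings are appended to the existing list.</param>
        /// <returns>true when canLoadFile accepted the file and it was fully imported; false when the file was rejected or any exception occurred (logged, not rethrown).</returns>
        public bool importFile(string fileToLoad, IO2Assessment o2Assessment)
        {
            try
            {
                if (!canLoadFile(fileToLoad))
                {
                    return false;
                }

                var           timer                 = new O2Timer("Loaded assessment " + fileToLoad + " ").start();
                AssessmentRun assessmentRunToImport = OzasmtUtils_OunceV6.LoadAssessmentRun(fileToLoad);
                timer.stop();

                o2Assessment.name = assessmentRunToImport.name ??
                                    OzasmtUtils_OunceV6.calculateAssessmentNameFromScans(assessmentRunToImport);

                if (assessmentRunToImport.Assessment.Assessment != null)
                {
                    foreach (Assessment assessment in assessmentRunToImport.Assessment.Assessment)
                    {
                        if (assessment.AssessmentFile == null)
                        {
                            continue;
                        }
                        foreach (AssessmentAssessmentFile assessmentFile in assessment.AssessmentFile)
                        {
                            if (assessmentFile.Finding == null)
                            {
                                continue;
                            }
                            foreach (AssessmentAssessmentFileFinding finding in assessmentFile.Finding)
                            {
                                o2Assessment.o2Findings.Add(OzasmtUtils_OunceV6.getO2Finding(finding,
                                                                                             assessmentFile,
                                                                                             assessmentRunToImport));
                            }
                        }
                    }
                }
                return true;
            }
            catch (Exception ex)
            {
                // log the whole exception (type, inner exceptions, stack trace) rather than only ex.Message,
                // so a failure inside the conversion loop can be located
                "in importAssessmentRun: {0}".error(ex.ToString());
            }
            return false;
        }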
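        /// <summary>
        /// Filter that keeps one representative finding per "vulnType + file + line number + Source" combination.
        /// Duplicate Type II findings are first removed from <paramref name="o2Assessment"/> (this mutates the
        /// assessment), and each representative's context is overwritten with the number of findings that shared
        /// its combination.
        /// </summary>
        /// <param name="o2Assessment">Assessment to filter; null yields null.  Its o2Findings must be O2Finding instances.</param>
        /// <returns>The first finding seen for each combination, in first-seen order of vulnType and then of finding; null when the assessment is null.</returns>
        private static IEnumerable<IO2Finding> uniqueTraces(IO2Assessment o2Assessment)
        {
            if (o2Assessment == null)
            {
                return null;
            }
            O2Cmd.log.write("--> Executing Filter: UniqueTraces, i.e. 'Unique Findings per Vulnerability Type per File per Line of Code'");

            // duplicates would inflate the per-combination counts computed below, so drop them first
            RemoveDuplicateTypeIIs.removeDuplicateTypeIIsFromAssessment(o2Assessment);

            // 1) group findings by vulnType
            var findingsByVulnType = new Dictionary<String, List<IO2Finding>>();
            foreach (var o2Finding in o2Assessment.o2Findings)
            {
                // Dictionary keys cannot be null; a finding without a vulnType is grouped under ""
                // (string.Format below renders null and "" identically)
                var vulnType = o2Finding.vulnType ?? "";
                List<IO2Finding> findingsOfType;
                if (!findingsByVulnType.TryGetValue(vulnType, out findingsOfType))
                {
                    findingsOfType = new List<IO2Finding>();
                    findingsByVulnType.Add(vulnType, findingsOfType);
                }
                findingsOfType.Add(o2Finding);
            }

            // 2) within each vulnType, group by file + line number + Source
            var findingsByUniqueName = new Dictionary<String, List<IO2Finding>>();
            foreach (var entry in findingsByVulnType)
            {
                var vulnType = entry.Key;
                foreach (O2Finding o2Finding in entry.Value)
                {
                    var uniqueName = string.Format("{0}_{1}_{2}_{3}", vulnType, o2Finding.file, o2Finding.lineNumber, o2Finding.Source);
                    List<IO2Finding> findingsOfName;
                    if (!findingsByUniqueName.TryGetValue(uniqueName, out findingsOfName))
                    {
                        findingsOfName = new List<IO2Finding>();
                        findingsByUniqueName.Add(uniqueName, findingsOfName);
                    }
                    findingsOfName.Add(o2Finding);
                }
            }

            // 3) keep the first finding of each combination, annotating it with how many it stands for
            var o2FindingsToSave = new List<IO2Finding>();
            O2Cmd.log.write("  Creating one assessment file with 1 example each");
            foreach (var entry in findingsByUniqueName)
            {
                var findingsOfName = entry.Value;
                var sampleFinding  = findingsOfName[0];
                sampleFinding.context = String.Format("There were {0} similar traces that ended up in this vulntype+file+line combination:       {1}",
                    findingsOfName.Count, entry.Key);
                o2FindingsToSave.Add(sampleFinding);
            }
            return o2FindingsToSave;
        }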
 /// <summary>
 /// Builds the AssessmentRun for <paramref name="o2Assessment"/> by delegating to the (name, findings)
 /// overload — which is expected to populate the assessmentRun field — and returns that field.
 /// </summary>
 /// <param name="o2Assessment">Assessment supplying the name and findings.</param>
 /// <returns>The assessmentRun field after the overload ran.</returns>
 private AssessmentRun createAssessmentRunObject(IO2Assessment o2Assessment)
 {
     var name     = o2Assessment.name;
     var findings = o2Assessment.o2Findings;
     createAssessmentRunObject(name, findings);
     return assessmentRun;
 }
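        /// <summary>
        /// Builds an AssessmentRun from <paramref name="o2AssessmentTarget"/>'s name and findings, copies the run-level
        /// data (stats, config, messages, assessee/owner fields) and the project/file structure of
        /// <paramref name="ozasmtSource"/> into it — with the source's findings stripped so only its stats carry over —
        /// and saves the result as <paramref name="savedCreatedOzasmtAs"/>.
        /// </summary>
        /// <param name="ozasmtSource">Existing .ozasmt file whose stats and project/file layout are reused.</param>
        /// <param name="o2AssessmentTarget">Assessment providing the name and the findings of the new file.</param>
        /// <param name="savedCreatedOzasmtAs">Path the new .ozasmt file is written to.</param>
        /// <returns>Whatever OzasmtUtils_OunceV6.SaveAssessmentRun returns (presumably whether the save succeeded).</returns>
        public bool addAssessmentStatsFromSourceToO2AssessmentAndSaveIt(string ozasmtSource, IO2Assessment o2AssessmentTarget, string savedCreatedOzasmtAs)
        {
            AssessmentRun assessmentRunToImport = OzasmtUtils_OunceV6.LoadAssessmentRun(ozasmtSource);
            var targetAssessmentRun = createAssessmentRunObject(o2AssessmentTarget);

            // run-level data comes from the source file
            targetAssessmentRun.AssessmentStats  = assessmentRunToImport.AssessmentStats;
            targetAssessmentRun.AssessmentConfig = assessmentRunToImport.AssessmentConfig;
            targetAssessmentRun.Messages         = assessmentRunToImport.Messages;

            // Assessment-level data.  NOTE(review): the stats assigned here are the run-level ones rather than
            // assessmentRunToImport.Assessment.AssessmentStats — kept as found; confirm that is intended.
            targetAssessmentRun.Assessment.assessee_name   = assessmentRunToImport.Assessment.assessee_name;
            targetAssessmentRun.Assessment.AssessmentStats = assessmentRunToImport.AssessmentStats;
            targetAssessmentRun.Assessment.owner_name      = assessmentRunToImport.Assessment.owner_name;
            targetAssessmentRun.Assessment.owner_type      = assessmentRunToImport.Assessment.owner_type;

            // project and file data: the target's own (single) Assessment entry holds the findings; the source's
            // entries are prepended with their findings removed, so that only their stats are carried over.
            // createAssessmentRunObject is expected to produce exactly one entry, hence [0].
            var currentAssessmentDataBackup = targetAssessmentRun.Assessment.Assessment[0];
            var assessments = new List<Assessment>();
            if (assessmentRunToImport.Assessment.Assessment != null)
            {
                foreach (var assessment in assessmentRunToImport.Assessment.Assessment)
                {
                    if (assessment.AssessmentFile != null)
                    {
                        foreach (var assessmentFile in assessment.AssessmentFile)
                        {
                            assessmentFile.Finding = null;
                        }
                    }
                    assessments.Add(assessment);
                }
            }
            assessments.Add(currentAssessmentDataBackup);
            targetAssessmentRun.Assessment.Assessment = assessments.ToArray();

            // save the object this method populated (createAssessmentRunObject returns the assessmentRun field,
            // so this is the same instance that was saved before — the local is just unambiguous)
            return OzasmtUtils_OunceV6.SaveAssessmentRun(targetAssessmentRun, savedCreatedOzasmtAs);
        }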
 /// <summary>
 /// Builds the AssessmentRun for an O2 assessment by delegating to the (name, findings) overload,
 /// which populates the assessmentRun field; that field is what gets returned.
 /// </summary>
 /// <param name="o2Assessment">Assessment whose name and findings are used.</param>
 /// <returns>The assessmentRun field as left by the overload.</returns>
 public AssessmentRun createAssessmentRunObject(IO2Assessment o2Assessment)
 {
     var assessmentName = o2Assessment.name;
     var findings       = o2Assessment.o2Findings;
     createAssessmentRunObject(assessmentName, findings);
     return assessmentRun;
 }
 /// <summary>
 /// Saves the assessment through the OunceV6 writer and logs where the file was written.
 /// </summary>
 /// <param name="o2Assessment">Assessment to persist.</param>
 private static void saveAssessment(IO2Assessment o2Assessment)
 {
     var writer  = new O2AssessmentSave_OunceV6();
     var savedTo = o2Assessment.save(writer);
     O2Cmd.log.write("O2Assessment WITHOUT duplicate findings saved to: {0}", savedTo);
 }
 /// <summary>
 /// Runs the default constructor first, then imports <paramref name="fileToLoad"/> into <paramref name="o2Assessment"/>.
 /// </summary>
 /// <param name="fileToLoad">File handed to importFile.</param>
 /// <param name="o2Assessment">Assessment that receives the imported content.</param>
 public O2AssessmentLoad_OunceV6(String fileToLoad, IO2Assessment o2Assessment)
     : this()
 {
     var ozasmtFile = fileToLoad;
     importFile(ozasmtFile, o2Assessment);
 }
 /// <summary>
 /// Saves the findings of <paramref name="o2Assessment"/> whose confidence equals <paramref name="confidence"/>
 /// to a file derived from <paramref name="ozasmtFile"/> and <paramref name="scanType"/>.
 /// </summary>
 /// <param name="ozasmtFile">Base file name passed to OzasmtLinqUtils.saveFindings.</param>
 /// <param name="o2Assessment">Assessment whose findings are filtered.</param>
 /// <param name="confidence">Confidence value a finding must match exactly.</param>
 /// <param name="scanType">Label used in the log line and passed to saveFindings.</param>
 private static void byConfidence(string ozasmtFile, IO2Assessment o2Assessment, int confidence, string scanType)
 {
     O2Cmd.log.write("\n> Filtering by {0} \n", scanType);
     // deferred query; saveFindings is the one that enumerates it
     var matchingFindings = o2Assessment.o2Findings
                                        .Cast<IO2Finding>()
                                        .Where(finding => finding.confidence == confidence);
     OzasmtLinqUtils.saveFindings(matchingFindings, ozasmtFile, scanType);
 }
        /// <summary>
        /// Reduces the assessment's findings to one representative per
        /// vulnerability type + file + line number + Source combination. The representative is the first finding
        /// seen for that combination; its context is overwritten with the size of the group it stands for.
        /// Duplicate (Type II) findings are removed from the assessment first, which mutates the assessment.
        /// </summary>
        /// <param name="o2Assessment">Assessment to filter; may be null.</param>
        /// <returns>The representative findings, or null when <paramref name="o2Assessment"/> is null.</returns>
        private static IEnumerable <IO2Finding> uniqueTraces(IO2Assessment o2Assessment)
        {
            if (o2Assessment == null)
            {
                return null;
            }
            O2Cmd.log.write("--> Executing Filter: UniqueTraces, i.e. 'Unique Findings per Vulnerability Type per File per Line of Code'");

            // duplicates would inflate the per-location counts, so strip them before grouping
            RemoveDuplicateTypeIIs.removeDuplicateTypeIIsFromAssessment(o2Assessment);

            // step 1: bucket every finding under its vulnerability type
            var findingsByVulnType = new Dictionary<String, List<IO2Finding>>();
            foreach (var o2Finding in o2Assessment.o2Findings)
            {
                List<IO2Finding> typeBucket;
                if (!findingsByVulnType.TryGetValue(o2Finding.vulnType, out typeBucket))
                {
                    typeBucket = new List<IO2Finding>();
                    findingsByVulnType.Add(o2Finding.vulnType, typeBucket);
                }
                typeBucket.Add(o2Finding);
            }

            // step 2: within each type, bucket by the "type_file_line_source" string
            // (the cast to O2Finding is kept from the original; presumably file/lineNumber/Source live on the concrete type)
            var findingsByLocation = new Dictionary<String, List<IO2Finding>>();
            foreach (var vulnType in findingsByVulnType.Keys)
            {
                foreach (O2Finding o2Finding in findingsByVulnType[vulnType])
                {
                    var locationKey = string.Format("{0}_{1}_{2}_{3}", vulnType, o2Finding.file, o2Finding.lineNumber, o2Finding.Source);
                    List<IO2Finding> locationBucket;
                    if (!findingsByLocation.TryGetValue(locationKey, out locationBucket))
                    {
                        locationBucket = new List<IO2Finding>();
                        findingsByLocation.Add(locationKey, locationBucket);
                    }
                    locationBucket.Add(o2Finding);
                }
            }

            // step 3: keep the first finding of each location group and record the group size in its context
            O2Cmd.log.write("  Creating one assessment file with 1 example each");
            var representatives = new List<IO2Finding>();
            foreach (var entry in findingsByLocation)
            {
                var group          = entry.Value;
                var representative = group[0];
                representative.context = String.Format("There were {0} similar traces that ended up in this vulntype+file+line combination:       {1}",
                                                       group.Count, entry.Key);
                representatives.Add(representative);
            }
            return representatives;
        }
 /// <summary>
 /// Appends the assessment's findings to loadedO2Findings (existing entries are kept) and refreshes the loaded-findings counter.
 /// </summary>
 /// <param name="o2Assessment">Assessment whose findings are added.</param>
 public void loadO2Assessment(IO2Assessment o2Assessment)
 {
     var incomingFindings = o2Assessment.o2Findings;
     loadedO2Findings.AddRange(incomingFindings);
     updateCountOfLoadedFindings();
 }
 /// <summary>
 /// Removes each finding in <paramref name="findingsToRemove"/> from the assessment's findings collection.
 /// </summary>
 /// <param name="o2Assessment">Assessment whose findings are modified in place.</param>
 /// <param name="findingsToRemove">Findings to take out; each one is removed individually.</param>
 private static void removeFindingsFromAssessment(IO2Assessment o2Assessment, List<IO2Finding> findingsToRemove)
 {
     findingsToRemove.ForEach(finding => o2Assessment.o2Findings.Remove(finding));
 }
 /// <summary>
 /// Runs the default constructor first, then imports <paramref name="fileToLoad"/> into <paramref name="o2Assessment"/>.
 /// </summary>
 /// <param name="fileToLoad">File handed to importFile.</param>
 /// <param name="o2Assessment">Assessment that receives the imported content.</param>
 public O2AssessmentLoad_OunceV6(String fileToLoad, IO2Assessment o2Assessment)
     : this()
 {
     var ozasmtFile = fileToLoad;
     importFile(ozasmtFile, o2Assessment);
 }
        /// <summary>
        /// Saves the assessment through the OunceV6 writer and logs where the file was written.
        /// </summary>
        /// <param name="o2Assessment">Assessment to persist.</param>
        private static void saveAssessment(IO2Assessment o2Assessment)
        {
            var writer  = new O2AssessmentSave_OunceV6();
            var savedTo = o2Assessment.save(writer);
            O2Cmd.log.write("O2Assessment WITHOUT duplicate findings saved to: {0}", savedTo);
        }
 /// <summary>
 /// Saves the findings of <paramref name="o2Assessment"/> whose severity equals <paramref name="severity"/>
 /// to a file derived from <paramref name="ozasmtFile"/> and <paramref name="scanType"/>.
 /// </summary>
 /// <param name="ozasmtFile">Base file name passed to OzasmtLinqUtils.saveFindings.</param>
 /// <param name="o2Assessment">Assessment whose findings are filtered.</param>
 /// <param name="severity">Severity value a finding must match exactly.</param>
 /// <param name="scanType">Label used in the log line and passed to saveFindings.</param>
 private static void bySeverity(string ozasmtFile, IO2Assessment o2Assessment, int severity,string scanType)
 {
     O2Cmd.log.write("\n> Filtering by {0} \n", scanType);
     // deferred query; saveFindings is the one that enumerates it
     var matchingFindings = o2Assessment.o2Findings
                                        .Cast<IO2Finding>()
                                        .Where(finding => finding.severity == severity);
     OzasmtLinqUtils.saveFindings(matchingFindings, ozasmtFile, scanType);
 }
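        /// <summary>
        /// For every finding in <paramref name="o2Assessment"/>, derives the class name from the finding's Source
        /// signature, turns it into the expected "&lt;path&gt;.class.JavaAttributes.xml" key and, when that key is present
        /// in <paramref name="attributesXmlFiles"/>, hands the finding and the matching value to mapJavaAttributesToFinding.
        /// Findings with no matching key are skipped silently.
        /// </summary>
        /// <param name="o2Assessment">Assessment whose findings are processed; each finding is cast to O2Finding.</param>
        /// <param name="attributesXmlFiles">Lookup keyed by the attributes-file name (package separators as backslashes,
        /// see fileToFind below); the value is passed through unchanged to mapJavaAttributesToFinding.</param>
        public static void mapJavaAttributesToTraces(IO2Assessment o2Assessment, Dictionary<string, string> attributesXmlFiles)
        {
            DI.log.debug("Mapping Java Attributes to Traces");
            DI.log.debug("There are {0} findings to process", o2Assessment.o2Findings.Count());

            foreach (O2Finding finding in o2Assessment.o2Findings)
            {
                var filteredSignature = new FilteredSignature(finding.Source);
                var className = filteredSignature.sFunctionClass;
                // key format: "a.b.C" -> "a\b\C.class.JavaAttributes.xml"
                var fileToFind = string.Format("{0}.class.JavaAttributes.xml", className.Replace(".", "\\"));
                // single lookup instead of ContainsKey followed by the indexer
                string attributesXmlFile;
                if (attributesXmlFiles.TryGetValue(fileToFind, out attributesXmlFile))
                {
                    mapJavaAttributesToFinding(finding, attributesXmlFile);
                }
            }
        }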
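        /// <summary>
        /// Loads the assessment run stored in <paramref name="ozasmtSource"/>, copies its stats, config, messages and
        /// ownership data onto an assessment run built from <paramref name="o2AssessmentTarget"/>, keeps the entry that
        /// was built from the target's findings (the imported run's per-file findings are dropped, only its
        /// project/file structure and stats are taken over) and saves the result as <paramref name="savedCreatedOzasmtAs"/>.
        /// </summary>
        /// <param name="ozasmtSource">Path of the .ozasmt file whose stats are imported. It is handed straight to
        /// OzasmtUtils_OunceV6.LoadAssessmentRun; no validation of the path or of the file's contents happens here.</param>
        /// <param name="o2AssessmentTarget">Assessment that provides the name and findings of the run being saved.</param>
        /// <param name="savedCreatedOzasmtAs">Path the merged assessment run is written to.</param>
        /// <returns>The result of OzasmtUtils_OunceV6.SaveAssessmentRun for the write.</returns>
        public bool addAssessmentStatsFromSourceToO2AssessmentAndSaveIt(string ozasmtSource, IO2Assessment o2AssessmentTarget, string savedCreatedOzasmtAs)
        {
            AssessmentRun assessmentRunToImport = OzasmtUtils_OunceV6.LoadAssessmentRun(ozasmtSource);
            var targetAssessmentRun = createAssessmentRunObject(o2AssessmentTarget);

            // top-level data, taken from the imported run
            targetAssessmentRun.AssessmentStats  = assessmentRunToImport.AssessmentStats;
            targetAssessmentRun.AssessmentConfig = assessmentRunToImport.AssessmentConfig;
            targetAssessmentRun.Messages         = assessmentRunToImport.Messages;

            // Assessment-level data, taken from the imported run
            targetAssessmentRun.Assessment.assessee_name   = assessmentRunToImport.Assessment.assessee_name;
            // NOTE(review): this copies the run-level stats rather than assessmentRunToImport.Assessment.AssessmentStats;
            // kept as in the original, confirm which one is intended.
            targetAssessmentRun.Assessment.AssessmentStats = assessmentRunToImport.AssessmentStats;
            targetAssessmentRun.Assessment.owner_name      = assessmentRunToImport.Assessment.owner_name;
            targetAssessmentRun.Assessment.owner_type      = assessmentRunToImport.Assessment.owner_type;

            // project and file data: keep the entry built from the target (there should only be one;
            // an empty Assessment array would throw here)
            var currentAssessmentDataBackup = targetAssessmentRun.Assessment.Assessment[0];

            // take over the imported project/file structure, but drop its findings since only the stats are wanted
            targetAssessmentRun.Assessment.Assessment = assessmentRunToImport.Assessment.Assessment;
            foreach (var assessment in targetAssessmentRun.Assessment.Assessment)
            {
                if (assessment.AssessmentFile != null)
                {
                    foreach (var assessmentFile in assessment.AssessmentFile)
                    {
                        assessmentFile.Finding = null;
                    }
                }
            }

            // re-append the target's entry after the imported ones
            var assessments = new List<Assessment>(targetAssessmentRun.Assessment.Assessment);
            assessments.Add(currentAssessmentDataBackup);
            targetAssessmentRun.Assessment.Assessment = assessments.ToArray();

            // save the run built above; the original saved the assessmentRun field instead, which only works because
            // createAssessmentRunObject(IO2Assessment) returns that same field
            return OzasmtUtils_OunceV6.SaveAssessmentRun(targetAssessmentRun, savedCreatedOzasmtAs);
        }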