public static void copyFindings(List <IO2Finding> o2Findings, string sourceFileName, string targetFolder, string targetFolderName, Func <IO2Finding, bool> condition)
{
targetFolder = Path.Combine(targetFolder, targetFolderName);
Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder);
Assert.That(Directory.Exists(targetFolder), "copyFindings: targetFolder did not exist " + targetFolder);
var findingsWithNoTraces = new List <IO2Finding>();
foreach (var o2Finding in o2Findings)
{
//if (o2Finding.o2Traces.Count == 0)
if (condition(o2Finding))
{
findingsWithNoTraces.Add(o2Finding);
}
}
O2Cmd.log.write("copyFindings: There were {0} findings that matched the criteria ({1}) ", findingsWithNoTraces.Count, targetFolderName);
if (findingsWithNoTraces.Count > 0)
{
var targetFile = Path.Combine(targetFolder, sourceFileName);
XUtils_Findings_v0_1.saveFindings(findingsWithNoTraces, targetFile);
Assert.That(File.Exists(targetFile), "Task 1: targetFile was not saved : " + targetFile);
O2Cmd.log.write("copyFindings: Findings saved to " + targetFile);
}
}
public string invokeStrutsRules_Variation_1_UsingPreCalculatedO2StrutsMappingFile()
{
var strutsMappingsFile = @"...\_OunceApplication\O2Data\....O2StrutsMapping";
var baseO2FindingsFile = @"...\_OunceApplication\O2Data\....ozasmt";
// make sure these files exist
Assert.That(File.Exists(strutsMappingsFile), "Could not find file with strutsMappingsFile:\r\n " + strutsMappingsFile);
Assert.That(File.Exists(baseO2FindingsFile), "Could not find file with baseO2FindingsFile:\r\n " + baseO2FindingsFile);
// load the files
var strutsMapping = XUtils_Struts_v0_1.loadStrutsMappingsFromFile(strutsMappingsFile);
var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile);
// make sure the file where correctly loaded
Assert.That(strutsMapping != null, "strutsMapping was null");
Assert.That(baseO2Findings != null, "baseO2Findings was null");
Assert.That(baseO2Findings.Count > 0, "baseO2Findings had no findings");
// execute the struts rule
var o2Results = XRule_Struts.strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(baseO2Findings, strutsMapping);
// make sure we had results
Assert.That(o2Results.Count > 0, "There were no results");
// save results
var fileWithSavedResults = XUtils_Findings_v0_1.saveFindings(o2Results);
// make sure saved file exists
Assert.That(fileWithSavedResults != null, "fileWithSavedResults was null");
Assert.That(File.Exists(fileWithSavedResults), "fileWithSavedResults did not exist: " + fileWithSavedResults);
return(string.Format("All OK. There were {0} results \r\nsaved to: {1}", o2Results.Count, fileWithSavedResults));
}
public string checkIf_loadMultipleOzasmtFiles_Worked()
{
var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(pathToOzastmFilesToLoad);
Assert.That(o2Findings.Count > 0);
return(string.Format("There were {0} findings loaded", o2Findings.Count));
}
public void task2_AdjustsStrutsFindings()
{
var validatorPatternIDText = "validator: patternid=";
var validatorValidContentText = "validator: valid-content";
O2Cmd.log.write("TASK 2: AdjustsStrutsFindings");
var strutsFindingsFolder = Path.Combine(folderWithArtifacts_Phase3, "Struts Mappings");
if (false == Directory.Exists(strutsFindingsFolder))
{
return;
}
//Assert.That(Directory.Exists(strutsFindingsFolder), "strutsFindingsFolder did not exists: " + strutsFindingsFolder);
foreach (var strutsFindingFile in Files.getFilesFromDir_returnFullPath(strutsFindingsFolder))
{
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(strutsFindingFile);
foreach (O2Finding o2Finding in o2Findings)
{
var allTraces = OzasmtUtils.getListWithAllTraces(o2Finding);
foreach (var o2Trace in allTraces)
{
if (o2Trace.signature.StartsWith(validatorPatternIDText))
{
var pattern = o2Trace.signature.Replace(validatorPatternIDText, "");
if (pattern == "FREE_TEXT")
{
o2Finding.vulnType = "Struts.CrossSiteScripting.NOT.Validated";
o2Finding.confidence = 1;
o2Finding.severity = 0;
}
else
{
o2Finding.vulnType = "Struts.CrossSiteScripting.Validated";
o2Finding.confidence = 1;
o2Finding.severity = 2;
}
o2Finding.vulnType += " : " + pattern;
break;
}
else if (o2Trace.signature.StartsWith(validatorValidContentText))
{
var pattern = o2Trace.signature.Replace(validatorValidContentText, "");
o2Finding.vulnType = "Struts.CrossSiteScripting.Validated.ValidContent";
o2Finding.confidence = 2;
o2Finding.severity = 2;
}
}
// validator: patternid=
}
//XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings);
var targetFile = Path.Combine(folderWithArtifacts_Phase4, "Struts Mappings - " + Path.GetFileName(strutsFindingFile));
XUtils_Findings_v0_1.saveFindings(o2Findings, targetFile);
O2Cmd.log.write("Struts Mappings saved to: {0}", targetFile);
}
//foreach(var
}
public List <IO2Finding> takeDirectoryAndLoadAllAssessmentsWithStringInName()
{
var targetDirectory = pathToOzastmFilesToLoad;
var filter = "*webgoat*.ozasmt";
var recursiveSearch = true;
return(XUtils_Findings_v0_1.loadMultipleOzasmtFiles(targetDirectory, filter, recursiveSearch));
}
public static void Test()
{
var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile);
var strutsMapping = (KStrutsMappings)Serialize.getDeSerializedObjectFromBinaryFile(strutsMappingsFile, typeof(KStrutsMappings));
var o2Findings = strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(baseO2Findings, strutsMapping);
XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings);
}
public string showFindingsInGUI()
{
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);
Assert.That(o2Findings.Count > 0, "There were no findings loaded");
XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings);
return("number of findings loaded:" + o2Findings.Count);
}
public string runPhase5()
{
var testAnalysisArtifacts = KAnalysisArtifacts.load(testAnalysisArtifactsFile);
var result = runPhase5(testAnalysisArtifacts);
var finalO2Findings = XUtils_Findings_v0_1.loadFindingsFile(finalAssessmentFile);
XUtils_Findings_v0_1.openFindingsInNewWindow(finalO2Findings);
return(result);
}
public static List <IO2Finding> getAllTraces_LostSinks(string targetFolder)
{
var folderWith_LostSinks = Path.Combine(targetFolder, "FindingsWith_Traces_LostSinks");
Assert.That(Directory.Exists(folderWith_LostSinks), "directory folderWith_LostSinks did not exist: " + folderWith_LostSinks);
var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWith_LostSinks);
O2Cmd.log.write("Findings with Lost Sinks: {0}", o2Findings.Count);
return(o2Findings);
}
public string onlyShowInfos_Linq()
{
var onlyInfos = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile)
where o2Finding.severity == 3
select o2Finding;
XUtils_Findings_v0_1.openFindingsInNewWindow(onlyInfos.ToList());
return("# of Infos: " + onlyInfos.Count());
}
// note this should be the last one to run
public void makeKnownFindingsTypeII(List <IO2Finding> o2Findings)
{
foreach (var o2Finding in o2Findings)
{
o2Finding.confidence = 2;
}
var saveAsTypeII = Path.Combine(folderWithArtifacts_Phase4, "all_Non_Processed_KnownSink_Findings_as_Type_II.ozasmt");
XUtils_Findings_v0_1.saveFindings(o2Findings, saveAsTypeII);
}
public string onlyShowNoTraces()
{
var noTraces = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile)
where o2Finding.o2Traces.Count == 0
select o2Finding;
XUtils_Findings_v0_1.openFindingsInNewWindow(noTraces.ToList());
return("# of NoTraces: " + noTraces.Count());
}
public string removeAllNoTraces()
{
var onlyTraces = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile)
where o2Finding.o2Traces.Count > 0
select o2Finding;
XUtils_Findings_v0_1.openFindingsInNewWindow(onlyTraces.ToList());
return("# of onlyTraces: " + onlyTraces.Count());
}
public void task4_CalculateStrutsFindings()
{
O2Cmd.log.write("TASK #4: Calculate Struts Findings");
// check if there are Struts Mappings
var folderWithStrutsMappings = Path.Combine(folderWithArtifacts_Phase2, "Struts Mappings");
if (Directory.Exists(folderWithStrutsMappings))
{
//Assert.That(Directory.Exists(folderWithStrutsMappings), "Directory with struts mappings did not exist: " + folderWithStrutsMappings);
// check if we have the filtered findings files required
var findingsWith_KnownSinks = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt");
Assert.That(File.Exists(findingsWith_KnownSinks), "Could not find findingsWith_KnownSinks: " + findingsWith_KnownSinks);
// load findings
var o2Findings_KnownSinks = XUtils_Findings_v0_1.loadFindingsFile(findingsWith_KnownSinks);
// extract just the ones needed for the struts mappings
var o2Findings = new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2Findings_KnownSinks, "getParameter", "setAttribute");
o2Findings.AddRange(new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2Findings_KnownSinks, "getAttribute", "print"));
foreach (var strutsMappingsFile in Files.getFilesFromDir_returnFullPath(folderWithStrutsMappings))
{
var fileName = Path.GetFileName(strutsMappingsFile);
var projectName = Path.GetFileNameWithoutExtension(strutsMappingsFile);
O2Cmd.log.write("Processing file {0} from project {1}", fileName, projectName);
// load struts mappings
var strutsMapping = XUtils_Struts_v0_1.loadStrutsMappingsFromFile(strutsMappingsFile);
Assert.That(strutsMapping != null, "strutsMapping was null");
// execute the struts rule
var o2Results = XRule_Struts.strutsRule_fromGetParameterToPringViaGetSetAttributeJoins(o2Findings, strutsMapping);
// make sure we had results
//Assert.That(o2Results.Count > 0 , "There were no results");
if (o2Results.Count == 0)
{
O2Cmd.log.error("there were no results in task4_CalculateStrutsFindings");
}
else
{
// save results
var targetFolder = Path.Combine(folderWithArtifacts_Phase3, "Struts Mappings");
Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder);
var fileWithSavedResults = Path.Combine(targetFolder, projectName + ".ozasmt");
XUtils_Findings_v0_1.saveFindings(o2Results, fileWithSavedResults);
// make sure saved file exists
Assert.That(File.Exists(fileWithSavedResults), "fileWithSavedResults did not exist: " + fileWithSavedResults);
O2Cmd.log.write("All OK. There were {0} results \r\nsaved to: {1}", o2Results.Count, fileWithSavedResults);
}
}
}
}
public List <IO2Finding> invokeMultipleXRules()
{
// executing findings from pathToOzastmFilesToLoad
var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(pathToOzastmFilesToLoad);
// run filter that gets only Traces
var onlyTraces = new XRule_Findings_Filter().onlyTraces(o2Findings);
// which have getParameter as source
var results = new XRule_Findings_Filter().whereSource_Contains(onlyTraces, "getParameter");
return(results);
}
public string RemoveAll3nodeGetSetVulns()
{
// Dinis note, if I understand this request correctly, the query is:
// for all vulns that start in a get and end in set
// only show the ones that have more than 3 traces
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);
var thread = XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings, "Original list of loaded files");
thread.Join(); // we have to do this to make sure we don't continue before the findings are loaded in the Findings Viewer
// first lets see if this happens in the current list of loaded findings
var getsAndSets = new List <IO2Finding>();
foreach (O2Finding o2Finding in o2Findings) // need to cast to O2Finding in order to have access to the prepopulated version of IO2Finding
{
if (o2Finding.Source.IndexOf("get") > -1 && o2Finding.Sink.IndexOf("set") > -1)
{
getsAndSets.Add(o2Finding);
}
}
Assert.That(getsAndSets.Count > 0, "There are no Get->Set pairs in the current loaded findings"); // Dinis note: on the WebGoat 6.0.ozasmt file I'm using there are 54 matches
// show in GUI getsAndSets
XUtils_Findings_v0_1.openFindingsInNewWindow(getsAndSets, "Findings with GetsAndSets").Join(); // added .Join() to ensure the load thread is completed
// now check if there are findings with 3 traces
var getsAndSetsWith3Traces = new List <IO2Finding>();
foreach (O2Finding o2Finding in getsAndSets)
{
var allTracesFromFinding = OzasmtUtils.getListWithAllTraces(o2Finding);
if (allTracesFromFinding.Count == 3)
{
getsAndSetsWith3Traces.Add(o2Finding);
}
}
Assert.That(getsAndSetsWith3Traces.Count > 0, "There were no getsAndSetsWith3Traces");
// show in GUI getsAndSetsWith3Traces
XUtils_Findings_v0_1.openFindingsInNewWindow(getsAndSetsWith3Traces, "Findings with getsAndSetsWith3Traces").Join(); // Dinis note: I get 4 findings that match this criteria
// finally remove the getsAndSetsWith3Traces from the loaded findings
foreach (var o2FindingToRemove in getsAndSetsWith3Traces)
{
o2Findings.Remove(o2FindingToRemove);
}
// and show the results (note how this window has less 3 findings than the first one that was loaded)
XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings, "Original list without 3nodeGetSetVulns").Join();
return("Number of findings after filter: " + o2Findings.Count);
} // this function could be greatly reduced by using LINQ (I'll do that later :) )
public List <IO2Finding> removeAllInfos_version_3()
{
// LINQ query
var resultsLinq = from IO2Finding o2Finding in XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile)
where OzasmtUtils.getSeverityFromId(o2Finding.severity) != "Info" // o2Finding.severity = 3 maps to "Info"
select o2Finding;
// since we are using List<IO2Fiding> below, lets covert the LINQ result which is IEnumerable<IO2Finding> to List<IO2Finding>
var results = resultsLinq.ToList();
XUtils_Findings_v0_1.openFindingsInNewWindow(results);
return(results);
}
public static void saveDictionaryWithMappedFindingsToFolder(Dictionary <string, List <IO2Finding> > mappedFindings, string targetFolder)
{
Files.checkIfDirectoryExistsAndCreateIfNot(targetFolder);
Assert.That(Directory.Exists(targetFolder), "Directory targetFolder did not exist: " + targetFolder);
foreach (var mappedEntry in mappedFindings)
{
var findingsToSave = mappedEntry.Value;
//var fileName = string.Format("{0} ({1} Findings).ozasmt", mappedEntry.Key , findingsToSave.Count); // can't do this if we wanto to easily consume these findings from the next phase
var fileName = string.Format("{0}.ozasmt", mappedEntry.Key);
O2Cmd.log.write("Creating file {0} with {0} findings", fileName, findingsToSave.Count);
var targetFile = Path.Combine(targetFolder, fileName);
XUtils_Findings_v0_1.saveFindings(findingsToSave, targetFile);
}
}
// run sequence of filters on findings (note that (if 4th param == true) saveQuery will remove the matched
// findings from tracesToFilter
public void task2_filterFindings(KAnalysisArtifacts analysisArtifacts, List <IO2Finding> tracesToFilter, string targetFolder, string fileName)
{
foreach (var sourceSink in analysisArtifacts.phase_3.task2_sourceSink)
{
XUtils_Analysis.saveQuery(tracesToFilter, targetFolder, fileName, sourceSink.Source, sourceSink.Sink, sourceSink.RemoveMatches);
}
// save what was left (i.e. findings that didn't match the above filters) in a separate file
if (tracesToFilter.Count > 0)
{
O2Cmd.log.write("After task2 filters there were {0} findings that matched no filter", tracesToFilter.Count);
var targetFile = Path.Combine(targetFolder, "__NO FILTER__" + " - " + fileName + ".ozasmt");
XUtils_Findings_v0_1.saveFindings(tracesToFilter, targetFile);
}
}
// PHASE 5 : TASKS
public void task1_createFinalAssessmentFile()
{
var o2Findings = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWithArtifacts_Phase4);
O2Cmd.log.write("There are {0} findings for final assessment file", o2Findings.Count);
// make them compatible with OSA
OzasmtCompatibility.makeCompatibleWithOunceV6(o2Findings);
finalAssessmentFile = Path.Combine(folderWithArtifacts_Phase5, "Final Set of Findings.ozasmt");
XUtils_Findings_v0_1.saveFindings(o2Findings, finalAssessmentFile);
O2Cmd.log.write("Final assessment file created: {0}", finalAssessmentFile);
copyFinalAssessmentFileToWorkflowFolder();
}
public List <IO2Finding> removeAllInfos_version_2()
{
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);
var results = new List <IO2Finding>();
foreach (O2Finding o2Finding in o2Findings)
{
if (OzasmtUtils.getSeverityFromId(o2Finding.severity) != "Info")
{
results.Add(o2Finding);
}
}
XUtils_Findings_v0_1.openFindingsInNewWindow(results);
return(results);
}
public string runPhase2(IAnalysisArtifacts analysisArtifacts)
{
O2Cmd.log.write("\n\n***** PHASE 2 ***");
// setup expected target folders
workflowFolder = analysisArtifacts.targetFolder;
folderWithArtifacts_Phase1 = Path.Combine(workflowFolder, "Phase 1 - Artifacts");
folderWithArtifacts_Phase2 = Path.Combine(workflowFolder, "Phase 2 - Artifacts");
Files.checkIfDirectoryExistsAndCreateIfNot(folderWithArtifacts_Phase2); // create Phase 2 folder (if required)
// check if required folders exist
Assert.That(Directory.Exists(folderWithArtifacts_Phase1), "folderWithArtifacts_forPhase1 could not be found");
Assert.That(Directory.Exists(folderWithArtifacts_Phase2), "folderWithArtifacts_forPhase2 could not be found");
if (analysisArtifacts.phase_2.task1_SplitFindingsOnTrace)
{
foreach (var file in Files.getFilesFromDir_returnFullPath(folderWithArtifacts_Phase1))
{
var fileName = Path.GetFileName(file);
// load findings
var o2FindingsInFile = XUtils_Findings_v0_1.loadFindingsFile(file);
// check if file was loaded ok
Assert.That(o2FindingsInFile != null, "o2FindingsInFile was null. file loaded :" + file);
// Assert.That(o2FindingsInFile.Count > 0, "There were no findings loaded from file: " + file);
O2Cmd.log.write("Loaded {0} findings from file {1}", o2FindingsInFile.Count, fileName);
task1_FilterFindings(o2FindingsInFile, fileName);
if (onlyRunTasksOnOneFile)
{
break; // during development just use first file
}
}
}
if (analysisArtifacts.phase_2.task2_createStrutsMappings)
{
task2_createStrutsMappings();
}
O2Cmd.log.write("\n\n**** : PHASE 2 Completed\n\n");
return("Phase 1 completed");
}
// PHASE 3 : TASKS
// since there are lot a lot of known sinks move them all into one file
public void task1_handleKnownSinks()
{
// for now save these findings in the root of folderWithArtifacts_Phase3
var folderWithAssessmentFiles = Path.Combine(folderWithArtifacts_Phase2, "FindingsWith_Traces_KnownSinks");
Assert.That(Directory.Exists(folderWithAssessmentFiles), "Directory folderWithAssessmentFiles does not exist: " + folderWithAssessmentFiles);
var o2Findings_WithKnownSinks = XUtils_Findings_v0_1.loadMultipleOzasmtFiles(folderWithAssessmentFiles);
// save as 1 ozasmt file with all findings
var targetFile = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt");
XUtils_Findings_v0_1.saveFindings(o2Findings_WithKnownSinks, targetFile);
// save as 1 ozasmt file per VulnType
var targetFolder = Path.Combine(folderWithArtifacts_Phase3, "Findings with KnownSinks (by VulnType)");
var mappedFindings = XUtils_Analysis.getDictionaryWithFindingsMappedBy_VulType(o2Findings_WithKnownSinks);
XUtils_Analysis.saveDictionaryWithMappedFindingsToFolder(mappedFindings, targetFolder);
}
// PHASE 4 : TASKS
// Handle the Findings With Knonw Sinks
public void task1_analyseFindingsWithKnownSinks()
{
// check if source findings file is there
var fileWith_Findings_WithKnownSinks = Path.Combine(folderWithArtifacts_Phase3, "Findings with Known Sinks.ozasmt");
Assert.That(File.Exists(fileWith_Findings_WithKnownSinks), "fileWith_Findings_WithKnownSinks file did not exist: " + fileWith_Findings_WithKnownSinks);
// load findings
var o2Findings_WithKnownSinks = XUtils_Findings_v0_1.loadFindingsFile(fileWith_Findings_WithKnownSinks);
Assert.That(o2Findings_WithKnownSinks.Count > 0, "There were no findings in o2Findings_WithKnownSinks object");
// show findingds (while in analysis mode)
//XUtils_Findings_v0_1.openFindingsInNewWindow(o2Findings_WithKnownSinks);
analyzeFindingsOfVulnType_SqlInjection(o2Findings_WithKnownSinks, true);
makeKnownFindingsTypeII(o2Findings_WithKnownSinks);
}
public string RemoveAllMaliciousTriggers()
{
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);
var vulnNameToFind = "Vulnerability.Malicious.Trigger";
// check that there are some o2Findings
var withVulnName = from IO2Finding o2Finding in o2Findings
where o2Finding.vulnType == vulnNameToFind
select o2Finding;
Assert.That(withVulnName.Count() > 0, "In the findings loaded, there was no Findings with vulnName = " + vulnNameToFind);
// and since there are create a list of findings without vunlNameToFind
var withoutVulnName = from IO2Finding o2Finding in o2Findings
where o2Finding.vulnType != vulnNameToFind
select o2Finding;
XUtils_Findings_v0_1.openFindingsInNewWindow(withoutVulnName.ToList(), "withoutVulnName").Join();
return("# of Findings without '" + vulnNameToFind + "': " + withoutVulnName.Count());
}
public static List <IO2Finding> saveQuery(List <IO2Finding> o2FindingsInFile, string targetFolder, string fileName, string sourceRegEx, string sinkRegex, string fileNamePrefix, string fileNamePostfix, bool removeFindingsFromSourceList)
{
O2Cmd.log.write("Executing query: Source = {0} Sink = {1}", sourceRegEx, sinkRegex);
var results = new XRule_Findings_Filter().whereSourceAndSink_ContainsRegex(o2FindingsInFile, sourceRegEx, sinkRegex);
O2Cmd.log.write(" Query returned {0} results", results.Count);
var targetFile = Path.Combine(targetFolder, fileNamePrefix + fileName + " - " + fileNamePostfix);
if (false == targetFile.EndsWith(".ozasmt"))
{
targetFile += ".ozasmt";
}
if (results.Count > 0)
{
XUtils_Findings_v0_1.saveFindings(results, targetFile);
if (removeFindingsFromSourceList)
{
removeFindingsFromList(o2FindingsInFile, results);
}
}
return(results);
}
public List <IO2Finding> removeAllInfos_version_1()
{
// load findings to process
var o2Findings = XUtils_Findings_v0_1.loadFindingsFile(sampleOzamtFile);
Assert.That(o2Findings.Count > 0, "There were no findings loaded");
// calculate results
var results = new List <IO2Finding>();
foreach (var o2Finding in o2Findings) // the type of var is IO2Finding
{
if (o2Finding.severity < 3)
{
results.Add(o2Finding);
}
}
// show findings in O2 GUI
XUtils_Findings_v0_1.openFindingsInNewWindow(results);
// return results
return(results);
}
public string invokeStrutsRules_Variation_2_loadAllFiles()
{
string webAppRoot = @"...\_OunceApplication\O2Data\xml config files";
string baseO2FindingsFile = @"...\_OunceApplication\O2Data\OSA - ... 11-3-09 807PM.ozasmt";
string webXml = Path.Combine(webAppRoot, @"web.xml");
string strutsConfigXml = Path.Combine(webAppRoot, @"struts-config.xml");
string tilesDefinitionXml = Path.Combine(webAppRoot, @"tiles-definitions.xml");
string validationXml = Path.Combine(webAppRoot, @"validation.xml");
// make sure webAppRoot directory exists
Assert.That(Directory.Exists(webAppRoot), "Could not find webAppRoot directory:\r\n " + webAppRoot);
// make sure files exist
Assert.That(File.Exists(baseO2FindingsFile), "Could not find file with baseO2FindingsFile:\r\n " + baseO2FindingsFile);
Assert.That(File.Exists(webXml), "Could not find file with webXml:\r\n " + webXml);
Assert.That(File.Exists(strutsConfigXml), "Could not find file with strutsConfig:\r\n " + strutsConfigXml);
Assert.That(File.Exists(tilesDefinitionXml), "Could not find file with tilesDefinitionXml:\r\n " + tilesDefinitionXml);
//Assert.That(File.Exists(validationXml), "Could not find file with validationXml:\r\n " + validationXml); // Dinis note: in my local examples I don't have this file
// load assessment file
var baseO2Findings = XUtils_Findings_v0_1.loadFindingsFile(baseO2FindingsFile);
// make sure there were findings loaded
Assert.That(baseO2Findings != null, "baseO2Findings == null");
Assert.That(baseO2Findings.Count > 0, "there were no findings loaded in baseO2Findings");
// create struts mapping object
var strutsMappings = StrutsMappingsHelpers.calculateStrutsMapping(webXml, strutsConfigXml, tilesDefinitionXml, validationXml);
// make sure struts mapping was loaded ok
Assert.That(strutsMappings != null, "strutsMappings was null");
Assert.That(strutsMappings.actionServlets.Count > 0, "in strutsMappings, actionServlets.Count ==0");
// TaintSources and FinalSinks RegEx
var taintSources_SourceRegEx = @"getParameter\(java.lang.String\)";
var taintSources_SinkRegEx = @"setAttribute\(java.lang.String";
var finalSinks_SourceRegEx = @"getAttribute\(java.lang.String\)";
var finalSinks_SinkRegEx = @"print";
// calcuate struts findings
var xRuleStuts = new XUtils_Struts_Joins_V0_1()
{
findingsWith_BaseO2Findings = baseO2Findings,
StrutsMappings = strutsMappings,
TaintSources_SourceRegEx = taintSources_SourceRegEx,
TaintSources_SinkRegEx = taintSources_SinkRegEx,
FinalSinks_SourceRegEx = finalSinks_SourceRegEx,
FinalSinks_SinkRegEx = finalSinks_SinkRegEx,
JoinPointFilter = XRule_Struts.joinPointFilter
};
xRuleStuts.calculateFindings();
// get list of findings calculated
var results = xRuleStuts.getResults();
// make sure there are findings in the results list
Assert.That(results.Count > 0, " there were no findings in the results list");
return("All OK, number of results calculated: " + results.Count);
}
public void analyzeFindingsOfVulnType_SqlInjection(List <IO2Finding> o2Findings, bool removeFindingsFromSourceList)
{
// extract the Sql Injection ones
var sqlInjectionFindings = XUtils_Analysis.getFindingsWithVulnType(o2Findings, "Vulnerability.Injection.SQL", removeFindingsFromSourceList);
if (sqlInjectionFindings.Count == 0)
{
return;
}
// var fileWithSqlInjections = Path.Combine(folderWithArtifacts_Phase4, "Findings_with_SQL_Injection");
//XUtils_Findings_v0_1.saveFindings(sqlInjectionFindings, fileWithSqlInjections);
//Assert.That(File.Exists(fileWithSqlInjections), "fileWithSqlInjections was not created");
var sqlInjectionValidators = new List <string> {
"java.lang.Integer.<init>(int):void",
"java.lang.Integer.valueOf(int):java.lang.Integer",
"java.lang.String.valueOf(int):java.lang.String",
":java.util.DateTime"
};
var nonExploitable = new List <IO2Finding>();
var maybeExploitable = new List <IO2Finding>();
foreach (O2Finding o2Finding in sqlInjectionFindings)
{
var validatorFound = "";
foreach (var validator in sqlInjectionValidators)
{
if (XUtils_Analysis.doesFindingHasTraceSignature(o2Finding, validator))
{
validatorFound = validator;
break;
}
}
// modify finding
if (validatorFound != "")
{
o2Finding.context = string.Format("found validator: {0} , {1}", validatorFound, o2Finding.context);
nonExploitable.Add(o2Finding);
o2Finding.vulnType += ".NotExploitable";
o2Finding.severity = 3;
o2Finding.confidence = 1;
}
else
{
maybeExploitable.Add(o2Finding);
o2Finding.vulnType += ".MaybeExploitable.InternalMethod";
o2Finding.severity = 0;
o2Finding.confidence = 2;
}
}
var fileWith_NonExploitable = Path.Combine(folderWithArtifacts_Phase4, "NonExploitable_Findings_with_SQL_Injection.ozasmt");
XUtils_Findings_v0_1.saveFindings(nonExploitable, fileWith_NonExploitable);
var fileWith_MaybeExploitable = Path.Combine(folderWithArtifacts_Phase4, "MaybeExploitable_Findings_with_SQL_Injection.ozasmt");
XUtils_Findings_v0_1.saveFindings(maybeExploitable, fileWith_MaybeExploitable);
//XUtils_Findings_v0_1.openFindingsInNewWindow(nonExploitable).Join();
//XUtils_Findings_v0_1.openFindingsInNewWindow(maybeExploitable).Join();
}