private void AutoLoadAsync()
{
#pragma warning disable SecurityIntelliSenseCS // MS Security rules violation
string destFile = Path.Combine(Application.UserAppDataPath, FileName);
#pragma warning restore SecurityIntelliSenseCS // MS Security rules violation
if (File.Exists(destFile))
{
try
{
_threatSource = new ThreatSource(ThreatSourceManager.GetCapecCatalog(destFile));
SuccessAutoLoad();
}
catch
{
#pragma warning disable SCS0018 // Path traversal: injection possible in {1} argument passed to '{0}'
File.Delete(destFile);
#pragma warning restore SCS0018 // Path traversal: injection possible in {1} argument passed to '{0}'
}
FinalizeAutoLoad();
}
else
{
NoAutoload();
}
}
private void AnalyzeRelationships([NotNull] ThreatSource threatSource, [NotNull] Attack_PatternType attack)
{
foreach (var relatedAttack in attack.Related_Attack_Patterns)
{
if (relatedAttack.Relationship_Target_Form == RelationshipTypeRelationship_Target_Form.AttackPattern &&
relatedAttack.Relationship_Nature != null && relatedAttack.Relationship_Nature.Count > 0)
{
switch (relatedAttack.Relationship_Nature[0])
{
case RelationshipTypeRelationship_Nature.ChildOf:
foreach (var view in relatedAttack.Relationship_Views)
{
threatSource.AddParentChild(view.Value, relatedAttack.Relationship_Target_ID, Id);
}
break;
case RelationshipTypeRelationship_Nature.ParentOf:
foreach (var view in relatedAttack.Relationship_Views)
{
threatSource.AddParentChild(view.Value, Id, relatedAttack.Relationship_Target_ID);
}
break;
}
}
}
}
public ThreatSourceNode([NotNull] ThreatSource threatSource, [NotNull] Category category)
{
Id = category.ID;
Name = category.Name;
IsRoot = true;
ThreatSourceType = ThreatSourceType.Capec;
AnalyzeRelationships(threatSource, category);
_properties.Add(new KeyValuePair <string, string>("Name", category.Name));
if (category.Description?.Description_Summary != null)
{
_properties.Add(new KeyValuePair <string, string>("Summary", category.Description.Description_Summary));
}
var prerequisites = Convert(category.Attack_Prerequisites);
if (!string.IsNullOrWhiteSpace(prerequisites))
{
_properties.Add(new KeyValuePair <string, string>("Prerequisites", prerequisites));
}
var resources = Convert(category.Resources_Required);
if (!string.IsNullOrWhiteSpace(resources))
{
_properties.Add(new KeyValuePair <string, string>("Resources Required", resources));
}
}
public ThreatSourceNodeParentChild([NotNull] ThreatSource threatSource,
[Required] string viewId, [NotNull] ThreatSourceNode node)
{
Node = node;
var children = threatSource.GetChildren(viewId, node);
if (children != null)
{
Children = children.Select(x => new ThreatSourceNodeParentChild(threatSource, viewId, x));
}
}
private void AnalyzeRelationships([NotNull] ThreatSource threatSource, [NotNull] Category category)
{
foreach (var relationthip in category.Relationships)
{
if (relationthip.Relationship_Target_Form == RelationshipTypeRelationship_Target_Form.AttackPattern &&
relationthip.Relationship_Nature != null && relationthip.Relationship_Nature.Count > 0)
{
switch (relationthip.Relationship_Nature[0])
{
case RelationshipTypeRelationship_Nature.HasMember:
foreach (var view in relationthip.Relationship_Views)
{
threatSource.AddParentChild(view.Value, Id, relationthip.Relationship_Target_ID);
}
break;
}
}
}
}
private void Download()
{
if (string.IsNullOrWhiteSpace(SourceUrl))
{
throw new InvalidOperationException(string.Format(Resources.MissingParameterError, nameof(SourceUrl)));
}
string fileName = Path.GetFileName(SourceUrl);
#pragma warning disable SecurityIntelliSenseCS // MS Security rules violation
string fileWithPath = Path.Combine(Application.UserAppDataPath, fileName);
string fileNameWithoutExt = Path.GetFileNameWithoutExtension(SourceUrl);
string destFile = Path.Combine(Application.UserAppDataPath, FileName);
#pragma warning restore SecurityIntelliSenseCS // MS Security rules violation
#if CWE
bool cwe = fileNameWithoutExt.StartsWith("cwec_");
#endif
bool capec = fileNameWithoutExt.StartsWith("capec_");
#if CWE
if (!cwe && !capec)
#else
if (!capec)
#endif
{ throw new InvalidOperationException(string.Format(Resources.UnsupportedFileTypeError, fileName)); }
if (!File.Exists(fileWithPath))
{
using (var client = new WebClient())
{
#pragma warning disable SecurityIntelliSenseCS // MS Security rules violation
client.DownloadFile(new Uri(SourceUrl), fileWithPath);
#pragma warning restore SecurityIntelliSenseCS // MS Security rules violation
}
}
if (SourceUrl.EndsWith(".zip"))
{
ZipFile.ExtractToDirectory(fileWithPath, Application.UserAppDataPath);
#pragma warning disable SCS0018 // Path traversal: injection possible in {1} argument passed to '{0}'
#pragma warning disable SecurityIntelliSenseCS // MS Security rules violation
File.Move(Path.Combine(Application.UserAppDataPath, fileNameWithoutExt), destFile);
#pragma warning restore SecurityIntelliSenseCS // MS Security rules violation
#pragma warning restore SCS0018 // Path traversal: injection possible in {1} argument passed to '{0}'
}
else
{
if (string.CompareOrdinal(fileName, FileName) != 0)
{
#pragma warning disable SCS0018 // Path traversal: injection possible in {1} argument passed to '{0}'
#pragma warning disable SecurityIntelliSenseCS // MS Security rules violation
File.Move(Path.Combine(Application.UserAppDataPath, fileName), destFile);
#pragma warning restore SecurityIntelliSenseCS // MS Security rules violation
#pragma warning restore SCS0018 // Path traversal: injection possible in {1} argument passed to '{0}'
}
}
try
{
_threatSource = capec
? new ThreatSource(ThreatSourceManager.GetCapecCatalog(destFile))
:
#if CWE
new ThreatSource(ThreatSourceManager.GetCweCatalog(destFile));
#else
null;
#endif
FinalizeDownload(true);
}
catch (Exception exc)
{
#if DEBUG
Debug.WriteLine(exc.ToString());
#endif
if (File.Exists(destFile))
#pragma warning disable SCS0018 // Path traversal: injection possible in {1} argument passed to '{0}'
{
File.Delete(destFile);
}
#pragma warning restore SCS0018 // Path traversal: injection possible in {1} argument passed to '{0}'
FinalizeDownload(false);
}
}
public ThreatSourceNode([NotNull] ThreatSource threatSource, [NotNull] Attack_PatternType attack)
{
Id = attack.ID;
Name = attack.Name;
IsRoot = false;
ThreatSourceType = ThreatSourceType.Capec;
AnalyzeRelationships(threatSource, attack);
_properties.Add(new KeyValuePair <string, string>("Name", attack.Name));
if (attack.Description?.Summary != null)
{
_properties.Add(new KeyValuePair <string, string>("Summary", Convert(attack.Description.Summary)));
}
var alternate = Convert(attack.Alternate_Terms);
if (!string.IsNullOrWhiteSpace(alternate))
{
_properties.Add(new KeyValuePair <string, string>("Alternate Terms", alternate));
}
var attackSurface = Convert(attack.Target_Attack_Surface);
if (!string.IsNullOrWhiteSpace(attackSurface))
{
_properties.Add(new KeyValuePair <string, string>("Target Attack Surface", attackSurface));
}
var prerequisites = Convert(attack.Attack_Prerequisites);
if (!string.IsNullOrWhiteSpace(prerequisites))
{
_properties.Add(new KeyValuePair <string, string>("Prerequisites", prerequisites));
}
_properties.Add(new KeyValuePair <string, string>("Severity", attack.Typical_Severity.ToString()));
_properties.Add(new KeyValuePair <string, string>("Likelihood of Exploit", attack.Typical_Likelihood_of_Exploit.Likelihood));
var methodsOfAttack = Convert(attack.Methods_of_Attack);
if (!string.IsNullOrWhiteSpace(methodsOfAttack))
{
_properties.Add(new KeyValuePair <string, string>("Methods of Attack", methodsOfAttack));
}
var examples = Convert(attack.ExamplesInstances);
if (!string.IsNullOrWhiteSpace(examples))
{
_properties.Add(new KeyValuePair <string, string>("Examples", examples));
}
var skills = Convert(attack.Attacker_Skills_or_Knowledge_Required);
if (!string.IsNullOrWhiteSpace(skills))
{
_properties.Add(new KeyValuePair <string, string>("Skills or Knowledge Required", skills));
}
var resources = Convert(attack.Resources_Required);
if (!string.IsNullOrWhiteSpace(resources))
{
_properties.Add(new KeyValuePair <string, string>("Resources Required", resources));
}
var probing = Convert(attack.Probing_Techniques);
if (!string.IsNullOrWhiteSpace(probing))
{
_properties.Add(new KeyValuePair <string, string>("Probing Techniques", probing));
}
var warning = Convert(attack.IndicatorsWarnings_of_Attack);
if (!string.IsNullOrWhiteSpace(warning))
{
_properties.Add(new KeyValuePair <string, string>("Warning of Attack", warning));
}
var obfuscation = Convert(attack.Obfuscation_Techniques);
if (!string.IsNullOrWhiteSpace(obfuscation))
{
_properties.Add(new KeyValuePair <string, string>("Obfuscation Techniques", obfuscation));
}
var mitigations = Convert(attack.Solutions_and_Mitigations);
if (!string.IsNullOrWhiteSpace(mitigations))
{
_properties.Add(new KeyValuePair <string, string>("Solutions and Mitigations", mitigations));
}
var injectionVector = Convert(attack.Injection_Vector);
if (!string.IsNullOrWhiteSpace(injectionVector))
{
_properties.Add(new KeyValuePair <string, string>("Injection Vector", injectionVector));
}
var payload = Convert(attack.Payload);
if (!string.IsNullOrWhiteSpace(payload))
{
_properties.Add(new KeyValuePair <string, string>("Payload", payload));
}
var activationZone = Convert(attack.Activation_Zone);
if (!string.IsNullOrWhiteSpace(activationZone))
{
_properties.Add(new KeyValuePair <string, string>("Activation Zone", activationZone));
}
var activationImpact = Convert(attack.Payload_Activation_Impact);
if (!string.IsNullOrWhiteSpace(activationImpact))
{
_properties.Add(new KeyValuePair <string, string>("Payload Activation Impact", activationImpact));
}
var weaknesses = Convert(attack.Related_Weaknesses);
if (!string.IsNullOrWhiteSpace(weaknesses))
{
_properties.Add(new KeyValuePair <string, string>("Related Weaknesses", weaknesses));
}
var vulnerabilities = Convert(attack.Related_Vulnerabilities);
if (!string.IsNullOrWhiteSpace(vulnerabilities))
{
_properties.Add(new KeyValuePair <string, string>("Related Vulnerabilities", vulnerabilities));
}
var requirements = Convert(attack.Relevant_Security_Requirements);
if (!string.IsNullOrWhiteSpace(requirements))
{
_properties.Add(new KeyValuePair <string, string>("Security Requirements", requirements));
}
var principles = Convert(attack.Related_Security_Principles);
if (!string.IsNullOrWhiteSpace(principles))
{
_properties.Add(new KeyValuePair <string, string>("Security Principles", principles));
}
var guidelines = Convert(attack.Related_Guidelines);
if (!string.IsNullOrWhiteSpace(guidelines))
{
_properties.Add(new KeyValuePair <string, string>("Related Guidelines", guidelines));
}
var ciaImpact = Convert(attack.CIA_Impact);
if (!string.IsNullOrWhiteSpace(ciaImpact))
{
_properties.Add(new KeyValuePair <string, string>("CIA Impact", ciaImpact));
}
var context = Convert(attack.Technical_Context);
if (!string.IsNullOrWhiteSpace(context))
{
_properties.Add(new KeyValuePair <string, string>("Technical Context", context));
}
var references = Convert(attack.References);
if (!string.IsNullOrWhiteSpace(references))
{
_properties.Add(new KeyValuePair <string, string>("References", references));
}
var notes = Convert(attack.Other_Notes);
if (!string.IsNullOrWhiteSpace(notes))
{
_properties.Add(new KeyValuePair <string, string>("Other Notes", notes));
}
}
