public void FortifyIssue_CanBeConstructed_WithAllProperties()
{
var uut = new FortifyIssue(
"ruleId",
"iid",
"category",
"kingdom",
"abstract",
"abstractCustom",
"priority",
s_pathElementA,
s_pathElementB,
ImmutableArray.Create(1, 2, 3)
);
Assert.Equal("ruleId", uut.RuleId);
Assert.Equal("iid", uut.InstanceId);
Assert.Equal("category", uut.Category);
Assert.Equal("kingdom", uut.Kingdom);
Assert.Equal("abstract", uut.Abstract);
Assert.Equal("abstractCustom", uut.AbstractCustom);
Assert.Equal("priority", uut.Priority);
Assert.Same(s_pathElementA, uut.PrimaryOrSink);
Assert.Same(s_pathElementB, uut.Source);
uut.CweIds.Should().Equal(new[] { 1, 2, 3 });
}
public void FortifyIssue_CanBeConstructed_WithMinimalProperties()
{
var uut = new FortifyIssue(
null,
null,
"category",
"kingdom",
null,
null,
null,
s_pathElementA,
null,
ImmutableArray <int> .Empty
);
Assert.Null(uut.RuleId);
Assert.Null(uut.InstanceId);
Assert.Equal("category", uut.Category);
Assert.Equal("kingdom", uut.Kingdom);
Assert.Null(uut.Abstract);
Assert.Null(uut.AbstractCustom);
Assert.Null(uut.Priority);
Assert.Same(s_pathElementA, uut.PrimaryOrSink);
Assert.Null(uut.Source);
uut.CweIds.Should().BeEmpty();
}
/// <summary>
/// Interface implementation for converting a stream of Fortify report in XML format to a
/// SARIF json format stream.
/// </summary>
/// <exception cref="ArgumentNullException">Thrown when one or more required arguments are null.</exception>
/// <param name="input">Stream of the Fortify report.</param>
/// <param name="output">Stream of SARIF json.</param>
/// <param name="dataToInsert">Logging options that configure output.</param>
public override void Convert(Stream input, IResultLogWriter output, OptionallyEmittedData dataToInsert)
{
if (input == null)
{
throw new ArgumentNullException(nameof(input));
}
if (output == null)
{
throw new ArgumentNullException(nameof(output));
}
var settings = new XmlReaderSettings
{
DtdProcessing = DtdProcessing.Ignore,
IgnoreWhitespace = true,
NameTable = _nameTable,
XmlResolver = null
};
var results = new List <Result>();
using (XmlReader reader = XmlReader.Create(input, settings))
{
while (reader.Read())
{
while (StringReference.AreEqual(reader.LocalName, _strings.Issue))
{
FortifyIssue fortify = FortifyIssue.Parse(reader, _strings);
results.Add(ConvertFortifyIssueToSarifIssue(fortify));
}
}
}
var tool = new Tool
{
Name = "Fortify"
};
var fileInfoFactory = new FileInfoFactory(MimeType.DetermineFromFileExtension, dataToInsert);
Dictionary <string, FileData> fileDictionary = fileInfoFactory.Create(results);
var run = new Run()
{
Tool = tool
};
output.Initialize(run);
if (fileDictionary != null && fileDictionary.Count > 0)
{
output.WriteFiles(fileDictionary);
}
output.OpenResults();
output.WriteResults(results);
output.CloseResults();
}
public void FortifyIssue_Parse_IgnoresNonCweTypeExternalCategories()
{
XElement xml = XElement.Parse(s_fullIssueXml);
xml.Element("ExternalCategory").Attribute("type").Value = "a_differnt_type";
FortifyIssue result = Parse(xml);
result.CweIds.Should().BeEmpty();
}
/// <summary>
/// Interface implementation for converting a stream of Fortify report in XML format to a
/// SARIF json format stream.
/// </summary>
/// <exception cref="ArgumentNullException">Thrown when one or more required arguments are null.</exception>
/// <param name="input">Stream of the Fortify report.</param>
/// <param name="output">Stream of SARIF json.</param>
public void Convert(Stream input, IResultLogWriter output)
{
if (input == null)
{
throw new ArgumentNullException("input");
}
if (output == null)
{
throw new ArgumentNullException("output");
}
var settings = new XmlReaderSettings
{
DtdProcessing = DtdProcessing.Ignore,
IgnoreWhitespace = true,
NameTable = _nameTable
};
var results = new List <Result>();
using (XmlReader reader = XmlReader.Create(input, settings))
{
while (reader.Read())
{
while (Ref.Equal(reader.LocalName, _strings.Issue))
{
FortifyIssue fortify = FortifyIssue.Parse(reader, _strings);
results.Add(ConvertFortifyIssueToSarifIssue(fortify));
}
}
}
var tool = new Tool
{
Name = "Fortify"
};
var fileInfoFactory = new FileInfoFactory(MimeType.DetermineFromFileExtension);
Dictionary <string, IList <FileData> > fileDictionary = fileInfoFactory.Create(results);
output.WriteTool(tool);
if (fileDictionary != null && fileDictionary.Count > 0)
{
output.WriteFiles(fileDictionary);
}
output.OpenResults();
output.WriteResults(results);
output.CloseResults();
}
public void FortifyIssue_RequiresPrimary()
{
var uut = new FortifyIssue(
null,
null,
"category",
"kingdom",
null,
null,
null,
null,
null,
ImmutableArray <int> .Empty
);
}
public void FortifyIssue_RequiresKingdom()
{
var uut = new FortifyIssue(
null,
null,
"category",
null,
null,
null,
null,
s_pathElementA,
null,
ImmutableArray <int> .Empty
);
}
public void FortifyIssue_Parse_CanParseFullIssue()
{
string xml = "<xml>" + s_fullIssueXml + "<following /></xml>";
using (XmlReader reader = Utilities.CreateWhitespaceSkippingXmlReaderFromString(xml))
{
reader.Read(); //<xml>
reader.Read(); //<Issue>
FortifyIssue result = Parse(reader);
Assert.Equal("following", reader.LocalName);
Assert.Equal("7DDEC64A-9142-4943-BB5C-57D6F09C94DC", result.RuleId);
Assert.Equal("BDC8FC3C5AAE67B07F46EC48B928AA6E", result.InstanceId);
Assert.Equal("Format String", result.Category);
Assert.Equal("Input Validation and Representation", result.Kingdom);
Assert.Equal("An attacker can control the format string argument to vfwprintf() at bannedAPIs.m line 225, allowing an attack much like a buffer overflow.", result.Abstract);
Assert.Equal("A message Bill added for testing purposes.", result.AbstractCustom);
Assert.Equal("High", result.Priority);
Assert.Equal(225, result.PrimaryOrSink.LineStart);
Assert.Equal(238, result.Source.LineStart);
result.CweIds.Should().Equal(new[] { 134 });
}
}
public void FortifyIssue_Parse_CanParseMinimalIssue()
{
string xml = "<xml>" + s_minimalIssueXml + "<following /></xml>";
using (XmlReader reader = Utilities.CreateWhitespaceSkippingXmlReaderFromString(xml))
{
reader.Read(); //<xml>
reader.Read(); //<Issue>
FortifyIssue result = Parse(reader);
Assert.Equal("following", reader.LocalName);
Assert.Null(result.RuleId);
Assert.Null(result.InstanceId);
Assert.Equal("Format String", result.Category);
Assert.Equal("Input Validation and Representation", result.Kingdom);
Assert.Null(result.Abstract);
Assert.Null(result.AbstractCustom);
Assert.Null(result.Priority);
Assert.Equal(225, result.PrimaryOrSink.LineStart);
Assert.Null(result.Source);
result.CweIds.Should().BeEmpty();
}
}
/// <summary>
/// Interface implementation for converting a stream of Fortify report in XML format to a
/// SARIF json format stream.
/// </summary>
/// <exception cref="ArgumentNullException">Thrown when one or more required arguments are null.</exception>
/// <param name="input">Stream of the Fortify report.</param>
/// <param name="output">Stream of SARIF json.</param>
public void Convert(Stream input, IResultLogWriter output)
{
if (input == null)
{
throw new ArgumentNullException("input");
}
if (output == null)
{
throw new ArgumentNullException("output");
}
output.WriteToolAndRunInfo(new ToolInfo
{
Name = "Fortify"
}, null);
var settings = new XmlReaderSettings
{
DtdProcessing = DtdProcessing.Ignore,
IgnoreWhitespace = true,
NameTable = _nameTable
};
using (XmlReader reader = XmlReader.Create(input, settings))
{
while (reader.Read())
{
while (Ref.Equal(reader.LocalName, _strings.Issue))
{
FortifyIssue fortify = FortifyIssue.Parse(reader, _strings);
output.WriteResult(ConvertFortifyIssueToSarifIssue(fortify));
}
}
}
}
/// <summary>
/// Interface implementation for converting a stream of Fortify report in XML format to a
/// SARIF json format stream.
/// </summary>
/// <exception cref="ArgumentNullException">Thrown when one or more required arguments are null.</exception>
/// <param name="input">Stream of the Fortify report.</param>
/// <param name="output">Stream of SARIF json.</param>
/// <param name="dataToInsert">Optionally emitted properties that should be written to log.</param>
public override void Convert(Stream input, IResultLogWriter output, OptionallyEmittedData dataToInsert)
{
if (input == null)
{
throw new ArgumentNullException(nameof(input));
}
if (output == null)
{
throw new ArgumentNullException(nameof(output));
}
var settings = new XmlReaderSettings
{
DtdProcessing = DtdProcessing.Ignore,
IgnoreWhitespace = true,
NameTable = _nameTable,
XmlResolver = null
};
string runDescription = null;
var results = new List <Result>();
using (XmlReader reader = XmlReader.Create(input, settings))
{
while (reader.Read())
{
if (runDescription == null)
{
// Find the executive summary <ReportSection> element
if (StringReference.AreEqual(reader.LocalName, _strings.ReportSection) && reader.IsStartElement())
{
reader.Read(); // Move to Title element
if (reader.ReadElementContentAsString(_strings.Title, String.Empty) == "Executive Summary")
{
reader.Read(); // Move to SubSection element
reader.IgnoreElement(_strings.Title, IgnoreOptions.Required);
reader.IgnoreElement(_strings.Description, IgnoreOptions.Required);
runDescription = reader.ReadElementContentAsString(_strings.Text, String.Empty);
}
}
}
else
{
while (StringReference.AreEqual(reader.LocalName, _strings.Issue))
{
FortifyIssue fortify = FortifyIssue.Parse(reader, _strings);
results.Add(ConvertFortifyIssueToSarifIssue(fortify));
}
}
}
}
var tool = new Tool
{
Name = "Fortify"
};
var fileInfoFactory = new FileInfoFactory(MimeType.DetermineFromFileExtension, dataToInsert);
Dictionary <string, FileData> fileDictionary = fileInfoFactory.Create(results);
var run = new Run()
{
Description = new Message
{
Text = runDescription
},
Tool = tool
};
output.Initialize(run);
if (fileDictionary != null && fileDictionary.Count > 0)
{
output.WriteFiles(fileDictionary);
}
output.OpenResults();
output.WriteResults(results);
output.CloseResults();
}
public void FortifyIssue_CanBeConstructed_WithAllProperties()
{
var uut = new FortifyIssue(
"ruleId",
"iid",
"category",
"kingdom",
"abstract",
"abstractCustom",
"priority",
s_pathElementA,
s_pathElementB,
ImmutableArray.Create(1, 2, 3)
);
Assert.AreEqual("ruleId", uut.RuleId);
Assert.AreEqual("iid", uut.InstanceId);
Assert.AreEqual("category", uut.Category);
Assert.AreEqual("kingdom", uut.Kingdom);
Assert.AreEqual("abstract", uut.Abstract);
Assert.AreEqual("abstractCustom", uut.AbstractCustom);
Assert.AreEqual("priority", uut.Priority);
Assert.AreSame(s_pathElementA, uut.PrimaryOrSink);
Assert.AreSame(s_pathElementB, uut.Source);
uut.CweIds.Should().Equal(new[] { 1, 2, 3 });
}
/// <summary>Converts a Fortify result to a static analysis results interchange format result.</summary>
/// <param name="fortify">The Fortify result convert.</param>
/// <returns>
/// A SARIF result <see cref="Result"/> containing the same content as the supplied
/// <see cref="FortifyIssue"/>.
/// </returns>
public static Result ConvertFortifyIssueToSarifIssue(FortifyIssue fortify)
{
var result = new Result();
result.RuleId = fortify.Category;
result.ToolFingerprint = fortify.InstanceId;
List <string> messageComponents = new List <string>();
if (fortify.Abstract != null)
{
messageComponents.Add(fortify.Abstract);
}
if (fortify.AbstractCustom != null)
{
messageComponents.Add(fortify.AbstractCustom);
}
if (messageComponents.Count == 0)
{
result.Message = String.Format(CultureInfo.InvariantCulture, SarifResources.FortifyFallbackMessage, result.RuleId);
}
else
{
result.Message = String.Join(Environment.NewLine, messageComponents);
}
var extraProperties = new Dictionary <string, string>();
extraProperties.Add("kingdom", fortify.Kingdom);
if (fortify.Priority != null)
{
extraProperties.Add("priority", fortify.Priority);
}
if (!fortify.CweIds.IsDefaultOrEmpty)
{
extraProperties.Add("cwe", String.Join(", ",
fortify.CweIds.Select(id => id.ToString(CultureInfo.InvariantCulture))));
}
if (fortify.RuleId != null)
{
extraProperties.Add("fortifyRuleId", fortify.RuleId);
}
result.Properties = extraProperties;
PhysicalLocation primaryOrSink = ConvertFortifyLocationToPhysicalLocation(fortify.PrimaryOrSink);
result.Locations = new HashSet <Location>
{
new Location
{
ResultFile = primaryOrSink
}
};
if (fortify.Source != null)
{
PhysicalLocation source = ConvertFortifyLocationToPhysicalLocation(fortify.Source);
result.CodeFlows = new HashSet <CodeFlow>
{
new CodeFlow
{
Locations = new List <AnnotatedCodeLocation>
{
new AnnotatedCodeLocation {
PhysicalLocation = source
},
new AnnotatedCodeLocation {
PhysicalLocation = primaryOrSink
}
}
}
};
}
return(result);
}
private static FortifyIssue Parse(XmlReader reader)
{
return(FortifyIssue.Parse(reader, new FortifyStrings(reader.NameTable)));
}
public void FortifyIssue_CanBeConstructed_WithMinimalProperties()
{
var uut = new FortifyIssue(
null,
null,
"category",
"kingdom",
null,
null,
null,
s_pathElementA,
null,
ImmutableArray<int>.Empty
);
Assert.IsNull(uut.RuleId);
Assert.IsNull(uut.InstanceId);
Assert.AreEqual("category", uut.Category);
Assert.AreEqual("kingdom", uut.Kingdom);
Assert.IsNull(uut.Abstract);
Assert.IsNull(uut.AbstractCustom);
Assert.IsNull(uut.Priority);
Assert.AreSame(s_pathElementA, uut.PrimaryOrSink);
Assert.IsNull(uut.Source);
uut.CweIds.Should().BeEmpty();
}
/// <summary>Converts a Fortify result to a static analysis results interchange format result.</summary>
/// <param name="fortify">The Fortify result convert.</param>
/// <returns>
/// A SARIF result <see cref="Result"/> containing the same content as the supplied
/// <see cref="FortifyIssue"/>.
/// </returns>
public static Result ConvertFortifyIssueToSarifIssue(FortifyIssue fortify)
{
var result = new Result();
result.RuleId = fortify.Category;
result.ToolFingerprintContribution = fortify.InstanceId;
List<string> messageComponents = new List<string>();
if (fortify.Abstract != null)
{
messageComponents.Add(fortify.Abstract);
}
if (fortify.AbstractCustom != null)
{
messageComponents.Add(fortify.AbstractCustom);
}
if (messageComponents.Count == 0)
{
result.Message = String.Format(CultureInfo.InvariantCulture, ConverterResources.FortifyFallbackMessage, result.RuleId);
}
else
{
result.Message = String.Join(Environment.NewLine, messageComponents);
}
result.SetProperty("kingdom", fortify.Kingdom);
if (fortify.Priority != null)
{
result.SetProperty("priority", fortify.Priority);
}
if (!fortify.CweIds.IsDefaultOrEmpty)
{
result.SetProperty("cwe", String.Join(", ",
fortify.CweIds.Select(id => id.ToString(CultureInfo.InvariantCulture))));
}
if (fortify.RuleId != null)
{
result.SetProperty("fortifyRuleId", fortify.RuleId);
}
PhysicalLocation primaryOrSink = ConvertFortifyLocationToPhysicalLocation(fortify.PrimaryOrSink);
result.Locations = new List<Location>
{
new Location
{
ResultFile = primaryOrSink
}
};
if (fortify.Source != null)
{
PhysicalLocation source = ConvertFortifyLocationToPhysicalLocation(fortify.Source);
result.CodeFlows = new List<CodeFlow>
{
new CodeFlow
{
Locations = new List<AnnotatedCodeLocation>
{
new AnnotatedCodeLocation
{
PhysicalLocation = source
},
new AnnotatedCodeLocation
{
PhysicalLocation = primaryOrSink
}
}
}
};
}
return result;
}
public void FortifyIssue_ParseCweIds_SortsCweIds()
{
FortifyIssue.ParseCweIds("CWE ID 787, CWE ID 134").Should().Equal(new[] { 134, 787 });
}
public void FortifyIssue_ParseCweIds_UniquesCweIds()
{
FortifyIssue.ParseCweIds("CWE ID 134, CWE ID 134").Should().Equal(new[] { 134 });
}
public void FortifyIssue_ParseCweIds_MultipleCweIds()
{
FortifyIssue.ParseCweIds("CWE ID 134, CWE ID 787").Should().Equal(new[] { 134, 787 });
}
public void FortifyIssue_ParseCweIds_SingleCweId()
{
FortifyIssue.ParseCweIds("CWE ID 476").Should().Equal(new[] { 476 });
}
/// <summary>
/// Interface implementation for converting a stream of Fortify report in XML format to a
/// SARIF json format stream.
/// </summary>
/// <exception cref="ArgumentNullException">Thrown when one or more required arguments are null.</exception>
/// <param name="input">Stream of the Fortify report.</param>
/// <param name="output">Stream of SARIF json.</param>
/// <param name="dataToInsert">Optionally emitted properties that should be written to log.</param>
public override void Convert(Stream input, IResultLogWriter output, OptionallyEmittedData dataToInsert)
{
if (input == null)
{
throw new ArgumentNullException(nameof(input));
}
if (output == null)
{
throw new ArgumentNullException(nameof(output));
}
var settings = new XmlReaderSettings
{
DtdProcessing = DtdProcessing.Ignore,
IgnoreWhitespace = true,
NameTable = _nameTable,
XmlResolver = null
};
string runDescription = null;
var results = new List <Result>();
using (XmlReader reader = XmlReader.Create(input, settings))
{
while (reader.Read())
{
if (runDescription == null)
{
// Find the executive summary <ReportSection> element
if (StringReference.AreEqual(reader.LocalName, _strings.ReportSection) && reader.IsStartElement())
{
reader.Read(); // Move to Title element
if (reader.ReadElementContentAsString(_strings.Title, String.Empty) == "Executive Summary")
{
reader.Read(); // Move to SubSection element
reader.IgnoreElement(_strings.Title, IgnoreOptions.Required);
reader.IgnoreElement(_strings.Description, IgnoreOptions.Required);
runDescription = reader.ReadElementContentAsString(_strings.Text, String.Empty);
}
}
}
else
{
while (StringReference.AreEqual(reader.LocalName, _strings.Issue))
{
FortifyIssue fortify = FortifyIssue.Parse(reader, _strings);
results.Add(ConvertFortifyIssueToSarifIssue(fortify));
}
}
}
}
var run = new Run()
{
AutomationDetails = new RunAutomationDetails
{
Description = new Message
{
Text = runDescription
}
},
Tool = new Tool {
Driver = new ToolComponent {
Name = ToolName
}
}
};
PersistResults(output, results, run);
}
public void FortifyIssue_RequiresKingdom()
{
var uut = new FortifyIssue(
null,
null,
"category",
null,
null,
null,
null,
s_pathElementA,
null,
ImmutableArray<int>.Empty
);
}
public void FortifyIssue_RequiresPrimary()
{
var uut = new FortifyIssue(
null,
null,
"category",
"kingdom",
null,
null,
null,
null,
null,
ImmutableArray<int>.Empty
);
}
/// <summary>Converts a Fortify result to a static analysis results interchange format result.</summary>
/// <param name="fortify">The Fortify result convert.</param>
/// <returns>
/// A SARIF result <see cref="Result"/> containing the same content as the supplied
/// <see cref="FortifyIssue"/>.
/// </returns>
public static Result ConvertFortifyIssueToSarifIssue(FortifyIssue fortify)
{
var result = new Result();
result.RuleId = fortify.Category;
if (!string.IsNullOrWhiteSpace(fortify.InstanceId))
{
if (result.PartialFingerprints == null)
{
result.PartialFingerprints = new Dictionary <string, string>();
}
SarifUtilities.AddOrUpdateDictionaryEntry(result.PartialFingerprints, "InstanceId", fortify.InstanceId);
}
List <string> messageComponents = new List <string>();
if (fortify.Abstract != null)
{
messageComponents.Add(fortify.Abstract);
}
if (fortify.AbstractCustom != null)
{
messageComponents.Add(fortify.AbstractCustom);
}
if (messageComponents.Count == 0)
{
result.Message = new Message
{
Text = String.Format(CultureInfo.InvariantCulture, ConverterResources.FortifyFallbackMessage, result.RuleId)
};
}
else
{
result.Message = new Message
{
Text = String.Join(Environment.NewLine, messageComponents)
};
}
result.SetProperty("kingdom", fortify.Kingdom);
if (fortify.Priority != null)
{
result.SetProperty("priority", fortify.Priority);
}
if (!fortify.CweIds.IsDefaultOrEmpty)
{
result.SetProperty("cwe", String.Join(", ",
fortify.CweIds.Select(id => id.ToString(CultureInfo.InvariantCulture))));
}
if (fortify.RuleId != null)
{
result.SetProperty("fortifyRuleId", fortify.RuleId);
}
PhysicalLocation primaryOrSink = ConvertFortifyLocationToPhysicalLocation(fortify.PrimaryOrSink);
result.Locations = new List <Location>
{
new Location
{
PhysicalLocation = primaryOrSink
}
};
if (fortify.Source != null)
{
PhysicalLocation source = ConvertFortifyLocationToPhysicalLocation(fortify.Source);
var locations = new List <CodeFlowLocation>()
{
new CodeFlowLocation {
Location = new Location {
PhysicalLocation = source
}
},
new CodeFlowLocation {
Location = new Location {
PhysicalLocation = primaryOrSink
}
}
};
result.CodeFlows = new List <CodeFlow>()
{
SarifUtilities.CreateSingleThreadedCodeFlow(locations)
};
}
return(result);
}
public void FortifyIssue_ParseCweIds_NoIds()
{
FortifyIssue.ParseCweIds("1234").Should().BeEmpty();
}
