/// <summary>
/// Stores the supplied findings in a fresh <c>O2Assessment</c>, saves it in the OunceV6
/// format and logs the path of the file that was written.
/// </summary>
/// <param name="findingsToRemove">Findings to place in the new assessment file.</param>
private static void saveFindingsAsNewAssessment(List<IO2Finding> findingsToRemove)
{
    var ounceV6Saver = new O2AssessmentSave_OunceV6();
    var assessmentWithDuplicates = new O2Assessment(findingsToRemove);
    var savedTo = assessmentWithDuplicates.save(ounceV6Saver);
    O2Cmd.log.write("O2Assessment WITH duplicate findings saved to: {0}", savedTo);
}
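/// <summary>
/// Converts the loaded CAT.NET XML results into an O2 assessment file (OunceV6 format).
/// </summary>
/// <param name="sTargetOzasmtFile">Path of the .ozasmt file to write.</param>
/// <returns>
/// <c>true</c> when at least one finding was converted and the file was written;
/// <c>false</c> when there is no CAT.NET XML, no findings, the save failed, or an exception occurred.
/// </returns>
public bool convert(String sTargetOzasmtFile)
{
    try
    {
        // Nothing to convert when no CAT.NET XML document has been loaded
        if (catNetXml == null || catNetXml.InnerXml == "")
        {
            return false;
        }
        var o2Assessment = new O2Assessment();
        addCatNetResultsAsFindings(o2Assessment, catNetXml);
        int findingsCount = o2Assessment.o2Findings.Count;
        if (findingsCount > 0)
        {
            // The save result was previously ignored, so a failed write still reported success
            if (!o2Assessment.save(new O2AssessmentSave_OunceV6(), sTargetOzasmtFile))
            {
                PublicDI.log.error("Failed to save converted ozasmt file to: " + sTargetOzasmtFile);
                return false;
            }
            // The original format string used {0} for both placeholders, so the findings count was never logged
            PublicDI.log.info("Converted ozasmt file (with {0} findings) saved to {1}", findingsCount, sTargetOzasmtFile);
            return true;
        }
        PublicDI.log.info("There were no findings in converted file (from: {0})", sTargetOzasmtFile);
    }
    catch (Exception ex)
    {
        PublicDI.log.ex(ex, "in CatNetConverted.convert");
    }
    return false;
}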
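/// <summary>
/// Loads the serialized CIR data, runs <c>AspNetAnalysis.findParameterStaticValueInMethodX</c>
/// on it and stores the resulting findings in <c>clickButtonMappingOzasmt</c>.
/// </summary>
public void findParameterStaticValueInMethodX()
{
    var cirData = CirLoad.loadSerializedO2CirDataObject(cirDataFile_BigOne);
    var result = AspNetAnalysis.findParameterStaticValueInMethodX(cirData);
    // Check the result before handing it to the assessment: the null check used to run after the
    // save, so a null result surfaced as an exception instead of a failed assertion
    Assert.IsNotNull(result, "Result was null");
    var createdAssessment = new O2Assessment { o2Findings = result };
    createdAssessment.save(new O2AssessmentSave_OunceV6(), clickButtonMappingOzasmt);
}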
/// <summary>
/// Loads the HacmeBank default-rules scan, replaces its findings with the web control
/// sources found by <c>AspNetAnalysis.findWebControlSources</c>, and saves the result
/// to <c>ozasmtWithHacmeBankWebControlMappings</c>.
/// </summary>
public void findWebControlSources()
{
    string scanFile = ozasmtHacmeBankScanWithDefaultRules;
    Assert.IsTrue(File.Exists(scanFile), "ozasmtHacmeBankScanWithDefaultRules could not be found");

    var assessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), scanFile);
    var webControlSources = AspNetAnalysis.findWebControlSources(assessment.o2Findings);
    assessment.o2Findings = webControlSources;
    Assert.IsTrue(assessment.o2Findings.Count > 0, "There were no Findings calculated");

    assessment.save(new O2AssessmentSave_OunceV6(), ozasmtWithHacmeBankWebControlMappings);
}
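/// <summary>
/// Saves a list of findings as a new OunceV6 .ozasmt file and logs the outcome.
/// </summary>
/// <param name="assessmentName">Name given to the new assessment.</param>
/// <param name="o2Findings">Findings to store; a null list is logged and skipped.</param>
/// <param name="pathToNewOzasmtFile">Destination path of the .ozasmt file.</param>
public static void saveFindingsAsNewOzasmtFile(string assessmentName, List<IO2Finding> o2Findings, string pathToNewOzasmtFile)
{
    if (o2Findings == null)
    {
        // Previously a null list reached o2Findings.Count and failed with a NullReferenceException
        O2Cmd.log.write("No findings provided (null list), ozasmt file not created: {0}", pathToNewOzasmtFile);
        return;
    }
    var o2Assessment = new O2Assessment { name = assessmentName, o2Findings = o2Findings };
    if (o2Assessment.save(new O2AssessmentSave_OunceV6(), pathToNewOzasmtFile))
    {
        O2Cmd.log.write("Ozasmt file created with {0} findings: {1}", o2Findings.Count, pathToNewOzasmtFile);
    }
    else
    {
        // A failed save used to return silently
        O2Cmd.log.write("Failed to create Ozasmt file: {0}", pathToNewOzasmtFile);
    }
}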
/// <summary>
/// Loads the click-button-source / System.Data-sink results, maps TextBox web controls as
/// sinks via <c>AspNetAnalysis.mapTextBoxWebControlsAsSinks</c>, and saves the mapped
/// findings to <c>resultsFilefor_clickButtonSource_SystemDataSink_withTexBoxMapping</c>.
/// </summary>
public void mapTextBoxWebControlsAsSinks()
{
    string inputFile = resultsFilefor_clickButtonSource_SystemDataSink;
    Assert.IsTrue(File.Exists(inputFile), "resultsFilefor_clickButtonSource_SystemDataSink doesn't exist");

    var loadedAssessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), inputFile);
    var mappedFindings = AspNetAnalysis.mapTextBoxWebControlsAsSinks(loadedAssessment.o2Findings);
    Assert.IsTrue(mappedFindings.Count > 0, "no findings calculated");

    var outputAssessment = new O2Assessment();
    outputAssessment.o2Findings = mappedFindings;
    outputAssessment.save(new O2AssessmentSave_OunceV6(), resultsFilefor_clickButtonSource_SystemDataSink_withTexBoxMapping);
}
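/// <summary>
/// Test: an assessment with a custom name can be saved and the name survives a reload.
/// </summary>
public void CreateCustomAssessmentFile() // Test to see if we can successfully create custom findings
{
    const string name = "Test Name";
    var o2Assessment = new O2Assessment { name = name };
    Assert.IsTrue(o2Assessment.save(o2AssessmentSave, sFileToCreate), "SaveAssessmentRun failed");

    var o2AssessmentLoaded = new O2Assessment(o2AssessmentLoad, sFileToCreate);
    // The failure message used to read "Name matches", which is the opposite of what a failure means
    Assert.AreEqual(name, o2AssessmentLoaded.name, "Loaded assessment name does not match the saved name");
}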
/// <summary>
/// Glues click-button traces (sinks with sources) from the mapping and both-layers
/// assessments, keeps only the findings with a System.Data sink, and saves them to
/// <c>resultsFilefor_clickButtonSource_SystemDataSink</c>.
/// </summary>
public void createClickButtonTraces()
{
    string outputFile = resultsFilefor_clickButtonSource_SystemDataSink;

    var gluedFindings = OzasmtGlue.glueTraceSinkWithSources(new O2AssessmentLoad_OunceV6(), clickButtonMappingOzasmt, bothLayersOzasmt);
    var o2Assessment = new O2Assessment();
    o2Assessment.o2Findings = gluedFindings;
    Assert.IsTrue(o2Assessment.o2Findings.Count > 0, "no findings calculated");

    // keep only the traces that end in a System.Data sink
    var systemDataSinkFindings = OzasmtFilter.getFindingsWithSink(o2Assessment.o2Findings, "System.Data");
    o2Assessment.o2Findings = systemDataSinkFindings;
    Assert.IsTrue(o2Assessment.o2Findings.Count > 0, "no System.Data Sinks found");

    o2Assessment.save(new O2AssessmentSave_OunceV6(), outputFile);
    Assert.IsTrue(File.Exists(outputFile), "resultsFilefor_clickButtonSource_SystemDataSink doesn't exist");
}
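/// <summary>
/// Loads <c>ozasmtFileToLoad</c>, keeps the findings whose <c>_SinkToSource</c> contains
/// "Attribute", saves them as a new OunceV6 assessment and opens them in the findings viewer.
/// </summary>
public static void filterFindings_usingForEachLoop()
{
    var o2Assessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), ozasmtFileToLoad);
    log.info("Assessment file loaded with {0} findings", o2Assessment.o2Findings.Count);

    var results = new List<IO2Finding>();
    foreach (O2Finding o2Finding in o2Assessment.o2Findings)
    {
        if (o2Finding._SinkToSource.IndexOf("Attribute") > -1)
        {
            results.Add(o2Finding);
        }
    }
    log.info("There are {0} findings that match filter", results.Count);

    var newAssessmentFile = new O2Assessment(results);
    var savedFile = newAssessmentFile.save(new O2AssessmentSave_OunceV6());
    log.info("Filtered results saved to: {0}", savedFile);

    // results is already a List<IO2Finding>; the previous ToList() copy (and an unused
    // "Hello O2 World" local) have been removed
    ascx_FindingsViewer.openInFloatWindow(results);
}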
/// <summary>
/// End-to-end mapping test: maps web control sources in the Ounce scan, converts the
/// WebInspect SQL injection PoC results into O2 findings, glues both on trace names
/// and finally writes an assessment containing all traces.
/// </summary>
public void mapWebInspectMappingsToOzamstFindings()
{
    // --- Ounce assessment: map web control sources ---
    string ounceScanFile = ozasmtHacmeBankScanWithDefaultRules;
    Assert.IsTrue(File.Exists(ounceScanFile), "ozasmtHacmeBankScanWithDefaultRules could not be found");
    var ounceScan = new O2Assessment(new O2AssessmentLoad_OunceV6(), ounceScanFile);
    ounceScan.o2Findings = AspNetAnalysis.findWebControlSources(ounceScan.o2Findings);
    Assert.IsTrue(ounceScan.o2Findings.Count > 0, "There were no Findings calculated");
    ounceScan.save(new O2AssessmentSave_OunceV6(), ozasmtWithHacmeBankWebControlMappings);

    // --- WebInspect results: convert SQL injection PoC findings ---
    string webInspectFile = webInspectFileWithResults;
    Assert.IsTrue(File.Exists(webInspectFile), "webInspectFileWithResults does not exist");
    var webInspectFindings = WebInspectConverter.loadWebInspectResultsAndReturnO2FindingsFor_SqlInjection_PoC2(webInspectFile);
    var webInspectScan = new O2Assessment();
    webInspectScan.o2Findings = webInspectFindings;
    Assert.IsTrue(webInspectScan.o2Findings.Count > 0, "No O2 findings created");
    webInspectScan.save(new O2AssessmentSave_OunceV6(), ozasmtFileWebInspectMappings);

    // --- glue WebInspect findings onto the Ounce web control mappings by trace name ---
    var gluedFindings = OzasmtGlue.glueOnTraceNames(new O2AssessmentLoad_OunceV6(),
                                                    ozasmtFileWebInspectMappings,
                                                    ozasmtWithHacmeBankWebControlMappings,
                                                    "Spring MVC Glue");
    var gluedScan = new O2Assessment();
    gluedScan.o2Findings = gluedFindings;
    Assert.IsTrue(gluedScan.o2Findings.Count > 0, "No Glued Findings created");
    gluedScan.save(new O2AssessmentSave_OunceV6(), ozasmtWithWebInspectToOunceMappings);

    // --- expand into an assessment holding all (unique) traces ---
    Analysis.createAssessmentFileWithAllTraces(true, false, ozasmtWithWebInspectToOunceMappings,
                                               ozasmtWithWebInspectToOunceMappings_UniqueTraces);
}
/// <summary>
/// Builds O2 findings from every CIR function in <paramref name="cirDataAnalysis"/> (keyed by
/// signature), saves them as a new OunceV6 assessment and returns the saved file path.
/// Each phase is timed with an <c>O2Timer</c>.
/// </summary>
/// <param name="cirDataAnalysis">Analysis whose <c>dCirFunction_bySignature</c> values are converted.</param>
/// <returns>Path of the saved assessment file, as returned by <c>O2Assessment.save</c>.</returns>
public static string createO2AssessmentWithCallFlowTraces(ICirDataAnalysis cirDataAnalysis)
{
    DI.log.info("Creating O2Assessment With Call Flow Traces");

    var findingsTimer = new O2Timer("Created list of finding").start();
    var functionsBySignature = cirDataAnalysis.dCirFunction_bySignature.Values;
    var callFlowFindings = createO2FindingsFromCirFunctions(functionsBySignature);
    findingsTimer.stop();

    var saveTimer = new O2Timer("Saved Assessment").start();
    var assessment = new O2Assessment { o2Findings = callFlowFindings };
    var savedFile = assessment.save(new O2AssessmentSave_OunceV6());
    DI.log.info("Saved O2Asssessment file created: {0}", savedFile);
    saveTimer.stop();

    return savedFile;
}
/* public static void loadAssessmentFileAndShowAllFindings()
 * {
 *     var o2Assessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), ozasmtFileToLoad);
 *     ascx_FindingsViewer.openInFloatWindow(o2Assessment.o2Findings);
 * }*/

/// <summary>
/// Collects the sink and source findings to join, runs both lists through the
/// sink-context HashMap vuln-name fixers, joins traces where a sink matches a source,
/// saves the joined findings as a new OunceV6 assessment and opens them in the viewer.
/// </summary>
public static void joinTraces()
{
    const string hashMapKeyPrefix = "Findings_With_HashMap_To_Join_";

    var sinks = new List<IO2Finding>();
    var sources = new List<IO2Finding>();
    findTracesToJoin(sinks, sources);

    fixSinkVulnNamesBasedOnSinkContextHashMapKey(hashMapKeyPrefix, sinks);
    fixSourceVulnNamesBasedOnSinkContextHashMapKey(hashMapKeyPrefix, sources);

    var joinedFindings = joinTracesWhereSinkMatchesSource(sinks, sources);
    var savedFile = new O2Assessment(joinedFindings).save(new O2AssessmentSave_OunceV6());
    log.info("Filtered results saved to: {0}", savedFile);

    ascx_FindingsViewer.openInFloatWindow(joinedFindings);
}
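/// <summary>
/// Saves the given findings to the file named in <c>tbSavedFileName</c>, either in the
/// O2 binary format or through the configured <c>o2AssessmentSave</c> engine, and shows
/// <c>lbFileSaved</c> on success. The save buttons are disabled for the duration.
/// </summary>
/// <param name="o2FindingsToSave">Findings to write; they are first made OunceV6-compatible.</param>
/// <param name="saveIntoO2BinaryFormat">
/// When <c>true</c> the O2 binary format is used (appending <c>O2FindingsFileExtension</c> if missing);
/// otherwise the <c>o2AssessmentSave</c> engine is used.
/// </param>
private void saveFindings(IEnumerable<IO2Finding> o2FindingsToSave, bool saveIntoO2BinaryFormat)
{
    btSaveFindings.Enabled = false;
    btSave.Enabled = false;
    try
    {
        // The engine is only needed for the non-binary path. The original code logged "Aborting"
        // but then fell through and called save(null, ...) anyway because the block below was not an else.
        if (!saveIntoO2BinaryFormat && o2AssessmentSave == null)
        {
            //PublicDI.log.showMessageBox("Aborting save since there is no O2AssessmentSave Engine configured");
            PublicDI.log.error("Aborting save since there is no O2AssessmentSave Engine configured");
            return;
        }

        OzasmtCompatibility.makeCompatibleWithOunceV6(o2FindingsToSave);
        string targetFile = tbSavedFileName.Text;
        var o2Assessment = new O2Assessment();
        o2Assessment.name = assessmentName;
        o2Assessment.o2Findings.AddRange(o2FindingsToSave);

        bool saved;
        if (saveIntoO2BinaryFormat)
        {
            string o2Extension = PublicDI.config.O2FindingsFileExtension;
            // File extensions are not case-sensitive on Windows, so compare ignoring case
            if (!string.Equals(Path.GetExtension(targetFile), o2Extension, StringComparison.OrdinalIgnoreCase))
            {
                targetFile += o2Extension;
                tbSavedFileName.Text = targetFile;
            }
            saved = o2Assessment.saveAsO2Format(targetFile);
        }
        else
        {
            saved = o2Assessment.save(o2AssessmentSave, targetFile);
        }

        if (saved)
        {
            lbFileSaved.Visible = true;
        }
    }
    finally
    {
        // Re-enable on every path (the abort path previously left both buttons disabled)
        btSaveFindings.Enabled = true;
        btSave.Enabled = true;
    }
}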
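/// <summary>
/// Test: findings with traces (a flat trace and a trace tree with source and sink paths)
/// round-trip through <c>o2AssessmentSave</c> / <c>o2AssessmentLoad</c> with all trace fields intact.
/// </summary>
public void CreateFinding_WithTrace()
{
    string sFileToCreate = DI.config.TempFileNameInTempDirectory;
    const uint line_number = 2;
    const uint column_number = 3;
    const uint ordinal = 1;
    const string context = "TraceContext";
    const string signature = "TraceSignature";
    const string clazz = "class.this.trace.is.in";
    const string file = @"c:\o2\temp\file\trace\is\in.cs";
    const string method = "methodExectuted";
    const uint taintPropagation = 0;
    var text = new List<string> { "this is a text inside a trace" };

    var o2Assessment = new O2Assessment();

    // Finding #1: a single flat trace with every field populated
    var o2Finding1 = new O2Finding("vulnName.Testing.TraceCreation", "vulnType.CustomType", "This is the Context", "This is the caller");
    o2Finding1.o2Traces.Add(new O2Trace
    {
        clazz = clazz,
        columnNumber = column_number,
        context = context,
        file = file,
        lineNumber = line_number,
        method = method,
        ordinal = ordinal,
        signature = signature,
        taintPropagation = taintPropagation,
        text = text,
    });
    o2Assessment.o2Findings.Add(o2Finding1);

    // Finding #2: a root trace with a source path and a sink path as child traces
    // (the original comment wrongly labelled this block "Finding #1" as well)
    const string sinkText = "this is a sink";
    const string methodOnSinkPath = "method call on sink path";
    const string methodOnSourcePath = "method call on source path";
    const string sourceText = "this is a source";
    var o2Finding2 = new O2Finding("Vulnerability.Name", "Vulnerability.Type");
    var o2Trace = new O2Trace("Class.Signature", "Method executed");
    var o2TraceOnSinkPath = new O2Trace(methodOnSinkPath, TraceType.Type_0);
    o2TraceOnSinkPath.childTraces.Add(new O2Trace(sinkText, TraceType.Known_Sink));
    var o2TraceOnSourcePath = new O2Trace(methodOnSourcePath, TraceType.Type_0);
    o2TraceOnSourcePath.childTraces.Add(new O2Trace(sourceText, TraceType.Source));
    o2Trace.childTraces.Add(o2TraceOnSourcePath);
    o2Trace.childTraces.Add(o2TraceOnSinkPath);
    o2Finding2.o2Traces = new List<IO2Trace> { o2Trace };
    o2Assessment.o2Findings.Add(o2Finding2);

    // save assessment file (the save result was previously ignored)
    Assert.IsTrue(o2Assessment.save(o2AssessmentSave, sFileToCreate), "Could not save assessment file");

    // check if data was saved correctly
    var loadedO2Assessment = new O2Assessment(o2AssessmentLoad, sFileToCreate);
    List<IO2Finding> loadedO2Findings = loadedO2Assessment.o2Findings;
    Assert.IsTrue(loadedO2Findings.Count == 2, "There should be 2 findings in the Assessment File");

    // in o2Findings1
    Assert.IsTrue(loadedO2Findings[0].o2Traces.Count == 1, "There should be 1 Trace in the Finding #1");
    IO2Trace loadedO2Trace = loadedO2Findings[0].o2Traces[0];
    Assert.IsTrue(loadedO2Trace.clazz == clazz, "clazz");
    Assert.IsTrue(loadedO2Trace.columnNumber == column_number, "columnNumber");
    Assert.IsTrue(loadedO2Trace.context == context, "context");
    Assert.IsTrue(loadedO2Trace.file == file, "file");
    Assert.IsTrue(loadedO2Trace.lineNumber == line_number, "lineNumber");
    Assert.IsTrue(loadedO2Trace.method == method, "method");
    Assert.IsTrue(loadedO2Trace.ordinal == ordinal, "ordinal");
    Assert.IsTrue(loadedO2Trace.signature == signature, "signature");
    Assert.IsTrue(loadedO2Trace.taintPropagation == taintPropagation, "taintPropagation");
    Assert.IsTrue(loadedO2Trace.text[0] == text[0], "text");

    // in o2Findings2
    var finding2Traces = loadedO2Findings[1].o2Traces;
    Assert.IsTrue(finding2Traces.Count == 1, "There should be 1 Trace in the Finding #2");
    Assert.IsTrue(finding2Traces[0].childTraces.Count == 2, "There should be 2 child traces in this trace");
    var loadedSink = OzasmtUtils.getKnownSink(finding2Traces);
    Assert.IsNotNull(loadedSink, "Could not find Sink");
    Assert.IsTrue(loadedSink.clazz == sinkText, "Sink text didn't match");
    // Mirror the sink check: a missing source used to surface as a NullReferenceException
    // on .clazz instead of a failed assertion
    var loadedSource = OzasmtUtils.getSource(finding2Traces);
    Assert.IsNotNull(loadedSource, "Could not find Source");
    Assert.IsTrue(loadedSource.clazz == sourceText, "Source text didn't match");
}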
/// <summary>
/// Test: a fully populated O2Finding (plus one built through the 4-argument constructor)
/// round-trips through <c>o2AssessmentSave</c> / <c>o2AssessmentLoad</c>, and every field of
/// the first finding reads back unchanged.
/// </summary>
public void CreateFinding()
{
    string sFileToCreate = DI.config.TempFileNameInTempDirectory;

    // expected values for the fully populated finding
    const string file = @"c:\O2\Temp\testFile.cs";
    const uint record_id = 1;
    const uint line_number = 2;
    const uint column_number = 3;
    const uint actionobject_id = 4;
    const byte severity = 3;
    const byte confidence = 2;
    const bool exclude = false;
    const uint ordinal = 1;
    const string context = "context";
    const string vuln_name = "vuln_name";
    const string caller_name = "caller_name";
    const string vuln_type = "vuln_type";
    const string project_name = "project_name";
    const string property_ids = "property_ids";

    // create test O2Finding objects
    var fullyPopulatedFinding = new O2Finding
    {
        actionObject = actionobject_id,
        confidence = confidence,
        file = file,
        columnNumber = column_number,
        exclude = exclude,
        lineNumber = line_number,
        ordinal = ordinal,
        recordId = record_id,
        severity = severity,
        context = context,
        vulnName = vuln_name,
        callerName = caller_name,
        vulnType = vuln_type,
        projectName = project_name,
        propertyIds = property_ids
    };
    var constructorBuiltFinding = new O2Finding(vuln_name, vuln_type, context, caller_name);

    // add O2Findings and save the assessment run
    var o2Assessment = new O2Assessment();
    o2Assessment.o2Findings.Add(fullyPopulatedFinding);
    o2Assessment.o2Findings.Add(constructorBuiltFinding);
    o2Assessment.save(o2AssessmentSave, sFileToCreate);

    // check that the created file reloads correctly
    var loadedO2Assessment = new O2Assessment(o2AssessmentLoad, sFileToCreate);
    Assert.IsTrue(loadedO2Assessment.o2Findings.Count == 2, "There should be 2 findings saved");

    IO2Finding loadedFinding = loadedO2Assessment.o2Findings[0];
    Assert.IsTrue(loadedFinding.actionObject == actionobject_id, "actionobject_id");
    Assert.IsTrue(loadedFinding.confidence == confidence, "confidence");
    Assert.IsTrue(loadedFinding.file == file, "file");
    Assert.IsTrue(loadedFinding.columnNumber == column_number, "column_number");
    Assert.IsTrue(loadedFinding.exclude == exclude, "exclude");
    Assert.IsTrue(loadedFinding.lineNumber == line_number, "line_number");
    Assert.IsTrue(loadedFinding.ordinal == ordinal, "ordinal");
    Assert.IsTrue(loadedFinding.recordId == record_id, "record_id");
    Assert.IsTrue(loadedFinding.severity == severity, "severity");
    Assert.IsTrue(loadedFinding.context == context, "context");
    Assert.IsTrue(loadedFinding.vulnName == vuln_name, "vuln_name");
    Assert.IsTrue(loadedFinding.callerName == caller_name, "caller_name");
    Assert.IsTrue(loadedFinding.vulnType == vuln_type, "vuln_type");
    Assert.IsTrue(loadedFinding.projectName == project_name, "project_name");
    Assert.IsTrue(loadedFinding.propertyIds == property_ids, "property_ids");
}