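public static string saveFindings(this List<IO2Finding> o2Findings)
{
    // Wraps the findings in a new O2Assessment, writes it out in Ounce v6 (.ozasmt) format to a
    // file chosen by the saver, logs the result and returns that file's path.
    var savedFile = new O2Assessment(o2Findings).save(new O2AssessmentSave_OunceV6());
    // "Assessment" was misspelled ("Assessemnt") in the original log line
    "Assessment File saved with {0} findings: {1}".info(o2Findings.Count, savedFile);
    return savedFile;
}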
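public bool convert(String sTargetOzasmtFile)
{
    // Converts the loaded CAT.NET report (catNetXml) into an Ounce v6 .ozasmt file at sTargetOzasmtFile.
    // Returns true only when at least one finding was produced AND the save succeeded; false when
    // there is no report, no findings, the save fails, or an exception occurs (logged, not rethrown).
    try
    {
        if (catNetXml == null || catNetXml.InnerXml == "")
        {
            return false;
        }
        var o2Assessment = new O2Assessment();
        addCatNetResultsAsFindings(o2Assessment, catNetXml);
        var findingsCount = o2Assessment.o2Findings.Count;
        if (findingsCount > 0)
        {
            // the original ignored save()'s bool and reported success even when nothing was written
            if (!o2Assessment.save(new O2AssessmentSave_OunceV6(), sTargetOzasmtFile))
            {
                PublicDI.log.error("Failed to save converted ozasmt file to {0}", sTargetOzasmtFile);
                return false;
            }
            // the original format string used {0} twice and never passed the findings count
            PublicDI.log.info("Converted ozasmt file (with {0} findings) saved to {1}", findingsCount, sTargetOzasmtFile);
            return true;
        }
        // sTargetOzasmtFile is the output path; the CAT.NET input file is not available here by name
        PublicDI.log.info("There were no findings in converted file (target: {0})", sTargetOzasmtFile);
    }
    catch (Exception ex)
    {
        PublicDI.log.ex(ex, "in CatNetConverted.convert");
    }
    return false;
}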
public static void copyAssessmentStats(string ozasmtWithStats, string ozasmtToUpdate)
{
    // Loads ozasmtToUpdate (Ounce v6 format) and hands it to saveWithAssessmentSourceStats so the
    // source stats taken from ozasmtWithStats are written back into ozasmtToUpdate.
    O2Cmd.log.write("\n Adding stats from file {0} to file {1}", ozasmtWithStats, ozasmtToUpdate);
    IO2Assessment assessmentToUpdate = new O2Assessment(new O2AssessmentLoad_OunceV6(), ozasmtToUpdate);
    saveWithAssessmentSourceStats(ozasmtWithStats, assessmentToUpdate, ozasmtToUpdate);
}
public IO2Assessment loadFile(string fileToLoad)
{
    // Imports fileToLoad into a fresh assessment; null when importFile reports failure.
    var assessment = new O2Assessment();
    return importFile(fileToLoad, assessment) ? assessment : null;
}
private static void saveFindingsAsNewAssessment(List<IO2Finding> findingsToRemove)
{
    // Persists the findings flagged as duplicates as their own Ounce v6 assessment file so they can
    // be inspected separately, and logs where that file was written.
    var duplicatesAssessment = new O2Assessment(findingsToRemove);
    var savedPath = duplicatesAssessment.save(new O2AssessmentSave_OunceV6());
    O2Cmd.log.write("O2Assessment WITH duplicate findings saved to: {0}", savedPath);
}
public static void mapXmlFilesToFindings(string pathToClassFiles, string pathToRootClassFolder, string pathToOzasmtFile, IO2AssessmentLoad o2AssessmentLoad)
{
    // Collects the Java attribute XML files under pathToClassFiles (relative to pathToRootClassFolder),
    // loads pathToOzasmtFile with the given load engine and maps those attributes onto its traces.
    var attributeXmlFiles = getAttributeXmlFiles(pathToClassFiles, pathToRootClassFolder);
    var loadedAssessment = new O2Assessment(o2AssessmentLoad, pathToOzasmtFile);
    mapJavaAttributesToTraces(loadedAssessment, attributeXmlFiles);
}
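public override bool execute()
{
    // Imports every file listed in sourceObject (expected to be a List<string>, as checked against
    // sourceType) into one O2Assessment, advancing the progress bar per file. On success
    // resultsObject holds the assessment and true is returned; false when the source is missing,
    // has the wrong type, or any single import fails.
    if (sourceObject == null)
    {
        DI.log.error("source object was null");
        return false;
    }
    if (sourceObject.GetType() != sourceType)
    {
        // report the expected type from sourceType instead of a hard-coded name, and fix "is was"
        DI.log.error("source object type was not " + sourceType + ", it was " + sourceObject.GetType().FullName);
        return false;
    }
    var filesToProcess = (List<string>)sourceObject;
    setProgressBarValue(filesToProcess.Count);
    var o2Assessment = new O2Assessment();
    foreach (var file in filesToProcess)
    {
        DI.log.info("Importing file {0}", file);
        if (!o2AssessmentLoad.importFile(file, o2Assessment))
        {
            // the original returned false silently; say which file broke the batch
            DI.log.error("Import failed for file: " + file);
            return false;
        }
        DI.log.info("There are {0} Findings loaded ", o2Assessment.o2Findings.Count);
        incProgressBarValue();
    }
    resultsObject = o2Assessment;
    return true;
}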
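private IO2Assessment createO2AssessmentFromCodeCrawlerObject(taintResultSet appScanDEResultsFile, String fileName)
{
    // Builds an O2Assessment from an AppScan DE taint result set: one O2Finding per TaintResult,
    // whose trace tree is source -> step* -> sink. The finding's own file/line are those of the
    // last taint step (the sink's file is not recorded, matching the original).
    var o2Assessment = new O2Assessment();
    o2Assessment.name = "AppScan Import of: " + fileName;
    foreach (taintResultSetTaintResult resultSet in appScanDEResultsFile.TaintResult)
    {
        var o2Finding = new O2Finding();
        o2Finding.vulnName = resultSet.issueID;
        o2Finding.vulnType = resultSet.issueID;
        //o2Finding.severity = resultSet.userSeverity;

        var sourceNode = new O2Trace(resultSet.taintSource.className + "." + resultSet.taintSource.methodName + resultSet.taintSource.methodSignature);
        sourceNode.traceType = TraceType.Source;
        //sourceNode.file = resultSet.taintSource.fileName;

        var lastNode = sourceNode;
        foreach (var taintStep in resultSet.taintStep)
        {
            var stepNode = new O2Trace(taintStep.className + "." + taintStep.methodName + taintStep.methodSignature);
            stepNode.file = taintStep.fileName;
            stepNode.lineNumber = taintStep.highlight.lineNumber;
            if (!string.IsNullOrEmpty(taintStep.snippetText))
            {
                var snippetLines = taintStep.snippetText.Split(new[] { '\n' });
                // Index of the highlighted line inside the snippet. The original indexed with
                // (lineNumber - snippetStartLine) - 1, i.e. it treats snippetStartLine as 1-based
                // relative to the highlight. NOTE(review): confirm that offset against the AppScan schema.
                var contextIndex = taintStep.highlight.lineNumber - taintStep.snippetStartLine - 1;
                // The original guarded only "lineIndex > -1" and then indexed [lineIndex - 1], so a
                // highlight on the first snippet line (or past the end) threw IndexOutOfRange.
                // Out-of-range now falls back to the whole snippet, as the original did for negatives.
                var highlightedLine = (contextIndex >= 0 && contextIndex < snippetLines.Length)
                    ? snippetLines[contextIndex]
                    : taintStep.snippetText;
                stepNode.context = "> " + highlightedLine.Replace("\t", " ").Trim() + " \n\n -------- \n\n" + taintStep.snippetText;
            }
            // the finding itself points at the last taint step
            o2Finding.file = taintStep.fileName;
            o2Finding.lineNumber = taintStep.highlight.lineNumber;
            lastNode.childTraces.Add(stepNode);
            lastNode = stepNode;
        }

        var sinkNode = new O2Trace(resultSet.taintSink.className + "." + resultSet.taintSink.methodName + resultSet.taintSink.methodSignature);
        sinkNode.traceType = TraceType.Known_Sink;
        //sinkNode.file = resultSet.taintSink.fileName;
        lastNode.childTraces.Add(sinkNode);

        o2Finding.o2Traces.Add(sourceNode);
        o2Assessment.o2Findings.Add(o2Finding);
    }
    return o2Assessment;
}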
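public Thread loadO2Assessment(IO2AssessmentLoad o2AssessmentLoad, string pathToFileToLoad)
{
    // Loads pathToFileToLoad with o2AssessmentLoad on a background (MTA) thread, then completes the
    // load on the control's thread (loadO2Assessment(IO2Assessment) + tbSavedFileName) while the
    // "loading" label is visible. Returns the worker thread, or null when there is no load engine or
    // the file does not exist.
    if (o2AssessmentLoad == null || !File.Exists(pathToFileToLoad))
    {
        this.invokeOnThread(() => laLoadingDroppedFile.Visible = false);
        return null;
    }
    return O2Thread.mtaThread(() =>
    {
        this.invokeOnThread(() => laLoadingDroppedFile.Visible = true);
        try
        {
            var loadedAssessment = new O2Assessment(o2AssessmentLoad, pathToFileToLoad);
            using (var uiDone = new AutoResetEvent(false))
            {
                this.invokeOnThread(() =>
                {
                    try
                    {
                        loadO2Assessment(loadedAssessment);
                        tbSavedFileName.Text = cbClearOnOzasmtDrop.Checked
                            ? pathToFileToLoad
                            : PublicDI.config.TempFileNameInTempDirectory + "_" + Path.GetFileName(pathToFileToLoad);
                    }
                    finally
                    {
                        // The original only signalled after the UI work succeeded, so an exception in
                        // loadO2Assessment left the worker blocked in WaitOne forever.
                        uiDone.Set();
                    }
                });
                uiDone.WaitOne();
            }
        }
        finally
        {
            // hide the label even if loading (on either thread) throws
            this.invokeOnThread(() => laLoadingDroppedFile.Visible = false);
        }
    });
}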
public static List<IO2Finding> glueClickButtonTraces(String ClickButtonMappingOzasmt, String webLayerOzasmt, String webServicesLayerOzasmt)
{
    // For each click-button mapping finding, looks up the signature of its known sink among all
    // sub-traces of the web-layer assessment and glues every matching web-layer trace onto a copy
    // of that finding. webServicesLayerOzasmt is not used here (that load is commented out).
    var glued = new List<IO2Finding>();
    var clickButtonAssessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), ClickButtonMappingOzasmt);
    var webLayerAssessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), webLayerOzasmt);
    // var webServices = new O2Assessment(new O2AssessmentLoad_OunceV6(), webServicesLayerOzasmt);
    var webLayerTracesBySignature = OzasmtUtils.getDictionaryWithO2AllSubTraces(webLayerAssessment);
    foreach (var mappingFinding in clickButtonAssessment.o2Findings)
    {
        var sinkSignature = OzasmtUtils.getKnownSink(mappingFinding.o2Traces).signature;
        if (!webLayerTracesBySignature.ContainsKey(sinkSignature))
        {
            continue;
        }
        foreach (var webLayerTrace in webLayerTracesBySignature[sinkSignature])
        {
            glued.Add(OzasmtGlue.createCopyAndGlueTraceSinkWithSource(mappingFinding, webLayerTrace));
        }
    }
    DI.log.debug(" {0} findings in result ", glued.Count);
    return glued;
}
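public static void findTracesToJoin(string ozasmtFileToLoad, string sinkMethodToFind, string sourceMethodToFind, List<IO2Finding> sinkFindings, List<IO2Finding> sourceFindings)
{
    // Loads an Ounce v6 .ozasmt file and partitions its findings: those whose Sink contains
    // sinkMethodToFind go to sinkFindings; otherwise those whose SourceContext contains
    // sourceMethodToFind go to sourceFindings (a finding matching both lands only in sinkFindings).
    // Exceptions are logged, not rethrown; the lists are appended to, never cleared.
    try
    {
        var o2Assessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), ozasmtFileToLoad);
        foreach (O2Finding o2Finding in o2Assessment.o2Findings)
        {
            // ordinal matching: method names are identifiers, so the culture-sensitive
            // IndexOf(string) overload the original used is the wrong tool (CA1307)
            if (o2Finding.Sink.IndexOf(sinkMethodToFind, StringComparison.Ordinal) > -1)
            {
                sinkFindings.Add(o2Finding);
            }
            else if (o2Finding.SourceContext.IndexOf(sourceMethodToFind, StringComparison.Ordinal) > -1)
            {
                sourceFindings.Add(o2Finding);
            }
        }
        PublicDI.log.info("There are {0} sinkFindings ( sink ~= {1} )", sinkFindings.Count, sinkMethodToFind);
        PublicDI.log.info("There are {0} sourceFindings ( source ~= {1})", sourceFindings.Count, sourceMethodToFind);
    }
    catch (Exception ex)
    {
        ex.log("in findTracesToJoin");
    }
}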
public static List<IO2Finding> loadFindingsFile(this string fileToLoad)
{
    // Loads fileToLoad as an Ounce v6 assessment, logs how many findings it holds and returns them.
    var loaded = new O2Assessment(new O2AssessmentLoad_OunceV6(), fileToLoad);
    var findings = loaded.o2Findings;
    "there are {0} findings loaded in this file".info(findings.Count);
    return findings;
}
public static O2Assessment createO2Assessment()
{
    // Test fixture: an assessment holding exactly two findings, one with a trace and one without.
    var fixture = new O2Assessment();
    var findings = fixture.o2Findings;
    findings.Add(CreateFinding_WithTrace());
    findings.Add(CreateFinding_WithNoTrace());
    return fixture;
}
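public static void addCatNetResultsAsFindings(O2Assessment o2Assessment, XmlDocument catNetXml)
{
    // Converts every <Rule>/<Result> element of a CAT.NET XML report into an O2Finding and appends
    // it to o2Assessment.o2Findings. Missing child elements yield empty/zero values instead of a
    // NullReferenceException, and a malformed <Result> is logged and skipped without dropping the
    // remaining results of its rule (the original try/catch wrapped the whole rule).
    // NOTE(review): catNetXml is parsed by the caller - confirm DTD processing / XmlResolver are
    // disabled there, since a report file is untrusted input.
    PublicDI.log.info(" -------------------- ");
    foreach (XmlElement rule in catNetXml.GetElementsByTagName("Rule"))
    {
        var ruleNameElement = rule["Name"];
        var ruleName = ruleNameElement == null ? "Unknown Rule Name" : ruleNameElement.InnerText;
        foreach (XmlNode result in rule.GetElementsByTagName("Result"))
        {
            try
            {
                var entryPoint = result["EntryPoint"];
                var entryPointText = entryPoint == null ? "" : entryPoint.InnerText;
                var signature = getSignatureFromEntryPoint(entryPointText);

                // The original tested "Transformations == null && Transformations["Origin"] != null",
                // which dereferences null when Transformations is absent and throws when Origin is.
                var transformations = result["Transformations"];
                var origin = transformations == null ? null : transformations["Origin"];

                var o2Finding = new O2Finding();
                o2Finding.context = entryPointText;
                var confidenceLevel = result["ConfidenceLevel"];
                o2Finding.confidence = confidenceLevel == null ? (byte)0 : getConfidence(confidenceLevel.InnerText);
                o2Finding.callerName = getMethodNameFromSignature(signature);

                // a missing or non-numeric "line" attribute becomes 0 rather than a FormatException
                uint lineNumber = 0;
                if (origin != null)
                {
                    uint.TryParse(origin.GetAttribute("line"), out lineNumber);
                }
                o2Finding.lineNumber = lineNumber;
                o2Finding.file = origin == null ? "" : origin.GetAttribute("file");
                o2Finding.severity = 2;
                o2Finding.vulnName = signature;
                o2Finding.vulnType = ruleName;

                var resolution = result["Resolution"];
                if (resolution != null)
                {
                    o2Finding.text.Add(resolution.InnerText);
                }
                var problemDescription = result["ProblemDescription"];
                if (problemDescription != null)
                {
                    o2Finding.text.Add(problemDescription.InnerText);
                }
                if (transformations != null)
                {
                    addCatNetTransformationsAsO2Traces(o2Finding, transformations);
                }
                o2Assessment.o2Findings.Add(o2Finding);
            }
            catch (Exception ex)
            {
                PublicDI.log.ex(ex, "in addCatNetResultsAsFindings, while processing a result of rule: " + ruleName);
            }
        }
    }
}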
public static void copyAssessmentStats(string ozasmtSource)//, string ozasmtTarget)
{
    // Loads ozasmtSource (Ounce v6), logs its finding count and re-saves it with its own source
    // stats under an assessment name prefixed "O2 v.5 - ".
    IO2Assessment loaded = new O2Assessment(new O2AssessmentLoad_OunceV6(), ozasmtSource);
    O2Cmd.log.write("Assessment loaded had {0} findings", loaded.o2Findings.Count);
    saveWithAssessmentSourceStats(ozasmtSource, loaded, "O2 v.5 - " + ozasmtSource);
}
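public void findParameterStaticValueInMethodX()
{
    // Runs AspNetAnalysis.findParameterStaticValueInMethodX over the large serialized CIR data set
    // and persists the resulting findings to clickButtonMappingOzasmt (Ounce v6 format).
    var cirData = CirLoad.loadSerializedO2CirDataObject(cirDataFile_BigOne);
    var result = AspNetAnalysis.findParameterStaticValueInMethodX(cirData);
    // assert before using the result: the original asserted after save(), so a null result surfaced
    // as an exception inside save() instead of the intended test failure message
    Assert.IsNotNull(result, "Result was null");
    var createdAssessment = new O2Assessment();
    createdAssessment.o2Findings = result;
    createdAssessment.save(new O2AssessmentSave_OunceV6(), clickButtonMappingOzasmt);
}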
public IO2Assessment loadFile(string fileToLoad)
{
    // Imports fileToLoad into a fresh assessment; null when importFile reports failure.
    var assessment = new O2Assessment();
    if (!importFile(fileToLoad, assessment))
    {
        return null;
    }
    return assessment;
}
public static void addAssessmentToTreeview(TreeView treeView, O2Assessment o2Assessment, bool showStats)
{
    // Adds one root node for o2Assessment (created via O2Forms.newTreeNode with the assessment name,
    // image index 0 and the assessment object); when showStats is set the node is first populated
    // with the assessment's stats.
    var assessmentNode = O2Forms.newTreeNode(o2Assessment.name, o2Assessment.name, 0, o2Assessment);
    if (showStats)
    {
        OzasmtStats.populateTreeNodeWithAssessmentStats(assessmentNode, o2Assessment, 1);
    }
    treeView.Nodes.Add(assessmentNode);
}
public static IO2Assessment loadOzasmt(string ozasmtFileToLoad)
{
    // Loads an Ounce v6 .ozasmt file and logs its finding count; null when the file does not exist.
    if (!File.Exists(ozasmtFileToLoad))
    {
        return null;
    }
    var loaded = new O2Assessment(new O2AssessmentLoad_OunceV6(), ozasmtFileToLoad);
    O2Cmd.log.write("The Ozasmt file loaded has: {0} findings", loaded.o2Findings.Count);
    return loaded;
}
public void loadOunceOzasmtFile(string fileToLoad)
{
    // Loads an Ounce scan, replaces its findings with the web-control sources AspNetAnalysis derives
    // from them, shows the result in fidingsViewer_OunceOzasmt when non-empty, then glues traces.
    var ounceScan = new O2Assessment(new O2AssessmentLoad_OunceV6(), fileToLoad);
    ounceScan.o2Findings = AspNetAnalysis.findWebControlSources(ounceScan.o2Findings);
    var hasWebControlSources = ounceScan.o2Findings.Count > 0;
    if (hasWebControlSources)
    {
        fidingsViewer_OunceOzasmt.loadO2Assessment(ounceScan);
    }
    glueTrace();
}
public void findWebControlSources()
{
    // Derives web-control sources from the HacmeBank default-rules scan and saves them to
    // ozasmtWithHacmeBankWebControlMappings; fails when the input is missing or nothing is found.
    Assert.IsTrue(File.Exists(ozasmtHacmeBankScanWithDefaultRules), "ozasmtHacmeBankScanWithDefaultRules could not be found");
    var scan = new O2Assessment(new O2AssessmentLoad_OunceV6(), ozasmtHacmeBankScanWithDefaultRules);
    scan.o2Findings = AspNetAnalysis.findWebControlSources(scan.o2Findings);
    Assert.IsTrue(scan.o2Findings.Count > 0, "There were no Findings calculated");
    scan.save(new O2AssessmentSave_OunceV6(), ozasmtWithHacmeBankWebControlMappings);
}
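public static void filterFindings_usingLinq()
{
    // Demo: loads ozasmtFileToLoad, keeps the findings whose _SinkToSource contains "Attribute"
    // and opens them in a floating FindingsViewer window.
    var o2Assessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), ozasmtFileToLoad);
    log.info("Assessment file loaded with {0} findings", o2Assessment.o2Findings.Count);
    // Materialise once: the original called ToList() twice on a deferred query, re-running the
    // filter for the log line and again for the viewer. Ordinal comparison, since the filter
    // matches identifier text, not culture-sensitive prose. (The unused "Hello O2 World" local is gone.)
    var results = o2Assessment.o2Findings
        .Cast<O2Finding>()
        .Where(finding => finding._SinkToSource.IndexOf("Attribute", StringComparison.Ordinal) > -1)
        .Cast<IO2Finding>()
        .ToList();
    log.info("There are {0} findings that match filter", results.Count);
    ascx_FindingsViewer.openInFloatWindow(results);
}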
public void mapTextBoxWebControlsAsSinks()
{
    // Maps TextBox web controls as sinks over the click-button/System.Data results file and saves
    // the mapped findings to the "_withTexBoxMapping" results file; fails on missing input or no results.
    Assert.IsTrue(File.Exists(resultsFilefor_clickButtonSource_SystemDataSink), "resultsFilefor_clickButtonSource_SystemDataSink doesn't exist");
    var inputAssessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), resultsFilefor_clickButtonSource_SystemDataSink);
    var mappedFindings = AspNetAnalysis.mapTextBoxWebControlsAsSinks(inputAssessment.o2Findings);
    Assert.IsTrue(mappedFindings.Count > 0, "no findings calculated");
    var outputAssessment = new O2Assessment();
    outputAssessment.o2Findings = mappedFindings;
    outputAssessment.save(new O2AssessmentSave_OunceV6(), resultsFilefor_clickButtonSource_SystemDataSink_withTexBoxMapping);
}
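public static void saveFindingsAsNewOzasmtFile(string assessmentName, List<IO2Finding> o2Findings, string pathToNewOzasmtFile)
{
    // Wraps o2Findings in an assessment named assessmentName and saves it in Ounce v6 format to
    // pathToNewOzasmtFile, logging the outcome either way.
    var o2Assessment = new O2Assessment { name = assessmentName, o2Findings = o2Findings };
    if (o2Assessment.save(new O2AssessmentSave_OunceV6(), pathToNewOzasmtFile))
    {
        O2Cmd.log.write("Ozasmt file created with {0} findings: {1}", o2Findings.Count, pathToNewOzasmtFile);
    }
    else
    {
        // the original was silent when save() returned false, leaving a missing output file unexplained
        O2Cmd.log.write("Failed to create Ozasmt file: {0}", pathToNewOzasmtFile);
    }
}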
public static Thread openInFloatWindow(string ozasmtFile, string controlName)
{
    // Picks the load engine for ozasmtFile from o2AssessmentLoadEngines, loads the file and opens
    // its findings in a floating window named controlName. Returns null when no engine matches
    // or the file yields no findings.
    var loadEngine = OzasmtUtils.getO2AssessmentLoadEngine(ozasmtFile, o2AssessmentLoadEngines);
    if (loadEngine == null)
    {
        return null;
    }
    var findings = new O2Assessment(loadEngine, ozasmtFile).o2Findings;
    if (findings.Count <= 0)
    {
        return null;
    }
    return openInFloatWindow(findings, controlName);
}
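public void CreateCustomAssessmentFile()
{
    // Round-trip test: an assessment carrying only a name is saved with o2AssessmentSave to
    // sFileToCreate and reloaded with o2AssessmentLoad; the name must survive the round trip.
    const string name = "Test Name";
    var o2Assessment = new O2Assessment { name = name };
    Assert.IsTrue(o2Assessment.save(o2AssessmentSave, sFileToCreate), "SaveAssessmentRun failed");
    var o2AssessmentLoaded = new O2Assessment(o2AssessmentLoad, sFileToCreate);
    // The original failure message was "Name matches", which describes success; AreEqual also
    // reports the expected and actual values when it fails.
    Assert.AreEqual(name, o2AssessmentLoaded.name, "Loaded assessment name does not match the saved name");
}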
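public static void filterFindings_usingForEachLoop()
{
    // Demo: loads ozasmtFileToLoad, keeps the findings whose _SinkToSource contains "Attribute",
    // saves them as a new Ounce v6 assessment and opens them in a floating FindingsViewer window.
    var o2Assessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), ozasmtFileToLoad);
    log.info("Assessment file loaded with {0} findings", o2Assessment.o2Findings.Count);
    var results = new List<IO2Finding>();
    foreach (O2Finding o2Finding in o2Assessment.o2Findings)
    {
        // ordinal: the filter matches identifier text, so the culture-sensitive IndexOf(string)
        // the original used is the wrong overload. (The unused "Hello O2 World" local is gone.)
        if (o2Finding._SinkToSource.IndexOf("Attribute", StringComparison.Ordinal) > -1)
        {
            results.Add(o2Finding);
        }
    }
    log.info("There are {0} findings that match filter", results.Count);
    var filteredAssessment = new O2Assessment(results);
    var savedFile = filteredAssessment.save(new O2AssessmentSave_OunceV6());
    log.info("Filtered results saved to: {0}", savedFile);
    ascx_FindingsViewer.openInFloatWindow(results.ToList());
}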
public void createClickButtonTraces()
{
    // Glues click-button sources to sinks across both layers, keeps only findings with System.Data
    // sinks and saves them to resultsFilefor_clickButtonSource_SystemDataSink, asserting that each
    // stage produced something and that the output file exists.
    var resultAssessment = new O2Assessment();
    resultAssessment.o2Findings = OzasmtGlue.glueTraceSinkWithSources(new O2AssessmentLoad_OunceV6(), clickButtonMappingOzasmt, bothLayersOzasmt);
    //o2Assessment.o2Findings = AspNetAnalysis.glueClickButtonTraces(clickButtonMappingOzasmt, webLayerOzasmt, webServicesLayerOzasmt);
    Assert.IsTrue(resultAssessment.o2Findings.Count > 0, "no findings calculated");
    var systemDataSinkFindings = OzasmtFilter.getFindingsWithSink(resultAssessment.o2Findings, "System.Data");
    resultAssessment.o2Findings = systemDataSinkFindings;
    Assert.IsTrue(resultAssessment.o2Findings.Count > 0, "no System.Data Sinks found");
    resultAssessment.save(new O2AssessmentSave_OunceV6(), resultsFilefor_clickButtonSource_SystemDataSink);
    Assert.IsTrue(File.Exists(resultsFilefor_clickButtonSource_SystemDataSink), "resultsFilefor_clickButtonSource_SystemDataSink doesn't exist");
}
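public void WasConversionSuccessfull()
{
    // Converts sCatFileToConvert (CAT.NET report) to sOzasmtFileToCreate from a clean slate and
    // checks that the output exists and loads as an Ounce v6 assessment with at least one finding.
    if (File.Exists(sOzasmtFileToCreate))
    {
        File.Delete(sOzasmtFileToCreate);
    }
    var cnConverter = new CatNetConverter(sCatFileToConvert);
    Assert.IsTrue(cnConverter.convert(sOzasmtFileToCreate), "Converter failed");
    // the original message named the input (sCatFileToConvert); it is the output file that must exist
    Assert.IsTrue(File.Exists(sOzasmtFileToCreate), "sOzasmtFileToCreate file was not created");
    var o2Assessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), sOzasmtFileToCreate);
    Assert.IsTrue(o2Assessment.o2Findings.Count > 0, "There are no findings in created ozasmt file");
}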
public static IO2Assessment createO2AssessmentFromWebScarabFile(string conversationFile)
{
    // Imports a WebScarab conversations file as an assessment named after the file. Any failure is
    // logged and the assessment is returned with whatever had been set before the failure (never null).
    var imported = new O2Assessment();
    try
    {
        imported.name = "Webscarab Import of: " + conversationFile;
        var conversations = new API_WebScarab().loadConversationsFile(conversationFile);
        List<IO2Finding> findings = createFindingsFromConversation(conversations);
        imported.o2Findings = findings;
    }
    catch (Exception ex)
    {
        ex.log("in createO2AssessmentFromWebScarabFile");
    }
    return imported;
}