        private static void saveFindingsAsNewAssessment(List <IO2Finding> findingsToRemove)
        {
            // Wraps the supplied findings in a throw-away O2Assessment, writes it with the Ounce v6
            // saver and logs the path that save() reports so the operator can locate the file.
            var assessmentWithDuplicates = new O2Assessment(findingsToRemove);
            var writtenTo                = assessmentWithDuplicates.save(new O2AssessmentSave_OunceV6());

            O2Cmd.log.write("O2Assessment WITH duplicate findings saved to: {0}", writtenTo);
        }
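        public bool convert(String sTargetOzasmtFile)
        {
            // Converts the CAT.NET results held in catNetXml into O2 findings and writes them as an
            // Ounce v6 ozasmt file to sTargetOzasmtFile.
            // Returns true only when at least one finding was produced AND save() reported success;
            // false when there is no xml to convert, no findings resulted, the save failed, or an
            // exception was raised (exceptions are logged via PublicDI.log.ex and never propagated).
            try
            {
                if (catNetXml == null || catNetXml.InnerXml == "")
                {
                    return(false);
                }
                var o2Assessment = new O2Assessment();
                addCatNetResultsAsFindings(o2Assessment, catNetXml);

                int findingsCount = o2Assessment.o2Findings.Count;
                if (findingsCount > 0)
                {
                    // save() returns a bool; the original ignored it and reported success unconditionally
                    if (o2Assessment.save(new O2AssessmentSave_OunceV6(), sTargetOzasmtFile))
                    {
                        // the original format string used {0} twice, so the findings count was never logged
                        PublicDI.log.info("Converted ozasmt file (with {0} findings) saved to {1}", findingsCount, sTargetOzasmtFile);
                        return(true);
                    }
                    PublicDI.log.error("Failed to save converted ozasmt file to: " + sTargetOzasmtFile);
                    return(false);
                }
                PublicDI.log.info("There were no findings in converted file (from: {0})", sTargetOzasmtFile);
            }
            catch (Exception ex)
            {
                PublicDI.log.ex(ex, "in CatNetConverted.convert");
            }
            return(false);
        }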
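        public void findParameterStaticValueInMethodX()
        {
            // Loads the (large) serialized CirData fixture, runs the static-parameter-value analysis
            // and persists the resulting findings to clickButtonMappingOzasmt.
            var cirData = CirLoad.loadSerializedO2CirDataObject(cirDataFile_BigOne);
            var result  = AspNetAnalysis.findParameterStaticValueInMethodX(cirData);

            // Assert BEFORE the result is used: a null result would otherwise likely surface as an
            // exception from the save path rather than as this assertion failure.
            Assert.IsNotNull(result, "Result was null");

            var createdAssessment = new O2Assessment();
            createdAssessment.o2Findings = result;
            createdAssessment.save(new O2AssessmentSave_OunceV6(), clickButtonMappingOzasmt);
        }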
        public void findWebControlSources()
        {
            // Loads the HacmeBank default-rules scan, replaces its findings with the web-control
            // sources computed by AspNetAnalysis and writes the result to
            // ozasmtWithHacmeBankWebControlMappings.
            string scanFile = ozasmtHacmeBankScanWithDefaultRules;
            Assert.IsTrue(File.Exists(scanFile),
                          "ozasmtHacmeBankScanWithDefaultRules could not be found");

            var assessment        = new O2Assessment(new O2AssessmentLoad_OunceV6(), scanFile);
            var webControlSources = AspNetAnalysis.findWebControlSources(assessment.o2Findings);
            assessment.o2Findings = webControlSources;

            Assert.IsTrue(assessment.o2Findings.Count > 0, "There were no Findings calculated");
            assessment.save(new O2AssessmentSave_OunceV6(), ozasmtWithHacmeBankWebControlMappings);
        }
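        public static void saveFindingsAsNewOzasmtFile(string assessmentName, List <IO2Finding> o2Findings, string pathToNewOzasmtFile)
        {
            // Wraps o2Findings in an O2Assessment called assessmentName and writes it as an Ounce v6
            // ozasmt file to pathToNewOzasmtFile. Both outcomes of save() are logged; the original
            // stayed silent when the save failed, so a missing output file was hard to diagnose.
            var o2Assessment = new O2Assessment
            {
                name       = assessmentName,
                o2Findings = o2Findings
            };

            if (o2Assessment.save(new O2AssessmentSave_OunceV6(), pathToNewOzasmtFile))
            {
                // guard the log only: a null list would otherwise throw here, after the save
                int findingsCount = (o2Findings != null) ? o2Findings.Count : 0;
                O2Cmd.log.write("Ozasmt file created with {0} findings: {1}", findingsCount, pathToNewOzasmtFile);
            }
            else
            {
                O2Cmd.log.write("Failed to create Ozasmt file: {0}", pathToNewOzasmtFile);
            }
        }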
        public void mapTextBoxWebControlsAsSinks()
        {
            // Loads the findings stored in resultsFilefor_clickButtonSource_SystemDataSink, maps
            // TextBox web controls as sinks and saves the mapped findings to the _withTexBoxMapping file.
            string inputFile = resultsFilefor_clickButtonSource_SystemDataSink;
            Assert.IsTrue(File.Exists(inputFile), "resultsFilefor_clickButtonSource_SystemDataSink doesn't exist");

            var loadedAssessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), inputFile);
            var mappedFindings   = AspNetAnalysis.mapTextBoxWebControlsAsSinks(loadedAssessment.o2Findings);
            Assert.IsTrue(mappedFindings.Count > 0, "no findings calculated");

            var outputAssessment = new O2Assessment();
            outputAssessment.o2Findings = mappedFindings;
            outputAssessment.save(new O2AssessmentSave_OunceV6(), resultsFilefor_clickButtonSource_SystemDataSink_withTexBoxMapping);
        }
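        public void CreateCustomAssessmentFile() // Test to see if we can successfully create a custom assessment file
        {
            // Saves an assessment that only carries a name to sFileToCreate, reloads it and checks
            // that the name survived the save/load round trip.
            const string name = "Test Name";

            var o2Assessment = new O2Assessment {
                name = name
            };

            Assert.IsTrue(o2Assessment.save(o2AssessmentSave, sFileToCreate), "SaveAssessmentRun failed");

            var o2AssessmentLoaded = new O2Assessment(o2AssessmentLoad, sFileToCreate);

            // AreEqual reports both values on failure; the original IsTrue(name == ...) carried the
            // misleading failure message "Name matches".
            Assert.AreEqual(name, o2AssessmentLoaded.name, "Loaded assessment name does not match the saved name");
        }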
        public void createClickButtonTraces()
        {
            // Glues the click-button traces in clickButtonMappingOzasmt with the sources in
            // bothLayersOzasmt, keeps only findings that have a "System.Data" sink and saves them to
            // resultsFilefor_clickButtonSource_SystemDataSink.
            var gluedFindings = OzasmtGlue.glueTraceSinkWithSources(new O2AssessmentLoad_OunceV6(),
                                                                    clickButtonMappingOzasmt,
                                                                    bothLayersOzasmt);
            var assessment = new O2Assessment();
            assessment.o2Findings = gluedFindings;
            Assert.IsTrue(assessment.o2Findings.Count > 0, "no findings calculated");

            var systemDataSinkFindings = OzasmtFilter.getFindingsWithSink(assessment.o2Findings, "System.Data");
            assessment.o2Findings = systemDataSinkFindings;
            Assert.IsTrue(assessment.o2Findings.Count > 0, "no System.Data Sinks found");

            string outputFile = resultsFilefor_clickButtonSource_SystemDataSink;
            assessment.save(new O2AssessmentSave_OunceV6(), outputFile);
            Assert.IsTrue(File.Exists(outputFile), "resultsFilefor_clickButtonSource_SystemDataSink doesn't exist");
        }
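 public static void filterFindings_usingForEachLoop()
 {
     // Loads ozasmtFileToLoad, keeps the findings whose _SinkToSource text contains "Attribute",
     // saves that subset as a new assessment and opens it in the findings viewer.
     // The original also built an unused "Hello O2 World" string and copied the result list
     // before handing it to the viewer; both were dead work and are dropped here.
     var loadedAssessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), ozasmtFileToLoad);
     log.info("Assessment file loaded with {0} findings", loadedAssessment.o2Findings.Count);

     var matchingFindings = new List<IO2Finding>();
     // NOTE(review): the foreach casts every element to O2Finding (needed for _SinkToSource);
     // an IO2Finding of any other implementation would throw InvalidCastException here —
     // confirm o2Findings only ever holds O2Finding instances.
     foreach (O2Finding candidate in loadedAssessment.o2Findings)
     {
         // IndexOf(string) is culture-sensitive; kept as in the original
         if (candidate._SinkToSource.IndexOf("Attribute") > -1)
         {
             matchingFindings.Add(candidate);
         }
     }
     log.info("There are {0} findings that match filter", matchingFindings.Count);

     var filteredAssessment = new O2Assessment(matchingFindings);
     var savedTo            = filteredAssessment.save(new O2AssessmentSave_OunceV6());
     log.info("Filtered results saved to: {0}", savedTo);

     ascx_FindingsViewer.openInFloatWindow(matchingFindings);
 }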
        public void mapWebInspectMappingsToOzamstFindings()
        {
            // Three stages, each persisted as an ozasmt file:
            //   1. Ounce scan of HacmeBank  -> web-control sources      (ozasmtWithHacmeBankWebControlMappings)
            //   2. WebInspect results       -> SQL-injection PoC2 findings (ozasmtFileWebInspectMappings)
            //   3. glue 2 onto 1 by trace name                           (ozasmtWithWebInspectToOunceMappings),
            //      then write the unique-traces variant                 (ozasmtWithWebInspectToOunceMappings_UniqueTraces)

            // stage 1: Ounce assessment
            string ounceScanFile = ozasmtHacmeBankScanWithDefaultRules;
            Assert.IsTrue(File.Exists(ounceScanFile), "ozasmtHacmeBankScanWithDefaultRules could not be found");

            var ounceAssessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), ounceScanFile);
            ounceAssessment.o2Findings = AspNetAnalysis.findWebControlSources(ounceAssessment.o2Findings);
            Assert.IsTrue(ounceAssessment.o2Findings.Count > 0, "There were no Findings calculated");
            ounceAssessment.save(new O2AssessmentSave_OunceV6(), ozasmtWithHacmeBankWebControlMappings);

            // stage 2: WebInspect results
            string webInspectFile = webInspectFileWithResults;
            Assert.IsTrue(File.Exists(webInspectFile), "webInspectFileWithResults does not exist");

            var webInspectAssessment = new O2Assessment();
            webInspectAssessment.o2Findings =
                WebInspectConverter.loadWebInspectResultsAndReturnO2FindingsFor_SqlInjection_PoC2(webInspectFile);
            Assert.IsTrue(webInspectAssessment.o2Findings.Count > 0, "No O2 findings created");
            webInspectAssessment.save(new O2AssessmentSave_OunceV6(), ozasmtFileWebInspectMappings);

            // stage 3: glue on trace names
            var gluedAssessment = new O2Assessment();
            gluedAssessment.o2Findings = OzasmtGlue.glueOnTraceNames(new O2AssessmentLoad_OunceV6(),
                                                                     ozasmtFileWebInspectMappings,
                                                                     ozasmtWithHacmeBankWebControlMappings,
                                                                     "Spring MVC Glue");
            Assert.IsTrue(gluedAssessment.o2Findings.Count > 0, "No Glued Findings created");
            gluedAssessment.save(new O2AssessmentSave_OunceV6(), ozasmtWithWebInspectToOunceMappings);

            Analysis.createAssessmentFileWithAllTraces(true, false,
                                                       ozasmtWithWebInspectToOunceMappings,
                                                       ozasmtWithWebInspectToOunceMappings_UniqueTraces);
        }
        public static string createO2AssessmentWithCallFlowTraces(ICirDataAnalysis cirDataAnalysis)
        {
            // Builds O2 findings from every CirFunction in cirDataAnalysis (the values of
            // dCirFunction_bySignature), saves them as a new Ounce v6 assessment and returns the
            // path reported by save(). Each phase is timed with an O2Timer.
            DI.log.info("Creating O2Assessment With Call Flow Traces");

            var findingsTimer    = new O2Timer("Created list of finding").start();
            var callFlowFindings = createO2FindingsFromCirFunctions(cirDataAnalysis.dCirFunction_bySignature.Values);
            findingsTimer.stop();

            var saveTimer  = new O2Timer("Saved Assessment").start();
            var assessment = new O2Assessment();
            assessment.o2Findings = callFlowFindings;
            var savedAssessmentFile = assessment.save(new O2AssessmentSave_OunceV6());
            DI.log.info("Saved O2Asssessment file created: {0}", savedAssessmentFile);
            saveTimer.stop();

            return(savedAssessmentFile);
        }
        /*   public static void loadAssessmentFileAndShowAllFindings()
         * {
         *     var o2Assessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), ozasmtFileToLoad);
         *     ascx_FindingsViewer.openInFloatWindow(o2Assessment.o2Findings);
         * }*/


        public static void joinTraces()
        {
            // Collects the sink and source findings to join, rewrites their vuln names using the
            // "Findings_With_HashMap_To_Join_" sink-context hash-map key, joins every trace whose
            // sink matches a source, saves the joined findings as a new assessment and opens them
            // in the findings viewer.
            const string hashMapKey = "Findings_With_HashMap_To_Join_";

            var sinks   = new List <IO2Finding>();
            var sources = new List <IO2Finding>();
            findTracesToJoin(sinks, sources);

            fixSinkVulnNamesBasedOnSinkContextHashMapKey(hashMapKey, sinks);
            fixSourceVulnNamesBasedOnSinkContextHashMapKey(hashMapKey, sources);

            var joinedFindings   = joinTracesWhereSinkMatchesSource(sinks, sources);
            var joinedAssessment = new O2Assessment(joinedFindings);
            var savedTo          = joinedAssessment.save(new O2AssessmentSave_OunceV6());
            log.info("Filtered results saved to: {0}", savedTo);

            ascx_FindingsViewer.openInFloatWindow(joinedFindings);
        }
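        private void saveFindings(IEnumerable <IO2Finding> o2FindingsToSave, bool saveIntoO2BinaryFormat)
        {
            // Saves o2FindingsToSave (after making them Ounce v6 compatible) to the file named in
            // tbSavedFileName, either in the O2 binary format (saveAsO2Format, extension forced to
            // PublicDI.config.O2FindingsFileExtension) or through the configured o2AssessmentSave engine.
            // lbFileSaved is shown on success. The save buttons are disabled while saving and always
            // re-enabled afterwards.
            //
            // Bug fixed: the original logged "Aborting save" when o2AssessmentSave was null but then
            // fell into a bare block (no 'else') and carried on saving anyway, so the save engine was
            // used while null and the buttons stayed disabled when that failed.
            btSaveFindings.Enabled = false;
            btSave.Enabled         = false;
            try
            {
                // The O2AssessmentSave engine is only needed for the non-binary path;
                // the O2 binary format goes through saveAsO2Format and does not use it.
                if (o2AssessmentSave == null && !saveIntoO2BinaryFormat)
                {
                    PublicDI.log.error("Aborting save since there is no O2AssessmentSave Engine configured");
                    return;
                }

                OzasmtCompatibility.makeCompatibleWithOunceV6(o2FindingsToSave);

                string targetFile   = tbSavedFileName.Text;
                var    o2Assessment = new O2Assessment();
                o2Assessment.name = assessmentName;
                o2Assessment.o2Findings.AddRange(o2FindingsToSave);

                bool saved;
                if (saveIntoO2BinaryFormat)
                {
                    if (Path.GetExtension(targetFile) != PublicDI.config.O2FindingsFileExtension)
                    {
                        targetFile          += PublicDI.config.O2FindingsFileExtension;
                        tbSavedFileName.Text = targetFile;
                    }
                    saved = o2Assessment.saveAsO2Format(targetFile);
                }
                else
                {
                    saved = o2Assessment.save(o2AssessmentSave, targetFile);
                }

                if (saved)
                {
                    lbFileSaved.Visible = true;
                }
            }
            finally
            {
                // re-enable even when the save path throws or the early return above is taken
                btSaveFindings.Enabled = true;
                btSave.Enabled         = true;
            }
        }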
        public void CreateFinding_WithTrace()
        {
            // Round-trips two findings through o2AssessmentSave / o2AssessmentLoad using a temp file:
            //   finding #1 carries a single, fully populated O2Trace (every field is asserted on reload);
            //   finding #2 carries one root trace with a source path and a sink path as child traces,
            //   so OzasmtUtils.getKnownSink / getSource can be checked after reload.
            string       sFileToCreate    = DI.config.TempFileNameInTempDirectory;
            const uint   line_number      = 2;
            const uint   column_number    = 3;
            const uint   ordinal          = 1;
            const string context          = "TraceContext";
            const string signature        = "TraceSignature";
            const string clazz            = "class.this.trace.is.in";
            const string file             = @"c:\o2\temp\file\trace\is\in.cs";
            const string method           = "methodExectuted";
            const uint   taintPropagation = 0;
            var          text             = new List <string> {
                "this is a text inside a trace"
            };

            var o2Assessment = new O2Assessment();
            // Finding #1: one trace with every field set
            var o2Finding1 = new O2Finding("vulnName.Testing.TraceCreation", "vulnType.CustomType",
                                           "This is the Context",
                                           "This is the caller");

            o2Finding1.o2Traces.Add(new O2Trace
            {
                clazz            = clazz,
                columnNumber     = column_number,
                context          = context,
                file             = file,
                lineNumber       = line_number,
                method           = method,
                ordinal          = ordinal,
                signature        = signature,
                taintPropagation = taintPropagation,
                text             = text,
            });
            o2Assessment.o2Findings.Add(o2Finding1);

            // Finding #2: root trace -> { source path -> Source, sink path -> Known_Sink }
            const string sinkText           = "this is a sink";
            const string methodOnSinkPath   = "method call on sink path";
            const string methodOnSourcePath = "method call on source path";
            const string sourceText         = "this is a source";
            var          o2Finding2         = new O2Finding("Vulnerability.Name", "Vulnerability.Type");

            var o2Trace = new O2Trace("Class.Signature", "Method executed");

            var o2TraceOnSinkPath = new O2Trace(methodOnSinkPath, TraceType.Type_0);

            o2TraceOnSinkPath.childTraces.Add(new O2Trace(sinkText, TraceType.Known_Sink));

            var o2TraceOnSourcePath = new O2Trace(methodOnSourcePath, TraceType.Type_0);

            o2TraceOnSourcePath.childTraces.Add(new O2Trace(sourceText, TraceType.Source));

            // source path is added before the sink path; the reload assertions below only count
            // the children and do not depend on this order
            o2Trace.childTraces.Add(o2TraceOnSourcePath);

            o2Trace.childTraces.Add(o2TraceOnSinkPath);

            o2Finding2.o2Traces = new List <IO2Trace> {
                o2Trace
            };

            o2Assessment.o2Findings.Add(o2Finding2);

            // save assessment file (return value of save() is not checked here; a failed save
            // shows up as the reload assertions failing)
            o2Assessment.save(o2AssessmentSave, sFileToCreate);

            // check if data was saved correctly
            var loadedO2Assessment = new O2Assessment(o2AssessmentLoad, sFileToCreate);

            List <IO2Finding> loadedO2Findings = loadedO2Assessment.o2Findings;

            Assert.IsTrue(loadedO2Assessment.o2Findings.Count == 2, "There should be 2 findings in the Assessment File");

            // in o2Findings1: every trace field must survive the round trip
            Assert.IsTrue(loadedO2Assessment.o2Findings[0].o2Traces.Count == 1,
                          "There should be 1 Trace in the Finding #1");

            IO2Trace loadedO2Trace = loadedO2Findings[0].o2Traces[0];

            Assert.IsTrue(loadedO2Trace.clazz == clazz, "clazz");
            Assert.IsTrue(loadedO2Trace.columnNumber == column_number, "columnNumber");
            Assert.IsTrue(loadedO2Trace.context == context, "context");
            Assert.IsTrue(loadedO2Trace.file == file, "file");
            Assert.IsTrue(loadedO2Trace.lineNumber == line_number, "lineNumber");
            Assert.IsTrue(loadedO2Trace.method == method, "method");
            Assert.IsTrue(loadedO2Trace.ordinal == ordinal, "ordinal");
            Assert.IsTrue(loadedO2Trace.signature == signature, "signature");
            Assert.IsTrue(loadedO2Trace.taintPropagation == taintPropagation, "taintPropagation");
            Assert.IsTrue(loadedO2Trace.text[0] == text[0], "text");

            // in o2Findings2: the trace tree shape and the sink/source lookups
            Assert.IsTrue(loadedO2Assessment.o2Findings[1].o2Traces.Count == 1,
                          "There should be 1 Trace in the Finding #2");
            Assert.IsTrue(loadedO2Assessment.o2Findings[1].o2Traces[0].childTraces.Count == 2,
                          "There should be 2 child traces in this trace");

            Assert.IsNotNull(OzasmtUtils.getKnownSink(loadedO2Assessment.o2Findings[1].o2Traces), "Could not find Sink");
            Assert.IsTrue(OzasmtUtils.getKnownSink(loadedO2Assessment.o2Findings[1].o2Traces).clazz == sinkText,
                          "Sink text didn't match");

            Assert.IsTrue(OzasmtUtils.getSource(loadedO2Assessment.o2Findings[1].o2Traces).clazz == sourceText,
                          "Source text didn't match");
        }
        public void CreateFinding()
        {
            // Round-trips two O2Findings through o2AssessmentSave / o2AssessmentLoad using a temp
            // file: one fully populated via the object initializer and one built from the
            // four-argument constructor. After reload, every field of the first finding is asserted.
            string targetFile = DI.config.TempFileNameInTempDirectory;

            // expected values for the fully populated finding
            const string file            = @"c:\O2\Temp\testFile.cs";
            const uint   record_id       = 1;
            const uint   line_number     = 2;
            const uint   column_number   = 3;
            const uint   actionobject_id = 4;
            const byte   severity        = 3;
            const byte   confidence      = 2;
            const bool   exclude         = false;
            const uint   ordinal         = 1;
            const string context         = "context";
            const string vuln_name       = "vuln_name";
            const string caller_name     = "caller_name";
            const string vuln_type       = "vuln_type";
            const string project_name    = "project_name";
            const string property_ids    = "property_ids";

            var fullyPopulatedFinding = new O2Finding
            {
                actionObject = actionobject_id,
                confidence   = confidence,
                file         = file,
                columnNumber = column_number,
                exclude      = exclude,
                lineNumber   = line_number,
                ordinal      = ordinal,
                recordId     = record_id,
                severity     = severity,
                context      = context,
                vulnName     = vuln_name,
                callerName   = caller_name,
                vulnType     = vuln_type,
                projectName  = project_name,
                propertyIds  = property_ids
            };
            var minimalFinding = new O2Finding(vuln_name, vuln_type, context, caller_name);

            // save both findings in one assessment
            var assessmentToSave = new O2Assessment();
            assessmentToSave.o2Findings.Add(fullyPopulatedFinding);
            assessmentToSave.o2Findings.Add(minimalFinding);
            assessmentToSave.save(o2AssessmentSave, targetFile);

            // reload and verify
            var reloadedAssessment = new O2Assessment(o2AssessmentLoad, targetFile);
            Assert.IsTrue(reloadedAssessment.o2Findings.Count == 2, "There should be 2 findings saved");

            IO2Finding reloadedFinding = reloadedAssessment.o2Findings[0];
            Assert.IsTrue(reloadedFinding.actionObject == actionobject_id, "actionobject_id");
            Assert.IsTrue(reloadedFinding.confidence == confidence, "confidence");
            Assert.IsTrue(reloadedFinding.file == file, "file");
            Assert.IsTrue(reloadedFinding.columnNumber == column_number, "column_number");
            Assert.IsTrue(reloadedFinding.exclude == exclude, "exclude");
            Assert.IsTrue(reloadedFinding.lineNumber == line_number, "line_number");
            Assert.IsTrue(reloadedFinding.ordinal == ordinal, "ordinal");
            Assert.IsTrue(reloadedFinding.recordId == record_id, "record_id");
            Assert.IsTrue(reloadedFinding.severity == severity, "severity");
            Assert.IsTrue(reloadedFinding.context == context, "context");
            Assert.IsTrue(reloadedFinding.vulnName == vuln_name, "vuln_name");
            Assert.IsTrue(reloadedFinding.callerName == caller_name, "caller_name");
            Assert.IsTrue(reloadedFinding.vulnType == vuln_type, "vuln_type");
            Assert.IsTrue(reloadedFinding.projectName == project_name, "project_name");
            Assert.IsTrue(reloadedFinding.propertyIds == property_ids, "property_ids");
        }