public void FortifyIssue_CanBeConstructed_WithAllProperties() { var uut = new FortifyIssue( "ruleId", "iid", "category", "kingdom", "abstract", "abstractCustom", "priority", s_pathElementA, s_pathElementB, ImmutableArray.Create(1, 2, 3) ); Assert.Equal("ruleId", uut.RuleId); Assert.Equal("iid", uut.InstanceId); Assert.Equal("category", uut.Category); Assert.Equal("kingdom", uut.Kingdom); Assert.Equal("abstract", uut.Abstract); Assert.Equal("abstractCustom", uut.AbstractCustom); Assert.Equal("priority", uut.Priority); Assert.Same(s_pathElementA, uut.PrimaryOrSink); Assert.Same(s_pathElementB, uut.Source); uut.CweIds.Should().Equal(new[] { 1, 2, 3 }); }
public void FortifyIssue_CanBeConstructed_WithMinimalProperties() { var uut = new FortifyIssue( null, null, "category", "kingdom", null, null, null, s_pathElementA, null, ImmutableArray <int> .Empty ); Assert.Null(uut.RuleId); Assert.Null(uut.InstanceId); Assert.Equal("category", uut.Category); Assert.Equal("kingdom", uut.Kingdom); Assert.Null(uut.Abstract); Assert.Null(uut.AbstractCustom); Assert.Null(uut.Priority); Assert.Same(s_pathElementA, uut.PrimaryOrSink); Assert.Null(uut.Source); uut.CweIds.Should().BeEmpty(); }
/// <summary> /// Interface implementation for converting a stream of Fortify report in XML format to a /// SARIF json format stream. /// </summary> /// <exception cref="ArgumentNullException">Thrown when one or more required arguments are null.</exception> /// <param name="input">Stream of the Fortify report.</param> /// <param name="output">Stream of SARIF json.</param> /// <param name="dataToInsert">Logging options that configure output.</param> public override void Convert(Stream input, IResultLogWriter output, OptionallyEmittedData dataToInsert) { if (input == null) { throw new ArgumentNullException(nameof(input)); } if (output == null) { throw new ArgumentNullException(nameof(output)); } var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Ignore, IgnoreWhitespace = true, NameTable = _nameTable, XmlResolver = null }; var results = new List <Result>(); using (XmlReader reader = XmlReader.Create(input, settings)) { while (reader.Read()) { while (StringReference.AreEqual(reader.LocalName, _strings.Issue)) { FortifyIssue fortify = FortifyIssue.Parse(reader, _strings); results.Add(ConvertFortifyIssueToSarifIssue(fortify)); } } } var tool = new Tool { Name = "Fortify" }; var fileInfoFactory = new FileInfoFactory(MimeType.DetermineFromFileExtension, dataToInsert); Dictionary <string, FileData> fileDictionary = fileInfoFactory.Create(results); var run = new Run() { Tool = tool }; output.Initialize(run); if (fileDictionary != null && fileDictionary.Count > 0) { output.WriteFiles(fileDictionary); } output.OpenResults(); output.WriteResults(results); output.CloseResults(); }
public void FortifyIssue_Parse_IgnoresNonCweTypeExternalCategories() { XElement xml = XElement.Parse(s_fullIssueXml); xml.Element("ExternalCategory").Attribute("type").Value = "a_differnt_type"; FortifyIssue result = Parse(xml); result.CweIds.Should().BeEmpty(); }
/// <summary> /// Interface implementation for converting a stream of Fortify report in XML format to a /// SARIF json format stream. /// </summary> /// <exception cref="ArgumentNullException">Thrown when one or more required arguments are null.</exception> /// <param name="input">Stream of the Fortify report.</param> /// <param name="output">Stream of SARIF json.</param> public void Convert(Stream input, IResultLogWriter output) { if (input == null) { throw new ArgumentNullException("input"); } if (output == null) { throw new ArgumentNullException("output"); } var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Ignore, IgnoreWhitespace = true, NameTable = _nameTable }; var results = new List <Result>(); using (XmlReader reader = XmlReader.Create(input, settings)) { while (reader.Read()) { while (Ref.Equal(reader.LocalName, _strings.Issue)) { FortifyIssue fortify = FortifyIssue.Parse(reader, _strings); results.Add(ConvertFortifyIssueToSarifIssue(fortify)); } } } var tool = new Tool { Name = "Fortify" }; var fileInfoFactory = new FileInfoFactory(MimeType.DetermineFromFileExtension); Dictionary <string, IList <FileData> > fileDictionary = fileInfoFactory.Create(results); output.WriteTool(tool); if (fileDictionary != null && fileDictionary.Count > 0) { output.WriteFiles(fileDictionary); } output.OpenResults(); output.WriteResults(results); output.CloseResults(); }
public void FortifyIssue_RequiresPrimary() { var uut = new FortifyIssue( null, null, "category", "kingdom", null, null, null, null, null, ImmutableArray <int> .Empty ); }
public void FortifyIssue_RequiresKingdom() { var uut = new FortifyIssue( null, null, "category", null, null, null, null, s_pathElementA, null, ImmutableArray <int> .Empty ); }
public void FortifyIssue_Parse_CanParseFullIssue() { string xml = "<xml>" + s_fullIssueXml + "<following /></xml>"; using (XmlReader reader = Utilities.CreateWhitespaceSkippingXmlReaderFromString(xml)) { reader.Read(); //<xml> reader.Read(); //<Issue> FortifyIssue result = Parse(reader); Assert.Equal("following", reader.LocalName); Assert.Equal("7DDEC64A-9142-4943-BB5C-57D6F09C94DC", result.RuleId); Assert.Equal("BDC8FC3C5AAE67B07F46EC48B928AA6E", result.InstanceId); Assert.Equal("Format String", result.Category); Assert.Equal("Input Validation and Representation", result.Kingdom); Assert.Equal("An attacker can control the format string argument to vfwprintf() at bannedAPIs.m line 225, allowing an attack much like a buffer overflow.", result.Abstract); Assert.Equal("A message Bill added for testing purposes.", result.AbstractCustom); Assert.Equal("High", result.Priority); Assert.Equal(225, result.PrimaryOrSink.LineStart); Assert.Equal(238, result.Source.LineStart); result.CweIds.Should().Equal(new[] { 134 }); } }
public void FortifyIssue_Parse_CanParseMinimalIssue() { string xml = "<xml>" + s_minimalIssueXml + "<following /></xml>"; using (XmlReader reader = Utilities.CreateWhitespaceSkippingXmlReaderFromString(xml)) { reader.Read(); //<xml> reader.Read(); //<Issue> FortifyIssue result = Parse(reader); Assert.Equal("following", reader.LocalName); Assert.Null(result.RuleId); Assert.Null(result.InstanceId); Assert.Equal("Format String", result.Category); Assert.Equal("Input Validation and Representation", result.Kingdom); Assert.Null(result.Abstract); Assert.Null(result.AbstractCustom); Assert.Null(result.Priority); Assert.Equal(225, result.PrimaryOrSink.LineStart); Assert.Null(result.Source); result.CweIds.Should().BeEmpty(); } }
/// <summary> /// Interface implementation for converting a stream of Fortify report in XML format to a /// SARIF json format stream. /// </summary> /// <exception cref="ArgumentNullException">Thrown when one or more required arguments are null.</exception> /// <param name="input">Stream of the Fortify report.</param> /// <param name="output">Stream of SARIF json.</param> public void Convert(Stream input, IResultLogWriter output) { if (input == null) { throw new ArgumentNullException("input"); } if (output == null) { throw new ArgumentNullException("output"); } output.WriteToolAndRunInfo(new ToolInfo { Name = "Fortify" }, null); var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Ignore, IgnoreWhitespace = true, NameTable = _nameTable }; using (XmlReader reader = XmlReader.Create(input, settings)) { while (reader.Read()) { while (Ref.Equal(reader.LocalName, _strings.Issue)) { FortifyIssue fortify = FortifyIssue.Parse(reader, _strings); output.WriteResult(ConvertFortifyIssueToSarifIssue(fortify)); } } } }
/// <summary> /// Interface implementation for converting a stream of Fortify report in XML format to a /// SARIF json format stream. /// </summary> /// <exception cref="ArgumentNullException">Thrown when one or more required arguments are null.</exception> /// <param name="input">Stream of the Fortify report.</param> /// <param name="output">Stream of SARIF json.</param> /// <param name="dataToInsert">Optionally emitted properties that should be written to log.</param> public override void Convert(Stream input, IResultLogWriter output, OptionallyEmittedData dataToInsert) { if (input == null) { throw new ArgumentNullException(nameof(input)); } if (output == null) { throw new ArgumentNullException(nameof(output)); } var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Ignore, IgnoreWhitespace = true, NameTable = _nameTable, XmlResolver = null }; string runDescription = null; var results = new List <Result>(); using (XmlReader reader = XmlReader.Create(input, settings)) { while (reader.Read()) { if (runDescription == null) { // Find the executive summary <ReportSection> element if (StringReference.AreEqual(reader.LocalName, _strings.ReportSection) && reader.IsStartElement()) { reader.Read(); // Move to Title element if (reader.ReadElementContentAsString(_strings.Title, String.Empty) == "Executive Summary") { reader.Read(); // Move to SubSection element reader.IgnoreElement(_strings.Title, IgnoreOptions.Required); reader.IgnoreElement(_strings.Description, IgnoreOptions.Required); runDescription = reader.ReadElementContentAsString(_strings.Text, String.Empty); } } } else { while (StringReference.AreEqual(reader.LocalName, _strings.Issue)) { FortifyIssue fortify = FortifyIssue.Parse(reader, _strings); results.Add(ConvertFortifyIssueToSarifIssue(fortify)); } } } } var tool = new Tool { Name = "Fortify" }; var fileInfoFactory = new FileInfoFactory(MimeType.DetermineFromFileExtension, dataToInsert); Dictionary <string, FileData> fileDictionary = fileInfoFactory.Create(results); var run = new Run() { Description = new Message { Text = runDescription }, Tool = tool }; output.Initialize(run); if (fileDictionary != null && fileDictionary.Count > 0) { output.WriteFiles(fileDictionary); } output.OpenResults(); output.WriteResults(results); output.CloseResults(); }
public void FortifyIssue_CanBeConstructed_WithAllProperties() { var uut = new FortifyIssue( "ruleId", "iid", "category", "kingdom", "abstract", "abstractCustom", "priority", s_pathElementA, s_pathElementB, ImmutableArray.Create(1, 2, 3) ); Assert.AreEqual("ruleId", uut.RuleId); Assert.AreEqual("iid", uut.InstanceId); Assert.AreEqual("category", uut.Category); Assert.AreEqual("kingdom", uut.Kingdom); Assert.AreEqual("abstract", uut.Abstract); Assert.AreEqual("abstractCustom", uut.AbstractCustom); Assert.AreEqual("priority", uut.Priority); Assert.AreSame(s_pathElementA, uut.PrimaryOrSink); Assert.AreSame(s_pathElementB, uut.Source); uut.CweIds.Should().Equal(new[] { 1, 2, 3 }); }
/// <summary>Converts a Fortify result to a static analysis results interchange format result.</summary> /// <param name="fortify">The Fortify result convert.</param> /// <returns> /// A SARIF result <see cref="Result"/> containing the same content as the supplied /// <see cref="FortifyIssue"/>. /// </returns> public static Result ConvertFortifyIssueToSarifIssue(FortifyIssue fortify) { var result = new Result(); result.RuleId = fortify.Category; result.ToolFingerprint = fortify.InstanceId; List <string> messageComponents = new List <string>(); if (fortify.Abstract != null) { messageComponents.Add(fortify.Abstract); } if (fortify.AbstractCustom != null) { messageComponents.Add(fortify.AbstractCustom); } if (messageComponents.Count == 0) { result.Message = String.Format(CultureInfo.InvariantCulture, SarifResources.FortifyFallbackMessage, result.RuleId); } else { result.Message = String.Join(Environment.NewLine, messageComponents); } var extraProperties = new Dictionary <string, string>(); extraProperties.Add("kingdom", fortify.Kingdom); if (fortify.Priority != null) { extraProperties.Add("priority", fortify.Priority); } if (!fortify.CweIds.IsDefaultOrEmpty) { extraProperties.Add("cwe", String.Join(", ", fortify.CweIds.Select(id => id.ToString(CultureInfo.InvariantCulture)))); } if (fortify.RuleId != null) { extraProperties.Add("fortifyRuleId", fortify.RuleId); } result.Properties = extraProperties; PhysicalLocation primaryOrSink = ConvertFortifyLocationToPhysicalLocation(fortify.PrimaryOrSink); result.Locations = new HashSet <Location> { new Location { ResultFile = primaryOrSink } }; if (fortify.Source != null) { PhysicalLocation source = ConvertFortifyLocationToPhysicalLocation(fortify.Source); result.CodeFlows = new HashSet <CodeFlow> { new CodeFlow { Locations = new List <AnnotatedCodeLocation> { new AnnotatedCodeLocation { PhysicalLocation = source }, new AnnotatedCodeLocation { PhysicalLocation = primaryOrSink } } } }; } return(result); }
private static FortifyIssue Parse(XmlReader reader) { return(FortifyIssue.Parse(reader, new FortifyStrings(reader.NameTable))); }
public void FortifyIssue_CanBeConstructed_WithMinimalProperties() { var uut = new FortifyIssue( null, null, "category", "kingdom", null, null, null, s_pathElementA, null, ImmutableArray<int>.Empty ); Assert.IsNull(uut.RuleId); Assert.IsNull(uut.InstanceId); Assert.AreEqual("category", uut.Category); Assert.AreEqual("kingdom", uut.Kingdom); Assert.IsNull(uut.Abstract); Assert.IsNull(uut.AbstractCustom); Assert.IsNull(uut.Priority); Assert.AreSame(s_pathElementA, uut.PrimaryOrSink); Assert.IsNull(uut.Source); uut.CweIds.Should().BeEmpty(); }
/// <summary>Converts a Fortify result to a static analysis results interchange format result.</summary> /// <param name="fortify">The Fortify result convert.</param> /// <returns> /// A SARIF result <see cref="Result"/> containing the same content as the supplied /// <see cref="FortifyIssue"/>. /// </returns> public static Result ConvertFortifyIssueToSarifIssue(FortifyIssue fortify) { var result = new Result(); result.RuleId = fortify.Category; result.ToolFingerprintContribution = fortify.InstanceId; List<string> messageComponents = new List<string>(); if (fortify.Abstract != null) { messageComponents.Add(fortify.Abstract); } if (fortify.AbstractCustom != null) { messageComponents.Add(fortify.AbstractCustom); } if (messageComponents.Count == 0) { result.Message = String.Format(CultureInfo.InvariantCulture, ConverterResources.FortifyFallbackMessage, result.RuleId); } else { result.Message = String.Join(Environment.NewLine, messageComponents); } result.SetProperty("kingdom", fortify.Kingdom); if (fortify.Priority != null) { result.SetProperty("priority", fortify.Priority); } if (!fortify.CweIds.IsDefaultOrEmpty) { result.SetProperty("cwe", String.Join(", ", fortify.CweIds.Select(id => id.ToString(CultureInfo.InvariantCulture)))); } if (fortify.RuleId != null) { result.SetProperty("fortifyRuleId", fortify.RuleId); } PhysicalLocation primaryOrSink = ConvertFortifyLocationToPhysicalLocation(fortify.PrimaryOrSink); result.Locations = new List<Location> { new Location { ResultFile = primaryOrSink } }; if (fortify.Source != null) { PhysicalLocation source = ConvertFortifyLocationToPhysicalLocation(fortify.Source); result.CodeFlows = new List<CodeFlow> { new CodeFlow { Locations = new List<AnnotatedCodeLocation> { new AnnotatedCodeLocation { PhysicalLocation = source }, new AnnotatedCodeLocation { PhysicalLocation = primaryOrSink } } } }; } return result; }
public void FortifyIssue_ParseCweIds_SortsCweIds() { FortifyIssue.ParseCweIds("CWE ID 787, CWE ID 134").Should().Equal(new[] { 134, 787 }); }
public void FortifyIssue_ParseCweIds_UniquesCweIds() { FortifyIssue.ParseCweIds("CWE ID 134, CWE ID 134").Should().Equal(new[] { 134 }); }
public void FortifyIssue_ParseCweIds_MultipleCweIds() { FortifyIssue.ParseCweIds("CWE ID 134, CWE ID 787").Should().Equal(new[] { 134, 787 }); }
public void FortifyIssue_ParseCweIds_SingleCweId() { FortifyIssue.ParseCweIds("CWE ID 476").Should().Equal(new[] { 476 }); }
/// <summary> /// Interface implementation for converting a stream of Fortify report in XML format to a /// SARIF json format stream. /// </summary> /// <exception cref="ArgumentNullException">Thrown when one or more required arguments are null.</exception> /// <param name="input">Stream of the Fortify report.</param> /// <param name="output">Stream of SARIF json.</param> /// <param name="dataToInsert">Optionally emitted properties that should be written to log.</param> public override void Convert(Stream input, IResultLogWriter output, OptionallyEmittedData dataToInsert) { if (input == null) { throw new ArgumentNullException(nameof(input)); } if (output == null) { throw new ArgumentNullException(nameof(output)); } var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Ignore, IgnoreWhitespace = true, NameTable = _nameTable, XmlResolver = null }; string runDescription = null; var results = new List <Result>(); using (XmlReader reader = XmlReader.Create(input, settings)) { while (reader.Read()) { if (runDescription == null) { // Find the executive summary <ReportSection> element if (StringReference.AreEqual(reader.LocalName, _strings.ReportSection) && reader.IsStartElement()) { reader.Read(); // Move to Title element if (reader.ReadElementContentAsString(_strings.Title, String.Empty) == "Executive Summary") { reader.Read(); // Move to SubSection element reader.IgnoreElement(_strings.Title, IgnoreOptions.Required); reader.IgnoreElement(_strings.Description, IgnoreOptions.Required); runDescription = reader.ReadElementContentAsString(_strings.Text, String.Empty); } } } else { while (StringReference.AreEqual(reader.LocalName, _strings.Issue)) { FortifyIssue fortify = FortifyIssue.Parse(reader, _strings); results.Add(ConvertFortifyIssueToSarifIssue(fortify)); } } } } var run = new Run() { AutomationDetails = new RunAutomationDetails { Description = new Message { Text = runDescription } }, Tool = new Tool { Driver = new ToolComponent { Name = ToolName } } }; PersistResults(output, results, run); }
public void FortifyIssue_RequiresKingdom() { var uut = new FortifyIssue( null, null, "category", null, null, null, null, s_pathElementA, null, ImmutableArray<int>.Empty ); }
public void FortifyIssue_RequiresPrimary() { var uut = new FortifyIssue( null, null, "category", "kingdom", null, null, null, null, null, ImmutableArray<int>.Empty ); }
/// <summary>Converts a Fortify result to a static analysis results interchange format result.</summary> /// <param name="fortify">The Fortify result convert.</param> /// <returns> /// A SARIF result <see cref="Result"/> containing the same content as the supplied /// <see cref="FortifyIssue"/>. /// </returns> public static Result ConvertFortifyIssueToSarifIssue(FortifyIssue fortify) { var result = new Result(); result.RuleId = fortify.Category; if (!string.IsNullOrWhiteSpace(fortify.InstanceId)) { if (result.PartialFingerprints == null) { result.PartialFingerprints = new Dictionary <string, string>(); } SarifUtilities.AddOrUpdateDictionaryEntry(result.PartialFingerprints, "InstanceId", fortify.InstanceId); } List <string> messageComponents = new List <string>(); if (fortify.Abstract != null) { messageComponents.Add(fortify.Abstract); } if (fortify.AbstractCustom != null) { messageComponents.Add(fortify.AbstractCustom); } if (messageComponents.Count == 0) { result.Message = new Message { Text = String.Format(CultureInfo.InvariantCulture, ConverterResources.FortifyFallbackMessage, result.RuleId) }; } else { result.Message = new Message { Text = String.Join(Environment.NewLine, messageComponents) }; } result.SetProperty("kingdom", fortify.Kingdom); if (fortify.Priority != null) { result.SetProperty("priority", fortify.Priority); } if (!fortify.CweIds.IsDefaultOrEmpty) { result.SetProperty("cwe", String.Join(", ", fortify.CweIds.Select(id => id.ToString(CultureInfo.InvariantCulture)))); } if (fortify.RuleId != null) { result.SetProperty("fortifyRuleId", fortify.RuleId); } PhysicalLocation primaryOrSink = ConvertFortifyLocationToPhysicalLocation(fortify.PrimaryOrSink); result.Locations = new List <Location> { new Location { PhysicalLocation = primaryOrSink } }; if (fortify.Source != null) { PhysicalLocation source = ConvertFortifyLocationToPhysicalLocation(fortify.Source); var locations = new List <CodeFlowLocation>() { new CodeFlowLocation { Location = new Location { PhysicalLocation = source } }, new CodeFlowLocation { Location = new Location { PhysicalLocation = primaryOrSink } } }; result.CodeFlows = new List <CodeFlow>() { SarifUtilities.CreateSingleThreadedCodeFlow(locations) }; } return(result); }
public void FortifyIssue_ParseCweIds_NoIds() { FortifyIssue.ParseCweIds("1234").Should().BeEmpty(); }