public static AssessmentRun getDefaultAssessmentRunObject()
{
// this is what we need to create a default assessment
var arNewAssessmentRun = new AssessmentRun
{
name = "DefaultAssessmentRun",
AssessmentStats = new AssessmentStats(),
FileIndeces = new AssessmentRunFileIndex[] { },
StringIndeces = new AssessmentRunStringIndex[] { }
};
var armMessage = new AssessmentRunMessage
{
id = 0,
message =
("Custom Assessment Run File created on " +
DateTime.Now)
};
arNewAssessmentRun.Messages = new[] { armMessage };
arNewAssessmentRun.Assessment = new AssessmentRunAssessment {
Assessment = new[] { new Assessment() }
};
// need to populate the date
arNewAssessmentRun.AssessmentStats.date =
(uint)(DateTime.Now.Minute * 1000 + DateTime.Now.Second * 50 + DateTime.Now.Millisecond);
// This should be enough to create unique timestamps
return(arNewAssessmentRun);
}
public static string getFileIndexValue(UInt32 uFileIndexId, AssessmentRun assessmentRun)
{
if (uFileIndexId > 0 && uFileIndexId <= assessmentRun.FileIndeces.Length)
{
return(assessmentRun.FileIndeces[uFileIndexId - 1].value);
}
return("");
}
public virtual bool applyFilterAndPopulateList(AssessmentRun arAssessmentRun,
AssessmentAssessmentFileFinding fFinding,
List<AssessmentAssessmentFileFinding>
lfFindingsThatMatchCriteria,
List<AssessmentAssessmentFile> lafFilteredAssessmentFiles)
{
return false;
}
/// <summary>
/// Legacy method to add a text to string indexes (_note that is it a very inneficient process)
/// </summary>
/// <param name="sTextToAdd"></param>
/// <param name="assessmentRun"></param>
/// <returns></returns>
public static UInt32 addTextToStringIndexes(String sTextToAdd, AssessmentRun assessmentRun)
{
var dStringIndexes = new Dictionary <string, uint>();
foreach (AssessmentRunStringIndex stringIndex in assessmentRun.StringIndeces)
{
dStringIndexes.Add(stringIndex.value, stringIndex.id);
}
var index = addTextToStringIndexes(sTextToAdd, assessmentRun);
assessmentRun.StringIndeces = createStringIndexArrayFromDictionary(dStringIndexes);
return(index);
}
/* public static UInt32 addTextToStringIndexes(String sTextToAdd, AssessmentRun arAssessmentRun)
* {
* try
* {
* //return 0;
* if (sTextToAdd == null)
* return 0;
* var dStringIndexes = new Dictionary<string, uint>();
* foreach (AssessmentRunStringIndex siStringIndex in arAssessmentRun.StringIndeces)
* dStringIndexes.Add(siStringIndex.value, siStringIndex.id);
* // if the text already exists return it
* if (dStringIndexes.ContainsKey(sTextToAdd))
* return dStringIndexes[sTextToAdd];
* // if not add it at the end
* UInt32 uNewId = (UInt32)dStringIndexes.Count + 1;
* dStringIndexes.Add(sTextToAdd, uNewId);
* // and update the main string indexes
* //arAssessmentRun.StringIndeces = createStringIndexArrayFromDictionary(dStringIndexes);
* return uNewId;
* }
* catch (Exception ex)
* {
* DI.log.ex(ex, "in addTextToStringIndexes ");
* return 0;
* }
* }*/
/// <summary>
/// Legacy method to add a text to string indexes (_note that is it a very inneficient process)
/// </summary>
/// <param name="sTextToAdd"></param>
/// <param name="assessmentRun"></param>
/// <returns></returns>
public static UInt32 addTextToFileIndexes(String sTextToAdd, AssessmentRun assessmentRun)
{
var dFilesIndexes = new Dictionary <string, uint>();
foreach (AssessmentRunFileIndex siFileIndexes in assessmentRun.FileIndeces)
{
dFilesIndexes.Add(siFileIndexes.value, siFileIndexes.id);
}
var index = addTextToStringIndexes(sTextToAdd, assessmentRun);
assessmentRun.FileIndeces = createFileIndexArrayFromDictionary(dFilesIndexes);
return(index);
}
/// <summary>
/// This function loads up the ozasmtSource file and adds its stats to a new finding called savedCreatedOzasmtAs
/// which will have the fingdings in o2AssessmentTarget
/// </summary>
/// <param name="ozasmtSource"></param>
/// <param name="o2AssessmentTarget"></param>
/// <param name="savedCreatedOzasmtAs"></param>
public bool addAssessmentStatsFromSourceToO2AssessmentAndSaveIt(string ozasmtSource, IO2Assessment o2AssessmentTarget, string savedCreatedOzasmtAs)
{
AssessmentRun assessmentRunToImport = OzasmtUtils_OunceV6.LoadAssessmentRun(ozasmtSource);
var targetAssessmentRun = createAssessmentRunObject(o2AssessmentTarget);
// map assessmentRunToImport to targetAssessmentRun
// add targetAssessmentRun top level data
targetAssessmentRun.AssessmentStats = assessmentRunToImport.AssessmentStats;
targetAssessmentRun.AssessmentConfig = assessmentRunToImport.AssessmentConfig;
targetAssessmentRun.Messages = assessmentRunToImport.Messages;
// add Assessment data
targetAssessmentRun.Assessment.assessee_name = assessmentRunToImport.Assessment.assessee_name;
targetAssessmentRun.Assessment.AssessmentStats = assessmentRunToImport.AssessmentStats;
targetAssessmentRun.Assessment.owner_name = assessmentRunToImport.Assessment.owner_name;
targetAssessmentRun.Assessment.owner_type = assessmentRunToImport.Assessment.owner_type;
// add project and file data
//create backup of current findings
var currentAssessmentDataBackup = targetAssessmentRun.Assessment.Assessment[0]; // there should only be one
// assign current Assessment array to assessmentRunToImport.Assessment.Assessment
targetAssessmentRun.Assessment.Assessment = assessmentRunToImport.Assessment.Assessment;
// remove all findings references (since what we want is the stats
foreach (var assessment in targetAssessmentRun.Assessment.Assessment)
{
if (assessment.AssessmentFile != null)
{
foreach (var assessmentFile in assessment.AssessmentFile)
{
assessmentFile.Finding = null;
}
}
}
// apppend the currentAssessmentDataBackup to the current Assessment Array
var assessments = new List <Assessment>(targetAssessmentRun.Assessment.Assessment);
assessments.Add(currentAssessmentDataBackup);
targetAssessmentRun.Assessment.Assessment = assessments.ToArray();
//targetAssessmentRun.name = "AAAA";
// save it
return(OzasmtUtils_OunceV6.SaveAssessmentRun(assessmentRun, savedCreatedOzasmtAs));
}
public static List <IO2Trace> getO2TraceFromCallInvocation(CallInvocation[] callInvocations,
AssessmentRun assessmentRun)
{
var o2Traces = new List <IO2Trace>();
if (callInvocations != null)
{
foreach (CallInvocation callInvocation in callInvocations)
{
var o2Trace = new O2Trace
{
clazz = getStringIndexValue(callInvocation.cn_id, assessmentRun),
columnNumber = callInvocation.column_number,
context = getStringIndexValue(callInvocation.cxt_id, assessmentRun),
file = getFileIndexValue(callInvocation.fn_id, assessmentRun),
lineNumber = callInvocation.line_number,
method = getStringIndexValue(callInvocation.mn_id, assessmentRun),
ordinal = callInvocation.ordinal,
// for the signature try to use the sig_id and if that is 0 then use mn_id
signature = getStringIndexValue((callInvocation.sig_id != 0) ? callInvocation.sig_id : callInvocation.mn_id, assessmentRun),
taintPropagation = callInvocation.taint_propagation,
traceType =
(TraceType)
Enum.Parse(typeof(TraceType),
callInvocation.trace_type.ToString())
};
if (callInvocation.Text != null)
{
o2Trace.text = new List <string>(callInvocation.Text);
}
//if (callInvocation.CallInvocation1 != null) // means there are child traces
//{
o2Trace.childTraces = getO2TraceFromCallInvocation(callInvocation.CallInvocation1, assessmentRun);
/*new List<O2Trace>();
*
* foreach (CallInvocation childCallInvocation in callInvocation.CallInvocation1)
* o2Trace.childTraces.Add(getO2TraceFromCallInvocation(childCallInvocation, assessmentRun));*/
//}
o2Traces.Add(o2Trace);
}
}
return(o2Traces);
}
internal static string calculateAssessmentNameFromScans(AssessmentRun assessmentRun)
{
string assessmentName = "";
//if (null != assessmentRun != null && null != assessmentRun.Assessment != null && null != assessmentRun.Assessment.Assessment)
// foreach (Assessment assessment in assessmentRun.Assessment.Assessment)
var results = from assessment in assessmentRun.Assessment.Assessment
select new { assessment.assessee_name, assessment.owner_name };
//var assessmentNames = from AssessmentRunAssessment assessment in assessmentRun.Assessment.Assessment select assessment;
foreach (var result in results)
{
assessmentName +=
(string.IsNullOrEmpty(result.assessee_name) == false) ? result.assessee_name : (
(string.IsNullOrEmpty(result.owner_name) == false) ? Path.GetFileNameWithoutExtension(result.owner_name) : "") + " : ";
}
//if (assessmentName.Length > 0)
// assessmentName = assessmentName.Substring(0, assessmentName.Length - 3);
return(assessmentName);
}
public static List<IO2Trace> getO2TraceFromCallInvocation(CallInvocation[] callInvocations,
AssessmentRun assessmentRun)
{
var o2Traces = new List<IO2Trace>();
if (callInvocations != null)
{
foreach (CallInvocation callInvocation in callInvocations)
{
var o2Trace = new O2Trace
{
clazz = getStringIndexValue(callInvocation.cn_id, assessmentRun),
columnNumber = callInvocation.column_number,
context = getStringIndexValue(callInvocation.cxt_id, assessmentRun),
file = getFileIndexValue(callInvocation.fn_id, assessmentRun),
lineNumber = callInvocation.line_number,
method = getStringIndexValue(callInvocation.mn_id, assessmentRun),
ordinal = callInvocation.ordinal,
// for the signature try to use the sig_id and if that is 0 then use mn_id
signature = getStringIndexValue((callInvocation.sig_id != 0) ? callInvocation.sig_id : callInvocation.mn_id, assessmentRun),
taintPropagation = callInvocation.taint_propagation,
traceType =
(TraceType)
Enum.Parse(typeof(TraceType),
callInvocation.trace_type.ToString())
};
if (callInvocation.Text != null)
o2Trace.text = new List<string>(callInvocation.Text);
//if (callInvocation.CallInvocation1 != null) // means there are child traces
//{
o2Trace.childTraces = getO2TraceFromCallInvocation(callInvocation.CallInvocation1, assessmentRun);
/*new List<O2Trace>();
foreach (CallInvocation childCallInvocation in callInvocation.CallInvocation1)
o2Trace.childTraces.Add(getO2TraceFromCallInvocation(childCallInvocation, assessmentRun));*/
//}
o2Traces.Add(o2Trace);
}
}
return o2Traces;
}
public static IO2Finding getO2Finding(AssessmentAssessmentFileFinding finding,
AssessmentAssessmentFile assessmentFile, AssessmentRun assessmentRun)
{
var o2Finding = new O2Finding
{
actionObject = finding.actionobject_id,
columnNumber = finding.column_number,
confidence = finding.confidence,
exclude = finding.exclude,
file = assessmentFile.filename,
lineNumber = finding.line_number,
ordinal = finding.ordinal,
propertyIds = finding.property_ids,
recordId = finding.record_id,
severity = finding.severity,
o2Traces = getO2TraceFromCallInvocation(finding.Trace, assessmentRun),
};
if (finding.cxt_id != null)
o2Finding.context = getStringIndexValue(UInt32.Parse(finding.cxt_id), assessmentRun);
o2Finding.callerName = finding.caller_name;
if (o2Finding.callerName == null && finding.caller_name_id != null)
o2Finding.callerName = getStringIndexValue(UInt32.Parse(finding.caller_name_id), assessmentRun);
o2Finding.projectName = finding.project_name;
if (o2Finding.projectName == null && finding.project_name_id != null)
o2Finding.projectName = getStringIndexValue(UInt32.Parse(finding.project_name_id), assessmentRun);
o2Finding.vulnName = finding.vuln_name;
if (o2Finding.vulnName == null && finding.vuln_name_id != null)
o2Finding.vulnName = getStringIndexValue(UInt32.Parse(finding.vuln_name_id), assessmentRun);
o2Finding.vulnType = finding.vuln_type;
if (o2Finding.vulnType == null && finding.vuln_type_id != null)
o2Finding.vulnType = getStringIndexValue(UInt32.Parse(finding.vuln_type_id), assessmentRun);
if (finding.Text != null)
o2Finding.text = new List<string>(finding.Text);
OzasmtUtils.fixExternalSourceSourceMappingProblem(o2Finding);
return o2Finding;
}
/// <summary>
/// Legacy method to add a text to string indexes (_note that is it a very inneficient process)
/// </summary>
/// <param name="sTextToAdd"></param>
/// <param name="assessmentRun"></param>
/// <returns></returns>
public static UInt32 addTextToStringIndexes(String sTextToAdd, AssessmentRun assessmentRun)
{
var dStringIndexes = new Dictionary<string, uint>();
foreach (AssessmentRunStringIndex stringIndex in assessmentRun.StringIndeces)
dStringIndexes.Add(stringIndex.value, stringIndex.id);
var index = addTextToStringIndexes(sTextToAdd, assessmentRun);
assessmentRun.StringIndeces = createStringIndexArrayFromDictionary(dStringIndexes);
return index;
}
/* public static UInt32 addTextToStringIndexes(String sTextToAdd, AssessmentRun arAssessmentRun)
{
try
{
//return 0;
if (sTextToAdd == null)
return 0;
var dStringIndexes = new Dictionary<string, uint>();
foreach (AssessmentRunStringIndex siStringIndex in arAssessmentRun.StringIndeces)
dStringIndexes.Add(siStringIndex.value, siStringIndex.id);
// if the text already exists return it
if (dStringIndexes.ContainsKey(sTextToAdd))
return dStringIndexes[sTextToAdd];
// if not add it at the end
UInt32 uNewId = (UInt32)dStringIndexes.Count + 1;
dStringIndexes.Add(sTextToAdd, uNewId);
// and update the main string indexes
//arAssessmentRun.StringIndeces = createStringIndexArrayFromDictionary(dStringIndexes);
return uNewId;
}
catch (Exception ex)
{
DI.log.ex(ex, "in addTextToStringIndexes ");
return 0;
}
}*/
/// <summary>
/// Legacy method to add a text to string indexes (_note that is it a very inneficient process)
/// </summary>
/// <param name="sTextToAdd"></param>
/// <param name="assessmentRun"></param>
/// <returns></returns>
public static UInt32 addTextToFileIndexes(String sTextToAdd, AssessmentRun assessmentRun)
{
var dFilesIndexes = new Dictionary<string, uint>();
foreach (AssessmentRunFileIndex siFileIndexes in assessmentRun.FileIndeces)
dFilesIndexes.Add(siFileIndexes.value, siFileIndexes.id);
var index = addTextToStringIndexes(sTextToAdd, assessmentRun);
assessmentRun.FileIndeces = createFileIndexArrayFromDictionary(dFilesIndexes);
return index;
}
private String resolveSink(AssessmentRun arAssessmentRun, CallInvocation[] cCallInvocation)
{
String sSink = getSmartTraceCallName(arAssessmentRun, cCallInvocation, TraceType.Known_Sink);
if (sSink != "") // LostSink case
sSink = "Sink: " + sSink;
else
sSink = "LostSink: " +
getSmartTraceCallName(arAssessmentRun, cCallInvocation, TraceType.Lost_Sink);
return sSink;
}
public override bool applyFilterAndPopulateList(AssessmentRun arAssessmentRun,
AssessmentAssessmentFileFinding fFinding,
List<AssessmentAssessmentFileFinding>
lfFindingsThatMatchCriteria,
List<AssessmentAssessmentFile> lafFilteredAssessmentFiles)
{
if (fFinding.Trace != null)
{
int iLostSinkId = AnalysisSearch.findTraceTypeInSmartTrace_Recursive_returnSigId(fFinding.Trace,
TraceType.
Lost_Sink);
if (iLostSinkId > 0) // need to figure out what happens when iLostSinkId =0
{
if (false == iLostSinksProcessed.Contains(iLostSinkId))
{
if (bChangeFindingData) // if required changed the name of this finding
applyFindingNameFormat(arAssessmentRun, fFinding, ffnFindingNameFormat);
lfFindingsThatMatchCriteria.Add(fFinding);
iLostSinksProcessed.Add(iLostSinkId);
return true;
}
}
}
return false;
}
public static bool createSerializedXmlFileFromAssessmentRunObject(AssessmentRun arAssessmentRunObjectToProcess,
String sTargetFile)
{
return Serialize.createSerializedXmlFileFromObject(arAssessmentRunObjectToProcess, sTargetFile, null);
}
public static void saveFilteredAssessmentRun(AssessmentRun arFilteredAssessmentRun, String sTargetFileName,
O2AssessmentData_OunceV6 fadO2AssessmentDataOunceV6)
{
if (arFilteredAssessmentRun.Assessment.Assessment[0].AssessmentFile == null)
DI.log.error(
" .There were no AssessmentFiles (with Fidings) using the current filter, so no file will be created");
else
{
// add the stringIndeces and FileIndexes from the original file (ideally these should be filtered so that only the ones that are used are include
arFilteredAssessmentRun.StringIndeces = fadO2AssessmentDataOunceV6.arAssessmentRun.StringIndeces;
arFilteredAssessmentRun.FileIndeces = fadO2AssessmentDataOunceV6.arAssessmentRun.FileIndeces;
// so that we can apply change back to the original project
arFilteredAssessmentRun.Assessment.owner_name =
fadO2AssessmentDataOunceV6.arAssessmentRun.Assessment.owner_name;
arFilteredAssessmentRun.Assessment.owner_type =
fadO2AssessmentDataOunceV6.arAssessmentRun.Assessment.owner_type;
arFilteredAssessmentRun.Assessment.Assessment[0].owner_name =
fadO2AssessmentDataOunceV6.arAssessmentRun.Assessment.Assessment[0].owner_name;
arFilteredAssessmentRun.Assessment.Assessment[0].owner_type =
fadO2AssessmentDataOunceV6.arAssessmentRun.Assessment.Assessment[0].owner_type;
// and save the serialized object as an Xml file
OzasmtUtils_OunceV6.createSerializedXmlFileFromAssessmentRunObject(arFilteredAssessmentRun, sTargetFileName);
// and display a quick analysis
outputQuickAnalysisOfAssessmentRunObject(arFilteredAssessmentRun);
}
}
public static void calculateSmartTraceCallStatistics(AssessmentRun arAssessmentRunToAnalyze, UInt32 uKey,
TraceType tTraceType, ref int iSmartTraces,
ref int iNonDuplicated, ref int iIgnoreRoot)
{
if (arAssessmentRunToAnalyze == null)
return;
FindingNameFormat ffnFindingNameFormat = FindingNameFormat.FindingType;
// using default value (we are not going to need this value here (since we are only calculating statistics))
bool bChangeFindingData = false; // this is the value that prevents changes
bool bDropDuplicateSmartTraces = false;
bool bIgnoreRootCallInvocation = false;
var ffsmSmartTraces = new AnalysisFilters.filter_FindSmartTrace_byID(uKey, tTraceType,
bDropDuplicateSmartTraces,
bIgnoreRootCallInvocation,
ffnFindingNameFormat,
bChangeFindingData);
bDropDuplicateSmartTraces = true;
var ffsmSmartTraces_NotDuplicated = new AnalysisFilters.filter_FindSmartTrace_byID(uKey, tTraceType,
bDropDuplicateSmartTraces,
bIgnoreRootCallInvocation,
ffnFindingNameFormat,
bChangeFindingData);
bIgnoreRootCallInvocation = true;
var ffsmSmartTraces_NotDuplicated_IgnoreRoot = new AnalysisFilters.filter_FindSmartTrace_byID(uKey,
tTraceType,
bDropDuplicateSmartTraces,
bIgnoreRootCallInvocation,
ffnFindingNameFormat,
bChangeFindingData);
// create lists to hold results
var lfFindingsThatMatchCriteria_SmartTraces = new List<AssessmentAssessmentFileFinding>();
var lfFindingsThatMatchCriteria_SmartTraces_NotDuplicated = new List<AssessmentAssessmentFileFinding>();
var lfFindingsThatMatchCriteria_SmartTraces_NotDuplicated_IgnoreRoot =
new List<AssessmentAssessmentFileFinding>();
if (StringsAndLists.notNull(arAssessmentRunToAnalyze, typeof (AssessmentRun).Name) &&
null != arAssessmentRunToAnalyze.Assessment.Assessment)
foreach (Assessment aAssessment in arAssessmentRunToAnalyze.Assessment.Assessment)
{
foreach (AssessmentAssessmentFile afAssessmentFile in aAssessment.AssessmentFile)
if (null != afAssessmentFile.Finding)
foreach (AssessmentAssessmentFileFinding fFinding in afAssessmentFile.Finding)
if (null != fFinding.Trace)
{
applyFilter(ffsmSmartTraces, lfFindingsThatMatchCriteria_SmartTraces, fFinding,
arAssessmentRunToAnalyze);
applyFilter(ffsmSmartTraces_NotDuplicated,
lfFindingsThatMatchCriteria_SmartTraces_NotDuplicated, fFinding,
arAssessmentRunToAnalyze);
applyFilter(ffsmSmartTraces_NotDuplicated_IgnoreRoot,
lfFindingsThatMatchCriteria_SmartTraces_NotDuplicated_IgnoreRoot,
fFinding, arAssessmentRunToAnalyze);
}
}
iSmartTraces = lfFindingsThatMatchCriteria_SmartTraces.Count;
iNonDuplicated = lfFindingsThatMatchCriteria_SmartTraces_NotDuplicated.Count;
iIgnoreRoot = lfFindingsThatMatchCriteria_SmartTraces_NotDuplicated_IgnoreRoot.Count;
}
public static bool applyFilter(AnalysisFilters.filter fFilterToApply,
List<AssessmentAssessmentFileFinding> lfTargetList,
AssessmentAssessmentFileFinding fFinding, AssessmentRun arAssessmentRunToAnalyze)
{
List<AssessmentAssessmentFile> lafFilteredAssessmentFiles = null;
// we are not using this here so make it null (all findings to analyze are provided one by one)
// invoke filter
return fFilterToApply.applyFilterAndPopulateList(arAssessmentRunToAnalyze, fFinding, lfTargetList,
lafFilteredAssessmentFiles);
}
public static void calculateFindingsStatistics(AssessmentRun arAssessmentRunToAnalyze, UInt32 iActionObjectId,
bool bMatchActionObjectId,
ref int iFindings, ref int iAssessmentFiles,
ref int iSmartTraces, ref int iLostSinks,
ref int iSmartTraces_NotDuplicate,
ref int iSmartTraces_NotDuplicate_IgnoreRoot,
ref int iLostSinks_NotDuplicate,
ref int iLostSinks_NotDuplicate_IgnoreRoot)
{
try
{
if (arAssessmentRunToAnalyze == null)
return;
FindingNameFormat ffnFindingNameFormat = FindingNameFormat.FindingType;
// using default value (we are not going to need this value here (since we are only calculating statistics))
bool bChangeFindingData = false; // this is the value that prevents changes
bool bIgnoreRootCallInvocation = false;
bool bDropDuplicateSmartTraces = false;
// filters to find all SmartTraces and Lost Sinks
var ffsmSmartTraces = new AnalysisFilters.filter_FindSmartTraces(bDropDuplicateSmartTraces,
bIgnoreRootCallInvocation,
ffnFindingNameFormat,
bChangeFindingData);
var fflLostSinks = new AnalysisFilters.filter_FindLostSinks(bDropDuplicateSmartTraces,
bIgnoreRootCallInvocation,
ffnFindingNameFormat, bChangeFindingData);
//filters to find SmartTraces and Lost Sinks when droping duplicate smart traces (bDropDuplicateSmartTraces = true;)
bDropDuplicateSmartTraces = true;
var ffsmSmartTraces_NotDuplicated = new AnalysisFilters.filter_FindSmartTraces(
bDropDuplicateSmartTraces, bIgnoreRootCallInvocation, ffnFindingNameFormat, bChangeFindingData);
var fflLostSinks_NotDuplicated = new AnalysisFilters.filter_FindLostSinks(bDropDuplicateSmartTraces,
bIgnoreRootCallInvocation,
ffnFindingNameFormat,
bChangeFindingData);
//filters to find SmartTraces and Lost Sinks when droping duplicate smart traces AND Ignoring the root call invocation (bIgnoreRootCallInvocation = true;)
bIgnoreRootCallInvocation = true;
var ffsmSmartTraces_NotDuplicated_IgnoreRoot =
new AnalysisFilters.filter_FindSmartTraces(bDropDuplicateSmartTraces, bIgnoreRootCallInvocation,
ffnFindingNameFormat, bChangeFindingData);
var fflLostSinks_NotDuplicated_IgnoreRoot =
new AnalysisFilters.filter_FindLostSinks(bDropDuplicateSmartTraces, bIgnoreRootCallInvocation,
ffnFindingNameFormat, bChangeFindingData);
// create lists to hold results
var lfFindingsThatMatchCriteria_SmartTraces = new List<AssessmentAssessmentFileFinding>();
var lfFindingsThatMatchCriteria_SmartTraces_NotDuplicated = new List<AssessmentAssessmentFileFinding>();
var lfFindingsThatMatchCriteria_SmartTraces_NotDuplicated_IgnoreRoot =
new List<AssessmentAssessmentFileFinding>();
var lfFindingsThatMatchCriteria_LostSinks = new List<AssessmentAssessmentFileFinding>();
var lfFindingsThatMatchCriteria_LostSinks_NotDuplicated = new List<AssessmentAssessmentFileFinding>();
var lfFindingsThatMatchCriteria_LostSinks_NotDuplicated_IgnoreRoot =
new List<AssessmentAssessmentFileFinding>();
if (StringsAndLists.notNull(arAssessmentRunToAnalyze, typeof (AssessmentRun).Name) &&
null != arAssessmentRunToAnalyze.Assessment.Assessment)
foreach (Assessment aAssessment in arAssessmentRunToAnalyze.Assessment.Assessment)
{
foreach (AssessmentAssessmentFile afAssessmentFile in aAssessment.AssessmentFile)
{
iAssessmentFiles++;
if (null != afAssessmentFile.Finding)
foreach (AssessmentAssessmentFileFinding fFinding in afAssessmentFile.Finding)
{
if (false == bMatchActionObjectId || fFinding.actionobject_id == iActionObjectId)
// bMatchActionObjectId decides if we filter the results by actionObjectID
{
iFindings++;
if (null != fFinding.Trace)
{
applyFilter(ffsmSmartTraces, lfFindingsThatMatchCriteria_SmartTraces,
fFinding, arAssessmentRunToAnalyze);
applyFilter(ffsmSmartTraces_NotDuplicated,
lfFindingsThatMatchCriteria_SmartTraces_NotDuplicated, fFinding,
arAssessmentRunToAnalyze);
applyFilter(ffsmSmartTraces_NotDuplicated_IgnoreRoot,
lfFindingsThatMatchCriteria_SmartTraces_NotDuplicated_IgnoreRoot,
fFinding, arAssessmentRunToAnalyze);
applyFilter(fflLostSinks, lfFindingsThatMatchCriteria_LostSinks, fFinding,
arAssessmentRunToAnalyze);
applyFilter(fflLostSinks_NotDuplicated,
lfFindingsThatMatchCriteria_LostSinks_NotDuplicated, fFinding,
arAssessmentRunToAnalyze);
applyFilter(fflLostSinks_NotDuplicated_IgnoreRoot,
lfFindingsThatMatchCriteria_LostSinks_NotDuplicated_IgnoreRoot,
fFinding, arAssessmentRunToAnalyze);
}
}
}
}
}
iSmartTraces = lfFindingsThatMatchCriteria_SmartTraces.Count;
iSmartTraces_NotDuplicate = lfFindingsThatMatchCriteria_SmartTraces_NotDuplicated.Count;
iSmartTraces_NotDuplicate_IgnoreRoot =
lfFindingsThatMatchCriteria_SmartTraces_NotDuplicated_IgnoreRoot.Count;
iLostSinks = lfFindingsThatMatchCriteria_LostSinks.Count;
iLostSinks_NotDuplicate = lfFindingsThatMatchCriteria_LostSinks_NotDuplicated.Count;
iLostSinks_NotDuplicate_IgnoreRoot =
lfFindingsThatMatchCriteria_LostSinks_NotDuplicated_IgnoreRoot.Count;
}
catch (Exception e)
{
DI.log.error("In calculateFindingsStatistics: {0}", e.Message);
}
}
// use this one for global queries (since we are not going to filter by ActionObjectID);
public static void calculateFindingsStatistics(AssessmentRun arAssessmentRunToAnalyze,
ref int iFindings, ref int iAssessmentFiles,
ref int iSmartTraces, ref int iLostSinks,
ref int iSmartTraces_NotDuplicate,
ref int iSmartTraces_NotDuplicate_IgnoreRoot,
ref int iLostSinks_NotDuplicate,
ref int iLostSinks_NotDuplicate_IgnoreRoot)
{
UInt32 iActionObjectId = 0; // this could be any number since it is bMatchActionObjectId that decides
bool bMatchActionObjectId = false;
calculateFindingsStatistics(arAssessmentRunToAnalyze, iActionObjectId, bMatchActionObjectId,
ref iFindings, ref iAssessmentFiles,
ref iSmartTraces, ref iLostSinks,
ref iSmartTraces_NotDuplicate, ref iSmartTraces_NotDuplicate_IgnoreRoot,
ref iLostSinks_NotDuplicate, ref iLostSinks_NotDuplicate_IgnoreRoot);
}
/*
public static void findLostSinks_into_DataGridView(DataGridView dgvDataGridView)
{
List<String> lsLostSinks = new List<string>();
Dictionary<Int32, Int32> dLostSinks = new Dictionary<Int32, Int32>();
dgvDataGridView.Columns.Clear();
dgvDataGridView.Columns.Add("ID", "LostSink ID");
dgvDataGridView.Columns.Add("LostSink", "LostSink Name");
dgvDataGridView.Columns.Add("Number of Occurences", "Number of Occurences");
dgvDataGridView.Columns.Add("Number of Occurences ND", "Number of Occurences ND");
dgvDataGridView.Columns.Add("Number of Occurences IR", "Number of Occurences IR");
int iLostSinksFound = 0, iTracesFound = 0, iFindings = 0 ;
if (o2.core.Utils.notNull(arAssessmentRun,typeof(AssessmentRun).Name))
if (null != arAssessmentRun.Assessment.Assessment)
foreach (Assessment aAssessment in arAssessmentRun.Assessment.Assessment)
{
foreach (AssessmentAssessmentFile afAssessmentFile in aAssessment.AssessmentFile)
if (null != afAssessmentFile.Finding)
foreach (AssessmentAssessmentFileFinding fFinding in afAssessmentFile.Finding)
{
iFindings++;
if (fFinding.Trace != null)
{
iTracesFound++;
int iLostSink_SigId = findInSmartTrace_Recursive(fFinding.Trace[0].CallInvocation1,TraceType.Lost_Sink);
if (iLostSink_SigId != -1)
{
iLostSinksFound++;
if (dLostSinks.ContainsKey(iLostSink_SigId))
dLostSinks[iLostSink_SigId]++;
else
dLostSinks[iLostSink_SigId] = 1;
}
}
}
}
dgvDataGridView.DataSource = null;
foreach (int iKey in dLostSinks.Keys)
if (iKey > -1)
{
int iSmartTrace = 0, iNonDuplicated = 0, iIgnoreRoot = 0;
calculateSmartTraceCallStatistics(arAssessmentRun, (UInt32)iKey, ref tTraceType, iSmartTrace, ref iNonDuplicated, ref iIgnoreRoot);
dgvDataGridView.Rows.Add(new Object[] {
iKey,
arAssessmentRun.StringIndeces[iKey - 1].value, //iKey-1 because of the way StringIndeces is populated
//dLostSinks[iKey],
iSmartTrace,
iNonDuplicated,
iIgnoreRoot
});
}
else
dgvDataGridView.Rows.Add(new Object[] { "_NOT RECOGNIZED STRINGS", dLostSinks[iKey] });
// reset DataGridView Column width
forms.dataGridView_Utils_MaxColumnsWidth(dgvDataGridView);
DI.log.info("Found {0} Unique Lost Sinks , out of {1} Lost Sinks, out of {2} Traces, out of {3} Findings",
dLostSinks.Keys.Count.ToString(), iLostSinksFound.ToString(), iTracesFound.ToString(), iFindings.ToString());
}*/
public static void outputQuickAnalysisOfAssessmentRunObject(AssessmentRun arAssessmentRunToAnalyze)
{
int iFindings = 0,
iAssessmentFiles = 0,
iSmartTraces = 0,
iLostSinks = 0,
iSmartTraces_NotDuplicate = 0,
iSmartTraces_NotDuplicate_IgnoreRoot = 0,
iLostSinks_NotDuplicate = 0,
iLostSinks_NotDuplicate_IgnoreRoot = 0;
calculateFindingsStatistics(arAssessmentRunToAnalyze,
ref iFindings, ref iAssessmentFiles,
ref iSmartTraces, ref iLostSinks,
ref iSmartTraces_NotDuplicate, ref iSmartTraces_NotDuplicate_IgnoreRoot,
ref iLostSinks_NotDuplicate, ref iLostSinks_NotDuplicate_IgnoreRoot);
DI.log.info(
" .AssessmentRun Stats: {0} Assesment files, {1} Findings, {2} Smart traces (DD={3} - IR={4}) , {5} Lost Sinks (ND={6} - IR={7})",
iAssessmentFiles.ToString(), iFindings.ToString()
, iSmartTraces.ToString(), iSmartTraces_NotDuplicate.ToString(),
iSmartTraces_NotDuplicate_IgnoreRoot.ToString()
, iLostSinks.ToString(), iLostSinks_NotDuplicate.ToString(),
iLostSinks_NotDuplicate_IgnoreRoot.ToString());
}
public static AssessmentRun getDefaultAssessmentRunObject()
{
// this is what we need to create a default assessment
var arNewAssessmentRun = new AssessmentRun
{
name = "DefaultAssessmentRun",
AssessmentStats = new AssessmentStats(),
FileIndeces = new AssessmentRunFileIndex[] { },
StringIndeces = new AssessmentRunStringIndex[] { }
};
var armMessage = new AssessmentRunMessage
{
id = 0,
message =
("Custom Assessment Run File created on " +
DateTime.Now)
};
arNewAssessmentRun.Messages = new[] { armMessage };
arNewAssessmentRun.Assessment = new AssessmentRunAssessment { Assessment = new[] { new Assessment() } };
// need to populate the date
arNewAssessmentRun.AssessmentStats.date =
(uint)(DateTime.Now.Minute * 1000 + DateTime.Now.Second * 50 + DateTime.Now.Millisecond);
// This should be enough to create unique timestamps
return arNewAssessmentRun;
}
public bool importFile(string fileToLoad, IO2Assessment o2Assessment)
{
try
{
if (canLoadFile(fileToLoad))
{
//o2Assessment.lastOzasmtImportWasItSucessfull = false;
//o2Assessment.lastOzasmtImportFile = fileToLoad;
//o2Assessment.lastOzasmtImportFileSize = Files.getFileSize(fileToLoad);
//DateTime startImportTime = DateTime.Now;
var timer = new O2Timer("Loaded assessment " + fileToLoad + " ").start();
AssessmentRun assessmentRunToImport = OzasmtUtils_OunceV6.LoadAssessmentRun(fileToLoad);
timer.stop();
/* assessmentRun.AssessmentConfig = assessmentRunToImport.AssessmentConfig;
* assessmentRun.AssessmentStats = assessmentRunToImport.AssessmentStats;
* assessmentRun.Messages = assessmentRunToImport.Messages;
* assessmentRun.name = assessmentRunToImport.name ?? OzasmtUtils_OunceV6.calculateAssessmentNameFromScans(assessmentRunToImport);*/
o2Assessment.name = assessmentRunToImport.name ??
OzasmtUtils_OunceV6.calculateAssessmentNameFromScans(assessmentRunToImport);
// I don't think I need this since the O2Finding objects have the full strings
// map top level objects
/*
* assessmentRun.FileIndeces = assessmentRunToImport.FileIndeces;
* assessmentRun.StringIndeces = assessmentRunToImport.StringIndeces;*/
// import findings
if (null != assessmentRunToImport.Assessment.Assessment)
{
foreach (Assessment assessment in assessmentRunToImport.Assessment.Assessment)
{
if (null != assessment.AssessmentFile)
{
foreach (AssessmentAssessmentFile assessmentFile in assessment.AssessmentFile)
{
if (assessmentFile.Finding != null)
{
foreach (AssessmentAssessmentFileFinding finding in assessmentFile.Finding)
{
o2Assessment.o2Findings.Add(OzasmtUtils_OunceV6.getO2Finding(finding,
assessmentFile,
assessmentRunToImport));
}
}
}
}
}
}
// if we made it this far all went ok;
//o2Assessment.lastOzasmtImportTimeSpan = DateTime.Now - startImportTime;
//o2Assessment.lastOzasmtImportWasItSucessfull = true;
return(true);
}
}
catch
(Exception ex)
{
"in importAssessmentRun: {0}".error(ex.Message);
}
return(false);
}
public static bool SaveAssessmentRun(AssessmentRun arAssessmentRun, String sTargetFile)
{
return createSerializedXmlFileFromAssessmentRunObject(arAssessmentRun, sTargetFile);
}
public override bool applyFilterAndPopulateList(AssessmentRun arAssessmentRun,
AssessmentAssessmentFileFinding fFinding,
List<AssessmentAssessmentFileFinding>
lfFindingsThatMatchCriteria,
List<AssessmentAssessmentFile> lafFilteredAssessmentFiles)
{
if (fFinding.Trace != null)
{
int iLostSinkId = AnalysisSearch.findTraceTypeInSmartTrace_Recursive_returnSigId(fFinding.Trace,
TraceType.
Lost_Sink);
if (iLostSinkId > 0) // need to figure out what happens when iLostSinkId =0
{
if (bChangeFindingData) // if required changed the name of this finding
applyFindingNameFormat(arAssessmentRun, fFinding, ffnFindingNameFormat);
if (bDropDuplicateSmartTraces)
return filterDuplicateFindings(lafFilteredAssessmentFiles, lfFindingsThatMatchCriteria,
fFinding, bIgnoreRootCallInvocation);
else
{
lfFindingsThatMatchCriteria.Add(fFinding);
return true;
}
}
}
return false;
}
internal static string calculateAssessmentNameFromScans(AssessmentRun assessmentRun)
{
string assessmentName = "";
//if (null != assessmentRun != null && null != assessmentRun.Assessment != null && null != assessmentRun.Assessment.Assessment)
// foreach (Assessment assessment in assessmentRun.Assessment.Assessment)
var results = from assessment in assessmentRun.Assessment.Assessment
select new {assessment.assessee_name, assessment.owner_name};
//var assessmentNames = from AssessmentRunAssessment assessment in assessmentRun.Assessment.Assessment select assessment;
foreach (var result in results)
assessmentName +=
(string.IsNullOrEmpty(result.assessee_name) == false) ? result.assessee_name : (
(string.IsNullOrEmpty(result.owner_name) == false) ? Path.GetFileNameWithoutExtension(result.owner_name) : "") + " : ";
//if (assessmentName.Length > 0)
// assessmentName = assessmentName.Substring(0, assessmentName.Length - 3);
return assessmentName;
}
public override bool applyFilterAndPopulateList(AssessmentRun arAssessmentRun,
AssessmentAssessmentFileFinding fFinding,
List<AssessmentAssessmentFileFinding>
lfFindingsThatMatchCriteria,
List<AssessmentAssessmentFile> lafFilteredAssessmentFiles)
{
if (sActionObjectIdToFind == fFinding.actionobject_id.ToString())
// and the actionObject matches the filter
{
if (false == bDropFindingsWithNoTraces)
{
lfFindingsThatMatchCriteria.Add(fFinding);
// always add to the list when bDropFindingsWithNoTraces is false
return true;
}
else if (null != fFinding.Trace)
// when bDropFindingsWithNoTraces only add the ones with traces
{
if (bChangeFindingData) // if required changed the name of this finding
applyFindingNameFormat(arAssessmentRun, fFinding, ffnFindingNameFormat);
if (bFilterDuplicateFindings)
// and if bFilterDuplicateFindings is true, consolidate the Trace into similar ones
return filterDuplicateFindings(lafFilteredAssessmentFiles, lfFindingsThatMatchCriteria,
fFinding, bIgnoreRootCallInvocation);
else
{
lfFindingsThatMatchCriteria.Add(fFinding);
return true;
}
}
}
return false;
}
private String getSmartTraceCallName(AssessmentRun arAssessmentRun, CallInvocation[] cCallInvocation,
TraceType tTraceType)
{
int iSmartTraceIndex = AnalysisSearch.findTraceTypeInSmartTrace_Recursive_returnSigId(cCallInvocation,
tTraceType);
if (iSmartTraceIndex > 0)
return arAssessmentRun.StringIndeces[iSmartTraceIndex - 1].value;
else
return "";
}
public static bool createSerializedXmlFileFromAssessmentRunObject(AssessmentRun arAssessmentRunObjectToProcess,
String sTargetFile)
{
return(Serialize.createSerializedXmlFileFromObject(arAssessmentRunObjectToProcess, sTargetFile, null));
}
private String resolveSource(AssessmentRun arAssessmentRun, CallInvocation[] cCallInvocation)
{
String sSource = "Source: " +
getSmartTraceCallName(arAssessmentRun, cCallInvocation, TraceType.Source);
return sSource;
}
public override bool applyFilterAndPopulateList(AssessmentRun arAssessmentRun,
AssessmentAssessmentFileFinding fFinding,
List<AssessmentAssessmentFileFinding>
lfFindingsThatMatchCriteria,
List<AssessmentAssessmentFile> lafFilteredAssessmentFiles)
{
if (fFinding.Trace != null)
{
if (bChangeFindingData) // if required changed the name of this finding
applyFindingNameFormat(arAssessmentRun, fFinding, ffnFindingNameFormat);
if (bDropDuplicateSmartTraces)
return filterDuplicateFindings(lafFilteredAssessmentFiles, lfFindingsThatMatchCriteria, fFinding,
bIgnoreRootCallInvocation);
else
{
lfFindingsThatMatchCriteria.Add(fFinding);
return true;
}
}
return false;
}
public static IO2Finding getO2Finding(AssessmentAssessmentFileFinding finding,
AssessmentAssessmentFile assessmentFile, AssessmentRun assessmentRun)
{
var o2Finding = new O2Finding
{
actionObject = finding.actionobject_id,
columnNumber = finding.column_number,
confidence = finding.confidence,
exclude = finding.exclude,
file = assessmentFile.filename,
lineNumber = finding.line_number,
ordinal = finding.ordinal,
propertyIds = finding.property_ids,
recordId = finding.record_id,
severity = finding.severity,
o2Traces = getO2TraceFromCallInvocation(finding.Trace, assessmentRun),
};
if (finding.cxt_id != null)
{
o2Finding.context = getStringIndexValue(UInt32.Parse(finding.cxt_id), assessmentRun);
}
o2Finding.callerName = finding.caller_name;
if (o2Finding.callerName == null && finding.caller_name_id != null)
{
o2Finding.callerName = getStringIndexValue(UInt32.Parse(finding.caller_name_id), assessmentRun);
}
o2Finding.projectName = finding.project_name;
if (o2Finding.projectName == null && finding.project_name_id != null)
{
o2Finding.projectName = getStringIndexValue(UInt32.Parse(finding.project_name_id), assessmentRun);
}
o2Finding.vulnName = finding.vuln_name;
if (o2Finding.vulnName == null && finding.vuln_name_id != null)
{
o2Finding.vulnName = getStringIndexValue(UInt32.Parse(finding.vuln_name_id), assessmentRun);
}
o2Finding.vulnType = finding.vuln_type;
if (o2Finding.vulnType == null && finding.vuln_type_id != null)
{
o2Finding.vulnType = getStringIndexValue(UInt32.Parse(finding.vuln_type_id), assessmentRun);
}
if (finding.Text != null)
{
o2Finding.text = new List <string>(finding.Text);
}
OzasmtUtils.fixExternalSourceSourceMappingProblem(o2Finding);
return(o2Finding);
}
public O2AssessmentSave_OunceV6()
{
engineName = "O2AssessmentSave_OunceV6";
assessmentRun = OzasmtUtils_OunceV6.getDefaultAssessmentRunObject();
}
public static bool SaveAssessmentRun(AssessmentRun arAssessmentRun, String sTargetFile)
{
return(createSerializedXmlFileFromAssessmentRunObject(arAssessmentRun, sTargetFile));
}
public O2AssessmentSave_OunceV6()
{
engineName = "O2AssessmentSave_OunceV6";
assessmentRun = OzasmtUtils_OunceV6.getDefaultAssessmentRunObject();
}
public static string getFileIndexValue(UInt32 uFileIndexId, AssessmentRun assessmentRun)
{
if (uFileIndexId > 0 && uFileIndexId <= assessmentRun.FileIndeces.Length)
return assessmentRun.FileIndeces[uFileIndexId - 1].value;
return "";
}
public void applyFindingNameFormat(AssessmentRun arAssessmentRun, AssessmentAssessmentFileFinding fFinding,
Analysis.FindingNameFormat ffnFindingNameFormat)
{
switch (ffnFindingNameFormat)
{
case Analysis.FindingNameFormat.FindingType: // do nothing in these cases
break;
case Analysis.FindingNameFormat.FindingType_Sink:
fFinding.vuln_type += " " +
resolveSink(arAssessmentRun, fFinding.Trace[0].CallInvocation1);
break;
case Analysis.FindingNameFormat.FindingType_Source:
fFinding.vuln_type += " " +
resolveSource(arAssessmentRun, fFinding.Trace[0].CallInvocation1);
break;
case Analysis.FindingNameFormat.Sink:
fFinding.vuln_type = " " +
resolveSink(arAssessmentRun, fFinding.Trace[0].CallInvocation1);
break;
case Analysis.FindingNameFormat.Source:
fFinding.vuln_type = " " +
resolveSource(arAssessmentRun, fFinding.Trace[0].CallInvocation1);
break;
case Analysis.FindingNameFormat.Sink_Source:
fFinding.vuln_type = resolveSink(arAssessmentRun, fFinding.Trace[0].CallInvocation1) +
" " +
resolveSource(arAssessmentRun, fFinding.Trace[0].CallInvocation1);
break;
case Analysis.FindingNameFormat.Source_Sink:
fFinding.vuln_type = resolveSource(arAssessmentRun, fFinding.Trace[0].CallInvocation1) +
" " +
resolveSink(arAssessmentRun, fFinding.Trace[0].CallInvocation1);
break;
}
}
