[Owasp-o2-platform] [SC-L] Static Analysis Findings

Dinis Cruz dinis at ddplus.net
Mon Nov 16 16:31:25 EST 2009


The OWASP O2 Platform (see http://www.owasp.org/index.php/OWASP_O2_Platformand
http://www.o2-ounceopen.com/ ) already is able to import into its internal
Findings format (defined by the C# interfaces IO2Finding and IO2Trace (see
OWASP_O2_Platform/Docs/O2Findings_Schema<http://www.owasp.org/index.php/OWASP_O2_Platform/Docs/O2Findings_Schema>))
artifacts from:

   - Ounce Labs *.ozasmt format version 5.x and 6.x
   - Ounce Labs *.ozasmt format version 7.x
   - AppScan Developer Edition (latest version)
   - Cat.NET v1.0 (not the version released last week, but the one before)
   - FindBugs
   - CodeCrawler
   - Fortify *.fvdl v1.3 format (very basic mapping from the only sample
   assessment file I could find on google (stunnel.fvdl))
   - WebScarab logs (the main release not the NG one)

Note that most of the 'converters' above were written as PoC to show O2's
interoperability, and they really need some users of those tools to take a
good look at the conversion and provide feedback on the best way to
represent/convert that data.

The key factor of the O2 Platform, is that it was designed to make it easy
and fast to add new filters. For XML formats, my process is usually:

   - step 1) grab the XSD (if not available use Visual Studio to create it),
   and use the XSD.EXE tool (Visual Studio SDK) to create a C# object
   representation of it
   - step 2) Use C# Serializer to convert the source file into this C#
   object
   - step 3) figure out how the XML file works and write a transformation C#
   script into the O2 Findings format
   - step 4) I usually write steps 1 to 3 using the O2 Tool -
Scripts<http://deploy.o2-ounceopen.com/O2_Tool_O2Scripts/>module
(since that allows for easy interaction with other O2 controls (like
   the Findings Viewer)) and when the script is mature, I add it as a core O2
   feature (usually to the O2_ImportExport_Misc project)

I'm pushing the O2 Platform to support as many file formats as possible, and
*my plan is to eventually cover ALL OWASP tools and ALL major WebAppSec and
Network tools. *

In the short term, I (or other O2 developers) can write these converters
(since all we need is an XSD and somebody who knows how that file works),
but ideally, *in the future, each tool developed should be responsible for
maintaining and updating their O2 Converters (since we will need to support
ALL published versions of their tools).*

And if you don't like to write in C#, you can write it in Python (
O2_Tool_Python <http://deploy.o2-ounceopen.com/O2_Tool_Python/>) or in Java
(O2_Tool_JavaExecution<http://deploy.o2-ounceopen.com/O2_Tool_JavaExecution/>
)

For reference I added to
http://www.owasp.org/index.php/O2#tab=O2_Documentation WIKI pages, a copy of
the current O2 Import functions and schemas (XSD). Here are the main links:

   - OWASP_O2_Platform/Docs/O2Findings_Schema<http://www.owasp.org/index.php/OWASP_O2_Platform/Docs/O2Findings_Schema>
      - OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssessmentLoad_OunceV6<http://www.owasp.org/index.php/OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssessmentLoad_OunceV6>
      - OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssessmentLoad_OunceV6_1<http://www.owasp.org/index.php/OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssessmentLoad_OunceV6_1>
      - OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_AppScanDE<http://www.owasp.org/index.php/OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_AppScanDE>
      - OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_CodeCrawler<http://www.owasp.org/index.php/OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_CodeCrawler>
      - OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_FindBugs<http://www.owasp.org/index.php/OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_FindBugs>
      - OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_Fortify<http://www.owasp.org/index.php/OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_Fortify>
      - OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_WebScarab<http://www.owasp.org/index.php/OWASP_O2_Platform/Docs/O2Findings_Schema/O2AssesmentLoad_WebScarab>

I have swapped several times ideas with John Steven from Cigital and he is
doing an similar effort internally (at Cigital) which is very similar to
O2's approach. The idea (when John is able to publish his stuff) is to
create a number of open standards which would merge our ideas (and others
from the community) into a bunch of unified schemas:

   - OFs - Open Findings schema
   - ORs - Open Rules schema
   - OCRs - Open Code Representation schema
   - OAWs - Open Assessment Workflow schema

Finally, since the cat is finally out of the bag with O2, * I would like to
formally invite the other vendors in this space (**Fortify, Klocwork,
Coverity, HPl, Cenzic, etc...) to embrace O2, and write the converters
from/to their file formats.*

Thanks

Dinis Cruz

On Mon, Nov 16, 2009 at 2:16 PM, McGovern, James F. (eBusiness) <
James.McGovern at thehartford.com> wrote:

>  I spent some time over the weekend looking at the Ounce Findings file
> (OZASMT) and wonder if the community at large should push Ounce, Fortify,
> Klocwork, Coverity, etc to come up with an interoperable XML-based way of
> exchanging findings?
>
> ************************************************************
> This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information.  If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited.  If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
> ************************************************************
>
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20091116/19607af5/attachment.html 


More information about the Owasp-o2-platform mailing list