[Owasp-o2-platform] Using O2 to Parse and Visualize Fortify's FVDL files

dinis cruz dinis.cruz at owasp.org
Tue Jul 19 01:39:48 EDT 2011

Following a request from an O2 user who needed to parse a 430Mb FVDL file
(which Fortify's own tool couldn't open), during the last weekend I created
a parser and a couple of visualizing tools so that now we can use O2 to consume
FVDL files (as sample files, I used the data published by NIST
SAMATE<http://samate.nist.gov/> on
its SATE 2008 <http://samate.nist.gov/SATE2008.html> project).

I took the time to document my process and workflow in a series of blog
posts. These posts show how to go from a raw XML file into an
easily consumable and highly scalable solution/toolkit. They are a good
example of the type of workflows that O2 has been designed to enable.

Here are the blog posts (with the newest on top since those are the ones
with the final result)

   - Fortify FVDL Files – First working Parser and Viewer for *.fvdl

   - Fortify FVDL Files – Simple Viewer based on

   - Fortify FVDL Files – Looking at the API_Fortify classes that parse the
   fvdl data<http://o2platform.wordpress.com/2011/07/18/fortify-fvdl-files-looking-at-the-api_fortify-classes-that-parse-the-fvdl-data/>

   - Fortify FVDL files – Creating .NET classes that map to Fvdl xml
   - Fortify FVDL files – Creating an API and consumining
   - Fortify FVDL files – Simple TableList Viewer

   - Fortify FVDL files – Creating and consuming the schema and CSharp

I'm pretty happy with the end result, since it was quite easy to write the
parser, and the end solution scales very nicely. Also, as you will see, there
is a LOT of great data that is included inside the original XML file, so the
next step is to build a couple more tools to filter/view/visualize it (for
example: a view that filters the vulnerabilities by type/severity and shows
the traces using the included code-snippets).

If you have access to Fortify FVDL files, please give this tool a test-drive
and see if you can spot any issues with the XSD that was created (we also
will most likely need to create special parsing methods to deal with the
variations between the multiple versions of FVDL files).

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2