
Fortify fpr-parser is not adding all finding information #11903

Open
GeofoxCoding opened this issue Feb 26, 2025 · 1 comment


GeofoxCoding commented Feb 26, 2025

Hello,

Our teams recognized that the newer fpr-parser for Fortify is not reading and transferring all available information from the *.fpr/audit.fvdl into DefectDojo.

We compared two imports.

  1. XML
    with example file: https://github.com/DefectDojo/django-DefectDojo/blob/master/unittests/scans/fortify/fortify_many_findings.xml

In the result both description and mitigation have clear content:
Image

  2. FPR
    with example file: https://github.com/DefectDojo/django-DefectDojo/blob/master/unittests/scans/fortify/many_findings.fpr

The result shows only a minimum of information in the description and no mitigation information. This makes it hard to impossible to do a rating of the finding in DefectDojo.
Image

It should be possible to enhance this. Let's take an example finding from audit.fvdl:

<Vulnerability>
  <ClassInfo>
    <ClassID>78E0700E-56FE-45A2-A11B-6A560F730576</ClassID>
    <Kingdom>Encapsulation</Kingdom>
    <Type>Cross-Site Request Forgery</Type>
    <AnalyzerName>content</AnalyzerName>
    <DefaultSeverity>2.0</DefaultSeverity>
  </ClassInfo>
  <InstanceInfo>
    <InstanceID>C85783901853490631AC2FDCE6AC9175</InstanceID>
    <InstanceSeverity>2.0</InstanceSeverity>
    <Confidence>5.0</Confidence>
  </InstanceInfo>
  <AnalysisInfo>
    <Unified>
      <Context/>
      <ReplacementDefinitions>
        <Def key="PrimaryLocation.file" value="checkout4.html"/>
        <Def key="PrimaryLocation.line" value="505"/>
      </ReplacementDefinitions>
      <Trace>
        <Primary>
          <Entry>
            <Node isDefault="true">
              <SourceLocation path="public/checkout4.html" line="505" lineEnd="592" colStart="21" colEnd="0" snippet="8AB8B486BA201077815CD26372AD96C7#public/checkout4.html:505:592"/>
            </Node>
          </Entry>
        </Primary>
      </Trace>
    </Unified>
  </AnalysisInfo>
</Vulnerability>

Both the snippet id 8AB8B486BA201077815CD26372AD96C7 and class id 78E0700E-56FE-45A2-A11B-6A560F730576 can be used to get other nodes in the same file to get more information. The class id points to a Description node and a Rule node.

The description can be split by "Additional mitigation techniques include:", where the second part can move into the DefectDojo mitigation section. Abstract, source and mitigation can then be included in the same way as in the xml-parser output.

It would be great if you could improve this feature.

valentijnscholten (Member) commented:

Linking to #11901 where it is suggested to use (or copy from) https://github.com/jaxley/python-fortify.
