fortify fpr instead of xml
Scanner Name: currently DefectDojo expects an xml report for Fortify ("Fortify Scan - Import Findings from XML file format"); the default report format is the fpr file, which should be used instead.
Sample File: fpr, had to zip it to upload it: fortify_sast_front_end_20240220_629_9_1361_6018341.zip
Hi @schdief, I guess fpr format is the wrong format to be able to parse within DefectDojo, as it looks to me that fpr file formats can't be parsed in a decent way. If I open your fpr file in vscode, I can't view the content.
What is your opinion @mtesauro ? Can we close this?
@manuel-sommer the fpr is a zip itself, you can just unzip it and then parse it (audit.fvdl)
we currently parse it ourselves like this with Kotlin:

```kotlin
import java.io.InputStream
import java.util.zip.ZipInputStream

// FortifyTestResult and parseFortifyXML are defined elsewhere in the poster's code base.
// Walks the .fpr (a zip) once: audit.fvdl becomes the report, filters/*.txt become suppressions.
fun parseFortifyArchive(inputStream: InputStream): Pair<FortifyTestResult, List<String>> {
    var report: FortifyTestResult? = null
    val suppressions: MutableList<String> = mutableListOf()
    ZipInputStream(inputStream).use { zipInputStream ->
        generateSequence { zipInputStream.nextEntry }
            .filter { entry -> entry.name.matches(Regex(".*filters/.*txt|audit.fvdl")) }
            .mapNotNull { entry ->
                when {
                    // readText() stops at the end of the current zip entry
                    entry.name.endsWith("fvdl") -> parseFortifyXML(
                        zipInputStream.bufferedReader().readText()
                    )
                    entry.name.endsWith(".txt") -> zipInputStream.bufferedReader().readText()
                        .split("\n")
                        .filter { (!it.startsWith("#")) && it.isNotEmpty() }
                    else -> null
                }
            }.forEach {
                @Suppress("UNCHECKED_CAST") // Only ever adds strings
                when (it) {
                    is FortifyTestResult -> report = it
                    is List<*> -> suppressions.addAll(it as List<String>)
                }
            }
    }
    report?.let {
        return it to suppressions.toList()
    }
    throw NoSuchElementException("Couldn't parse audit.fvdl.")
}
```
Hi @schdief, what benefit does this change introduce? Is xml export of Fortify not available anymore or is relevant information missing in the xml export?
@manuel-sommer the xml report can only be generated with the legacy Fortify reporter (page 26): https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2310/SCA_Apps_Tools_23.1.0.pdf, as the current reporter cannot export xml (page 23): https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/2310/SCA_Apps_Tools_23.1.0.pdf
additionally, the result of a Fortify scan is an fpr file, so creating an xml report is an additional step that requires configuration, consumes resources and takes time
lastly, the fpr format is also used outside of CI/CD pipelines to manage Fortify vulnerabilities inside Fortify SSC; keeping the format will help the teams to switch to DefectDojo
Got it, thank you for the insights @schdief . One more question: the relevant file to parse within fdr is always audit.fvdl ?
> Got it, thank you for the insights @schdief . One more question: the relevant file to parse within fdr is always audit.fvdl ?
yes, that is the one we are currently processing to automatically check the report for critical or high CVEs
I started with a PR @schdief, but it is not yet finished.
> Hi @schdief, I guess fpr format is the wrong format to be able to parse within DefectDojo, as it looks to me that fpr file formats can't be parsed in a decent way. If I open your fpr file in vscode, I can't view the content.
@manuel-sommer Fortify FPR files are 'parse-able' after you de-compress them into the various files inside the compressed .fpr file. I think the reason this hasn't had a parser created for it is that:
- .fpr files are more 'interesting' to parse since you have to decompress the file before you can even parse anything
- XML is rather easy to parse and we had examples provided by the community
- I know I've asked community members who've put in issues for .fpr support over the years for a sample but this is the first time I'm aware where one was provided.
So, I don't see any problem with the current Fortify parser being updated to handle .fpr files ~ or ~ creating a new parser just for .fpr Fortify files now that we have a sample we can work from.
@schdief Thanks for providing a sample, that's very critical for adding a parser especially with commercial tools.
@schdief: How can I translate the Default Severity to DefectDojo severity ranking (Low, Medium, High, Critical) ?
@schdief could you please review the PR if all required information is within the findings?
> @schdief: How can I translate the Default Severity to DefectDojo severity ranking (Low, Medium, High, Critical) ?
this is our current implementation

```kotlin
// Quadrant split on the two Fortify axes; 2.5 is the midpoint of the 0-5 scale.
val severity = when {
    (impact >= 2.5) and (likelihood >= 2.5) -> Severity.CRITICAL
    (impact >= 2.5) and (likelihood < 2.5) -> Severity.HIGH
    (impact < 2.5) and (likelihood >= 2.5) -> Severity.MEDIUM
    (impact < 2.5) and (likelihood < 2.5) -> Severity.LOW
    else -> Severity.UNKNOWN
}
```
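As an added example (not code from this thread or from DefectDojo), here is the same idea in Python, DefectDojo's language: open the .fpr as a zip, pull out audit.fvdl, read each Vulnerability together with the rule metadata, and apply the impact/likelihood quadrant split from the Kotlin snippet above. The sample audit.fvdl is constructed for this example; its element names follow the FVDL layout as I know it (Vulnerability/ClassInfo/InstanceInfo, rule MetaInfo groups named Impact, Probability and Accuracy under EngineData/RuleInfo) and the likelihood formula is Fortify's documented one as I recall it. Both are assumptions to verify against a real audit.fvdl and the SCA docs.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # swap in defusedxml.ElementTree for untrusted .fpr files

# Constructed sample audit.fvdl, cut down to the elements read below. Element names follow
# the FVDL layout as I know it (assumption); check them against a real audit.fvdl.
SAMPLE_FVDL = """<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.12">
 <Vulnerabilities>
  <Vulnerability>
   <ClassInfo><ClassID>rule-sqli</ClassID><Type>SQL Injection</Type><DefaultSeverity>4.0</DefaultSeverity></ClassInfo>
   <InstanceInfo><InstanceID>i-0001</InstanceID><Confidence>5.0</Confidence></InstanceInfo>
   <AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true">
    <SourceLocation path="src/db.py" line="42" colStart="0" colEnd="0" snippet="x"/>
   </Node></Entry></Primary></Trace></Unified></AnalysisInfo>
  </Vulnerability>
  <Vulnerability>
   <ClassInfo><ClassID>rule-pw</ClassID><Type>Password Management</Type><Subtype>Hardcoded Password</Subtype>
    <DefaultSeverity>3.0</DefaultSeverity></ClassInfo>
   <InstanceInfo><InstanceID>i-0002</InstanceID><Confidence>2.0</Confidence></InstanceInfo>
   <AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true">
    <SourceLocation path="src/config.py" line="7" colStart="0" colEnd="0" snippet="x"/>
   </Node></Entry></Primary></Trace></Unified></AnalysisInfo>
  </Vulnerability>
  <Vulnerability>
   <ClassInfo><ClassID>rule-cookie</ClassID><Type>Cookie Security</Type><Subtype>Cookie not Sent Over SSL</Subtype>
    <DefaultSeverity>2.0</DefaultSeverity></ClassInfo>
   <InstanceInfo><InstanceID>i-0003</InstanceID><Confidence>5.0</Confidence></InstanceInfo>
   <AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true">
    <SourceLocation path="src/views.py" line="88" colStart="0" colEnd="0" snippet="x"/>
   </Node></Entry></Primary></Trace></Unified></AnalysisInfo>
  </Vulnerability>
 </Vulnerabilities>
 <EngineData><RuleInfo>
  <Rule id="rule-sqli"><MetaInfo><Group name="Impact">5.0</Group><Group name="Probability">4.0</Group>
   <Group name="Accuracy">5.0</Group><Group name="altcategoryCWE">CWE ID 89</Group></MetaInfo></Rule>
  <Rule id="rule-pw"><MetaInfo><Group name="Impact">4.0</Group><Group name="Probability">1.0</Group>
   <Group name="Accuracy">3.0</Group></MetaInfo></Rule>
  <Rule id="rule-cookie"><MetaInfo><Group name="Impact">2.0</Group><Group name="Probability">4.0</Group>
   <Group name="Accuracy">5.0</Group></MetaInfo></Rule>
 </RuleInfo></EngineData>
</FVDL>
"""

MAX_FVDL_BYTES = 256 * 1024 * 1024  # refuse decompression bombs before the XML parser sees them


def build_fpr(fvdl_text: str) -> bytes:
    """Pack an FVDL document into an in-memory .fpr: a plain zip with audit.fvdl inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", fvdl_text)
    return buf.getvalue()


def read_fvdl(fpr_bytes: bytes) -> str:
    """Return the audit.fvdl text from an .fpr, checking the declared uncompressed size first."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        info = zf.getinfo("audit.fvdl")  # KeyError: not an FPR, or a stripped one
        if info.file_size > MAX_FVDL_BYTES:
            raise ValueError("audit.fvdl exceeds the size limit")
        return zf.read(info).decode("utf-8")


def severity_from(impact: float, likelihood: float) -> str:
    """Same quadrant split as the Kotlin snippet in this thread, using DefectDojo's names."""
    if impact >= 2.5:
        return "Critical" if likelihood >= 2.5 else "High"
    return "Medium" if likelihood >= 2.5 else "Low"


def parse_fpr(fpr_bytes: bytes) -> list:
    """One finding dict per <Vulnerability>, severity derived from rule impact and instance likelihood."""
    root = ET.fromstring(read_fvdl(fpr_bytes))
    meta = {}  # rule id -> {"Impact": .., "Probability": .., "Accuracy": ..}
    for rule in root.iterfind(".//{*}RuleInfo/{*}Rule"):
        meta[rule.get("id")] = {
            g.get("name"): float(g.text)
            for g in rule.iterfind("{*}MetaInfo/{*}Group")
            if g.get("name") in ("Impact", "Probability", "Accuracy")
        }
    findings = []
    for vuln in root.iterfind(".//{*}Vulnerabilities/{*}Vulnerability"):
        class_info = vuln.find("{*}ClassInfo")
        instance = vuln.find("{*}InstanceInfo")
        rule_meta = meta.get(class_info.findtext("{*}ClassID"), {})
        confidence = float(instance.findtext("{*}Confidence", "0"))
        # Fortify's likelihood formula as I recall it (assumption): (Accuracy * Confidence * Probability) / 25
        likelihood = rule_meta.get("Accuracy", 0.0) * confidence * rule_meta.get("Probability", 0.0) / 25
        impact = rule_meta.get("Impact", 0.0)
        title = class_info.findtext("{*}Type", "")
        subtype = class_info.findtext("{*}Subtype")
        if subtype:
            title += ": " + subtype
        loc = vuln.find(".//{*}Primary/{*}Entry/{*}Node/{*}SourceLocation")
        findings.append({
            "unique_id": instance.findtext("{*}InstanceID"),
            "title": title,
            "file": loc.get("path") if loc is not None else None,
            "line": int(loc.get("line")) if loc is not None else None,
            "impact": impact,
            "likelihood": likelihood,
            "severity": severity_from(impact, likelihood),
        })
    return findings


if __name__ == "__main__":
    for f in parse_fpr(build_fpr(SAMPLE_FVDL)):
        print(f["severity"], f["title"], f["file"], f["line"])
```

Two points a parser for uploaded reports should keep: the size check on the zip entry's declared uncompressed size before inflating (an .fpr is user-supplied input to the server), and a hardened XML parser such as defusedxml, since audit.fvdl is plain XML and a hostile upload could carry entity expansion. The suppression lists under filters/*.txt that the Kotlin version also reads are left out here; the Kotlin version shows the filter.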
Done, thank you for the input.
Could we close this issue please @schdief and @mtesauro ?
> Could we close this issue please @schdief and @mtesauro ?
yeah sure, thanks a lot for implementing it that fast ❤️ The next release will be on March 4th, right? will it be part of that?
@schdief Correct it will be part of 2.32.0 which will happen early next week - likely Monday.
I tried to use the import of fpr-reports, but I get some internal server error. Can you have a look at my issue: https://github.com/DefectDojo/django-DefectDojo/issues/9958