Fortify Parser: Fortification of the the FPR parsing

[Maffooch]

The fortify parser made a lot of assumptions on the exact structure of the XML, and did not leave much room for error. This PR accommodates the absences of some data, as well as supporting some variance in formats

[sc-7434]

[dryrunsecurity]

DryRun Security Summary

This pull request focuses on improving the security and robustness of the Fortify parser functionality within the Dojo application security platform, including adding validation for file extensions, refactoring and enhancing the FortifyFPRParser class to handle different file formats, extract more detailed vulnerability information, and calculate accurate severity levels, thereby strengthening the overall security and reliability of the Fortify parsing capabilities.

Expand for full summary

Summary:

The code changes in this pull request focus on improving the security and robustness of the Fortify parser functionality within the Dojo application security platform. The changes include adding validation for file extensions in the FortifyParser class to prevent parsing of potentially malicious files, as well as refactoring and enhancing the FortifyFPRParser class to handle different file formats, extract more detailed vulnerability information, and calculate accurate severity levels. These improvements help to strengthen the overall security and reliability of the Fortify parsing capabilities within the Dojo application.

Files Changed:

1. dojo/tools/fortify/parser.py:

   • The get_findings method now includes an else block that raises a ValueError if the provided filename does not have a .xml or .fpr extension. This is a security enhancement that ensures the parser only accepts files with the expected extensions, preventing the parsing of potentially malicious files with unsupported extensions.

2. dojo/tools/fortify/fpr_parser.py:

   • The code now handles the case where the filename parameter is a file-like object (TextIOWrapper) instead of just a file path, and reads all the files from the zip archive into a dictionary for easier processing.
   • The code identifies the namespace (if any) used in the XML file and stores it in a class variable, allowing the use of the correct namespace when parsing the XML elements.
   • The code has been refactored to separate the parsing of different types of information (class, instance, and analysis) into separate methods, making the code more modular and easier to maintain.
   • The code now has a dedicated method parse_severity_and_convert that converts the numeric severity and confidence values into a string severity level (Critical, High, Medium, Low, or Info).
   • The code now extracts more detailed information about the source location of the vulnerability, including the file path, line number, column numbers, and a code snippet.
   • The use of the defusedxml library helps to mitigate potential security risks associated with XML parsing.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[mtesauro]

Approved

[cneill]

Just a tiny suggestion to clarify that we don't want .xml.fpr but .xml or .fpr