Tuesday, 19 July 2011

Using O2 to Parse and Visualize Fortify's FVDL files

Following a request from an O2 user that needed to parse an 430Mb FVDL file (which Fortify's own tool couldn't open), during the last weekend I created a parser and couple visualizing tools so that now we can use O2 to consume FVDL files (as sample files, I used the data published by NIST SAMATE on its SATE 2008 project)

I took the time to document my process and workflow on a series of blogs posts. These posts show how to go from a raw XML file into a easily consumable and highly scalable solution/toolkit. They are a good example of the type of workflows that O2 has been designed to enable.

Here are the blog posts (with the newest on top since those are the ones with the final result)
I'm pretty happy with the end result, since it was quite easy to write the parser, and the end solution scales very nicely. Also as you will see, there is a LOT of great data that is included inside the original XML file, so the next step is to build a couple more tools to filter/view/visualize it (for example: a view that filters the vulnerabilities by type/severity and shows the traces using the included code-snippets)

If you have access to Fortify FVDL files, please give this tool a test-drive and see if you can spot any issues with the XSD that was created (we also will most likely need to create special parsing methods to deal with the variations between the multiple versions of FVDL files).