Description
Hello,
Our teams noticed that the newer FPR parser for Fortify does not read and transfer all available information from the *.fpr/audit.fvdl into DefectDojo.
We compared two imports.
- XML
  with example file: https://github.com/DefectDojo/django-DefectDojo/blob/master/unittests/scans/fortify/fortify_many_findings.xml
  In the result, both description and mitigation have clear content.
- FPR
  with example file: https://github.com/DefectDojo/django-DefectDojo/blob/master/unittests/scans/fortify/many_findings.fpr
  The result shows only a minimum of information in the description and no mitigation information. This makes it hard, if not impossible, to rate the finding in DefectDojo.
It should be possible to enhance this. Let's take an example finding from audit.fvdl:
```xml
<Vulnerability>
  <ClassInfo>
    <ClassID>78E0700E-56FE-45A2-A11B-6A560F730576</ClassID>
    <Kingdom>Encapsulation</Kingdom>
    <Type>Cross-Site Request Forgery</Type>
    <AnalyzerName>content</AnalyzerName>
    <DefaultSeverity>2.0</DefaultSeverity>
  </ClassInfo>
  <InstanceInfo>
    <InstanceID>C85783901853490631AC2FDCE6AC9175</InstanceID>
    <InstanceSeverity>2.0</InstanceSeverity>
    <Confidence>5.0</Confidence>
  </InstanceInfo>
  <AnalysisInfo>
    <Unified>
      <Context/>
      <ReplacementDefinitions>
        <Def key="PrimaryLocation.file" value="checkout4.html"/>
        <Def key="PrimaryLocation.line" value="505"/>
      </ReplacementDefinitions>
      <Trace>
        <Primary>
          <Entry>
            <Node isDefault="true">
              <SourceLocation path="public/checkout4.html" line="505" lineEnd="592" colStart="21" colEnd="0" snippet="8AB8B486BA201077815CD26372AD96C7#public/checkout4.html:505:592"/>
            </Node>
          </Entry>
        </Primary>
      </Trace>
    </Unified>
  </AnalysisInfo>
</Vulnerability>
```
Both the snippet id 8AB8B486BA201077815CD26372AD96C7 and the class id 78E0700E-56FE-45A2-A11B-6A560F730576 can be used to look up other nodes in the same file to get more information. The class id points to a Description node and a Rule node.
The description can be split at "Additional mitigation techniques include:", and the second part can move into the DefectDojo mitigation section. Abstract, source and mitigation can then be included the same way as in the XML parser output.
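As an added example (my own code, not the issue author's and not DefectDojo's parser), here is a small Python resolver that performs the lookups proposed above on a constructed, simplified audit.fvdl: it indexes Description nodes by classID and Snippet nodes by id, resolves each Vulnerability against them, and splits the description text at the marker sentence so the tail lands in a mitigation field. The Vulnerability element is the one quoted in the issue; the `Description`/`Abstract`/`Explanation`/`Recommendations` and `Snippets`/`Snippet`/`Text` element names, the default namespace on the root and the placement of the marker sentence inside Recommendations are assumptions about the FVDL layout, not something the issue or its example file shows.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified audit.fvdl (sample data, not the issue's many_findings.fpr).
# Description/Snippets elements and the default namespace are assumptions about FVDL.
SAMPLE_FVDL = """<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.12">
  <Vulnerabilities>
    <Vulnerability>
      <ClassInfo>
        <ClassID>78E0700E-56FE-45A2-A11B-6A560F730576</ClassID>
        <Kingdom>Encapsulation</Kingdom>
        <Type>Cross-Site Request Forgery</Type>
        <DefaultSeverity>2.0</DefaultSeverity>
      </ClassInfo>
      <InstanceInfo>
        <InstanceID>C85783901853490631AC2FDCE6AC9175</InstanceID>
        <InstanceSeverity>2.0</InstanceSeverity>
        <Confidence>5.0</Confidence>
      </InstanceInfo>
      <AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true">
        <SourceLocation path="public/checkout4.html" line="505" lineEnd="592"
          snippet="8AB8B486BA201077815CD26372AD96C7#public/checkout4.html:505:592"/>
      </Node></Entry></Primary></Trace></Unified></AnalysisInfo>
    </Vulnerability>
  </Vulnerabilities>
  <Description contentType="finding" classID="78E0700E-56FE-45A2-A11B-6A560F730576">
    <Abstract>The form at checkout4.html:505 is not protected against CSRF.</Abstract>
    <Explanation>A forged request can submit the form on behalf of a logged-in user.</Explanation>
    <Recommendations>Include an unpredictable token in every state-changing request.
      Additional mitigation techniques include: setting SameSite on the session cookie
      and checking the Origin header.</Recommendations>
  </Description>
  <Snippets>
    <Snippet id="8AB8B486BA201077815CD26372AD96C7#public/checkout4.html:505:592">
      <File>public/checkout4.html</File>
      <StartLine>505</StartLine>
      <EndLine>592</EndLine>
      <Text>&lt;form method="post" action="/checkout"&gt;</Text>
    </Snippet>
  </Snippets>
</FVDL>
"""

MITIGATION_MARKER = "Additional mitigation techniques include:"


def _clean(text):
    """Collapse the pretty-printing whitespace left inside text nodes."""
    return " ".join((text or "").split())


def _strip_namespace(root):
    """Drop the default namespace so plain tag names work in find()/iter()."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def split_mitigation(text):
    """Split description text at the marker sentence proposed in the issue.

    Returns (description, mitigation); mitigation is '' when the marker is absent,
    so a finding without that sentence still imports with a complete description.
    """
    head, sep, tail = text.partition(MITIGATION_MARKER)
    return head.strip(), (tail.strip() if sep else "")


def parse_fvdl(xml_text):
    """Turn each <Vulnerability> into a dict shaped like a DefectDojo finding."""
    root = _strip_namespace(ET.fromstring(xml_text))
    # Index the lookup targets once: ClassID -> Description, snippet id -> Snippet.
    descriptions = {d.get("classID"): d for d in root.iter("Description")}
    snippets = {s.get("id"): s for s in root.iter("Snippet")}
    findings = []
    for vuln in root.iter("Vulnerability"):
        class_id = vuln.findtext("ClassInfo/ClassID")
        loc = vuln.find("AnalysisInfo/Unified/Trace/Primary/Entry/Node/SourceLocation")
        desc = descriptions.get(class_id)
        abstract = body = ""
        if desc is not None:
            abstract = _clean(desc.findtext("Abstract"))
            parts = (_clean(desc.findtext(tag)) for tag in ("Explanation", "Recommendations"))
            body = "\n\n".join(t for t in parts if t)
        description, mitigation = split_mitigation(body)
        snippet = snippets.get(loc.get("snippet")) if loc is not None else None
        findings.append({
            "title": vuln.findtext("ClassInfo/Type"),
            "kingdom": vuln.findtext("ClassInfo/Kingdom"),
            "instance_id": vuln.findtext("InstanceInfo/InstanceID"),
            "severity": float(vuln.findtext("InstanceInfo/InstanceSeverity") or "0"),
            "confidence": float(vuln.findtext("InstanceInfo/Confidence") or "0"),
            "file_path": loc.get("path") if loc is not None else None,
            "line": int(loc.get("line")) if loc is not None else None,
            "abstract": abstract,
            # Fall back to the type name when the ClassID has no Description node.
            "description": description or vuln.findtext("ClassInfo/Type"),
            "mitigation": mitigation,
            "source": _clean(snippet.findtext("Text")) if snippet is not None else "",
        })
    return findings


if __name__ == "__main__":
    for finding in parse_fvdl(SAMPLE_FVDL):
        print(finding["title"], finding["file_path"], finding["line"])
        print("mitigation:", finding["mitigation"])
```

The two indexes are built once per file rather than searched per finding, which matters for large FPRs; the fallback to the Type name and the empty mitigation keep the import from failing when a ClassID has no Description node or the marker sentence is missing.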
It would be great if you could improve this feature.