logo

한국어

[Fortify] FPR Report 스크립트

관리자 2019.05.15 18:27 조회 수 : 47

#!/bin/bash
#####################################################################
#
# Fortify SCA FPR파일 분석 스크립트
#
# 이 스크립트는 FPR파일을 분석하여 아래의 파일을 출력한다.
# 1. CSV포맷의 요약,상세 리포트
# 2. TXT포맷의 Suppressed된 취약점의 IID 리스트
#
# 윈도우에서 실행 시:
# bash -c "./fpr_report.sh webgoat.fpr"
#
# by 이존석(hasu0707@esvali.com)
#
#####################################################################
DEBUG_ON=1
VERSION=0.2
FILTER_SET="Security Auditor View"
#FILTER_SET="Quick View"
WIN_MINGW_DIR="/cygdrive/c/PortableApps/cmd_cygwin_x86_64"
FPR_TMP_DIR=./fpr_tmp
REPORT_TEMPLATE=./my_report_template.xml
SUPPRESSED_LIST_SUFFIX=suppressed_list.txt
TMP_FILE1=./tmpfile.txt

#####################################################################
#
# 사용방법 출력
#
#####################################################################
func_usage() {
  echo "$0 ver.${VERSION}"
  echo
  echo "usage: $0 "
}

#####################################################################
#
# 초기화
# $1 : FPR 파일명
#
#####################################################################
func_init() {
  if [ ${DEBUG_ON} -eq 1 ]
  then
    echo ">> func_init()"
  fi

  if [ -z "${WINDIR}" ]; then
    IS_WINDOWS=0
  else
    IS_WINDOWS=1
  fi

  if [ ${IS_WINDOWS} -eq 1 ]; then
    DEVNULL=null.dev
    WINCMD="/cygdrive/c/Windows/System32/cmd.exe /C"
    FORTIFY_HOME="/cygdrive/c/Program Files/Fortify/Fortify_SCA_and_Apps_18.10"
    REPORT_GENERATOR="ReportGenerator.bat"
    PATH=${FORTIFY_HOME}/bin:${WIN_MINGW_DIR}/bin:${PATH}
  else
    DEVNULL=/dev/null
    WINCMD=""
    FORTIFY_HOME="/opt/Fortify/Fortify_SCA_and_Apps_18.20"
    REPORT_GENERATOR="ReportGenerator"
    PATH=${FORTIFY_HOME}/bin:${PATH}
  fi

  BUILD_ID=$(basename $1 .fpr)
}

#####################################################################
#
# 필요한 유틸리티가 있는지 검사
#
#####################################################################
func_check_utils() {
  if [ ${DEBUG_ON} -eq 1 ]
  then
    echo ">> func_check_utils()"
  fi

  local IS_EXIT=0;
  UTILNAMES=( "xmllint" "unzip" "sed" "basename")

  # 윈도우 유틸리티 체킹
  if [ ${IS_WINDOWS} -eq 1 ]; then
    if [ ! -e ${WIN_MINGW_DIR}/bin/xmllint ] || [ ! -e ${WIN_MINGW_DIR}/bin/unzip ] || [ ! -e ${WIN_MINGW_DIR}/bin/sed ] || [ ! -e ${WIN_MINGW_DIR}/bin/basename ]; then
      echo "ERROR: ${WIN_MINGW_DIR} not found !"
      IS_EXIT=1
    fi

    if [ ${IS_EXIT} -ne 0 ]; then
      exit 1
    fi
    return
  fi

  # 리눅스 유틸리티 체킹
  for LOOP1 in "${UTILNAMES[@]}"
  do
    which ${LOOP1} > ${DEVNULL}
    if [ $? -ne 0 ]; then
      echo "ERROR: ${LOOP1} not found !"
      IS_EXIT=1
    fi
  done

  # ReportGenerator 체크
  if [ ! -e ${FORTIFY_HOME}/bin/${REPORT_GENERATOR} ]; then
    echo "ERROR: ${REPORT_GENERATOR} not found !"
    IS_EXIT=1
  fi

  # Fortify Report Template 체크
  if [ ! -e ${REPORT_TEMPLATE} ]; then
    echo "ERROR: ${REPORT_TEMPLATE} not found !"
    IS_EXIT=1
  fi

  # 없는 유틸리티가 있으면 스크립트 종료
  if [ ${IS_EXIT} -ne 0 ]; then
    exit 1
  fi

  unset UTILNAMES
}

#####################################################################
#
# 임시 및 불필요한 파일 삭제
#
#####################################################################
func_clean() {
  if [ ${DEBUG_ON} -eq 1 ]
  then
    echo ">> func_clean()"
  fi

  if [ ${IS_WINDOWS} -eq 1 ]; then
    rm -f ${DEVNULL}
  fi

  rm -rf ${FPR_TMP_DIR}
  rm -f ${TMP_FILE1}
  rm -f ${BUILD_ID}.xml
}

#####################################################################
#
# FPR파일 unzip
# $1 : fpr 파일명
#
#####################################################################
func_unzip() {
  if [ ${DEBUG_ON} -eq 1 ]
  then
    echo ">> func_unzip()"
  fi

  if [ -d ${FPR_TMP_DIR} ]
  then
    rm -rf ${FPR_TMP_DIR}
  fi
  mkdir ${FPR_TMP_DIR}
  unzip $1 -d ${FPR_TMP_DIR} audit.fvdl audit.xml filtertemplate.xml &> ${DEVNULL}
}

#####################################################################
#
# FPR파일에서 Suppressed된 취약점들의 IID를 뽑아서 저장한다.
# $1 : suppressed 목록이 기록될 파일명
#
#####################################################################
func_write_suppressed_list() {
  local S_COUNT=1
  local RET_VAL=0

  if [ ${DEBUG_ON} -eq 1 ]
  then
    echo ">> func_write_suppressed_list()"
  fi

  rm -f ${1}
  while [ ${RET_VAL} -eq 0 ]
  do
    xmllint \
--encode UTF-8 --nowarning --noblanks \
--xpath "//*[local-name()='Audit']/*[local-name()='IssueList']/*[local-name()='Issue'][${S_COUNT}]/@instanceId" \
./fpr_tmp/audit.xml \
>> ${1} 2> ${DEVNULL}
    RET_VAL=$?
    if [ ${RET_VAL} -eq 0 ]
    then
      S_COUNT=$((S_COUNT + 1))
    fi
    echo >> ${1}
  done

  # 불필요한 문자열 및 빈줄 삭제
  sed -i "s/ instanceId=\"//g" ${1}
  sed -i "s/\"$//g" ${1}
  sed -i "/^$/d" ${1}

  # Suppressed된 갯수 출력
  if [ ${DEBUG_ON} -eq 1 ]
  then
    echo ">> suppressed count: $((S_COUNT - 1))"
  fi

  return $((S_COUNT - 1))
}

#####################################################################
#
# ReportGenerator를 사용하여 XML 리포트를 뽑는다.
# $1 : 입력 FPR 파일명
# $2 : 출력 XML 파일명
#
#####################################################################
func_reportgenerator() {
  if [ ${DEBUG_ON} -eq 1 ]
  then
    echo ">> func_reportgenerator()"
  fi

  ${WINCMD} "${REPORT_GENERATOR}" \
-format xml \
-template ${REPORT_TEMPLATE} \
-filterSet "${FILTER_SET}" \
-showSuppressed -source $1 -f $2
}

#####################################################################
#
# ReportGenerator로 만든 XML을 파싱하여 상세 CSV 리포트를 만든다
# $1 : 입력 XML 파일명
# $2 : 출력 CSV 파일명
#
#####################################################################
func_xml_to_csv_detail() {
  if [ ${DEBUG_ON} -eq 1 ]
  then
    echo ">> func_xml_to_csv_detail()"
  fi

  xmllint --encode UTF-8 --xpath \
"/ReportDefinition/ReportSection[3]/SubSection[2]/IssueListing/Chart/GroupingSection/Issue/@iid|//Folder|//Kingdom|//Category|//Primary/FilePath|//Primary/LineStart" \
$1 > ${TMP_FILE1}

  sed -i \
-e "s/<\/LineStart>/\n/g" -e "s///g" \
-e "s/<\/Category>/,/g" -e "s///g" \
-e "s/<\/Folder>/,/g" -e "s///g" \
-e "s/<\/Kingdom>/,/g" -e "s///g" \
-e "s/<\/FilePath>/,/g" -e "s///g" \
-e "s/ iid=\"//g" -e "s/<>//g" \
-e 's/\"/,/g' \
${TMP_FILE1}

  echo "IID,CATEGORY,FOLDER,KINGDOM,FILE_PATH,LINE_NO" > $2
  cat ${TMP_FILE1} >> $2
  rm -f ${TMP_FILE1}
}

#####################################################################
#
# ReportGenerator로 만든 XML을 파싱하여 요약 CSV 리포트를 만든다
# $1 : 입력 XML 파일명
# $2 : 출력 CSV 파일명
#
#####################################################################
func_xml_to_csv_summary() {
  if [ ${DEBUG_ON} -eq 1 ]
  then
    echo ">> func_xml_to_csv_summary()"
  fi

  xmllint --encode UTF-8 --xpath \
"/ReportDefinition/ReportSection[1]/SubSection[2]/IssueListing/Chart/GroupingSection/groupTitle" \
$1 > ${TMP_FILE1}
  echo >> ${TMP_FILE1}
  xmllint --encode UTF-8 --xpath \
"/ReportDefinition/ReportSection[1]/SubSection[2]/IssueListing/Chart/GroupingSection/@count" \
$1 >> ${TMP_FILE1}

  sed -i \
-e "s/<\/groupTitle>/,/g" -e "s///g" \
-e 's/ count=\"//g' -e 's/\"/,/g' -e "s/,$//g" \
${TMP_FILE1}

  cat ${TMP_FILE1} > $2
  rm -f ${TMP_FILE1}
}

#####################################################################
#
# main
#
#####################################################################

# 명령행 인수가 없으면 사용방법 출력하고 끝냄
if [ $# -lt 1 ]; then
  func_usage
  exit 3
fi

# FPR 파일 존재 여부 체크
if [ ! -e ${1} ]; then
  echo "ERROR: ${1} not found !"
  func_usage
  exit 2
fi

func_init ${1}
func_check_utils
func_unzip ${1}
func_write_suppressed_list ${BUILD_ID}_${SUPPRESSED_LIST_SUFFIX}
func_reportgenerator webgoat.fpr ${BUILD_ID}.xml
func_xml_to_csv_detail ${BUILD_ID}.xml ${BUILD_ID}_detail.csv
func_xml_to_csv_summary ${BUILD_ID}.xml ${BUILD_ID}_summary.csv
func_clean