On 6/26/07 5:00 PM, "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]> wrote:
> Would there be value in terms of defining an XML schema that all tools
> could emit audit information to?

You might want to take a look at what the Fortify guys already do. Their
"FVDL" (Fortify Vulnerability Description Language) is XML written to a
specific schema. Here's a snippet:

<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      version="1.5" xsi:type="FVDL">
  <CreatedTS xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"
             date="2007-06-27" time="16:27:37"/>
  <Build xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
    <BuildID>curl-7.11.1</BuildID>
    <NumberFiles>42</NumberFiles>
    <LOC>23572</LOC>
    <SourceBasePath>/Users/paco/Documents/Fortify/curl-7.11.1/lib</SourceBasePath>
    <SourceFiles>
      <File size="20098" timestamp="1079527605000">connect.c</File>
      <File size="11584" timestamp="1077710136000">krb4.c</File>
[..snip..]
  <Vulnerability xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
    <ClassInfo>
      <ClassID>28424EC3-FFAC-40C0-94D9-3D8283B2F57C</ClassID>
      <Kingdom>Input Validation and Representation</Kingdom>
      <Type>Buffer Overflow</Type>
      <AnalyzerName>dataflow</AnalyzerName>
      <DefaultSeverity>4.0</DefaultSeverity>
    </ClassInfo>
    <InstanceInfo>
      <InstanceID>005542ED81D54F3C72BF3669EA8D130A</InstanceID>
      <InstanceSeverity>4.0</InstanceSeverity>
      <Confidence>3.4</Confidence>
    </InstanceInfo>
[..snip..]

Some of their XML seems quite reusable to me, and some of it seems pretty
proprietary. It doesn't seem like they share a DTD or a schema publicly.
Perhaps a little coaxing would get them to release it.

Paco
--
Paco Hope, CISSP
Technical Manager, Cigital, Inc
http://www.cigital.com/ * +1.703.585.7868
Software Confidence. Achieved.
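A small reader for the FVDL format quoted above, as an added example that is not from the original post, from Fortify or from Cigital: it resolves the FVDL namespace, flattens each Vulnerability element to a record and filters on InstanceSeverity and Confidence. The sample document is constructed from the snippet in the e-mail; the second finding and its IDs are placeholders, and the element paths beyond what the snippet shows are assumptions.

```python
"""Read Fortify FVDL (the format quoted in the thread) into plain records.
Added example, not Fortify's or Cigital's code; SAMPLE_FVDL is a constructed
document built from the e-mail's snippet, its second finding is made up."""
import xml.etree.ElementTree as ET
NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}  # URI from the snippet
SAMPLE_FVDL = f"""<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="{NS['f']}" version="1.5">
  <CreatedTS date="2007-06-27" time="16:27:37"/>
  <Build><BuildID>curl-7.11.1</BuildID><NumberFiles>42</NumberFiles><LOC>23572</LOC></Build>
  <Vulnerability>
    <ClassInfo><ClassID>28424EC3-FFAC-40C0-94D9-3D8283B2F57C</ClassID>
      <Kingdom>Input Validation and Representation</Kingdom><Type>Buffer Overflow</Type>
      <AnalyzerName>dataflow</AnalyzerName><DefaultSeverity>4.0</DefaultSeverity></ClassInfo>
    <InstanceInfo><InstanceID>005542ED81D54F3C72BF3669EA8D130A</InstanceID>
      <InstanceSeverity>4.0</InstanceSeverity><Confidence>3.4</Confidence></InstanceInfo>
  </Vulnerability>
  <Vulnerability><!-- constructed second finding; IDs are placeholders -->
    <ClassInfo><ClassID>CONSTRUCTED-CLASS-ID</ClassID><Kingdom>Errors</Kingdom>
      <Type>Unchecked Return Value</Type><AnalyzerName>semantic</AnalyzerName>
      <DefaultSeverity>2.0</DefaultSeverity></ClassInfo>
    <InstanceInfo><InstanceID>CONSTRUCTED-INSTANCE-ID</InstanceID>
      <InstanceSeverity>1.5</InstanceSeverity><Confidence>2.0</Confidence></InstanceInfo>
  </Vulnerability>
</FVDL>"""

def _text(elem, path):
    """Text of a namespaced descendant, or None when the tool omitted it."""
    child = elem.find(path, NS)
    return child.text.strip() if child is not None and child.text else None

def parse_fvdl(xml_text):
    """Return build metadata plus one flat dict per <Vulnerability>."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}FVDL" % NS["f"]:  # reject documents in another namespace
        raise ValueError("not an FVDL document: " + root.tag)
    findings = [{
        "class_id": _text(v, "f:ClassInfo/f:ClassID"),
        "kingdom": _text(v, "f:ClassInfo/f:Kingdom"),
        "type": _text(v, "f:ClassInfo/f:Type"),
        "instance_id": _text(v, "f:InstanceInfo/f:InstanceID"),
        "severity": float(_text(v, "f:InstanceInfo/f:InstanceSeverity") or 0),
        "confidence": float(_text(v, "f:InstanceInfo/f:Confidence") or 0),
    } for v in root.findall("f:Vulnerability", NS)]
    return {"build": _text(root, "f:Build/f:BuildID"),
            "loc": int(_text(root, "f:Build/f:LOC") or 0), "findings": findings}

def triage(report, min_severity=3.0, min_confidence=2.0):
    """Findings worth a human look: severity and confidence both at/above threshold."""
    return [f for f in report["findings"]
            if f["severity"] >= min_severity and f["confidence"] >= min_confidence]
```

With the defaults, only the Buffer Overflow instance from the snippet survives triage; the constructed low-severity finding is dropped.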
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________