On 6/26/07 5:00 PM, "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]> wrote:

Would there be value in terms of defining an XML schema that all tools could 
emit audit information to?

You might want to take a look at what the Fortify guys already do. Their "FVDL" 
(Fortify Vulnerability Description Language) is XML written to a specific 
schema. Here's a snippet:

<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.5" 
xsi:type="FVDL">
<CreatedTS xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" 
date="2007-06-27" time="16:27:37"/>
<Build xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
    <BuildID>curl-7.11.1</BuildID>
    <NumberFiles>42</NumberFiles>
    <LOC>23572</LOC>
    <SourceBasePath>/Users/paco/Documents/Fortify/curl-7.11.1/lib</SourceBasePath>
    <SourceFiles>
        <File size="20098" timestamp="1079527605000">connect.c</File>
        <File size="11584" timestamp="1077710136000">krb4.c</File>
[..snip..]
<Vulnerability xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
    <ClassInfo>
        <ClassID>28424EC3-FFAC-40C0-94D9-3D8283B2F57C</ClassID>
        <Kingdom>Input Validation and Representation</Kingdom>
        <Type>Buffer Overflow</Type>
        <AnalyzerName>dataflow</AnalyzerName>
        <DefaultSeverity>4.0</DefaultSeverity>
    </ClassInfo>
    <InstanceInfo>
        <InstanceID>005542ED81D54F3C72BF3669EA8D130A</InstanceID>
        <InstanceSeverity>4.0</InstanceSeverity>
        <Confidence>3.4</Confidence>
    </InstanceInfo>
[..snip..]

Some of their XML seems quite reusable to me, and some of it seems pretty 
proprietary. It doesn't seem like they share a DTD or a schema publicly. 
Perhaps a little coaxing would get them to release it.

Paco
--
Paco Hope, CISSP
Technical Manager, Cigital, Inc
http://www.cigital.com/ * +1.703.585.7868
Software Confidence. Achieved.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
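Added example, not part of Paco's message and not Fortify code: a small reader that pulls the build metadata and the ClassInfo/InstanceInfo fields out of an FVDL-style document into a tool-neutral record, which is roughly what a common audit schema of the kind James asks about would have to carry. The sample document is constructed to mirror the snippet above (the default namespace is declared once on the root rather than repeated on each element, which is equivalent); the second Vulnerability, its placeholder IDs, and the missing InstanceSeverity/Confidence elements are my additions to show the fallback to DefaultSeverity. Only the standard library is used.

```python
"""Minimal FVDL-style reader (added example; the sample XML is constructed)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default namespace from the snippet. The unusual "xmlns://" scheme is fine:
# ElementTree treats the namespace name as an opaque string.
FVDL_NS = "xmlns://www.fortifysoftware.com/schema/fvdl"

# Constructed sample modelled on the snippet; IDs marked CONSTRUCTED are not real.
SAMPLE_FVDL = """<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.5" xsi:type="FVDL">
  <CreatedTS date="2007-06-27" time="16:27:37"/>
  <Build>
    <BuildID>curl-7.11.1</BuildID><NumberFiles>42</NumberFiles><LOC>23572</LOC>
    <SourceFiles>
      <File size="20098" timestamp="1079527605000">connect.c</File>
      <File size="11584" timestamp="1077710136000">krb4.c</File>
    </SourceFiles>
  </Build>
  <Vulnerability>
    <ClassInfo>
      <ClassID>28424EC3-FFAC-40C0-94D9-3D8283B2F57C</ClassID>
      <Kingdom>Input Validation and Representation</Kingdom>
      <Type>Buffer Overflow</Type>
      <AnalyzerName>dataflow</AnalyzerName>
      <DefaultSeverity>4.0</DefaultSeverity>
    </ClassInfo>
    <InstanceInfo>
      <InstanceID>005542ED81D54F3C72BF3669EA8D130A</InstanceID>
      <InstanceSeverity>4.0</InstanceSeverity>
      <Confidence>3.4</Confidence>
    </InstanceInfo>
  </Vulnerability>
  <Vulnerability>
    <ClassInfo>
      <ClassID>CONSTRUCTED-CLASS-ID-2</ClassID>
      <Kingdom>Input Validation and Representation</Kingdom>
      <Type>Format String</Type>
      <AnalyzerName>semantic</AnalyzerName>
      <DefaultSeverity>2.5</DefaultSeverity>
    </ClassInfo>
    <InstanceInfo><InstanceID>CONSTRUCTED-INSTANCE-ID-2</InstanceID></InstanceInfo>
  </Vulnerability>
</FVDL>
"""


def q(tag: str) -> str:
    """Clark-notation name for an element in the FVDL namespace."""
    return f"{{{FVDL_NS}}}{tag}"


@dataclass
class Finding:
    """Tool-neutral view of one <Vulnerability> (the part worth standardising)."""
    instance_id: str
    class_id: str
    kingdom: str
    type: str
    analyzer: str
    severity: float
    confidence: Optional[float]  # absent in some records, so optional


def _text(parent: ET.Element, tag: str) -> Optional[str]:
    """Stripped text of the first namespaced child `tag`, or None if missing."""
    el = parent.find(q(tag))
    return el.text.strip() if el is not None and el.text else None


def parse_fvdl(xml_text: str) -> Dict:
    """Parse an FVDL document into build metadata plus a list of Findings.

    For reports from untrusted sources, parse with defusedxml instead of
    xml.etree to rule out entity-expansion tricks.
    """
    root = ET.fromstring(xml_text)
    if root.tag != q("FVDL"):
        raise ValueError(f"not an FVDL document: root is {root.tag!r}")
    build = root.find(q("Build"))
    meta = {
        "version": root.get("version"),
        "build_id": _text(build, "BuildID") if build is not None else None,
        "loc": int(_text(build, "LOC") or 0) if build is not None else 0,
        "files": [f.text for f in build.iter(q("File"))] if build is not None else [],
    }
    findings: List[Finding] = []
    for v in root.iter(q("Vulnerability")):
        ci, ii = v.find(q("ClassInfo")), v.find(q("InstanceInfo"))
        if ci is None or ii is None:
            continue  # malformed record: skip it rather than abort the whole report
        conf = _text(ii, "Confidence")
        findings.append(Finding(
            instance_id=_text(ii, "InstanceID") or "",
            class_id=_text(ci, "ClassID") or "",
            kingdom=_text(ci, "Kingdom") or "",
            type=_text(ci, "Type") or "",
            analyzer=_text(ci, "AnalyzerName") or "",
            # per-instance severity wins; fall back to the class default
            severity=float(_text(ii, "InstanceSeverity") or _text(ci, "DefaultSeverity") or 0.0),
            confidence=float(conf) if conf is not None else None,
        ))
    return {"meta": meta, "findings": findings}


def findings_by_severity(report: Dict, minimum: float) -> List[Finding]:
    """Findings at or above `minimum` severity, highest first (a triage view)."""
    return sorted((f for f in report["findings"] if f.severity >= minimum),
                  key=lambda f: -f.severity)


if __name__ == "__main__":
    rep = parse_fvdl(SAMPLE_FVDL)
    print(rep["meta"])
    for f in findings_by_severity(rep, 3.0):
        print(f)
```

The namespace handling is the part that trips people up with this format: every element in the snippet lives in the FVDL namespace, so a plain `find("Build")` returns nothing and you have to use the `{uri}tag` form. Everything the Finding carries (kingdom, type, analyzer, severity, confidence) is the sort of field a shared schema would need to define precisely, since the meaning of a "4.0" differs from tool to tool.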