Would Fortify consider making their schema open source and donating it
to OWASP? Likewise, would Ounce Labs, Coverity and others be willing to
adapt their product to it?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paco Hope
Sent: Wednesday, June 27, 2007 4:38 PM
To: Secure Coding
Subject: Re: [SC-L] The Next Frontier

On 6/26/07 5:00 PM, "McGovern, James F (HTSC, IT)"
<[EMAIL PROTECTED]> wrote:

Would there be value in terms of defining an XML schema that all tools
could emit audit information to?

You might want to take a look at what the Fortify guys already do. Their
"FVDL" (Fortify Vulnerability Description Language) is XML written to a
specific schema. Here's a snippet:

<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.5"
      xsi:type="FVDL">
<CreatedTS xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"
           date="2007-06-27" time="16:27:37"/>
<Build xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
    <BuildID>curl-7.11.1</BuildID>
    <NumberFiles>42</NumberFiles>
    <LOC>23572</LOC>
    <SourceBasePath>/Users/paco/Documents/Fortify/curl-7.11.1/lib</SourceBasePath>
    <SourceFiles>
        <File size="20098" timestamp="1079527605000">connect.c</File>
        <File size="11584" timestamp="1077710136000">krb4.c</File>
[..snip..]
<Vulnerability xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
    <ClassInfo>
        <ClassID>28424EC3-FFAC-40C0-94D9-3D8283B2F57C</ClassID>
        <Kingdom>Input Validation and Representation</Kingdom>
        <Type>Buffer Overflow</Type>
        <AnalyzerName>dataflow</AnalyzerName>
        <DefaultSeverity>4.0</DefaultSeverity>
    </ClassInfo>
    <InstanceInfo>
        <InstanceID>005542ED81D54F3C72BF3669EA8D130A</InstanceID>
        <InstanceSeverity>4.0</InstanceSeverity>
        <Confidence>3.4</Confidence>
    </InstanceInfo>
[..snip..]

Some of their XML seems quite reusable to me, and some of it seems
pretty proprietary. It doesn't seem like they share a DTD or a schema
publicly. Perhaps a little coaxing would get them to release it.

Paco
--
Paco Hope, CISSP
Technical Manager, Cigital, Inc
http://www.cigital.com/ * +1.703.585.7868 Software Confidence. Achieved.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________


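As an added example (not code from the thread, from Fortify, or from any published FVDL reader), here is a small parser for the kind of FVDL Paco quoted, normalizing each <Vulnerability> into a tool-neutral record of the sort a shared schema would have to carry. The sample document is constructed from the snippet in the message: the parts elided by [..snip..] are simply closed off, the placement of <Vulnerability> relative to <Build> is assumed, and the Finding field set is an assumption about what a cross-tool format needs, not anything Fortify or OWASP defined.

```python
"""Parse Fortify FVDL into tool-neutral finding records.
Added example, not Fortify's code or a published FVDL parser. SAMPLE_FVDL is
constructed from the snippet in the message, with the elided parts closed
off; the Finding layout is an assumption about what a shared schema needs."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample. Where <Vulnerability> sits relative to <Build> is
# elided in the snippet, so the parser searches descendants instead.
SAMPLE_FVDL = """<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      version="1.5" xsi:type="FVDL">
  <Build>
    <BuildID>curl-7.11.1</BuildID>
    <NumberFiles>42</NumberFiles>
    <LOC>23572</LOC>
    <SourceBasePath>/Users/paco/Documents/Fortify/curl-7.11.1/lib</SourceBasePath>
    <SourceFiles>
      <File size="20098" timestamp="1079527605000">connect.c</File>
      <File size="11584" timestamp="1077710136000">krb4.c</File>
    </SourceFiles>
  </Build>
  <Vulnerability>
    <ClassInfo>
      <ClassID>28424EC3-FFAC-40C0-94D9-3D8283B2F57C</ClassID>
      <Kingdom>Input Validation and Representation</Kingdom>
      <Type>Buffer Overflow</Type>
      <AnalyzerName>dataflow</AnalyzerName>
      <DefaultSeverity>4.0</DefaultSeverity>
    </ClassInfo>
    <InstanceInfo>
      <InstanceID>005542ED81D54F3C72BF3669EA8D130A</InstanceID>
      <InstanceSeverity>4.0</InstanceSeverity>
      <Confidence>3.4</Confidence>
    </InstanceInfo>
  </Vulnerability>
</FVDL>
"""

@dataclass(frozen=True)
class Finding:
    """Tool-neutral record (assumed layout): enough to de-duplicate and triage."""
    tool: str
    class_id: str
    instance_id: str
    kingdom: str
    type: str
    analyzer: str
    severity: float
    confidence: float

def _text(elem, ns, tag):
    """Stripped text of a required namespaced child, else ValueError."""
    child = elem.find(f"{{{ns}}}{tag}")
    if child is None or child.text is None:
        raise ValueError(f"missing <{tag}> under <{elem.tag}>")
    return child.text.strip()

def parse_fvdl(xml_text: str):
    """Return (build_info, findings). The namespace is read from the root so a
    later schema URI still parses; a missing field raises ValueError instead
    of yielding a half-filled record."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if not root.tag.startswith("{") or not root.tag.endswith("}FVDL"):
        raise ValueError(f"not an FVDL document: root is {root.tag}")
    ns = root.tag[1:].split("}", 1)[0]
    build = root.find(f"{{{ns}}}Build")
    if build is None:
        raise ValueError("missing <Build>")
    build_info = {
        "build_id": _text(build, ns, "BuildID"),
        "loc": int(_text(build, ns, "LOC")),
        "files": [f.text for f in build.iter(f"{{{ns}}}File")],
    }
    findings = []
    for vuln in root.iter(f"{{{ns}}}Vulnerability"):
        cls = vuln.find(f"{{{ns}}}ClassInfo")
        inst = vuln.find(f"{{{ns}}}InstanceInfo")
        if cls is None or inst is None:
            raise ValueError("Vulnerability without ClassInfo/InstanceInfo")
        findings.append(Finding(
            tool="fortify",
            class_id=_text(cls, ns, "ClassID"),
            instance_id=_text(inst, ns, "InstanceID"),
            kingdom=_text(cls, ns, "Kingdom"),
            type=_text(cls, ns, "Type"),
            analyzer=_text(cls, ns, "AnalyzerName"),
            severity=float(_text(inst, ns, "InstanceSeverity")),
            confidence=float(_text(inst, ns, "Confidence")),
        ))
    return build_info, findings

if __name__ == "__main__":
    info, found = parse_fvdl(SAMPLE_FVDL)
    print(info["build_id"], info["loc"], "LOC,", len(found), "finding(s)")
```

The namespace is taken from the root element rather than hard-coded because the snippet's odd "xmlns://..." URI is exactly the kind of vendor detail that changes between versions, and a cross-tool reader should fail loudly on a non-FVDL root rather than silently return nothing. Tool output that arrives from a build pipeline you do not fully control is still untrusted XML: the stdlib ElementTree does not fetch external entities, but it does expand internal ones, so for that case parse with defusedxml.ElementTree.fromstring instead.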