Re: [SC-L] The Next Frontier

2007-06-28 Thread McGovern, James F (HTSC, IT)
Would Fortify consider making their schema open source and donating it
to OWASP? Likewise, would Ouncelabs, coverity and others be willing to
adapt their product to it?


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paco Hope
Sent: Wednesday, June 27, 2007 4:38 PM
To: Secure Coding
Subject: Re: [SC-L] The Next Frontier

On 6/26/07 5:00 PM, McGovern, James F (HTSC, IT)
[EMAIL PROTECTED] wrote:

Would there be value in terms of defining an XML schema that all tools
could emit audit information to?

You might want to take a look at what the Fortify guys already do. Their
FVDL (Fortify Vulnerability Description Language) is XML written to a
specific schema. Here's a snippet:

<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.5"
      xsi:type="FVDL">
  <CreatedTS xmlns="xmlns://www.fortifysoftware.com/schema/fvdl"
             date="2007-06-27" time="16:27:37"/>
  <Build xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
    <BuildID>curl-7.11.1</BuildID>
    <NumberFiles>42</NumberFiles>
    <LOC>23572</LOC>
    <SourceBasePath>/Users/paco/Documents/Fortify/curl-7.11.1/lib</SourceBasePath>
    <SourceFiles>
      <File size="20098" timestamp="1079527605000">connect.c</File>
      <File size="11584" timestamp="1077710136000">krb4.c</File>
[..snip..]
  <Vulnerability xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
    <ClassInfo>
      <ClassID>28424EC3-FFAC-40C0-94D9-3D8283B2F57C</ClassID>
      <Kingdom>Input Validation and Representation</Kingdom>
      <Type>Buffer Overflow</Type>
      <AnalyzerName>dataflow</AnalyzerName>
      <DefaultSeverity>4.0</DefaultSeverity>
    </ClassInfo>
    <InstanceInfo>
      <InstanceID>005542ED81D54F3C72BF3669EA8D130A</InstanceID>
      <InstanceSeverity>4.0</InstanceSeverity>
      <Confidence>3.4</Confidence>
    </InstanceInfo>
[..snip..]

Some of their XML seems quite reusable to me, and some of it seems
pretty proprietary. It doesn't seem like they share a DTD or a schema
publicly. Perhaps a little coaxing would get them to release it.

Paco
--
Paco Hope, CISSP
Technical Manager, Cigital, Inc
http://www.cigital.com/ * +1.703.585.7868 Software Confidence. Achieved.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org List
information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com) as a free, non-commercial service to the software
security community.
___


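As an added example (not part of the thread, and not Fortify's own tooling), this is how a consumer could read the FVDL structure Paco quotes into a tool-neutral finding record, which is the kind of mapping a shared OWASP schema would have to pin down. The sample document, the neutral field names and the closing tags after [..snip..] are assumptions; element names and values come from the quoted snippet.

```python
import xml.etree.ElementTree as ET
# Namespace from the quoted FVDL 1.5 snippet; ElementTree treats the URI as an opaque key.
NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}
# Constructed, well-formed sample modelled on the quoted snippet (which is cut with [..snip..]);
# element names and values come from it, the closing tags are assumed.
SAMPLE_FVDL = """<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.5">
  <CreatedTS date="2007-06-27" time="16:27:37"/>
  <Build>
    <BuildID>curl-7.11.1</BuildID>
    <SourceBasePath>/Users/paco/Documents/Fortify/curl-7.11.1/lib</SourceBasePath>
    <SourceFiles><File size="20098" timestamp="1079527605000">connect.c</File></SourceFiles>
  </Build>
  <Vulnerability>
    <ClassInfo>
      <ClassID>28424EC3-FFAC-40C0-94D9-3D8283B2F57C</ClassID>
      <Kingdom>Input Validation and Representation</Kingdom>
      <Type>Buffer Overflow</Type>
      <AnalyzerName>dataflow</AnalyzerName>
      <DefaultSeverity>4.0</DefaultSeverity>
    </ClassInfo>
    <InstanceInfo>
      <InstanceID>005542ED81D54F3C72BF3669EA8D130A</InstanceID>
      <InstanceSeverity>4.0</InstanceSeverity>
      <Confidence>3.4</Confidence>
    </InstanceInfo>
  </Vulnerability>
</FVDL>
"""

def text(elem, path, default=None):
    """Namespace-aware child text lookup; `default` when the element is absent or empty."""
    found = elem.find(path, NS)
    return found.text.strip() if found is not None and found.text else default

def parse_fvdl(xml_text):
    """Return (build, findings). Kingdom/Type/ClassID are the reusable part; the scores are Fortify's own scale."""
    root = ET.fromstring(xml_text)
    build = {"id": text(root, "f:Build/f:BuildID"), "base": text(root, "f:Build/f:SourceBasePath"),
             "files": [f.text for f in root.findall(".//f:SourceFiles/f:File", NS)]}
    findings = []
    for vuln in root.iter("{%s}Vulnerability" % NS["f"]):  # any depth, so wrapper elements don't matter
        # An instance-level severity, when present, overrides the class default.
        sev = text(vuln, "f:InstanceInfo/f:InstanceSeverity") or text(vuln, "f:ClassInfo/f:DefaultSeverity", "0")
        findings.append({"id": text(vuln, "f:InstanceInfo/f:InstanceID"), "class_id": text(vuln, "f:ClassInfo/f:ClassID"),
                         "category": text(vuln, "f:ClassInfo/f:Kingdom"), "type": text(vuln, "f:ClassInfo/f:Type"),
                         "tool": {"name": "Fortify", "analyzer": text(vuln, "f:ClassInfo/f:AnalyzerName"),
                                  "severity": float(sev), "confidence": float(text(vuln, "f:InstanceInfo/f:Confidence", "0"))}})
    return build, findings
```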


Re: [SC-L] The Next Frontier

2007-06-27 Thread ljknews
At 4:38 PM -0400 6/27/07, Paco Hope wrote:
 On 6/26/07 5:00 PM, McGovern, James F (HTSC, IT) [EMAIL PROTECTED] wrote:
 
 Would there be value in terms of defining an XML schema that all tools could 
 emit audit information to?
 
 You might want to take a look at what the Fortify guys already do. Their 
 FVDL (Fortify Vulnerability Description Language) is XML written to a 
 specific schema

In the US, the federal government has a lot of that going on:

http://nvd.nist.gov/scap.cfm

but they only support certain platforms, like Windows.
-- 
Larry Kilgallen