Marvin-static-Analyzer/VulnerabilityAnalyzer.py at master · programa-stic/Marvin-static-Analyzer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# Copyright (c) 2015, Fundacion Dr. Manuel Sadosky
# All rights reserved.

# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:

# 1. Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.

# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.

# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


import Utils
import json
import settings


class VulnerabilityAnalyzer(object):
    def __init__(self):
        self.report = {}

    def add_vulnerability(self, vuln_code, description, confidence=1, dynamic_test=False,
                          dynamic_test_params={}, reference_class=None, reference_method=None):
        if not vuln_code:
            raise Exception("Null Vulnerability ID")
        if not self.report.has_key(vuln_code):
            self.report[vuln_code] = []
        normalized_reference_class = Utils.normalize_class_name(reference_class)
        # comparing vulnerabilities description so if hardcoded values call same method for example
        if not any(description == vuln['description'] and vuln['reference_class'] == normalized_reference_class and
                                   vuln['reference_method'] == reference_method for vuln in self.report[vuln_code]):
            self.report[vuln_code].append(
                {"description": description, "confidence": confidence,
                 "severity": settings.STATIC_VULN_TYPES.get(vuln_code,5),
                 "dynamic_test": dynamic_test, 'reference_class': normalized_reference_class,
                 'reference_method': reference_method,
                 "dynamic_test_params": json.dumps(dynamic_test_params),
                 # "dynamic_test_results": {"status": "UNKNOWN", "count": 0, "description": {}}
                 })

    def get_vulnerability_description(self, vuln):
        return vuln["description"]

    def get_vulnerability_reference_class(self, vuln):
        return vuln["reference_class"].replace(".java", "")

    def get_vulnerability_reference_method(self, vuln):
        return vuln["reference_method"]

    def get_report_for_type(self, report, type):
        return report.get(type, None)

    def get_report(self):
        return self.report