abide_dev_utils 0.5.0 → 0.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a27976b9f740b67261fa080eeba927bc6fc98e73ffb592fafdd91d4d612cc51f
-  data.tar.gz: 64778a0d476e2f96d70a14ab318b517c597aa3c5e33afd8939173385b013fe6c
+  metadata.gz: 550d53a5583b4befefc9cb5b2cd2ae41dab12dac51d6fe564067d8ad6113daf4
+  data.tar.gz: 62edfb6d0145ec674ad2cf70eb09b37008075bbe7215c3aba7b0c82988b49cb7
 SHA512:
-  metadata.gz: e31df40e6dd34a57156ff517d39fcc036f5655ce2f31bf86b1ebb66754304575b7379e0a3751ae378bc81bc1520dbe095255012dc7e10b24e4f6c3f4a85e6551
-  data.tar.gz: c9dd204d55a37d389c0c8a4d3d281310b87241cbbd149ca029a3fa6a38fd8414bcb350467cd348cdd330fe946e6ee75625bfe2828319ad25d9eb8ed5cc37a9a3
+  metadata.gz: 336b80d3b41db5c839de238d7b3308bcd02b4cad1e339fb2b5879cbb7e132cbf3b8b8432f2ba6c0c2fa0825491fb042817a6225594433fba058eacfdeb6f510c
+  data.tar.gz: a8e34b36f2bdd51d4d7bf467b91c3f01e7507ea5315a864a564f4c830d43768f98de88075569643205d8c5c43ea8113a1c0afed011a708367a3c66771e10534f

data/.gitignore

@@ -6,7 +6,8 @@
 /pkg/
 /spec/reports/
 /tmp/
-
+w10_20h2.xml
+w10_2004.xml
 # rspec failure tracking
 .rspec_status
 Gemfile.lock

data/.rubocop.yml

@@ -12,7 +12,7 @@ AllCops:
     - 'tmp/**/*'
     - '.git/**/*'
     - 'bin/*'
-  TargetRubyVersion: 2.5
+  TargetRubyVersion: 2.7
   SuggestExtensions: false
 
 Naming/PredicateName:

data/CODEOWNERS

@@ -0,0 +1 @@
+* @puppetlabs/abide-team

data/README.md

@@ -88,6 +88,8 @@ Install the gem:
 
 ### Overview of Commands
 
+* `abide comply` - Command namespace for Puppet Comply commands
+  * `abide comply report` - Creates a scan report in YAML format by scraping Puppet Comply
 * `abide jira` - Command namespace for Jira commands
   * `abide jira auth` - Authenticate with Jira. Only useful as a stand-alone command to test authentication
   * `abide jira from_coverage` - Creates a parent issue with subtasks from a Puppet coverage report
@@ -100,6 +102,34 @@ Install the gem:
 * `abide xccdf` - Command namespace for XCCDF commands
   * `abide xccdf to_hiera` - Converts a benchmark XCCDF file to a Hiera yaml file
 
+### Comply Command Reference
+
+#### report
+
+* Required positional parameters:
+  * `COMPLY_URL` - The URL of Puppet Comply
+  * `COMPLY_PASSWORD` - The password for the Puppet Comply user
+* Options:
+  * `--out-file`, `-o` - The path to save the scan report. Defaults to `./comply_scan_report.yaml`
+  * `--username`, `-u` - The Puppet Comply username. Defaults to `comply`
+  * `--status`, `-s` - A comma-separated list of check statuses to ONLY include in the report. Valid statuses are: `pass`, `fail`, `error`, `notapplicable`, `notchecked`, `unknown`, `informational`
+  * `--only`, `-O` - A comma-separated list of node certnames to ONLY build reports for. No other nodes will have reports built for them except the ones specified. This option is mutually exclusive with `--ignore` and, if both are set, this options will take precedence over `--ignore`.
+  * `--ignore`, `-I` - A comma-separated list of node certnames to ignore building reports for. This options is mutually exclusive with `--only` and, if both are set, `--only` will take precedence over this option.
+
+Examples:
+
+Generating a report of all failed and err'd scan checks
+
+```sh
+abide comply report https://comply.my.instance 'my_comply_password!' -s fail,error
+```
+
+Generating a report for certain nodes only
+
+```sh
+abide comply report https://comply.my.instance 'my_comply_password!' -O specific-node.my.instance
+```
+
 ### Jira Command Reference
 
 #### from_coverage

data/abide_dev_utils.gemspec

@@ -7,14 +7,14 @@ require "abide_dev_utils/version"
 Gem::Specification.new do |spec|
   spec.name          = "abide_dev_utils"
   spec.version       = AbideDevUtils::VERSION
-  spec.authors       = ["Heston Snodgrass"]
-  spec.email         = ["hsnodgrass3@gmail.com"]
+  spec.authors       = ["abide-team"]
+  spec.email         = ["abide-team@puppet.com"]
 
-  spec.summary       = "Helper utilities for developing Abide"
-  spec.description   = "Provides a CLI with helpful utilities for developing Abide"
-  spec.homepage      = "https://github.com/hsnodgrass/abide_dev_utils"
+  spec.summary       = "Helper utilities for developing compliance Puppet code"
+  spec.description   = "Provides a CLI with helpful utilities for developing compliance Puppet code"
+  spec.homepage      = "https://github.com/puppetlabs/abide_dev_utils"
   spec.license       = "MIT"
-  spec.required_ruby_version = Gem::Requirement.new(">= 2.5.0")
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.7.0")
 
   # spec.metadata["allowed_push_host"] = "TODO: Set to 'http://mygemserver.com'"
 
@@ -34,10 +34,12 @@ Gem::Specification.new do |spec|
   # Prod dependencies
   spec.add_dependency 'nokogiri', '~> 1.11'
   spec.add_dependency 'cmdparse', '~> 3.0'
-  spec.add_dependency 'puppet', '>= 6.19'
+  spec.add_dependency 'puppet', '>= 6.23'
   spec.add_dependency 'jira-ruby', '~> 2.1'
   spec.add_dependency 'ruby-progressbar', '~> 1.11'
   spec.add_dependency 'selenium-webdriver', '~> 4.0.0.beta4'
+  spec.add_dependency 'google-cloud-storage', '~> 1.34'
+  spec.add_dependency 'hashdiff', '~> 1.0'
 
   # Dev dependencies
   spec.add_development_dependency 'bundler'
@@ -45,6 +47,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'console'
   spec.add_development_dependency 'github_changelog_generator'
   spec.add_development_dependency 'gem-release'
+  spec.add_development_dependency 'pry'
   spec.add_development_dependency 'rspec', '~> 3.10'
   spec.add_development_dependency 'rubocop', '~> 1.8'
   spec.add_development_dependency 'rubocop-rspec', '~> 2.1'

data/itests.rb

@@ -0,0 +1,138 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'json'
+require 'yaml'
+require 'abide_dev_utils/comply'
+require 'abide_dev_utils/ppt/api'
+
+OS_BENCHMARK_MAP = {
+  'centos-7' => 'CIS_CentOS_Linux_7_Benchmark_v3.1.1-xccdf.xml',
+  'centos-8' => 'CIS_CentOS_Linux_8_Benchmark_v1.0.1-xccdf.xml',
+  'rhel-7' => 'CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v3.1.1-xccdf.xml',
+  'rhel-8' => 'CIS_Red_Hat_Enterprise_Linux_8_Benchmark_v1.0.1-xccdf.xml',
+  'serv-2016' => 'CIS_Microsoft_Windows_Server_2016_RTM_(Release_1607)_Benchmark_v1.3.0-xccdf.xml',
+  'serv-2019' => 'CIS_Microsoft_Windows_Server_2019_Benchmark_v1.2.1-xccdf.xml'
+}
+EL_PROFILE_1_SERVER = 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
+WIN_PROFILE_1_MS = 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Member_Server'
+NIX_SCAN_HASH = {
+  'nix-centos-7.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['centos-7'],
+    'profile' => EL_PROFILE_1_SERVER
+  },
+  'nix-centos-8.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['centos-8'],
+    'profile' => EL_PROFILE_1_SERVER
+  },
+  'nix-rhel-7.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['rhel-7'],
+    'profile' => EL_PROFILE_1_SERVER
+  },
+  'nix-rhel-8.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['rhel-8'],
+    'profile' => EL_PROFILE_1_SERVER
+  }
+}.freeze
+WIN_SCAN_HASH = {
+  'win-server-2016.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['serv-2016'],
+    'profile' => EL_PROFILE_1_SERVER
+  },
+  'win-serv-2019.c.team-sse.internal' => {
+    'benchmark' => OS_BENCHMARK_MAP['serv-2019'],
+    'profile' => WIN_PROFILE_1_MS
+  }
+}.freeze
+
+scan_hash = ENV['ABIDE_OS'] == 'nix' ? NIX_SCAN_HASH : WIN_SCAN_HASH
+node_group_name = ENV['ABIDE_OS'] == 'nix' ? 'CEM Linux Nodes' : 'CEM Windows Nodes'
+
+puts 'Creating client...'
+client = AbideDevUtils::Ppt::ApiClient.new(ENV['PUPPET_HOST'], auth_token: ENV['PE_ACCESS_TOKEN'])
+puts 'Starting code deploy...'
+code_manager_deploy = client.post_codemanager_deploys('environments' => ['production'], 'wait' => true)
+raise 'Code manager deployment failed!' unless code_manager_deploy['status'] == 'complete'
+
+puts 'Code deploy successful...'
+puts 'Gathering node group ID...'
+node_groups = client.get_classifier1_groups
+node_group_id = nil
+node_groups.each { |x| node_group_id = x['id'] if x['name'] == node_group_name }
+raise 'Failed to find requested node group!' if node_group_id.nil?
+
+puts 'Running Puppet on nodes...'
+puppet_run = client.post_orchestrator_command_deploy('environment' => 'production', 'scope' => { 'node_group' => node_group_id })
+puts "Started job #{puppet_run['job']['name']}..."
+timeout = 0
+run_complete = false
+until run_complete || timeout >= 30
+  puts "Waiting on job #{puppet_run['job']['name']} to complete..."
+  status = client.get_orchestrator_jobs(puppet_run['job']['name'])
+  case status['state']
+  when 'failed'
+    raise "Job #{puppet_run['job']['name']} finished with failures!"
+  when 'finished'
+    run_complete = true
+    break
+  else
+    timeout += 1
+    sleep(10)
+  end
+end
+raise 'Job timed out waiting for completion' unless run_complete
+
+puts 'Starting node scans...'
+scan_job = client.post_orchestrator_command_task(
+  'environment' => 'production',
+  'task' => 'comply::ciscat_scan',
+  'params' => {
+    'comply_port' => '443',
+    'comply_server' => ENV['COMPLY_FQDN'],
+    'ssl_verify_mode' => 'none',
+    'scan_type' => 'desired',
+    'scan_hash' => JSON.generate(scan_hash)
+  },
+  'scope' => {
+    'node_group' => node_group_id
+  }
+)
+puts "Started scan #{scan_job['job']['name']}..."
+timeout = 0
+scan_complete = false
+until scan_complete || timeout >= 30
+  puts "Waiting on scan #{scan_job['job']['name']} to complete..."
+  status = client.get_orchestrator_jobs(scan_job['job']['name'])
+  case status['state']
+  when 'failed'
+    raise "Task #{scan_job['job']['name']} finished with failures!"
+  when 'finished'
+    scan_complete = true
+    break
+  else
+    timeout += 1
+    sleep(10)
+  end
+end
+raise 'Job timed out waiting for completion' unless scan_complete
+
+puts 'Collecting scan report from Comply...'
+onlylist = scan_hash.keys
+scan_report = AbideDevUtils::Comply.build_report("https://#{ENV['COMPLY_FQDN']}", ENV['COMPLY_PASSWORD'], nil, onlylist: onlylist)
+puts 'Saving report to nix_report.yaml...'
+File.open('nix_report.yaml', 'w') { |f| f.write(scan_report.to_yaml) }
+
+puts 'Comparing current report to last report...'
+opts = {
+  report_name: 'nix_report.yaml',
+  remote_storage: 'gcloud',
+  upload: true
+}
+result = AbideDevUtils::Comply.compare_reports(File.expand_path('./nix_report.yaml'), 'nix_report.yaml', opts)
+if result
+  puts 'Success!'
+  exit(0)
+else
+  puts 'Failure!'
+  exit(1)
+end

data/lib/abide_dev_utils/cli/comply.rb

@@ -12,6 +12,7 @@ module Abide
       def initialize
         super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: true)
         add_command(ComplyReportCommand.new)
+        add_command(ComplyCompareReportCommand.new)
       end
     end
 
@@ -28,6 +29,10 @@ module Abide
       LONGCMD
       CMD_COMPLY_URL = 'The URL (including https://) of Puppet Comply'
       CMD_COMPLY_PASSWORD = 'The password for Puppet Comply'
+      OPT_TIMEOUT_DESC = <<~EOTO
+        The number of seconds you would like requests to wait before timing out. Defaults
+        to 10 seconds.
+      EOTO
       OPT_STATUS_DESC = <<~EODESC
         A comma-separated list of check statuses to ONLY include in the report.
         Valid statuses are: pass, fail, error, notapplicable, notchecked, unknown, informational
@@ -50,18 +55,21 @@ module Abide
         options.on('-u [USERNAME]', '--username [USERNAME]', 'The username for Comply (defaults to comply)') do |u|
           @data[:username] = u
         end
-        options.on('-s [STATUS]', '--status [STATUS]', OPT_STATUS_DESC) do |s|
-          status_array = s.nil? ? nil : s.split(',').map(&:downcase)
-          status_array&.map! { |i| i == 'notchecked' ? 'not checked' : i }
-          @data[:status] = status_array
+        options.on('-t [SECONDS]', '--timeout [SECONDS]', OPT_TIMEOUT_DESC) do |t|
+          @data[:timeout] = t
         end
-        options.on('-O [CERTNAME]', '--only [CERTNAME]', OPT_ONLY_NODES) do |o|
-          only_array = o.nil? ? nil : s.split(',').map(&:downcase)
-          @data[:only] = only_array
+        options.on('-s [X,Y,Z]', '--status [X,Y,Z]',
+                   %w[pass fail error notapplicable notchecked unknown informational],
+                   Array,
+                   OPT_STATUS_DESC) do |s|
+          s&.map! { |i| i == 'notchecked' ? 'not checked' : i }
+          @data[:status] = s
         end
-        options.on('-I [CERTNAME]', '--ignore [CERTNAME]', OPT_IGNORE_NODES) do |i|
-          ignore_array = i.nil? ? nil : i.split(',').map(&:downcase)
-          @data[:ignore] = ignore_array
+        options.on('--only [X,Y,Z]', Array, OPT_ONLY_NODES) do |o|
+          @data[:onlylist] = o
+        end
+        options.on('--ignore [X,Y,Z]', Array, OPT_IGNORE_NODES) do |i|
+          @data[:ignorelist] = i
         end
       end
 
@@ -79,19 +87,29 @@ module Abide
         conf = config_section('comply')
         comply_url = conf.fetch(:url) if comply_url.nil?
         comply_password = comply_password.nil? ? conf.fetch(:password, Abide::CLI::PROMPT.password) : comply_password
-        username = @data.fetch(:username, nil).nil? ? conf.fetch(:username, 'comply') : @data[:username]
-        status = @data.fetch(:status, nil).nil? ? conf.fecth(:status, nil) : @data[:status]
-        ignorelist = @data.fetch(:ignore, nil).nil? ? conf.fetch(:ignore, nil) : @data[:ignore]
-        onlylist = @data.fetch(:only, nil).nil? ? conf.fetch(:only, nil) : @data[:only]
-        report = AbideDevUtils::Comply.scan_report(comply_url,
-                                                   comply_password,
-                                                   username: username,
-                                                   status: status,
-                                                   ignorelist: ignorelist,
-                                                   onlylist: onlylist)
+        report = AbideDevUtils::Comply.build_report(comply_url, comply_password, conf, **@data)
         outfile = @data.fetch(:file, nil).nil? ? conf.fetch(:report_path, 'comply_scan_report.yaml') : @data[:file]
         Abide::CLI::OUTPUT.yaml(report, file: outfile)
       end
     end
+
+    class ComplyCompareReportCommand < AbideCommand
+      CMD_NAME = 'compare-report'
+      CMD_SHORT = 'Compare two Comply reports and get the differences.'
+      CMD_LONG = 'Compare two Comply reports and get the differences. Report A is compared to report B, showing what changes it would take for A to equal B.'
+      CMD_REPORT_A = 'The current Comply report yaml file'
+      CMD_REPORT_B = 'The old Comply report yaml file name or full path'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(REPORT_A: CMD_REPORT_A, REPORT_B: CMD_REPORT_B)
+        options.on('-u', '--upload-new', 'If you want to upload the new scan report') { @data[:upload] = true }
+        options.on('-s [STORAGE]', '--remote-storage [STORAGE]', 'Remote storage to upload the report to. (Only supports "gcloud")') { |x| @data[:remote_storage] = x }
+        options.on('-r [NAME]', '--name [NAME]', 'The name to upload the report as') { |x| @data[:report_name] = x }
+      end
+
+      def execute(report_a, report_b)
+        AbideDevUtils::Comply.compare_reports(report_a, report_b, @data)
+      end
+    end
   end
 end

data/lib/abide_dev_utils/cli/puppet.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require 'abide_dev_utils/cli/abstract'
+require 'abide_dev_utils/output'
+require 'abide_dev_utils/ppt'
 
 module Abide
   module CLI
@@ -12,6 +14,10 @@ module Abide
         super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: true)
         add_command(PuppetCoverageCommand.new)
         add_command(PuppetNewCommand.new)
+        add_command(PuppetRenameCommand.new)
+        add_command(PuppetFixClassNamesCommand.new)
+        add_command(PuppetAuditClassNamesCommand.new)
+        add_command(PuppetAddCISCommentCommand.new)
       end
     end
 
@@ -38,12 +44,12 @@ module Abide
       end
 
       def execute(class_dir, hiera_file)
-        require 'abide_dev_utils/ppt'
+        require 'abide_dev_utils/ppt/coverage'
         Abide::CLI::VALIDATE.directory(class_dir)
         Abide::CLI::VALIDATE.file(hiera_file)
-        coverage = AbideDevUtils::Ppt::CoverageReport.generate(class_dir, hiera_file, @data[:profile])
+        coverage = AbideDevUtils::Ppt.generate_coverage_report(class_dir, hiera_file, @data[:profile])
         coverage.each do |k, v|
-          next if ['classes', 'benchmark'].include?(k)
+          next if k.match?(/classes|benchmark/)
 
           Abide::CLI::OUTPUT.simple("#{k} coverage: #{v[:coverage]}%")
         end
@@ -100,14 +106,133 @@ module Abide
       end
 
       def execute(type, name)
-        require 'abide_dev_utils/ppt/new_obj'
-        builder = AbideDevUtils::Ppt::NewObjectBuilder.new(
-          type,
-          name,
-          opts: @data,
-          vars: @data.fetch(:vars, '').split(',').map { |i| i.split('=') }.to_h # makes the str a hash
-        )
-        builder.build
+        AbideDevUtils::Ppt.build_new_object(type, name, @data)
+      end
+    end
+
+    class PuppetRenameCommand < AbideCommand
+      CMD_NAME = 'rename'
+      CMD_SHORT = 'Renames a Puppet class'
+      CMD_LONG = 'Renames a Puppet class. It does this by renaming the file and also the class name in the file. This command can also move class files based on the new class name.'
+      CMD_FROM_ARG = 'The current full class name'
+      CMD_TO_ARG = 'The new full class name'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(FROM: CMD_FROM_ARG, TO: CMD_TO_ARG)
+        options.on(
+          '-d',
+          '--declaration-only',
+          'Will not rename the class file, only the class declaration in the file'
+        ) { @data[:declaration_only] = true }
+        options.on(
+          '-t',
+          '--declaration-in-to-file',
+          'Use the path derived from the TO class name as the existing file path when renaming class declaration'
+        ) { @data[:declaration_in_to_file] = true }
+        options.on(
+          '-f',
+          '--force',
+          'Forces file move operations'
+        ) { @data[:force] = true }
+        options.on(
+          '-v',
+          '--verbose',
+          'Sets verbose mode on file operations'
+        ) { @data[:verbose] = true }
+      end
+
+      def execute(from, to)
+        AbideDevUtils::Ppt.rename_puppet_class(from, to, **@data)
+      end
+    end
+
+    class PuppetFixClassNamesCommand < AbideCommand
+      CMD_NAME = 'fix-class-names'
+      CMD_SHORT = 'Fixes Puppet class names that are mismatched'
+      CMD_LONG = 'Fixes Puppet class names that are mismatched'
+      CMD_MODE_ARG = '"file" or "class". If "file", the file names will be changed to match their class declarations. If "class", the class declarations will be changed to match the file names.'
+      CMD_DIR_ARG = 'The directory containing the Puppet class files'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(MODE: CMD_MODE_ARG, DIR: CMD_DIR_ARG)
+        options.on(
+          '-f',
+          '--force',
+          'Forces file move operations'
+        ) { @data[:force] = true }
+        options.on(
+          '-v',
+          '--verbose',
+          'Sets verbose mode on file operations'
+        ) { @data[:verbose] = true }
+      end
+
+      def execute(mode, dir)
+        case mode
+        when /^f.*/
+          AbideDevUtils::Ppt.fix_class_names_file_rename(dir, **@data)
+        when /^c.*/
+          AbideDevUtils::Ppt.fix_class_names_class_rename(dir, **@data)
+        else
+          raise ::ArgumentError, "Invalid mode. Mode:#{mode}"
+        end
+      end
+    end
+
+    class PuppetAuditClassNamesCommand < AbideCommand
+      CMD_NAME = 'audit-class-names'
+      CMD_SHORT = 'Finds Puppet classes in a directory that have names that do not match their path'
+      CMD_LONG = 'Finds Puppet classes in a directory that have names that do not match their path. This is helpful because class names that do not match their path structure break Puppet autoloading.'
+      CMD_DIR_ARG = 'The directory containing the Puppet class files'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(DIR: CMD_DIR_ARG)
+        options.on('-o [FILE]', '--out-file [FILE]', 'Save results to a file') { |f| @data[:file] = f }
+        options.on('-q', '--quiet', 'Do not print results to console') { @data[:quiet] = true }
+      end
+
+      def execute(dir)
+        if @data.fetch(:quiet, false) && !@data.key?(:file)
+          AbideDevUtils::Output.simple('ERROR: Specifying --quiet without --out-file is useless.', stream: $stderr)
+          exit 1
+        end
+
+        AbideDevUtils::Ppt.audit_class_names(dir, **@data)
+      end
+    end
+
+    class PuppetAddCISCommentCommand < AbideCommand
+      CMD_NAME = 'add-cis-comment'
+      CMD_SHORT = 'Adds the CIS recommendation name to the top of a .pp file'
+      CMD_LONG = 'Adds the CIS recommendation name to the top of a .pp file. Finds CIS recommendation by pattern-matching the class name against XCCDF recommendations.'
+      CMD_PATH_ARG = 'Path to a .pp file or to a directory containing .pp files'
+      CMD_XCCDF_ARG = 'Path to XCCDF file to source recommendation names from'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(PATH: CMD_PATH_ARG, XCCDF: CMD_XCCDF_ARG)
+        options.on('-N', '--number-format', 'Matches based on number-formatted control class names') { @data[:number_format] = true }
+      end
+
+      def execute(path, xccdf)
+        AbideDevUtils::Ppt.add_cis_comment(path, xccdf, number_format: @data.fetch(:number_format, false))
+      end
+    end
+
+    class PuppetScoreModuleCommand < AbideCommand
+      CMD_NAME = 'score'
+      CMD_SHORT = 'Scores a Puppet module just like Puppet Forge'
+      CMD_LONG = 'Scores a Puppet module just like Puppet Forge. This is a useful quality-check before publishing a module.'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        options.on('-o [PATH]', '--outfile [PATH]', 'Save results to a file') { |x| @data[:outfile] = x }
+        options.on('-q', '--quiet', FalseClass, 'Do not print results to console') { |x| @data[:quiet] = x }
+        options.on('-c', '--checks', Array, 'Comma-separated list of individual checks to run. Defaults to running all checks.') { |x| @data[:check] = x }
+        options.on('-m [PATH]', '--module [PATH]', 'Path to a Puppet module to score. Defaults to using the current directory.') { |x| @data[:module] = x }
+      end
+
+      def execute
+        module_path = @data.fetch(:module, nil)
+        AbideDevUtils::Ppt.score_module(module_path, **@data)
       end
     end
   end

data/lib/abide_dev_utils/cli/xccdf.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'abide_dev_utils/cli/abstract'
 require 'abide_dev_utils/xccdf'
 
 module Abide
@@ -14,11 +15,12 @@ module Abide
         long_desc(CMD_LONG)
         add_command(CmdParse::HelpCommand.new, default: true)
         add_command(XccdfToHieraCommand.new)
+        add_command(XccdfDiffCommand.new)
       end
     end
 
     class XccdfToHieraCommand < CmdParse::Command
-      CMD_NAME = 'to_hiera'
+      CMD_NAME = 'to-hiera'
       CMD_SHORT = 'Generates control coverage report'
       CMD_LONG = 'Generates report of valid Puppet classes that match with Hiera controls'
       def initialize
@@ -37,15 +39,32 @@ module Abide
 
       def execute(xccdf_file)
         @data[:type] = 'cis' if @data[:type].nil?
-
-        to_hiera(xccdf_file)
+        hfile = AbideDevUtils::XCCDF.to_hiera(xccdf_file, @data)
+        AbideDevUtils::Output.yaml(hfile, console: @data[:file].nil?, file: @data[:file])
       end
+    end
 
-      private
+    class XccdfDiffCommand < AbideCommand
+      CMD_NAME = 'diff'
+      CMD_SHORT = 'Generates a diff report between two XCCDF files'
+      CMD_LONG = 'Generates a diff report between two XCCDF files'
+      CMD_FILE1_ARG = 'path to first XCCDF file'
+      CMD_FILE2_ARG = 'path to second XCCDF file'
+      def initialize
+        super(CMD_NAME, CMD_SHORT, CMD_LONG, takes_commands: false)
+        argument_desc(FILE1: CMD_FILE1_ARG, FILE2: CMD_FILE2_ARG)
+        options.on('-o [PATH]', '--out-file', 'Save the report as a yaml file') { |x| @data[:outfile] = x }
+        options.on('-p [PROFILE]', '--profile', 'Only diff and specific profile in the benchmarks') do |x|
+          @data[:profile] = x
+        end
+        options.on('-q', '--quiet', 'Show no output in the terminal') { @data[:quiet] = false }
+        options.on('--no-diff-profiles', 'Do not diff the profiles in the XCCDF files') { @data[:diff_profiles] = false }
+        options.on('--no-diff-controls', 'Do not diff the controls in the XCCDF files') { @data[:diff_controls] = false }
+      end
 
-      def to_hiera(xccdf_file)
-        xfile = AbideDevUtils::XCCDF.to_hiera(xccdf_file, @data)
-        Abide::CLI::OUTPUT.yaml(xfile, console: @data[:file].nil?, file: @data[:file])
+      def execute(file1, file2)
+        diffreport = AbideDevUtils::XCCDF.diff(file1, file2, @data)
+        AbideDevUtils::Output.yaml(diffreport, console: @data.fetch(:quiet, true), file: @data.fetch(:outfile, nil))
       end
     end
   end