cyber_trackr_live 1.0.0

data/cyber_trackr_live.gemspec

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'cyber_trackr_client/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'cyber_trackr_live'
+  spec.version       = CyberTrackrClient::VERSION
+  spec.authors       = ['MITRE Corporation']
+  spec.email         = ['saf@mitre.org']
+  spec.summary       = 'OpenAPI specification and Ruby client for cyber.trackr.live API'
+  spec.description   = 'Provides OpenAPI 3.1.1 specification and Ruby client for accessing DISA STIGs, SRGs, RMF controls, CCIs, and SCAP data via the cyber.trackr.live API'
+  spec.homepage      = 'https://github.com/mitre/cyber-trackr-live'
+  spec.license       = 'Apache-2.0'
+
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/mitre/cyber-trackr-live/issues',
+    'changelog_uri' => 'https://github.com/mitre/cyber-trackr-live/blob/main/CHANGELOG-GEM.md',
+    'documentation_uri' => 'https://mitre.github.io/cyber-trackr-live/',
+    'homepage_uri' => 'https://github.com/mitre/cyber-trackr-live',
+    'source_code_uri' => 'https://github.com/mitre/cyber-trackr-live',
+    'rubygems_mfa_required' => 'true'
+  }
+
+  spec.files = %w[
+    README-GEM.md cyber_trackr_live.gemspec LICENSE.md NOTICE.md CHANGELOG-GEM.md
+    CODE_OF_CONDUCT.md CONTRIBUTING.md SECURITY.md
+  ] + Dir.glob('lib/**/*', File::FNM_DOTMATCH).reject { |f| File.directory?(f) } +
+               Dir.glob('openapi/**/*', File::FNM_DOTMATCH).reject { |f| File.directory?(f) } +
+               Dir.glob('examples/**/*', File::FNM_DOTMATCH).reject { |f| File.directory?(f) }
+
+  spec.require_paths = ['lib']
+  spec.required_ruby_version = '>= 3.2.0'
+
+  # Use the gem-specific README for RubyGems.org
+  spec.extra_rdoc_files = ['README-GEM.md']
+  spec.rdoc_options = ['--main', 'README-GEM.md']
+
+  # Runtime dependencies
+  spec.add_dependency 'faraday', '~> 2.0'
+  spec.add_dependency 'faraday-follow_redirects', '~> 0.3'
+  spec.add_dependency 'faraday-multipart', '~> 1.0'
+  spec.add_dependency 'marcel', '~> 1.0'
+  spec.add_dependency 'yard', '~> 0.9'
+
+  # Development dependencies
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_development_dependency 'bundler-audit', '~> 0.9'
+  spec.add_development_dependency 'minitest', '~> 5.0'
+  spec.add_development_dependency 'rake', '~> 13.0'
+  spec.add_development_dependency 'rubocop', '~> 1.50'
+  spec.add_development_dependency 'rubocop-ast', '~> 1.28'
+  spec.add_development_dependency 'simplecov', '~> 0.22'
+  spec.add_development_dependency 'webmock', '~> 3.0'
+end

data/examples/cyber_trackr_client.rb

@@ -0,0 +1,208 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'uri'
+require 'json'
+
+module InspecXccdfMapper
+  # Client for cyber.trackr.live API
+  # Based on the OpenAPI specification in docs/cyber-trackr-openapi.yaml
+  class CyberTrackrClient
+    BASE_URL = 'https://cyber.trackr.live/api'
+    DEFAULT_TIMEOUT = 30
+    RATE_LIMIT_DELAY = 0.1 # 100ms between requests
+
+    attr_reader :rate_limit_delay, :timeout
+
+    def initialize(rate_limit_delay: RATE_LIMIT_DELAY, timeout: DEFAULT_TIMEOUT)
+      @rate_limit_delay = rate_limit_delay
+      @timeout = timeout
+      @last_request_time = Time.now - rate_limit_delay
+    end
+
+    # Get API documentation
+    def api_info
+      get('/')
+    end
+
+    # List all STIGs and SRGs (mixed in API)
+    # Returns hash with STIG/SRG names as keys, version arrays as values
+    def list_all_documents
+      get('/stig')
+    end
+
+    # List only STIGs (filters out SRGs)
+    def list_stigs
+      all_docs = list_all_documents
+      all_docs.reject { |name, _| is_srg?(name) }
+    end
+
+    # List only SRGs (filters out STIGs)  
+    def list_srgs
+      all_docs = list_all_documents
+      all_docs.select { |name, _| is_srg?(name) }
+    end
+
+    # Get STIG details with all requirements
+    def get_stig(title, version, release)
+      get("/stig/#{encode_path(title)}/#{version}/#{release}")
+    end
+
+    # Get detailed control information
+    def get_control(title, version, release, vuln_id)
+      get("/stig/#{encode_path(title)}/#{version}/#{release}/#{vuln_id}")
+    end
+
+    # List RMF controls
+    def list_rmf_controls(revision = 5)
+      get("/rmf/#{revision}")
+    end
+
+    # Get RMF control details
+    def get_rmf_control(revision, control)
+      get("/rmf/#{revision}/#{control}")
+    end
+
+    # List CCIs
+    def list_ccis
+      get('/cci')
+    end
+
+    # Get CCI details
+    def get_cci(item)
+      get("/cci/#{item}")
+    end
+
+    # Fetch complete STIG with all control details
+    def fetch_complete_stig(title, version, release, &block)
+      stig = get_stig(title, version, release)
+      return nil unless stig && stig['requirements']
+
+      total = stig['requirements'].size
+      completed_requirements = {}
+
+      stig['requirements'].each_with_index do |(vuln_id, summary), index|
+        yield(index + 1, total, vuln_id) if block_given?
+        
+        begin
+          control_details = get_control(title, version, release, vuln_id)
+          completed_requirements[vuln_id] = summary.merge(control_details)
+        rescue => e
+          # Keep original summary if fetch fails
+          completed_requirements[vuln_id] = summary.merge('_error' => e.message)
+        end
+      end
+
+      stig.merge('requirements' => completed_requirements)
+    end
+
+    private
+
+    def get(path)
+      enforce_rate_limit
+      
+      uri = URI.join(BASE_URL, path)
+      
+      response = Net::HTTP.start(uri.host, uri.port, 
+                                use_ssl: true, 
+                                read_timeout: timeout,
+                                open_timeout: timeout) do |http|
+        request = Net::HTTP::Get.new(uri)
+        request['Accept'] = 'application/json'
+        request['User-Agent'] = 'InSpec-XCCDF-Mapper/1.0'
+        http.request(request)
+      end
+
+      case response.code
+      when '200'
+        JSON.parse(response.body)
+      when '404'
+        raise NotFoundError, "Resource not found: #{path}"
+      when '500'
+        error = JSON.parse(response.body) rescue {}
+        raise ServerError, error['detail'] || "Server error: #{response.code}"
+      else
+        raise ApiError, "HTTP #{response.code}: #{response.message}"
+      end
+    rescue Net::ReadTimeout, Net::OpenTimeout
+      raise TimeoutError, "Request timed out after #{timeout} seconds"
+    end
+
+    def enforce_rate_limit
+      elapsed = Time.now - @last_request_time
+      sleep_time = rate_limit_delay - elapsed
+      sleep(sleep_time) if sleep_time > 0
+      @last_request_time = Time.now
+    end
+
+    def encode_path(component)
+      # URL encode but keep forward slashes
+      component.gsub(' ', '_').gsub('/', '_')
+    end
+
+    # Determine if a document name is an SRG vs STIG
+    def is_srg?(document_name)
+      srg_patterns = [
+        /Security.*Requirements.*Guide/i,
+        /\(SRG\)/,
+        /_SRG$/,
+        # Specific known SRG patterns
+        /^Application_Layer_Gateway.*Security_Requirements_Guide/,
+        /^Application_Server_Security_Requirements_Guide/,
+        /^Database_Security_Requirements_Guide/,
+        /^Network_Device_Management_Security_Requirements_Guide/,
+        /^Operating_System_Security_Requirements_Guide/,
+        /^AAA.*Security_Requirements_Guide/,
+        /^Central_Log_Server_Security_Requirements_Guide/,
+        /^DNS_Server_Security_Requirements_Guide/,
+        /^Email_Services_Security_Requirements_Guide/,
+        /^General_Purpose_Operating_System_Security_Requirements_Guide/,
+        /^Multifunction_Device_or_Network_Function_Virtualization_Security_Requirements_Guide/,
+        /^Network_Infrastructure_Security_Requirements_Guide/,
+        /^Traditional_Security_Requirements_Guide/,
+        /^VPN_Gateway_Security_Requirements_Guide/,
+        /^Web_Server_Security_Requirements_Guide/
+      ]
+      
+      srg_patterns.any? { |pattern| document_name.match?(pattern) }
+    end
+
+    # Classify a requirement as technology-generic (SRG) vs vendor-specific (STIG)
+    def is_generic_requirement?(control_detail)
+      # SRG requirements have SRG- group patterns and generic language
+      group = control_detail['group']
+      check_text = control_detail['check-text'] || ''
+      fix_text = control_detail['fix-text'] || ''
+      
+      return true if group&.start_with?('SRG-')
+      
+      # Generic language patterns (no vendor-specific commands)
+      generic_patterns = [
+        /configure the \w+ to/i,
+        /verify the \w+ is configured/i,
+        /the \w+ must be configured/i
+      ]
+      
+      vendor_specific_patterns = [
+        /show configuration/i,
+        /set \w+/i,
+        /\$ \w+/,  # Shell commands
+        />\s*\w+/,  # CLI prompts
+        /\/etc\//,   # File paths
+        /systemctl/,
+        /grep/
+      ]
+      
+      has_generic = generic_patterns.any? { |p| check_text.match?(p) || fix_text.match?(p) }
+      has_vendor_specific = vendor_specific_patterns.any? { |p| check_text.match?(p) || fix_text.match?(p) }
+      
+      has_generic && !has_vendor_specific
+    end
+
+    # Custom error classes
+    class ApiError < StandardError; end
+    class NotFoundError < ApiError; end
+    class ServerError < ApiError; end
+    class TimeoutError < ApiError; end
+  end
+end

data/examples/fetch-complete-stig

@@ -0,0 +1,174 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'json'
+require 'net/http'
+require 'uri'
+require 'fileutils'
+require 'optparse'
+require 'logger'
+
+# Script to fetch complete STIG data with all control details
+class CompleteStigFetcher
+  BASE_URL = 'https://cyber.trackr.live'
+  RATE_LIMIT_DELAY = 0.1 # 100ms between requests
+
+  def initialize(logger: Logger.new($stdout))
+    @logger = logger
+  end
+
+  def fetch_complete_stig(input_file, output_file = nil)
+    @logger.info "Loading STIG from: #{input_file}"
+    
+    # Load the base STIG file
+    stig_data = JSON.parse(File.read(input_file))
+    
+    # Determine output filename
+    output_file ||= input_file.sub('.json', '_complete.json')
+    
+    # Check if we have requirements to process
+    unless stig_data['requirements']
+      @logger.warn "No requirements found in STIG file"
+      return
+    end
+    
+    @logger.info "Found #{stig_data['requirements'].size} controls to fetch"
+    
+    # Fetch detailed data for each control
+    completed_controls = []
+    failed_controls = []
+    
+    stig_data['requirements'].each_with_index do |control, index|
+      @logger.info "[#{index + 1}/#{stig_data['requirements'].size}] Fetching control #{control['id']}"
+      
+      begin
+        # Fetch detailed control data
+        detailed_control = fetch_control_details(control)
+        
+        # Merge the detailed data with the base control
+        completed_control = control.merge(detailed_control)
+        completed_controls << completed_control
+        
+        # Rate limiting
+        sleep RATE_LIMIT_DELAY
+      rescue => e
+        @logger.error "Failed to fetch control #{control['id']}: #{e.message}"
+        failed_controls << control['id']
+        # Keep the original control data even if fetch fails
+        completed_controls << control
+      end
+    end
+    
+    # Update the STIG data with complete controls
+    complete_stig = stig_data.dup
+    complete_stig['requirements'] = completed_controls
+    complete_stig['_metadata'] = {
+      'fetched_at' => Time.now.utc.iso8601,
+      'total_controls' => stig_data['requirements'].size,
+      'successfully_fetched' => stig_data['requirements'].size - failed_controls.size,
+      'failed_controls' => failed_controls
+    }
+    
+    # Write the complete STIG file
+    @logger.info "Writing complete STIG to: #{output_file}"
+    File.write(output_file, JSON.pretty_generate(complete_stig))
+    
+    # Summary
+    @logger.info "Complete! Fetched #{stig_data['requirements'].size - failed_controls.size}/#{stig_data['requirements'].size} controls"
+    @logger.warn "Failed to fetch #{failed_controls.size} controls: #{failed_controls.join(', ')}" unless failed_controls.empty?
+    
+    output_file
+  end
+
+  private
+
+  def fetch_control_details(control)
+    return {} unless control['link']
+    
+    uri = URI.join(BASE_URL, control['link'])
+    
+    response = Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
+      request = Net::HTTP::Get.new(uri)
+      request['Accept'] = 'application/json'
+      http.request(request)
+    end
+    
+    if response.code == '200'
+      control_data = JSON.parse(response.body)
+      
+      # Map the actual API response fields to our expected structure
+      {
+        'title' => control_data['requirement-title'],
+        'description' => control_data['requirement-description'],
+        'check_text' => control_data['check-text'],
+        'fix_text' => control_data['fix-text'],
+        'severity' => control_data['severity'],
+        'version' => control_data['version'],
+        'rule' => control_data['rule'],
+        'group' => control_data['group'],
+        'check_id' => control_data['check-id'],
+        'fix_id' => control_data['fix-id'],
+        'identifiers' => control_data['identifiers'],
+        'mitigation_statement' => control_data['mitigation-statement']
+      }.compact
+    else
+      raise "HTTP #{response.code}: #{response.message}"
+    end
+  end
+end
+
+# CLI interface
+if __FILE__ == $0
+  options = {
+    output: nil,
+    verbose: false
+  }
+
+  OptionParser.new do |opts|
+    opts.banner = "Usage: fetch-complete-stig [options] <stig_file>"
+    
+    opts.on("-o", "--output FILE", "Output file (default: <input>_complete.json)") do |o|
+      options[:output] = o
+    end
+    
+    opts.on("-v", "--verbose", "Verbose output") do
+      options[:verbose] = true
+    end
+    
+    opts.on("-h", "--help", "Show this help") do
+      puts opts
+      exit
+    end
+  end.parse!
+
+  if ARGV.empty?
+    puts "Error: Please specify a STIG JSON file"
+    puts "Usage: fetch-complete-stig <stig_file>"
+    exit 1
+  end
+
+  input_file = ARGV[0]
+  
+  unless File.exist?(input_file)
+    puts "Error: File not found: #{input_file}"
+    exit 1
+  end
+
+  # Set up logger
+  logger = Logger.new($stdout)
+  logger.level = options[:verbose] ? Logger::DEBUG : Logger::INFO
+  logger.formatter = proc do |severity, datetime, progname, msg|
+    "#{severity}: #{msg}\n"
+  end
+
+  # Fetch the complete STIG
+  fetcher = CompleteStigFetcher.new(logger: logger)
+  begin
+    output_file = fetcher.fetch_complete_stig(input_file, options[:output])
+    puts "\nComplete STIG saved to: #{output_file}"
+  rescue => e
+    logger.error "Failed to fetch complete STIG: #{e.message}"
+    exit 1
+  end
+end

data/examples/fetch-stig-complete

@@ -0,0 +1,67 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'json'
+require 'optparse'
+require_relative 'cyber_trackr_client'
+
+# Script to fetch complete STIG data directly from API
+options = {}
+OptionParser.new do |opts|
+  opts.banner = "Usage: fetch-stig-complete [options]"
+  
+  opts.on("-n", "--name NAME", "STIG name (e.g., 'Juniper_SRX_Services_Gateway_ALG')") do |n|
+    options[:name] = n
+  end
+  
+  opts.on("-v", "--version VERSION", "STIG version (e.g., '3')") do |v|
+    options[:version] = v
+  end
+  
+  opts.on("-r", "--release RELEASE", "STIG release (e.g., '3')") do |r|
+    options[:release] = r
+  end
+  
+  opts.on("-o", "--output FILE", "Output file (default: NAME_v{VERSION}r{RELEASE}_complete.json)") do |o|
+    options[:output] = o
+  end
+  
+  opts.on("-h", "--help", "Show this help message") do
+    puts opts
+    exit
+  end
+end.parse!
+
+# Validate required options
+unless options[:name] && options[:version] && options[:release]
+  puts "Error: --name, --version, and --release are required"
+  puts "Example: ./fetch-stig-complete -n Juniper_SRX_Services_Gateway_ALG -v 3 -r 3"
+  exit 1
+end
+
+# Set default output filename
+options[:output] ||= "#{options[:name]}_v#{options[:version]}r#{options[:release]}_complete.json"
+
+# Create client instance
+client = InspecXccdfMapper::CyberTrackrClient.new
+
+puts "Fetching complete STIG: #{options[:name]} v#{options[:version]}r#{options[:release]}"
+puts "This will make multiple API calls and may take a minute..."
+
+begin
+  # Fetch complete STIG with all control details
+  complete_stig = client.fetch_complete_stig(options[:name], options[:version], options[:release]) do |current, total, vuln_id|
+    print "\rFetching control #{current}/#{total}: #{vuln_id}    "
+  end
+  
+  puts "\nSuccessfully fetched #{complete_stig['requirements'].size} controls"
+  
+  # Write to output file
+  File.write(options[:output], JSON.pretty_generate(complete_stig))
+  puts "Saved complete STIG to: #{options[:output]}"
+  
+rescue => e
+  puts "\nError: #{e.message}"
+  exit 1
+end

data/examples/fetch-stig-direct

@@ -0,0 +1,99 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'json'
+require 'optparse'
+require_relative '../generated-client/lib/cyber_trackr_client'
+
+# Script to fetch complete STIG data directly from API using generated client
+options = {}
+OptionParser.new do |opts|
+  opts.banner = "Usage: fetch-stig-direct [options]"
+  
+  opts.on("-n", "--name NAME", "STIG name (e.g., 'Juniper_SRX_Services_Gateway_ALG')") do |n|
+    options[:name] = n
+  end
+  
+  opts.on("-v", "--version VERSION", "STIG version (e.g., '3')") do |v|
+    options[:version] = v
+  end
+  
+  opts.on("-r", "--release RELEASE", "STIG release (e.g., '3')") do |r|
+    options[:release] = r
+  end
+  
+  opts.on("-o", "--output FILE", "Output file (default: NAME_VERSION_RELEASE_complete.json)") do |o|
+    options[:output] = o
+  end
+  
+  opts.on("-h", "--help", "Show this help message") do
+    puts opts
+    exit
+  end
+end.parse!
+
+# Validate required options
+unless options[:name] && options[:version] && options[:release]
+  puts "Error: --name, --version, and --release are required"
+  puts "Example: ./fetch-stig-direct -n Juniper_SRX_Services_Gateway_ALG -v 3 -r 3"
+  exit 1
+end
+
+# Configure client
+CyberTrackrClient.configure do |config|
+  config.host = 'cyber.trackr.live'
+  config.base_path = '/api'
+end
+
+# Create API instance
+api = CyberTrackrClient::STIGSRGApi.new
+
+# Set default output filename
+options[:output] ||= "#{options[:name]}_#{options[:version]}_#{options[:release]}_complete.json"
+
+puts "Fetching STIG: #{options[:name]} v#{options[:version]}r#{options[:release]}"
+
+begin
+  # Fetch the STIG with all requirements
+  stig = api.stig_title_version_release_get(options[:name], options[:version], options[:release])
+  
+  # Check if we got requirements
+  if stig.requirements.nil? || stig.requirements.empty?
+    puts "Warning: No requirements found in STIG"
+  else
+    puts "Found #{stig.requirements.size} requirements"
+    
+    # Fetch detailed data for each requirement
+    stig.requirements.each_with_index do |req, index|
+      print "\rFetching control details: #{index + 1}/#{stig.requirements.size}"
+      
+      begin
+        # Fetch detailed control data
+        detailed = api.stig_title_version_release_vuln_get(
+          options[:name], 
+          options[:version], 
+          options[:release], 
+          req.id
+        )
+        
+        # Update the requirement with detailed data
+        # (The detailed response should already include all fields)
+        
+        # Small delay to be respectful to the API
+        sleep 0.1
+      rescue => e
+        puts "\nWarning: Failed to fetch details for #{req.id}: #{e.message}"
+      end
+    end
+    puts "\nCompleted fetching all control details"
+  end
+  
+  # Write to output file
+  File.write(options[:output], JSON.pretty_generate(stig.to_hash))
+  puts "Saved complete STIG to: #{options[:output]}"
+  
+rescue => e
+  puts "Error: #{e.message}"
+  exit 1
+end

data/examples/use_helper.rb

@@ -0,0 +1,50 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative '../cyber_trackr_helper'
+
+# Example: Using the Cyber Trackr Helper
+client = CyberTrackrHelper::Client.new
+
+# 1. Search for specific STIGs
+puts "=== Searching for Juniper STIGs ==="
+juniper_docs = client.search_documents('juniper')
+juniper_docs.each do |name, versions|
+  type = client.is_srg?(name) ? 'SRG' : 'STIG'
+  puts "#{name} (#{type}): #{versions.size} versions"
+end
+
+# 2. Get the latest version
+puts "\n=== Latest Juniper ALG STIG ==="
+latest = client.get_latest_version('Juniper_SRX_Services_Gateway_ALG')
+if latest
+  puts "Latest version: v#{latest['version']}r#{latest['release']} (#{latest['release_date']})"
+end
+
+# 3. Generate compliance summary
+puts "\n=== Compliance Summary ==="
+summary = client.generate_compliance_summary('Juniper_SRX_Services_Gateway_ALG', '3', '3')
+puts "Total controls: #{summary[:total]}"
+puts "By severity:"
+summary[:by_severity].each do |severity, count|
+  puts "  #{severity.capitalize}: #{count}"
+end
+
+# 4. Fetch controls by severity
+puts "\n=== High Severity Controls ==="
+high_controls = client.fetch_controls_by_severity('Juniper_SRX_Services_Gateway_ALG', '3', '3', 'high')
+high_controls.each do |control|
+  puts "#{control.id}: #{control.requirement_title[0..60]}..."
+end
+
+# 5. Download complete STIG with progress
+puts "\n=== Downloading Complete STIG ==="
+complete_stig = client.fetch_complete_stig('Juniper_SRX_Services_Gateway_ALG', '3', '3') do |current, total, vuln_id|
+  print "\rFetching control #{current}/#{total}: #{vuln_id}    "
+end
+puts "\nDownloaded #{complete_stig[:requirements].size} complete controls"
+
+# Save to file
+require 'json'
+File.write('juniper_alg_complete.json', JSON.pretty_generate(complete_stig))
+puts "Saved to: juniper_alg_complete.json"