heimdall_tools 1.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 16faf735e553864867f8e551ea92b96621eeb415
+  data.tar.gz: 2baa94079e6561d38c5c8511e39691a15d360619
+SHA512:
+  metadata.gz: ba635075511c4299786f38a763625197da934bf3aa72d992c9da464bdfc8f992f7734d26907aaf67aa71c40c9f37f22232e32173e44e7302d06254a788c7a618
+  data.tar.gz: 7dbe62ad30fef7ed3a6eef4570ad5e4500345947013b2d152842c024fbffb4a5bf640f431861443ad49d1d5d99c429db7d39d8149c05c97a2b0e3b69480c2563

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
+
+## [1.0.1]
+- Initial internal release.

data/Guardfile

@@ -0,0 +1,4 @@
+guard 'bundler', cmd: 'bundle' do
+  watch('Gemfile')
+  watch(/^.+\.gemspec/)
+end

data/LICENSE.md

@@ -0,0 +1,9 @@
+Licensed under the Apache 2.0 license.  
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright/ digital rights legend, this list of conditions and the following Notice.
+
+* Redistributions in binary form must reproduce the above copyright copyright/ digital rights legend, this list of conditions and the following Notice in the documentation and/or other materials provided with the distribution.
+
+* Neither the name of The MITRE Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

data/README.md

@@ -0,0 +1,122 @@
+# WIP - ALPHA
+
+# HeimdallTools
+
+HeimdallTools supplies several methods to convert output from various tools to "Heimdall Data Format"(HDF) format to be viewable in Heimdall. The converters in version 1.1.1 are from:
+
+* __sonarqube_mapper__ - open-source static code analysis tool
+* __fortify_mapper__ - commercial static code analysis tool
+* __zap_mapper__ - OWASP ZAP - open-source dynamic code analysis tool
+
+# Installation
+
+Add this line to your application's Gemfile:
+
+```
+gem 'heimdall_tools', :git => "https://github.com/mitre/heimdall_tools"
+```
+
+And then execute:
+
+```
+    $ bundle
+```
+
+Clone the repo and install it yourself as:
+
+```
+    $ gem install heimdall_tools
+```
+
+## Command line Usage
+
+On the Command Line, `heimdall_tools help` will print a listing of all the command with a short description.
+For detailed help on any command, run `heimdall_tools help [COMMAND]`. Help can also be called with the `-h, --help` flags after any command, like `heimdall_tools fortify_mapper -h`.
+
+## sonarqube_mapper
+
+sonarqube_mapper pulls SonarQube results, for the specified project, from the API and outputs in HDF format Json to be viewed on Heimdall
+
+```
+USAGE: heimdall_tools sonarqube_mapper [OPTIONS] -n <project-name> -u <api-url> -o <scan-results.json>
+
+FLAGS:
+    -n --name <project-name>         : name of the project in SonarQube, aka Project Key
+    -u --api_url <api-url>           : url of the SonarQube Server API. Typically ends with /api.
+    -o --output <scan-results>       : path to output scan-results json.
+    -V --verbose                     : verbose run [optional].
+
+example: heimdall_tools sonarqube_mapper -n sonar_project -u http://sonar:9000/api -o scan_results.json
+```
+
+## fortify_mapper
+
+fortify_mapper translates an Fortify results FVDL file into HDF format json to be viewable in Heimdall
+
+```
+USAGE: heimdall_tools fortify_mapper [OPTIONS] -f <fortify-fvdl> -o <scan-results.json>
+
+FLAGS:
+	-f --fvdl <fortify-fvdl>         : path to Fortify Scan FVDL file.
+	-o --output <scan-results>       : path to output scan-results json.
+	-V --verbose                     : verbose run [optional].
+
+example: heimdall_tools fortify_mapper -f audit.fvdl -o scan_results.json
+```
+
+## zap_mapper
+
+zap_mapper translates OWASP ZAP results Json to HDF format Json be viewed on Heimdall
+
+```
+USAGE: heimdall_tools zap_mapper [OPTIONS] -j <zap-json> -n <site-name> -o <scan-results.json>
+
+FLAGS:
+    -j --json <zap-json>             : path to OWASP ZAP results JSON file.
+    -n --name <site-name>            : URL of the site being evaluated.
+    -o --output <scan-results>       : path to output scan-results json.
+    -V --verbose                     : verbose run [optional].
+
+example: heimdall_tools zap_mapper -j zap_results.json -n site_name -o scan_results.json
+```
+
+## version  
+
+Prints out the gem version
+
+```
+USAGE: heimdall_tools version
+```
+
+# Development
+
+This gem was developed using the [CLI Template](https://github.com/tongueroo/cli-template), a generator tool that builds a starter CLI project.
+
+There are a set of unit tests. Run `rake test` to run the tests.
+
+To release a new version, update the version number in `version.rb` according to the [Semantic Versioning Policy](https://semver.org/). Then, run `bundle exec rake release` which will create a git tag for the specified version, push git commits and tags, and push the `.gem` file to [github.com](https://github.com/mitre/heimdall_tools).
+
+
+# License and Author
+
+### Authors
+
+- Author:: Rony Xavier [rx294](https://github.com/rx294)
+- Author:: Dan Mirsky [mirskiy](https://github.com/mirskiy)
+
+### NOTICE   
+
+© 2018 The MITRE Corporation.  
+
+Approved for Public Release; Distribution Unlimited. Case Number 18-3678.  
+
+### NOTICE
+MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.
+
+### NOTICE  
+
+This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.  
+
+No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.   
+
+For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA  22102-7539, (703) 983-6000.  

data/Rakefile

@@ -0,0 +1,24 @@
+
+
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+namespace :test do
+  Rake::TestTask.new(:windows) do |t|
+    t.libs << 'test'
+    t.libs << "lib"
+    t.test_files = Dir.glob([
+      'test/unit/heimdall_tools/zap_mapper_test.rb',
+    ])
+  end
+end
+
+task :default => :test
+
+

data/exe/heimdall_tools

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+# Trap ^C
+Signal.trap('INT') {
+  puts "\nCtrl-C detected. Exiting..."
+  sleep 1
+  exit
+}
+
+$LOAD_PATH.unshift(File.expand_path('../lib', __dir__))
+require 'heimdall_tools'
+require 'heimdall_tools/cli'
+
+HeimdallTools::CLI.start(ARGV)

data/lib/data/cwe-nist-mapping.csv

@@ -0,0 +1,195 @@
+CWE-ID,CWE Name,NIST-ID,Rev,NIST Name
+5, J2EE Misconfiguration: Data Transmission Without Encryption,SC-8,4,Transmission Confidentiality and Integrity
+6, J2EE Misconfiguration: Insufficient Session-ID Length,SC-23,4,Session Authenticity
+7, J2EE Misconfiguration: Missing Custom Error Page,SI-11,4,Error Handling
+8, J2EE Misconfiguration: Entity Bean Declared Remote,AC-3,4,Access Enforcement
+9, J2EE Misconfiguration: Weak Access Permissions for EJB Methods,AC-3,4,Access Enforcement
+11, ASP.NET Misconfiguration: Creating Debug Binary,SI-11,4,Error Handling
+14, Compiler Removal of Code to Clear Buffers,SI-16,4,Memory Protection
+15, External Control of System or Configuration Setting,SI-10,4,Information Input Validation
+20, Improper Input Validation,SI-10,4,Information Input Validation
+22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'),SI-10,4,Information Input Validation
+23, Relative Path Traversal,SI-10,4,Information Input Validation
+36, Absolute Path Traversal,SI-10,4,Information Input Validation
+73, External Control of File Name or Path,SI-10,4,Information Input Validation
+77, Improper Neutralization of Special Elements used in a Command ('Command Injection'),SI-10,4,Information Input Validation
+78, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'),SI-10,4,Information Input Validation
+79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'),SI-10,4,Information Input Validation
+89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'),SI-10,4,Information Input Validation
+90, Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'),SI-10,4,Information Input Validation
+91, XML Injection (aka Blind XPath Injection),SI-10,4,Information Input Validation
+94, Improper Control of Generation of Code ('Code Injection'),SI-10,4,Information Input Validation
+95, Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'),SI-10,4,Information Input Validation
+99, Improper Control of Resource Identifiers ('Resource Injection'),SI-10,4,Information Input Validation
+101, Struts Validation Problems,SI-10,4,Information Input Validation
+102, Struts: Duplicate Validation Forms,SI-10,4,Information Input Validation
+103, Struts: Incomplete validate() Method Definition,SI-10,4,Information Input Validation
+104, Struts: Form Bean Does Not Extend Validation Class,SI-10,4,Information Input Validation
+105, Struts: Form Field Without Validator,SI-10,4,Information Input Validation
+106, Struts: Plug-in Framework not in Use,SI-10,4,Information Input Validation
+107, Struts: Unused Validation Form,SI-10,4,Information Input Validation
+108, Struts: Unvalidated Action Form,SI-10,4,Information Input Validation
+109, Struts: Validator Turned Off,SI-10,4,Information Input Validation
+110, Struts: Validator Without Form Field,SI-10,4,Information Input Validation
+111, Direct Use of Unsafe JNI,SI-10,4,Information Input Validation
+112, Missing XML Validation,SI-10,4,Information Input Validation
+113, Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'),SI-10,4,Information Input Validation
+114, Process Control,SI-10,4,Information Input Validation
+117, Improper Output Neutralization for Logs,SI-10,4,Information Input Validation
+119, Improper Restriction of Operations within the Bounds of a Memory Buffer,SI-10,4,Information Input Validation
+120, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'),SI-10,4,Information Input Validation
+125, Out-of-bounds Read,SI-10,4,Information Input Validation
+126, Buffer Over-read,SI-10,4,Information Input Validation
+129, Improper Validation of Array Index,,4,
+131, Incorrect Calculation of Buffer Size,SI-10,4,Information Input Validation
+134, Uncontrolled Format String,SI-10,4,Information Input Validation
+170, Improper Null Termination,SI-10,4,Information Input Validation
+176, Improper Handling of Unicode Encoding,,4,
+185, Incorrect Regular Expression,,4,
+190, Integer Overflow or Wraparound,SI-10,4,Information Input Validation
+195, Signed to Unsigned Conversion Error,,4,
+200, Information Exposure,SC-8,4,Transmission Confidentiality and Integrity
+209, Information Exposure Through an Error Message,,4,
+215, Information Exposure Through Debug Information,SI-11,4,Error Handling
+226, Sensitive Information Uncleared Before Release,SC-4,4,Information in Shared Resources
+235, Improper Handling of Extra Parameters,SI-10,4,Information Input Validation
+242, Use of Inherently Dangerous Function,,4,
+243, Creation of chroot Jail Without Changing Working Directory,AC-3,4,Access Enforcement
+244, Improper Cleaning of Heap Memory,SC-4,4,Information in Shared Resources
+245, J2EE Bad Practices: Direct Management of Connections,,4,
+246, J2EE Bad Practices: Direct Use of Sockets,,4,
+248, Uncaught Exception,,4,
+250, Execution with Unnecessary Privileges,AC-6,4,Least Privilege: Privilege Levels for Code Execution
+251, Often Misused: String Management,,4,
+252, Unchecked Return Value,,4,
+256, Plaintext Storage of a Password,SC-28,4,Protection of Information at Rest
+258, Empty Password in Configuration File,SC-28,4,Protection of Information at Rest
+259, Use of Hard-coded Password,,4,
+260, Password in Configuration File,SC-28,4,Protection of Information at Rest
+261, Weak Cryptography for Passwords,SC-13,4,Cryptographic Protection
+265, Privilege / Sandbox Issues,AC-6,4,Least Privilege
+269, Improper Privilege Management,AC-4,4,Information Flow Enforcement
+272, Least Privilege Violation,AC-6,4,Least Privilege: Privilege Levels for Code Execution -8
+275, Permission Issues,AC-3,4,Access Enforcement
+284, Improper Access Control,AC-3,4,Access Enforcement
+285, Improper Authorization,AC-3,4,Access Enforcement
+288, Authentication Bypass Using an Alternate Path or Channel,IA-8,4,Identification and Authentication (Non-Organizational Users)
+297, Improper Validation of Certificate with Host Mismatch,SC-8,4,Transmission Confidentiality and Integrity
+302, Authentication Bypass by Assumed-Immutable Data,SC-23,4,Session Authenticity
+305, Authentication Bypass by Primary Weakness,IA-8,4,Identification and Authentication (Non-Organizational Users)
+306, Missing Authentication for Critical Function,AC-3,4,Access Enforcement
+307, Improper Restriction of Excessive Authentication Attempts,AC-7,4,Unsuccessful Logon Attempts
+311, Missing Encryption of Sensitive Data,SC-8,4,Transmission Confidentiality and Integrity
+321, Use of Hard-coded Cryptographic Key,SC-12,4,Cryptographic Key Establishment and Management
+325, Missing Required Cryptographic Step,SC-13,4,Cryptographic Protection
+326, Inadequate Encryption Strength,SC-12,4,Cryptographic Key Establishment and Management
+327, Use of a Broken or Risky Cryptographic Algorithm,SC-13,4,Cryptographic Protection
+328, Reversible One-Way Hash,SC-13,4,Cryptographic Protection
+329, Not Using a Random IV with CBC Mode,SC-12,4,Cryptographic Key Establishment and Management
+330, Use of Insufficiently Random Values,SC-13,4,Cryptographic Protection
+331, Insufficient Entropy,SC-13,4,Cryptographic Protection
+335, PRNG Seed Error,SC-13,4,Cryptographic Protection
+336, Same Seed in PRNG,SC-13,4,Cryptographic Protection
+338, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG),SC-13,4,Cryptographic Protection
+345, Insufficient Verification of Data Authenticity,SC-8,4,Transmission Confidentiality and Integrity
+350, Reliance on Reverse DNS Resolution for a Security-Critical Function,SI-10,4,Information Input Validation
+352, Cross-Site Request Forgery (CSRF),AC-3,4,Access Enforcement
+358, Improperly Implemented Security Check for Standard,AC-3,4,Access Enforcement
+359, Exposure of Private Information ('Privacy Violation'),SC-28,4,Protection of Information at Rest
+362, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'),SC-4,4,Information in Shared Resources
+364, Signal Handler Race Condition,,4,
+369, Divide by Zero,,4,
+377, Insecure Temporary File,SC-4,4,Information in Shared Resources (P1)
+382, J2EE Bad Practices: Use of System.exit(),,4,
+383, J2EE Bad Practices: Direct Use of Threads,,4,
+384, Session Fixation,SC-23,4,Session Authenticity
+388, Error Handling,SI-11,4,Error Handling
+391, Unchecked Error Condition,SI-11,4,Error Handling
+395, Use of NullPointerException Catch to Detect NULL Pointer Dereference,SI-11,4,Error Handling
+396, Declaration of Catch for Generic Exception,SI-11,4,Error Handling
+397, Declaration of Throws for Generic Exception,SI-11,4,Error Handling
+398, Indicator of Poor Code Quality,,4,
+400, Uncontrolled Resource Consumption ('Resource Exhaustion'),SI-10,4,Information Input Validation
+401, Improper Release of Memory Before Removing Last Reference,,4,
+404, Improper Resource Shutdown or Release,,4,
+415, Double Free,,4,
+416, Use after Free,,4,
+434, Unrestricted Upload of File with Dangerous Type,AC-6,4,Least Privilege: Privilege Levels for Code Execution
+457, Use of Uninitialized Variable,,4,
+466, Return of Pointer Value Outside of Expected Range,,4,
+470, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'),SI-10,4,Information Input Validation
+471, Modification of Assumed-Immutable DATA (MAID),AC-3,4,Access Enforcement
+474, Use of Function with Inconsistent Implementations,,4,
+475, Undefined Behavior for Input to API,,4,
+476, NULL Pointer Dereference,,4,
+477, Use of Obsolete Functions,,4,
+478, Missing Default Case in Switch Statement,,4,
+492, Use of Inner Class Containing Sensitive Data,AC-3,4,Access Enforcement
+493, Critical Public Variable Without Final Modifier,SI-11,4,Error Handling
+494, Download of Code Without Integrity Check,SI-10,4,Information Input Validation
+495, Private Array-Typed Field Returned From A Public Method,AC-3,4,Access Enforcement
+497, Exposure of System Data to an Unauthorized Control Sphere,SI-11,4,Error Handling
+501, Trust Boundary Violation,SI-10,4,Information Input Validation
+521, Weak Password Requirements,IA-5,4,Authenticator Management : -1 Password-based Authentication
+522, Insufficiently Protected Credentials,SC-8,4,Transmission Confidentiality and Integrity
+539, Information Exposure Through Persistent Cookies,SC-23,4,Session Authenticity
+546, Suspicious Comment,,4,
+557, Concurrency Issues,,4,
+560, Use of umask() with chmod-style Argument,,4,
+561, Dead Code,,4,
+562, Return of Stack Variable Address,,4,
+563, Assigntment to Variable without Use,,4,
+564, SQL Injection: Hibernate,SI-10,4,Information Input Validation
+566, Authorization Bypass Through User-Controlled SQL Primary Key,AC-3,4,Access Enforcement
+568, finalize() Method without super.finalize(),,4,
+574, EJB Bad Practices: Use of Synchronization Primitives,,4,
+575, EJB Bad Practices: Use of AWT Swing,,4,
+576, EJB Bad Practices: Use of java I/O,,4,
+577, EJB Bad Practices: Use of Sockets,,4,
+578, EJB Bad Practices: Use of Class Loader,,4,
+579, J2EE Bad Practices: Non-serializable Object Stored in Session,,4,
+580, clone() Method Without super.clone(),,4,
+581, Object Model Violation: Just One of Equals and Hashcode Defined,,4,
+582, Array Declared Public,AC-3,4,Access Enforcement
+583, finalize() Method Declared Public,AC-3,4,Access Enforcement
+584, Return Inside Finally Block,SI-11,4,Error Handling
+586, Explicit Call to Finalize(),,4,
+590, Free of Memory not on the Heap,,4,
+591, Sensitive Data Storage in Improperly Locked Memory,SC-4,4,Information in Shared Resources
+601, URL Redirection to Untrusted Site ('Open Redirect'),SI-10,4,Information Input Validation
+607, Public Static Final Field References Mutable Object,,4,
+609, Double-Checked Locking,,4,
+611, Improper Restriction of XML External Entity Reference ('XXE'),,4,
+613, Insufficient Session Expiration,AC-12,4,Session Termination
+614, Sensitive Cookie in HTTPS Session Without 'Secure' Attribute,SC-8,4,Transmission Confidentiality and Integrity
+615, Information Exposure Through Comments,AC-3,4,Access Enforcement : -5 Security-Relevant Information
+639, Authorization Bypass Through User-Controlled Key,AC-3,4,Access Enforcement
+642, External Control of Critical State Data,,4,
+643, Improper Neutralization of Data within XPath Expressions ('XPath Injection'),SI-10,4,Information Input Validation
+651, Information Exposure Through WSDL File,,4,
+652, Improper Neutralization of Data within XQuery Expressions ('XQuery Injection'),SI-10,4,Information Input Validation
+662, Improper Synchonization,,4,
+667, Improper Locking,,4,
+676, Use of Potentially Dangerous Function,,4,
+690,: Unchecked Return Value to NULL Pointer Dereference,,4,
+691, Insufficient Control Flow Management,SI-11,4,Error Handling
+694, Use of Multiple Resources with Duplicate Identifier,,4,
+732, Incorrect Permission Assignment for Critical Resource,AC-3,4,Access Enforcement
+733, Compiler Optimization Removal or Modification of Security-critical Code,,4,
+759, Use of a One-Way Hash without a Salt,SC-13,4,Cryptographic Protection
+760, Use of a One-Way Hash with a Predictable Salt,SC-13,4,Cryptographic Protection
+776, Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion'),,4,
+780, Use of RSA Algorithm without OAEP,SC-13,4,Cryptographic Protection
+785, Use of Path Manipulation Function without Maximum-sized Buffer,SI-10,4,Information Input Validation
+787, Out-of-bounds Write,SI-10,4,Information Input Validation
+798, Use of Hard-coded Credentials,,4,
+805, Buffer Access with Incorrect Length Value,SI-10,4,Information Input Validation
+807, Reliance on Untrusted Inputs in a Security Decision,SC-23,4,Session Authenticity
+820, Missing Synchronization,,4,
+821, Incorrect Synchronization,,4,
+829, Inclusion of Functionality from Untrusted Control Sphere,,4,
+862, Missing Authorization,AC-3,4,Access Enforcement
+863, Incorrect Authorization,AC-3,4,Access Enforcement
+915, Improperly Controlled Modification of Dynamically-Determined Object Attributes,SI-10,4,Information Input Validation
+916, Use of Password Hash With Insufficient Computational Effort,SC-13,4,Cryptographic Protection
+918, Server-Side Request Forgery (SSRF),SI-10,4,Information Input Validation

data/lib/data/owasp-nist-mapping.csv

@@ -0,0 +1,11 @@
+OWASP-ID,OWASP Name,NIST-ID,Rev,NIST Name
+A1,Injection,SI-10,4,Information Input Validation
+A2,Broken Authentication,SC-23,4,Session Authenticity
+A3,Sensitive Data Exposure,SI-11,4,Error Handling
+A4,XML External Entities (XXE),SI-10,4,Information Input Validation
+A5,Broken Access Control,AC-3,4,Access Enforcement
+A6,Security Misconfiguration,CM-6,4,Configuration Settings
+A7,Cross-Site Scripting (XSS),SI-10,4,Information Input Validation
+A8,Insecure Deserialization,SC-23,4,Session Authenticity
+A9,Using Components with Known Vulnerabilities,SI-2,4,Flaw Remediation
+A10,Insufficient Logging&Monitoring,AU-12,4,Audit Generation

data/lib/heimdall_tools/cli.rb

@@ -0,0 +1,42 @@
+# require_relative '../utilities/' Place any utility code in utilities folder and require here
+
+module HeimdallTools
+  class CLI < Command
+    desc 'fortify_mapper', 'fortify_mapper translates Fortify fvdl files to HDF format Json be viewed on Heimdall'
+    long_desc Help.text(:fortify_mapper)
+    option :fvdl, required: true, aliases: '-f'
+    option :output, required: true, aliases: '-o'
+    option :verbose, type: :boolean, aliases: '-V'
+    def fortify_mapper
+      hdf = HeimdallTools::FortifyMapper.new(File.read(options[:fvdl])).to_hdf
+      File.write(options[:output], hdf)
+    end
+
+    desc 'zap_mapper', 'zap_mapper translates OWASP ZAP results Json to HDF format Json be viewed on Heimdall'
+    long_desc Help.text(:fortify_mapper)
+    option :json, required: true, aliases: '-j'
+    option :name, required: true, aliases: '-n'
+    option :output, required: true, aliases: '-o'
+    option :verbose, type: :boolean, aliases: '-V'
+    def zap_mapper
+      hdf = HeimdallTools::ZapMapper.new(File.read(options[:json]), options[:name]).to_hdf
+      File.write(options[:output], hdf)
+    end
+
+    desc 'sonarqube_mapper', 'sonarqube_mapper pulls SonarQube results, for the specified project name, from the API and outputs in HDF format Json to be viewed on Heimdall'
+    long_desc Help.text(:sonarqube_mapper)
+    option :name, required: true, aliases: '-n'
+    option :api_url, required: true, aliases: '-u'
+    option :output, required: true, aliases: '-o'
+    option :verbose, type: :boolean, aliases: '-V'
+    def sonarqube_mapper
+      hdf = HeimdallTools::SonarQubeMapper.new(options[:name], options[:api_url]).to_hdf
+      File.write(options[:output], hdf)
+    end
+
+    desc 'version', 'prints version'
+    def version
+      puts VERSION
+    end
+  end
+end

data/lib/heimdall_tools/command.rb

@@ -0,0 +1,50 @@
+require 'thor'
+
+# Override thor's long_desc identation behavior
+# https://github.com/erikhuda/thor/issues/398
+
+# rubocop:disable Naming/UncommunicativeMethodParamName
+
+class Thor
+  module Shell
+    class Basic
+      def print_wrapped(message, _options = {})
+        message = "\n#{message}" unless message[0] == "\n"
+        stdout.puts message
+      end
+    end
+  end
+end
+
+module HeimdallTools
+  class Command < Thor
+    class << self
+      def dispatch(m, args, options, config)
+        # Allow calling for help via:
+        #   heimdall_tools command help
+        #   heimdall_tools command -h
+        #   heimdall_tools command --help
+        #   heimdall_tools command -D
+        #
+        # as well thor's normal way:
+        #
+        #   heimdall_tools help command
+        help_flags = Thor::HELP_MAPPINGS + ['help']
+        if args.length > 1 && !(args & help_flags).empty?
+          args -= help_flags
+          args.insert(-2, 'help')
+        end
+
+        #   heimdall_tools version
+        #   heimdall_tools --version
+        #   heimdall_tools -v
+        version_flags = ['--version', '-v']
+        if args.length == 1 && !(args & version_flags).empty?
+          args = ['version']
+        end
+
+        super
+      end
+    end
+  end
+end

data/lib/heimdall_tools/fortify_mapper.rb

@@ -0,0 +1,93 @@
+require 'json'
+require 'nokogiri'
+require 'nori'
+
+NIST_REFERENCE_NAME = 'Standards Mapping - NIST Special Publication 800-53 Revision 4'.freeze
+
+module HeimdallTools
+  class FortifyMapper
+    def initialize(fvdl, verbose = false)
+      @fvdl = fvdl
+      @verbose = verbose
+
+      begin
+        data = Nori.new(empty_tag_value: true).parse(fvdl)
+        @timestamp = data['FVDL']['CreatedTS']
+        @vulns = data['FVDL']['Vulnerabilities']['Vulnerability']
+        @snippets = data['FVDL']['Snippets']['Snippet']
+        @rules = data['FVDL']['Description']
+      rescue StandardError => e
+        raise "Invalid Fortify FVDL file provided Exception: #{e}"
+      end
+    end
+
+    def process_entry(entry)
+      snippetid = entry['Node']['SourceLocation']['@snippet']
+      finding = {}
+      finding['status'] = 'failed'
+      finding['code_desc'] = snippet(snippetid)
+      finding
+    end
+
+    def primaries(classid)
+      matched_vulns = @vulns.select { |x| x['ClassInfo']['ClassID'].eql?(classid) }
+      findings = []
+      matched_vulns.each do |vuln|
+        traces = vuln['AnalysisInfo']['Unified']['Trace']
+        traces = [traces] unless traces.is_a?(Array)
+        traces.each do |trace|
+          entries = trace['Primary']['Entry']
+          entries = [entries] unless entries.is_a?(Array)
+          entries = entries.reject { |x| x['Node'].nil? }
+          entries.each do |entry|
+            findings << process_entry(entry)
+          end
+        end
+      end
+      findings.uniq
+    end
+
+    def snippet(snippetid)
+      snippet = @snippets.select { |x| x['@id'].eql?(snippetid) }.first
+      "\nPath: #{snippet['File']}\n" \
+      "StartLine: #{snippet['StartLine']}, " \
+      "EndLine: #{snippet['EndLine']}\n" \
+      "Code:\n#{snippet['Text'].strip}" \
+    end
+
+    def nist_tag(rule)
+      references = rule['References']['Reference']
+      references = [references] unless references.is_a?(Array)
+      tag = references.detect { |x| x['Author'].eql?(NIST_REFERENCE_NAME) }
+      tag.nil? ? 'unmapped' : tag['Title'].match(/[a-zA-Z][a-zA-Z]-\d{1,2}/)
+    end
+
+    def impact(classid)
+      vuln = @vulns.detect { |x| x['ClassInfo']['ClassID'].eql?(classid) }
+      vuln['ClassInfo']['DefaultSeverity'].to_f / 5
+    end
+
+    def to_hdf
+      inpsec_json = {}
+
+      inpsec_json['name'] = 'Fortify Static Analyzer Scan'
+      inpsec_json['version'] = [@timestamp['@date'], @timestamp['@time']].join(' ')
+      inpsec_json['controls'] = []
+
+      @rules.each do |rule|
+        @item = {}
+        @item['id']           = rule['@classID']
+        @item['desc']         = rule['Explanation']
+        @item['title']        = rule['Abstract']
+        @item['impact']       = impact(rule['@classID'])
+        @item['code']         = ''
+        @item['results']      = []
+        @item['results']      = primaries(@item['id'])
+        @item['tags']         = {}
+        @item['tags']['nist'] = [nist_tag(rule).to_s, 'Rev_4']
+        inpsec_json['controls'] << @item
+      end
+      inpsec_json.to_json
+    end
+  end
+end

data/lib/heimdall_tools/help/fortify_mapper.md

@@ -0,0 +1,5 @@
+  fortify_mapper translates an Fortify results FVDL file into HDF format json to be viewable in Heimdall
+  
+Examples:
+
+  heimdall_tools fortify_mapper -f audit.fvdl -o scan_results.json

data/lib/heimdall_tools/help/sonarqube_mapper.md

@@ -0,0 +1,5 @@
+  sonarqube_mapper pulls SonarQube results, for the specified project name, from the API and outputs in HDF format Json to be viewed on Heimdall
+
+Examples:
+
+  heimdall_tools sonarqube_mapper -n sonar_project -u http://sonar:9000/api -o scan_results.json

data/lib/heimdall_tools/help/zap_mapper.md

@@ -0,0 +1,5 @@
+  zap_mapper translates OWASP ZAP results Json to HDF format Json be viewed on Heimdall
+  
+Examples:
+
+  heimdall_tools zap_mapper -j zap_results.json -n site_name -o scan_results.json

data/lib/heimdall_tools/help.rb

@@ -0,0 +1,9 @@
+module HeimdallTools::Help
+  class << self
+    def text(namespaced_command)
+      path = namespaced_command.to_s.tr(':', '/')
+      path = File.expand_path("../help/#{path}.md", __FILE__)
+      IO.read(path) if File.exist?(path)
+    end
+  end
+end

data/lib/heimdall_tools/sonarqube_mapper.rb

@@ -0,0 +1,291 @@
+require 'httparty'
+require 'json'
+require 'csv'
+
+MAPPING_FILES = {
+  cwe: './lib/data/cwe-nist-mapping.csv'.freeze,
+  owasp: './lib/data/owasp-nist-mapping.csv'.freeze
+}.freeze
+
+IMPACT_MAPPING = {
+  BLOCKER: 1.0,
+  CRITICAL: 0.7,
+  MAJOR: 0.5,
+  MINOR: 0.3,
+  INFO: 0.0
+}.freeze
+
+def check_response(response)
+  raise "API Error: #{response.status}\n#{response.body}" unless response.ok?
+end
+
+class SonarQubeApi
+  ISSUES_ENDPOINT = '/issues/search'.freeze
+  RULES_ENDPOINT = '/rules/search'.freeze
+  RULE_ENDPOINT = '/rules/show'.freeze
+  SOURCE_ENDPOINT = '/sources/raw'.freeze
+  VERSION_ENDPOINT = '/server/version'.freeze
+
+  PAGE_SIZE = 100
+
+  def initialize(api_url)
+    @api_url = api_url
+  end
+
+  # Query issues endpoint, get all vulnerabilities
+  # This query is based on the url params used by the web project issue view
+  def query_issues(project_name)
+    issues = []
+    params = {
+      componentKeys: project_name,
+        resolved: 'false',
+        types: 'VULNERABILITY',
+        ps: PAGE_SIZE,
+        p: 1
+    }
+
+    loop do # Get all pages
+      response = HTTParty.get(@api_url + ISSUES_ENDPOINT, { query: params })
+      check_response response
+      issues += response['issues']
+
+      if params[:p] * PAGE_SIZE >= response['paging']['total']
+        break
+      end
+
+      params[:p] += 1
+    end
+
+    issues
+  end
+
+  # Query rules endpoint to get additional info for 800-53 mapping
+  def query_rule(rule)
+    params = {
+      key: rule
+    }
+    response = HTTParty.get(@api_url + RULE_ENDPOINT, { query: params })
+    check_response response
+    response['rule']
+  end
+
+  # Query the source endpoint for a code snippet showing a vulnerability
+  # SonarQube has 3 relevant source endpoints.
+  # The web gui uses sources/list (not in webservices), returns each line w/ html formatting and scm
+  # sources/show returns just the source lines, but still w/ html formatting
+  # Both of the above allow filtering by line, whereas raw does not.
+  # sources/raw returns the entire file
+  # We are going to use sources/raw for now so we don't have to deal with the html
+  def query_code_snippet(component, start_line, end_line)
+    params = {
+      key: component
+    }
+    response = HTTParty.get(@api_url + SOURCE_ENDPOINT, { query: params })
+    check_response response
+    response.body.split("\n")[start_line..end_line].join("\n")
+  end
+
+  # Query the version of the SonarQube server
+  def query_version
+    response = HTTParty.get(@api_url + VERSION_ENDPOINT)
+    check_response response
+    response.body
+  end
+end
+
+module HeimdallTools
+  class SonarQubeMapper
+    # Fetches the necessary data from the API and builds report
+    def initialize(project_name, sonarqube_url)
+      @project_name = project_name
+      @api = SonarQubeApi.new(sonarqube_url)
+
+      @mappings = load_nist_mappings
+      @findings = @api.query_issues(@project_name).map { |x| Finding.new(x, @api) }
+      @controls = _get_controls
+    end
+
+    # Build an array of Controls based on the SonarQube findings
+    def _get_controls
+      control_key_to_findings_map = Hash.new { |h, k| h[k] = [] }
+      @findings.each { |f| control_key_to_findings_map[f.control_key] << f }
+      control_key_to_findings_map.map { |control_key, findings| Control.new(control_key, findings, @api, @mappings) }
+    end
+
+    def load_nist_mappings
+      mappings = {}
+      MAPPING_FILES.each do |mapping_type, path|
+        csv_data = CSV.read(path, { encoding: 'UTF-8',
+                                            headers: true,
+                                            header_converters: :symbol,
+                                            converters: :all })
+        mappings[mapping_type] = Hash[csv_data.map { |row|
+          [row[(mapping_type.to_s.downcase + 'id').to_sym].to_s, [row[:nistid], "Rev_#{row[:rev]}"]]
+        }]
+      end
+      mappings
+    end
+
+    # Returns a report in HDF format
+    def to_hdf
+      {
+        controls: @controls.map(&:hdf),
+          # currently on heimdall version tag is displayed as time on profile view
+          # this wil be updated after heimdal update to fix this
+          version: Time.now.strftime("%a,%d %b %Y %X"),
+          name: "#{@project_name} SonarQube Scan"
+      }.to_json
+    end
+  end
+end
+
+class Control
+  # CWE and CERT will be stated generically in tags (ie. it just says cwe or cert, not which number)
+  # OWASP is stated specifically, ex owasp-a1
+  #
+  # SonarQube is inconsistent with tags (ex some cwe rules don't have cwe number in desc,) as noted below
+  TAG_DATA = {} # NOTE: We count on Ruby to preserve order for TAG_DATA
+  TAG_DATA[:cwe] = {
+    # Some rules with cwe tag don't have cwe number in description!
+    # Currently only squid:S2658, but it has OWASP tag so we can use that.
+    regex: 'cwe.mitre.org/data/definitions/([^\.]*)' # Sometimes the "http://" is not part of the url
+  }
+  TAG_DATA[:owasp] = {
+    # Many (19 currently) owasp have don't cwe (ex. squid:S3355)
+  }
+  TAG_DATA[:cert] = {
+    # Some rules only have cert tag (ex. kotlin:S1313)
+    # Some rules with cert tag don't actually have cert in description!
+    # Currently only squid:S4434, but it has OWASP tag so we can use that.
+    regex: 'CERT,?\n? ([^<]*)\.?<'
+  }
+  # All sans-tagged rules have CWE number, so no need to map SANS
+  # There some tags which we can map directly (ex. denial-of-service)
+  # But there are currently no rules with such a tag that don't have a better tag (ex. cwe)
+  # So we will be leaving this functionality out until necessary
+
+  # These rules don't have the cert/cwe number in description or have other problems
+  # If there is an error with them, ignore it since we know they have problems.
+  KNOWN_BAD_RULES = %w{squid:S4434 squid:S2658}.to_set
+
+  # @param [SonarQubeApi] sonar_api
+  def initialize(control_key, findings, sonar_api, mappings)
+    @key = control_key
+    @findings = findings
+    @api = sonar_api
+    @mappings = mappings
+
+    @data = @api.query_rule(@key)
+  end
+
+  # Get specific tags for a given type.
+  # ex. for cwe, get the CWE numbers
+  # Output: []  # ["cwe-295", ...]
+  def _get_parsed_tags(tag_type)
+    tag_data = TAG_DATA[tag_type]
+    parsed_tags = []
+
+    if tag_data.key? :regex
+      # If the tag type has a regex, try to find the specified tag in the description
+      # NOTE: Some tag types can have multiple matches, such as cwe
+      reg = Regexp.new(tag_data[:regex], Regexp::IGNORECASE)
+      parsed_tags += @data['htmlDesc'].scan(reg).map(&:first)
+
+      if parsed_tags.empty? and not KNOWN_BAD_RULES.include? @key
+        puts "Error: Rule #{@key}: No regex matches for #{tag_type} tag." if parsed_tags.empty?
+      end
+    else
+      # If the tag type doesn't have a regex, it is specific enough to be mapped directly
+      # Ex. Rule with tag owasp-a1 can be mapped directly.
+      parsed_tags = @data['sysTags'] & @mappings[tag_type].keys
+
+      if parsed_tags.empty? and not KNOWN_BAD_RULES.include? @key
+        puts "Warning: Rule #{@key}: Has #{tag_type} tag but no usable mapping found."
+      end
+    end
+
+    parsed_tags
+  end
+
+  # Returns the a list of the NIST 800-53 control based on the tags
+  def get_nist_tags
+    # Since we only care about the most important 800-53 control,
+    # we check for tags in order of importance/specificity (cwe's, then owasp, etc. Same as order of tag_data)
+    # and return a 800-53 control for the first tag we can map
+    TAG_DATA.each do |tag_type, _|
+      next unless @data['sysTags'].any? { |tag| tag.start_with? tag_type.to_s }
+
+      parsed_tags = _get_parsed_tags tag_type
+      next if parsed_tags.empty?
+
+      parsed_tag = parsed_tags.find { |tag| @mappings[tag_type].key? tag }
+      next if parsed_tag.nil?
+
+      return [@mappings[tag_type][parsed_tag]].flatten.uniq
+    end
+
+    ['unmapped'] # HDF expects this to be a list, but not an empty list even if there aren't results
+  end
+
+  def hdf
+    # Note: Structure is based on fortify -> HDF converter output
+    {
+      title: @data['name'],
+        desc: @data['htmlDesc'],
+        impact: IMPACT_MAPPING[@data['severity'].to_sym],
+        tags: {
+          nist: get_nist_tags
+        },
+        results: @findings.map(&:get_result),
+        code: '', # This should be the inspec code for the control, which we don't have
+        id: @key
+    }
+  end
+end
+
+class Finding
+  attr_reader :control_key
+
+  # @param [SonarQubeApi] sonar_api
+  def initialize(vuln_data, sonar_api)
+    @data = vuln_data
+    @api = sonar_api
+
+    @key = @data['key']
+    @control_key = @data['rule']
+    @project = @data['project']
+  end
+
+  def get_result
+    vuln_start = @data['textRange']['startLine']
+    vuln_end =  @data['textRange']['endLine']
+    component = @data['component']
+    snip_start = [1, vuln_start - 3].max
+    snip_end = vuln_end + 3 # api doesn't care if we request lines past end of file
+    snip = @api.query_code_snippet(component, snip_start, snip_end)
+
+    snip_html = "StartLine: #{snip_start}, EndLine: #{snip_end}<br>Code:<pre>#{snip}</pre>"
+    {
+      status: 'failed',
+        code_desc: "Path:#{component}:#{vuln_start}:#{vuln_end} #{snip_html}"
+    }
+  end
+end
+
+if $PROGRAM_NAME == __FILE__
+  puts 'Getting data from SonarQube API'
+
+  url = 'http://sonar:9000/api'
+  project_name = 'ansible-test'
+
+  MAPPING_FILES = {
+    cwe: '../data/cwe-nist-mapping.csv'.freeze,
+      owasp: '../data/owasp-nist-mapping.csv'.freeze
+  }.freeze
+
+  sonar_mapper = HeimdallTools::SonarQubeMapper.new(project_name, url)
+  File.open('sonarqube_hdf_output.json', 'w') do |f|
+    f.write(sonar_mapper.to_hdf)
+  end
+
+end

data/lib/heimdall_tools/version.rb

@@ -0,0 +1,3 @@
+module HeimdallTools
+  VERSION = '1.2.0'.freeze
+end

data/lib/heimdall_tools/zap_mapper.rb

@@ -0,0 +1,131 @@
+require 'json'
+require 'nokogiri'
+require 'csv'
+
+CWE_NIST_MAPPING_FILE = './lib/data/cwe-nist-mapping.csv'.freeze
+
+# rubocop:disable Metrics/AbcSize
+
+module HeimdallTools
+  class ZapMapper
+    def initialize(zap_json, name, verbose = false)
+      @zap_json = zap_json
+      @verbose = verbose
+
+      begin
+        data = JSON.parse(zap_json, symbolize_names: true)
+
+        unless data[:site].map { |x| x[:@name] }.include?(name)
+          abort("Specified site name: #{name} is not defined in the JSON provided.")
+        end
+
+        site = data[:site].select { |x| x[:@name].eql?(name) }.first
+
+        @cwe_nist_mapping = parse_mapper
+        @zap_verison      = data[:@version]
+        @timestamp        = data[:@generated]
+        @name             = site[:@name]
+        @host             = site[:@host]
+        @port             = site[:@port]
+        @ssl              = site[:@ssl]
+        @alerts           = site[:alerts]
+      rescue StandardError => e
+        raise "Invalid ZAP results JSON file provided Exception: #{e}"
+      end
+    end
+
+    def process_instances(instances)
+      findings = []
+      instances.each do |instance|
+        findings << finding(instance)
+      end
+      findings.uniq
+    end
+
+    def finding(instance)
+      finding = {}
+      finding['status'] = 'failed'
+      finding['code_desc'] = format_code_desc(instance)
+      finding
+    end
+
+    def format_code_desc(code_desc)
+      desc = ''
+      code_desc.keys.each do |key|
+        desc += "#{key.capitalize}: #{code_desc[key]}\n"
+      end
+      desc
+    end
+
+    def nist_tag(cweid)
+      entries = @cwe_nist_mapping.select { |x| x[:cweid].to_s.eql?(cweid.to_s) }
+      tags = entries.map { |x| [x[:nistid], "Rev_#{x[:rev]}"] }
+      tags.empty? ? ['unmapped'] : tags.flatten.uniq
+    end
+
+    def impact(riskcode)
+      if riskcode.to_i.between?(0, 1)
+        0.3
+      elsif riskcode.to_i == 2
+        0.5
+      elsif riskcode.to_i >= 3
+        0.7
+      end
+    end
+
+    def checktext(alert)
+      [alert[:solution], alert[:otherinfo], alert[:otherinfo]].join("\n")
+    end
+
+    def parse_mapper
+      csv_data = CSV.read(CWE_NIST_MAPPING_FILE, { encoding: 'UTF-8',
+                                                   headers: true,
+                                                   header_converters: :symbol,
+                                                   converters: :all })
+      csv_data.map(&:to_hash)
+    end
+
+    def fix_duplicates(controls)
+      control_ids = controls.map { |x| x['id'] }
+      dup_ids = control_ids.select { |x| control_ids.count(x) > 1 }.uniq
+      dup_ids.each do |dup_id|
+        index = 1
+        controls.select { |x| x['id'].eql?(dup_id) }.each do |control|
+          control['id'] = control['id'] + '.' + index.to_s
+          index += 1
+        end
+      end
+    end
+
+    def to_hdf
+      inpsec_profile = {}
+
+      inpsec_profile['name'] = "#{@host} OWASP ZAP Scan"
+      inpsec_profile['version'] = @timestamp
+
+      inpsec_profile['controls'] = []
+
+      @alerts.each do |alert|
+        @item = {}
+        @item['id']                 = alert[:pluginid].to_s
+        @item['title']              = alert[:name].to_s
+        @item['desc']               = Nokogiri::HTML(alert[:desc]).text
+        @item['impact']             = impact(alert[:riskcode]).to_s
+        @item['tags']               = {}
+        @item['tags']['nist']       = nist_tag(alert[:cweid])
+        @item['tags']['cweid']      = alert[:cweid].to_s
+        @item['tags']['wascid']     = alert[:wascid].to_s
+        @item['tags']['sourceid']   = alert[:sourceid].to_s
+        @item['tags']['confidence'] = alert[:confidence].to_s
+        @item['tags']['riskdesc']   = alert[:riskdesc].to_s
+        @item['tags']['check']      = checktext(alert)
+        @item['code']               = ''
+        @item['results']            = process_instances(alert[:instances])
+
+        inpsec_profile['controls'] << @item
+      end
+      fix_duplicates(inpsec_profile['controls'])
+      inpsec_profile.to_json
+    end
+  end
+end

data/lib/heimdall_tools.rb

@@ -0,0 +1,11 @@
+$LOAD_PATH.unshift(File.expand_path(__dir__))
+require 'heimdall_tools/version'
+
+module HeimdallTools
+  autoload :Help, 'heimdall_tools/help'
+  autoload :Command, 'heimdall_tools/command'
+  autoload :CLI, 'heimdall_tools/cli'
+  autoload :FortifyMapper, 'heimdall_tools/fortify_mapper'
+  autoload :ZapMapper, 'heimdall_tools/zap_mapper'
+  autoload :SonarQubeMapper, 'heimdall_tools/sonarqube_mapper'
+end

metadata

@@ -0,0 +1,210 @@
+--- !ruby/object:Gem::Specification
+name: heimdall_tools
+version: !ruby/object:Gem::Version
+  version: 1.2.0
+platform: ruby
+authors:
+- Robert Thew
+- Rony Xavier
+- Aaron Lippold
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-02-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.2.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.2.3
+- !ruby/object:Gem::Dependency
+  name: colorize
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: nori
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: OptionParser
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Converter utils that can be included as a gem or used from the command
+  line
+email:
+- rxavier@mitre.org
+executables:
+- heimdall_tools
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- Guardfile
+- LICENSE.md
+- README.md
+- Rakefile
+- exe/heimdall_tools
+- lib/data/cwe-nist-mapping.csv
+- lib/data/gitkeep
+- lib/data/owasp-nist-mapping.csv
+- lib/heimdall_tools.rb
+- lib/heimdall_tools/cli.rb
+- lib/heimdall_tools/command.rb
+- lib/heimdall_tools/fortify_mapper.rb
+- lib/heimdall_tools/help.rb
+- lib/heimdall_tools/help/fortify_mapper.md
+- lib/heimdall_tools/help/sonarqube_mapper.md
+- lib/heimdall_tools/help/zap_mapper.md
+- lib/heimdall_tools/sonarqube_mapper.rb
+- lib/heimdall_tools/version.rb
+- lib/heimdall_tools/zap_mapper.rb
+- lib/utilities/gitkeep
+homepage: https://github.com/mitre/heimdall_tools
+licenses:
+- Apache-2.0
+metadata:
+  allowed_push_host: https://rubygems.org
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.14
+signing_key: 
+specification_version: 4
+summary: Convert Forify, Openzap and Sonarqube results to HDF
+test_files: []