RubyGems - heimdall_tools - Versions diffs - 1.3.27 → 1.3.32 - Mend

heimdall_tools 1.3.27 → 1.3.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/README.md +19 -0
data/lib/data/U_CCI_List.xml +38403 -0
data/lib/data/cwe-nist-mapping.csv +8 -4
data/lib/heimdall_tools.rb +1 -0
data/lib/heimdall_tools/cli.rb +16 -1
data/lib/heimdall_tools/help/snyk_mapper.md +7 -0
data/lib/heimdall_tools/nessus_mapper.rb +95 -17
data/lib/heimdall_tools/snyk_mapper.rb +161 -0
metadata +5 -4
data/CHANGELOG.md +0 -248
data/lib/data/gitkeep +0 -0

data/lib/data/cwe-nist-mapping.csv CHANGED

@@ -46,6 +46,7 @@
 170, Improper Null Termination,SI-10,4,Information Input Validation
 176, Improper Handling of Unicode Encoding,,4,
 185, Incorrect Regular Expression,,4,
+189, Numeric Errors,SA-11,4,Developer Security Testing and Evaluation
 190, Integer Overflow or Wraparound,SI-10,4,Information Input Validation
 195, Signed to Unsigned Conversion Error,,4,
 200, Information Exposure,SC-8,4,Transmission Confidentiality and Integrity
@@ -79,6 +80,7 @@
 305, Authentication Bypass by Primary Weakness,IA-8,4,Identification and Authentication (Non-Organizational Users)
 306, Missing Authentication for Critical Function,AC-3,4,Access Enforcement
 307, Improper Restriction of Excessive Authentication Attempts,AC-7,4,Unsuccessful Logon Attempts
+310, Cryptographic Issues,SC-13,4,Cryptographic Protection
 311, Missing Encryption of Sensitive Data,SC-8,4,Transmission Confidentiality and Integrity
 321, Use of Hard-coded Cryptographic Key,SC-12,4,Cryptographic Key Establishment and Management
 325, Missing Required Cryptographic Step,SC-13,4,Cryptographic Protection
@@ -113,15 +115,16 @@
 401, Improper Release of Memory Before Removing Last Reference,,4,
 404, Improper Resource Shutdown or Release,,4,
 415, Double Free,,4,
-416, Use after Free,,4,
+416, Use after Free,SC-4,4,Information in Shared Resources
 434, Unrestricted Upload of File with Dangerous Type,AC-6,4,Least Privilege: Privilege Levels for Code Execution
+444, Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'),SI-10,4,Information Input Validation
 457, Use of Uninitialized Variable,,4,
 466, Return of Pointer Value Outside of Expected Range,,4,
 470, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'),SI-10,4,Information Input Validation
 471, Modification of Assumed-Immutable DATA (MAID),AC-3,4,Access Enforcement
 474, Use of Function with Inconsistent Implementations,,4,
 475, Undefined Behavior for Input to API,,4,
-476, NULL Pointer Dereference,,4,
+476, NULL Pointer Dereference,SI-10,4,Information Input Validation
 477, Use of Obsolete Functions,,4,
 478, Missing Default Case in Switch Statement,,4,
 492, Use of Inner Class Containing Sensitive Data,AC-3,4,Access Enforcement
@@ -130,6 +133,7 @@
 495, Private Array-Typed Field Returned From A Public Method,AC-3,4,Access Enforcement
 497, Exposure of System Data to an Unauthorized Control Sphere,SI-11,4,Error Handling
 501, Trust Boundary Violation,SI-10,4,Information Input Validation
+502, Deserialization of Untrusted Data,SI-10,4,Information Input Validation
 521, Weak Password Requirements,IA-5,4,Authenticator Management : -1 Password-based Authentication
 522, Insufficiently Protected Credentials,SC-8,4,Transmission Confidentiality and Integrity
 539, Information Exposure Through Persistent Cookies,SC-23,4,Session Authenticity
@@ -159,7 +163,7 @@
 601, URL Redirection to Untrusted Site ('Open Redirect'),SI-10,4,Information Input Validation
 607, Public Static Final Field References Mutable Object,,4,
 609, Double-Checked Locking,,4,
-611, Improper Restriction of XML External Entity Reference ('XXE'),,4,
+611, Improper Restriction of XML External Entity Reference ('XXE'),SI-10,4,Information Input Validation
 613, Insufficient Session Expiration,AC-12,4,Session Termination
 614, Sensitive Cookie in HTTPS Session Without 'Secure' Attribute,SC-8,4,Transmission Confidentiality and Integrity
 615, Information Exposure Through Comments,AC-3,4,Access Enforcement : -5 Security-Relevant Information
@@ -192,4 +196,4 @@
 863, Incorrect Authorization,AC-3,4,Access Enforcement
 915, Improperly Controlled Modification of Dynamically-Determined Object Attributes,SI-10,4,Information Input Validation
 916, Use of Password Hash With Insufficient Computational Effort,SC-13,4,Cryptographic Protection
-918, Server-Side Request Forgery (SSRF),SI-10,4,Information Input Validation
+918, Server-Side Request Forgery (SSRF),SI-10,4,Information Input Validation

data/lib/heimdall_tools.rb CHANGED

@@ -10,4 +10,5 @@ module HeimdallTools
   autoload :SonarQubeMapper, 'heimdall_tools/sonarqube_mapper'
   autoload :BurpSuiteMapper, 'heimdall_tools/burpsuite_mapper'
   autoload :NessusMapper, 'heimdall_tools/nessus_mapper'
+  autoload :SnykMapper, 'heimdall_tools/snyk_mapper'
 end

data/lib/heimdall_tools/cli.rb CHANGED

@@ -53,13 +53,28 @@ module HeimdallTools
     def nessus_mapper
       hdfs = HeimdallTools::NessusMapper.new(File.read(options[:xml])).to_hdf
+      puts "\nHDF Generated:"
       hdfs.keys.each do | host |
         File.write("#{options[:output_prefix]}-#{host}.json", hdfs[host])
-        puts "HDF Generated: #{options[:output_prefix]}-#{host}.json"
+        puts "#{options[:output_prefix]}-#{host}.json"
       end
     end
+    desc 'snyk_mapper', 'snyk_mapper translates Synk results Json to HDF format Json be viewed on Heimdall'
+    long_desc Help.text(:fortify_mapper)
+    option :json, required: true, aliases: '-j'
+    option :output_prefix, required: true, aliases: '-o'
+    option :verbose, type: :boolean, aliases: '-V'
+    def snyk_mapper
+      hdfs = HeimdallTools::SnykMapper.new(File.read(options[:json]), options[:name]).to_hdf
+      puts "\r\HDF Generated:\n"
+      hdfs.keys.each do | host |
+        File.write("#{options[:output_prefix]}-#{host}.json", hdfs[host])
+        puts "#{options[:output_prefix]}-#{host}.json"
+      end
+    end
     desc 'version', 'prints version'
     def version
       puts VERSION

data/lib/heimdall_tools/help/snyk_mapper.md ADDED

@@ -0,0 +1,7 @@
+  snyk_mapper translates an Snyk results JSON file into HDF format json to be viewable in Heimdall
+  A separate HDF JSON is generated for each project reported in the Snyk Report.
+Examples:
+  heimdall_tools snyk_mapper -j snyk_results.json -o output-file-prefix

data/lib/heimdall_tools/nessus_mapper.rb CHANGED

@@ -2,10 +2,12 @@ require 'json'
 require 'csv'
 require 'heimdall_tools/hdf'
 require 'utilities/xml_to_hash'
+require 'nokogiri'
 RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
 NESSUS_PLUGINS_NIST_MAPPING_FILE =   File.join(RESOURCE_DIR, 'nessus-plugins-nist-mapping.csv')
+U_CCI_LIST =   File.join(RESOURCE_DIR, 'U_CCI_List.xml')
 IMPACT_MAPPING = {
   Info: 0.0,
@@ -17,20 +19,33 @@ IMPACT_MAPPING = {
 DEFAULT_NIST_TAG = ["unmapped"].freeze
+# Nessus results file 800-53 refs does not contain Nist rev version. Using this default
+# version in that case
+DEFAULT_NIST_REV = 'Rev_4'.freeze
 NA_PLUGIN_OUTPUT = "This Nessus Plugin does not provide output message.".freeze
 # rubocop:disable Metrics/AbcSize
+# Loading spinner sign
+$spinner = Enumerator.new do |e|
+  loop do
+    e.yield '|'
+    e.yield '/'
+    e.yield '-'
+    e.yield '\\'
+  end
+end
 module HeimdallTools
   class NessusMapper
     def initialize(nessus_xml, verbose = false)
       @nessus_xml = nessus_xml
       @verbose = verbose
+      read_cci_xml
       begin
         @cwe_nist_mapping = parse_mapper
         @data = xml_to_hash(nessus_xml)
         @reports = extract_report
         @scaninfo = extract_scaninfo
       rescue StandardError => e
@@ -51,6 +66,10 @@ module HeimdallTools
       end
     end
+    def parse_refs(refs, key)
+      refs.split(',').map { |x| x.split('|')[1] if x.include?(key) }.compact
+    end
     def extract_scaninfo
       begin
         policy = @data['NessusClientData_v2']['Policy']
@@ -82,28 +101,60 @@ module HeimdallTools
     def finding(issue, timestamp)
       finding = {}
-      finding['status'] = 'failed'
-      finding['code_desc'] = issue['plugin_output'] || NA_PLUGIN_OUTPUT
+      # if compliance-result field, this is a policy compliance result entry
+      # nessus policy compliance result provides a pass/fail data
+      # For non policy compliance  results are defaulted to failed
+      if issue['compliance-result']
+        finding['status'] = issue['compliance-result'].eql?('PASSED') ? 'passed' : 'failed'
+      else
+        finding['status'] = 'failed'
+      end
+      if issue['description']
+        finding['code_desc'] = issue['description'].to_s || NA_PLUGIN_OUTPUT
+      else
+        finding['code_desc'] = issue['plugin_output'] || NA_PLUGIN_OUTPUT
+      end
       finding['run_time'] = NA_FLOAT
       finding['start_time'] = timestamp
       [finding]
     end
-    def nist_tag(pluginfamily, pluginid)
+    def read_cci_xml
+      @cci_xml = Nokogiri::XML(File.open(U_CCI_LIST))
+      @cci_xml.remove_namespaces!
+    rescue StandardError => e
+      puts "Exception: #{e.message}"
+    end
+    def cci_nist_tag(cci_refs)
+      nist_tags = []
+      cci_refs.each do | cci_ref |
+        item_node = @cci_xml.xpath("//cci_list/cci_items/cci_item[@id='#{cci_ref}']")[0] unless @cci_xml.nil?
+        unless item_node.nil?
+          nist_ref = item_node.xpath('./references/reference[not(@version <= preceding-sibling::reference/@version) and not(@version <=following-sibling::reference/@version)]/@index').text
+        end
+        nist_tags << nist_ref
+      end
+      nist_tags
+    end
+    def plugin_nist_tag(pluginfamily, pluginid)
       entries = @cwe_nist_mapping.select { |x| (x[:pluginfamily].eql?(pluginfamily) && (x[:pluginid].eql?('*') || x[:pluginid].eql?(pluginid.to_i)) ) }
       tags = entries.map { |x| [x[:nistid].split('|'), "Rev_#{x[:rev]}"] }
       tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
     end
     def impact(severity)
+      # Map CAT levels and Plugin severity to HDF impact levels
       case severity
       when "0"
         IMPACT_MAPPING[:Info]
-      when "1"
+      when "1","III"
         IMPACT_MAPPING[:Low]
-      when "2"
+      when "2","II"
         IMPACT_MAPPING[:Medium]
-      when "3"
+      when "3","I"
         IMPACT_MAPPING[:High]
       when "4"
         IMPACT_MAPPING[:Critical]
@@ -142,21 +193,48 @@ module HeimdallTools
     def to_hdf
       host_results = {}
       @reports.each do | report|
-        # Under current version of the converter `Policy Compliance` items are ignored
-        report_items = report['ReportItem'].select {|x| !x['pluginFamily'].eql? 'Policy Compliance'}
         controls = []
-        report_items.each do | item |
+        report['ReportItem'].each do | item |
+          printf("\rProcessing: %s", $spinner.next)
           @item = {}
-          @item['id']                 = item['pluginID'].to_s
-          @item['title']              = item['pluginName'].to_s
-          @item['desc']               = format_desc(item).to_s
-          @item['impact']             = impact(item['severity'])
           @item['tags']               = {}
           @item['descriptions']       = []
           @item['refs']               = NA_ARRAY
           @item['source_location']    = NA_HASH
-          @item['tags']['nist']       = nist_tag(item['pluginFamily'],item['pluginID'])
+          # Nessus results field set are different for 'Policy Compliance' plug-in family vs other plug-in families
+          # Following if conditions capture compliance* if it exists else it will default to plugin* fields
+          # Current version covers STIG based 'Policy Compliance' results
+          # TODO Cover cases for 'Policy Compliance' results based on CIS
+          if item['compliance-reference']
+            @item['id']                 = parse_refs(item['compliance-reference'],'Vuln-ID').join.to_s
+          else
+            @item['id']                 = item['pluginID'].to_s
+          end
+          if item['compliance-check-name']
+            @item['title']              = item['compliance-check-name'].to_s
+          else
+            @item['title']              = item['pluginName'].to_s
+          end
+          if item['compliance-info']
+            @item['desc']              = item['compliance-info'].to_s
+          else
+            @item['desc']              = format_desc(item).to_s
+          end
+          if item['compliance-reference']
+            @item['impact']            = impact(parse_refs(item['compliance-reference'],'CAT').join.to_s)
+          else
+            @item['impact']            = impact(item['severity'])
+          end
+          if item['compliance-reference']
+            @item['tags']['nist']     = cci_nist_tag(parse_refs(item['compliance-reference'],'CCI'))
+          else
+            @item['tags']['nist']     = plugin_nist_tag(item['pluginFamily'],item['pluginID'])
+          end
+          if item['compliance-solution']
+            @item['descriptions']       <<  desc_tags(item['compliance-solution'], 'check')
+          end
           @item['code']               = ''
           @item['results']            = finding(item, extract_timestamp(report))
           controls << @item

data/lib/heimdall_tools/snyk_mapper.rb ADDED

@@ -0,0 +1,161 @@
+require 'json'
+require 'csv'
+require 'heimdall_tools/hdf'
+require 'utilities/xml_to_hash'
+RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
+CWE_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'cwe-nist-mapping.csv')
+IMPACT_MAPPING = {
+  high: 0.7,
+  medium: 0.5,
+  low: 0.3,
+}.freeze
+SNYK_VERSION_REGEX = 'v(\d+.)(\d+.)(\d+)'.freeze
+DEFAULT_NIST_TAG = ["SA-11", "RA-5"].freeze
+# Loading spinner sign
+$spinner = Enumerator.new do |e|
+  loop do
+    e.yield '|'
+    e.yield '/'
+    e.yield '-'
+    e.yield '\\'
+  end
+end
+module HeimdallTools
+  class SnykMapper
+    def initialize(synk_json, name=nil, verbose = false)
+      @synk_json = synk_json
+      @verbose = verbose
+      begin
+        @cwe_nist_mapping = parse_mapper
+        @projects = JSON.parse(synk_json)
+        # Cover single and multi-project scan use cases.
+        unless @projects.kind_of?(Array)
+          @projects = [ @projects ]
+        end
+      rescue StandardError => e
+        raise "Invalid Snyk JSON file provided Exception: #{e}"
+      end
+    end
+    def extract_scaninfo(project)
+      info = {}
+      begin
+        info['policy'] = project['policy']
+        reg = Regexp.new(SNYK_VERSION_REGEX, Regexp::IGNORECASE)
+        info['version'] = info['policy'].scan(reg).join
+        info['projectName'] = project['projectName']
+        info['summary'] = project['summary']
+        info
+      rescue StandardError => e
+        raise "Error extracting project info from Synk JSON file provided Exception: #{e}"
+      end
+    end
+    def finding(vulnerability)
+      finding = {}
+      finding['status'] = 'failed'
+      finding['code_desc'] = "From : [ #{vulnerability['from'].join(" , ").to_s } ]"
+      finding['run_time'] = NA_FLOAT
+      # Snyk results does not profile scan timestamp; using current time to satisfy HDF format
+      finding['start_time'] = NA_STRING
+      [finding]
+    end
+    def nist_tag(cweid)
+      entries = @cwe_nist_mapping.select { |x| cweid.include? x[:cweid].to_s }
+      tags = entries.map { |x| x[:nistid] }
+      tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
+    end
+    def parse_identifiers(vulnerability, ref)
+      # Extracting id number from reference style CWE-297
+      vulnerability['identifiers'][ref].map { |e| e.split("#{ref}-")[1]  }
+      rescue
+        return []
+    end
+    def impact(severity)
+      IMPACT_MAPPING[severity.to_sym]
+    end
+    def parse_mapper
+      csv_data = CSV.read(CWE_NIST_MAPPING_FILE, **{ encoding: 'UTF-8',
+                                                   headers: true,
+                                                   header_converters: :symbol,
+                                                   converters: :all })
+      csv_data.map(&:to_hash)
+    end
+    def desc_tags(data, label)
+      { "data": data || NA_STRING, "label": label || NA_STRING }
+    end
+    # Snyk report could have multiple vulnerability entries for multiple findings of same issue type.
+    # The meta data is identical across entries
+    # method collapse_duplicates return unique controls with applicable findings collapsed into it.
+    def collapse_duplicates(controls)
+      unique_controls = []
+      controls.map { |x| x['id'] }.uniq.each do |id|
+        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map {|x| x['results']}
+        unique_control = controls.find { |x| x['id'].eql?(id) }
+        unique_control['results'] = collapsed_results.flatten
+        unique_controls << unique_control
+      end
+      unique_controls
+    end
+    def to_hdf
+      project_results = {}
+      @projects.each do | project |
+        controls = []
+        project['vulnerabilities'].each do | vulnerability |
+          printf("\rProcessing: %s", $spinner.next)
+          item = {}
+          item['tags']               = {}
+          item['descriptions']       = []
+          item['refs']               = NA_ARRAY
+          item['source_location']    = NA_HASH
+          item['descriptions']       = NA_ARRAY
+          item['title']              = vulnerability['title'].to_s
+          item['id']                 = vulnerability['id'].to_s
+          item['desc']               = vulnerability['description'].to_s
+          item['impact']             = impact(vulnerability['severity'])
+          item['code']               = ''
+          item['results']            = finding(vulnerability)
+          item['tags']['nist']       = nist_tag( parse_identifiers( vulnerability, 'CWE') )
+          item['tags']['cweid']      = parse_identifiers( vulnerability, 'CWE')
+          item['tags']['cveid']      = parse_identifiers( vulnerability, 'CVE')
+          item['tags']['ghsaid']     = parse_identifiers( vulnerability, 'GHSA')
+          controls << item
+        end
+        controls = collapse_duplicates(controls)
+        scaninfo = extract_scaninfo(project)
+        results = HeimdallDataFormat.new(profile_name: scaninfo['policy'],
+                                         version: scaninfo['version'],
+                                         title: "Snyk Project: #{scaninfo['projectName']}",
+                                         summary: "Snyk Summary: #{scaninfo['summary']}",
+                                         controls: controls,
+                                         target_id: scaninfo['projectName'])
+        project_results[scaninfo['projectName']] = results.to_hdf
+      end
+      project_results
+    end
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: heimdall_tools
 version: !ruby/object:Gem::Version
-  version: 1.3.27
+  version: 1.3.32
 platform: ruby
 authors:
 - Robert Thew
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-05-22 00:00:00.000000000 Z
+date: 2020-07-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -203,14 +203,13 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- CHANGELOG.md
 - Guardfile
 - LICENSE.md
 - README.md
 - Rakefile
 - exe/heimdall_tools
+- lib/data/U_CCI_List.xml
 - lib/data/cwe-nist-mapping.csv
-- lib/data/gitkeep
 - lib/data/nessus-plugins-nist-mapping.csv
 - lib/data/owasp-nist-mapping.csv
 - lib/heimdall_tools.rb
@@ -223,9 +222,11 @@ files:
 - lib/heimdall_tools/help/burpsuite_mapper.md
 - lib/heimdall_tools/help/fortify_mapper.md
 - lib/heimdall_tools/help/nessus_mapper.md
+- lib/heimdall_tools/help/snyk_mapper.md
 - lib/heimdall_tools/help/sonarqube_mapper.md
 - lib/heimdall_tools/help/zap_mapper.md
 - lib/heimdall_tools/nessus_mapper.rb
+- lib/heimdall_tools/snyk_mapper.rb
 - lib/heimdall_tools/sonarqube_mapper.rb
 - lib/heimdall_tools/version.rb
 - lib/heimdall_tools/zap_mapper.rb