RubyGems - heimdall_tools - Versions diffs - 1.3.27 → 1.3.32 - Mend

heimdall_tools 1.3.27 → 1.3.32

Files changed (12) hide show

checksums.yaml +4 -4
data/README.md +19 -0
data/lib/data/U_CCI_List.xml +38403 -0
data/lib/data/cwe-nist-mapping.csv +8 -4
data/lib/heimdall_tools.rb +1 -0
data/lib/heimdall_tools/cli.rb +16 -1
data/lib/heimdall_tools/help/snyk_mapper.md +7 -0
data/lib/heimdall_tools/nessus_mapper.rb +95 -17
data/lib/heimdall_tools/snyk_mapper.rb +161 -0
metadata +5 -4
data/CHANGELOG.md +0 -248
data/lib/data/gitkeep +0 -0

data/lib/data/cwe-nist-mapping.csv CHANGED

@@ -46,6 +46,7 @@
 170, Improper Null Termination,SI-10,4,Information Input Validation
 176, Improper Handling of Unicode Encoding,,4,
 185, Incorrect Regular Expression,,4,
+189, Numeric Errors,SA-11,4,Developer Security Testing and Evaluation
 190, Integer Overflow or Wraparound,SI-10,4,Information Input Validation
 195, Signed to Unsigned Conversion Error,,4,
 200, Information Exposure,SC-8,4,Transmission Confidentiality and Integrity
@@ -79,6 +80,7 @@
 305, Authentication Bypass by Primary Weakness,IA-8,4,Identification and Authentication (Non-Organizational Users)
 306, Missing Authentication for Critical Function,AC-3,4,Access Enforcement
 307, Improper Restriction of Excessive Authentication Attempts,AC-7,4,Unsuccessful Logon Attempts
+310, Cryptographic Issues,SC-13,4,Cryptographic Protection
 311, Missing Encryption of Sensitive Data,SC-8,4,Transmission Confidentiality and Integrity
 321, Use of Hard-coded Cryptographic Key,SC-12,4,Cryptographic Key Establishment and Management
 325, Missing Required Cryptographic Step,SC-13,4,Cryptographic Protection
@@ -113,15 +115,16 @@
 401, Improper Release of Memory Before Removing Last Reference,,4,
 404, Improper Resource Shutdown or Release,,4,
 415, Double Free,,4,
-416, Use after Free,,4,
+416, Use after Free,SC-4,4,Information in Shared Resources
 434, Unrestricted Upload of File with Dangerous Type,AC-6,4,Least Privilege: Privilege Levels for Code Execution
+444, Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'),SI-10,4,Information Input Validation
 457, Use of Uninitialized Variable,,4,
 466, Return of Pointer Value Outside of Expected Range,,4,
 470, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'),SI-10,4,Information Input Validation
 471, Modification of Assumed-Immutable DATA (MAID),AC-3,4,Access Enforcement
 474, Use of Function with Inconsistent Implementations,,4,
 475, Undefined Behavior for Input to API,,4,
-476, NULL Pointer Dereference,,4,
+476, NULL Pointer Dereference,SI-10,4,Information Input Validation
 477, Use of Obsolete Functions,,4,
 478, Missing Default Case in Switch Statement,,4,
 492, Use of Inner Class Containing Sensitive Data,AC-3,4,Access Enforcement
@@ -130,6 +133,7 @@
 495, Private Array-Typed Field Returned From A Public Method,AC-3,4,Access Enforcement
 497, Exposure of System Data to an Unauthorized Control Sphere,SI-11,4,Error Handling
 501, Trust Boundary Violation,SI-10,4,Information Input Validation
+502, Deserialization of Untrusted Data,SI-10,4,Information Input Validation
 521, Weak Password Requirements,IA-5,4,Authenticator Management : -1 Password-based Authentication
 522, Insufficiently Protected Credentials,SC-8,4,Transmission Confidentiality and Integrity
 539, Information Exposure Through Persistent Cookies,SC-23,4,Session Authenticity
@@ -159,7 +163,7 @@
 601, URL Redirection to Untrusted Site ('Open Redirect'),SI-10,4,Information Input Validation
 607, Public Static Final Field References Mutable Object,,4,
 609, Double-Checked Locking,,4,
-611, Improper Restriction of XML External Entity Reference ('XXE'),,4,
+611, Improper Restriction of XML External Entity Reference ('XXE'),SI-10,4,Information Input Validation
 613, Insufficient Session Expiration,AC-12,4,Session Termination
 614, Sensitive Cookie in HTTPS Session Without 'Secure' Attribute,SC-8,4,Transmission Confidentiality and Integrity
 615, Information Exposure Through Comments,AC-3,4,Access Enforcement : -5 Security-Relevant Information
@@ -192,4 +196,4 @@
 863, Incorrect Authorization,AC-3,4,Access Enforcement
 915, Improperly Controlled Modification of Dynamically-Determined Object Attributes,SI-10,4,Information Input Validation
 916, Use of Password Hash With Insufficient Computational Effort,SC-13,4,Cryptographic Protection
-918, Server-Side Request Forgery (SSRF),SI-10,4,Information Input Validation
+918, Server-Side Request Forgery (SSRF),SI-10,4,Information Input Validation

data/lib/heimdall_tools.rb CHANGED

@@ -10,4 +10,5 @@ module HeimdallTools
   autoload :SonarQubeMapper, 'heimdall_tools/sonarqube_mapper'
   autoload :BurpSuiteMapper, 'heimdall_tools/burpsuite_mapper'
   autoload :NessusMapper, 'heimdall_tools/nessus_mapper'
+  autoload :SnykMapper, 'heimdall_tools/snyk_mapper'
 end

data/lib/heimdall_tools/cli.rb CHANGED

@@ -53,13 +53,28 @@ module HeimdallTools
     def nessus_mapper
       hdfs = HeimdallTools::NessusMapper.new(File.read(options[:xml])).to_hdf
+      puts "\nHDF Generated:"
       hdfs.keys.each do | host |
         File.write("#{options[:output_prefix]}-#{host}.json", hdfs[host])
-        puts "HDF Generated: #{options[:output_prefix]}-#{host}.json"
+        puts "#{options[:output_prefix]}-#{host}.json"
       end
     end
+    desc 'snyk_mapper', 'snyk_mapper translates Synk results Json to HDF format Json be viewed on Heimdall'
+    long_desc Help.text(:fortify_mapper)
+    option :json, required: true, aliases: '-j'
+    option :output_prefix, required: true, aliases: '-o'
+    option :verbose, type: :boolean, aliases: '-V'
+    def snyk_mapper
+      hdfs = HeimdallTools::SnykMapper.new(File.read(options[:json]), options[:name]).to_hdf
+      puts "\r\HDF Generated:\n"
+      hdfs.keys.each do | host |
+        File.write("#{options[:output_prefix]}-#{host}.json", hdfs[host])
+        puts "#{options[:output_prefix]}-#{host}.json"
+      end
+    end
     desc 'version', 'prints version'
     def version
       puts VERSION

data/lib/heimdall_tools/help/snyk_mapper.md ADDED

@@ -0,0 +1,7 @@
+  snyk_mapper translates an Snyk results JSON file into HDF format json to be viewable in Heimdall
+  A separate HDF JSON is generated for each project reported in the Snyk Report.
+Examples:
+  heimdall_tools snyk_mapper -j snyk_results.json -o output-file-prefix

data/lib/heimdall_tools/nessus_mapper.rb CHANGED

@@ -2,10 +2,12 @@ require 'json'
 require 'csv'
 require 'heimdall_tools/hdf'
 require 'utilities/xml_to_hash'
+require 'nokogiri'
 RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
 NESSUS_PLUGINS_NIST_MAPPING_FILE =   File.join(RESOURCE_DIR, 'nessus-plugins-nist-mapping.csv')
+U_CCI_LIST =   File.join(RESOURCE_DIR, 'U_CCI_List.xml')
 IMPACT_MAPPING = {
   Info: 0.0,
@@ -17,20 +19,33 @@ IMPACT_MAPPING = {
 DEFAULT_NIST_TAG = ["unmapped"].freeze
+# Nessus results file 800-53 refs does not contain Nist rev version. Using this default
+# version in that case
+DEFAULT_NIST_REV = 'Rev_4'.freeze
 NA_PLUGIN_OUTPUT = "This Nessus Plugin does not provide output message.".freeze
 # rubocop:disable Metrics/AbcSize
+# Loading spinner sign
+$spinner = Enumerator.new do |e|
+  loop do
+    e.yield '|'
+    e.yield '/'
+    e.yield '-'
+    e.yield '\\'
+  end
+end
 module HeimdallTools
   class NessusMapper
     def initialize(nessus_xml, verbose = false)
       @nessus_xml = nessus_xml
       @verbose = verbose
+      read_cci_xml
       begin
         @cwe_nist_mapping = parse_mapper
         @data = xml_to_hash(nessus_xml)
         @reports = extract_report
         @scaninfo = extract_scaninfo
       rescue StandardError => e
@@ -51,6 +66,10 @@ module HeimdallTools
       end
     end
+    def parse_refs(refs, key)
+      refs.split(',').map { |x| x.split('|')[1] if x.include?(key) }.compact
+    end
     def extract_scaninfo
       begin
         policy = @data['NessusClientData_v2']['Policy']
@@ -82,28 +101,60 @@ module HeimdallTools
     def finding(issue, timestamp)
       finding = {}
-      finding['status'] = 'failed'
-      finding['code_desc'] = issue['plugin_output'] || NA_PLUGIN_OUTPUT
+      # if compliance-result field, this is a policy compliance result entry
+      # nessus policy compliance result provides a pass/fail data
+      # For non policy compliance  results are defaulted to failed
+      if issue['compliance-result']
+        finding['status'] = issue['compliance-result'].eql?('PASSED') ? 'passed' : 'failed'
+      else
+        finding['status'] = 'failed'
+      end
+      if issue['description']
+        finding['code_desc'] = issue['description'].to_s || NA_PLUGIN_OUTPUT
+      else
+        finding['code_desc'] = issue['plugin_output'] || NA_PLUGIN_OUTPUT
+      end
       finding['run_time'] = NA_FLOAT
       finding['start_time'] = timestamp
       [finding]
     end
-    def nist_tag(pluginfamily, pluginid)
+    def read_cci_xml
+      @cci_xml = Nokogiri::XML(File.open(U_CCI_LIST))
+      @cci_xml.remove_namespaces!
+    rescue StandardError => e
+      puts "Exception: #{e.message}"
+    end
+    def cci_nist_tag(cci_refs)
+      nist_tags = []
+      cci_refs.each do | cci_ref |
+        item_node = @cci_xml.xpath("//cci_list/cci_items/cci_item[@id='#{cci_ref}']")[0] unless @cci_xml.nil?
+        unless item_node.nil?
+          nist_ref = item_node.xpath('./references/reference[not(@version <= preceding-sibling::reference/@version) and not(@version <=following-sibling::reference/@version)]/@index').text
+        end
+        nist_tags << nist_ref
+      end
+      nist_tags
+    end
+    def plugin_nist_tag(pluginfamily, pluginid)
       entries = @cwe_nist_mapping.select { |x| (x[:pluginfamily].eql?(pluginfamily) && (x[:pluginid].eql?('*') || x[:pluginid].eql?(pluginid.to_i)) ) }
       tags = entries.map { |x| [x[:nistid].split('|'), "Rev_#{x[:rev]}"] }
       tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
     end
     def impact(severity)
+      # Map CAT levels and Plugin severity to HDF impact levels
       case severity
       when "0"
         IMPACT_MAPPING[:Info]
-      when "1"
+      when "1","III"
         IMPACT_MAPPING[:Low]
-      when "2"
+      when "2","II"
         IMPACT_MAPPING[:Medium]
-      when "3"
+      when "3","I"
         IMPACT_MAPPING[:High]
       when "4"
         IMPACT_MAPPING[:Critical]
@@ -142,21 +193,48 @@ module HeimdallTools
     def to_hdf
       host_results = {}
       @reports.each do | report|
-        # Under current version of the converter `Policy Compliance` items are ignored
-        report_items = report['ReportItem'].select {|x| !x['pluginFamily'].eql? 'Policy Compliance'}
         controls = []
-        report_items.each do | item |
+        report['ReportItem'].each do | item |
+          printf("\rProcessing: %s", $spinner.next)
           @item = {}
-          @item['id']                 = item['pluginID'].to_s
-          @item['title']              = item['pluginName'].to_s
-          @item['desc']               = format_desc(item).to_s
-          @item['impact']             = impact(item['severity'])
           @item['tags']               = {}
           @item['descriptions']       = []
           @item['refs']               = NA_ARRAY
           @item['source_location']    = NA_HASH
-          @item['tags']['nist']       = nist_tag(item['pluginFamily'],item['pluginID'])
+          # Nessus results field set are different for 'Policy Compliance' plug-in family vs other plug-in families
+          # Following if conditions capture compliance* if it exists else it will default to plugin* fields
+          # Current version covers STIG based 'Policy Compliance' results
+          # TODO Cover cases for 'Policy Compliance' results based on CIS
+          if item['compliance-reference']
+            @item['id']                 = parse_refs(item['compliance-reference'],'Vuln-ID').join.to_s
+          else
+            @item['id']                 = item['pluginID'].to_s
+          end
+          if item['compliance-check-name']
+            @item['title']              = item['compliance-check-name'].to_s
+          else
+            @item['title']              = item['pluginName'].to_s
+          end
+          if item['compliance-info']
+            @item['desc']              = item['compliance-info'].to_s
+          else
+            @item['desc']              = format_desc(item).to_s
+          end
+          if item['compliance-reference']
+            @item['impact']            = impact(parse_refs(item['compliance-reference'],'CAT').join.to_s)
+          else
+            @item['impact']            = impact(item['severity'])
+          end
+          if item['compliance-reference']
+            @item['tags']['nist']     = cci_nist_tag(parse_refs(item['compliance-reference'],'CCI'))
+          else
+            @item['tags']['nist']     = plugin_nist_tag(item['pluginFamily'],item['pluginID'])
+          end
+          if item['compliance-solution']
+            @item['descriptions']       <<  desc_tags(item['compliance-solution'], 'check')
+          end
           @item['code']               = ''
           @item['results']            = finding(item, extract_timestamp(report))
           controls << @item

data/lib/heimdall_tools/snyk_mapper.rb ADDED

@@ -0,0 +1,161 @@
+require 'json'
+require 'csv'
+require 'heimdall_tools/hdf'
+require 'utilities/xml_to_hash'
+RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
+CWE_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'cwe-nist-mapping.csv')
+IMPACT_MAPPING = {
+  high: 0.7,
+  medium: 0.5,
+  low: 0.3,
+}.freeze
+SNYK_VERSION_REGEX = 'v(\d+.)(\d+.)(\d+)'.freeze
+DEFAULT_NIST_TAG = ["SA-11", "RA-5"].freeze
+# Loading spinner sign
+$spinner = Enumerator.new do |e|
+  loop do
+    e.yield '|'
+    e.yield '/'
+    e.yield '-'
+    e.yield '\\'
+  end
+end
+module HeimdallTools
+  class SnykMapper
+    def initialize(synk_json, name=nil, verbose = false)
+      @synk_json = synk_json
+      @verbose = verbose
+      begin
+        @cwe_nist_mapping = parse_mapper
+        @projects = JSON.parse(synk_json)
+        # Cover single and multi-project scan use cases.
+        unless @projects.kind_of?(Array)
+          @projects = [ @projects ]
+        end
+      rescue StandardError => e
+        raise "Invalid Snyk JSON file provided Exception: #{e}"
+      end
+    end
+    def extract_scaninfo(project)
+      info = {}
+      begin
+        info['policy'] = project['policy']
+        reg = Regexp.new(SNYK_VERSION_REGEX, Regexp::IGNORECASE)
+        info['version'] = info['policy'].scan(reg).join
+        info['projectName'] = project['projectName']
+        info['summary'] = project['summary']
+        info
+      rescue StandardError => e
+        raise "Error extracting project info from Synk JSON file provided Exception: #{e}"
+      end
+    end
+    def finding(vulnerability)
+      finding = {}
+      finding['status'] = 'failed'
+      finding['code_desc'] = "From : [ #{vulnerability['from'].join(" , ").to_s } ]"
+      finding['run_time'] = NA_FLOAT
+      # Snyk results does not profile scan timestamp; using current time to satisfy HDF format
+      finding['start_time'] = NA_STRING
+      [finding]
+    end
+    def nist_tag(cweid)
+      entries = @cwe_nist_mapping.select { |x| cweid.include? x[:cweid].to_s }
+      tags = entries.map { |x| x[:nistid] }
+      tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
+    end
+    def parse_identifiers(vulnerability, ref)
+      # Extracting id number from reference style CWE-297
+      vulnerability['identifiers'][ref].map { |e| e.split("#{ref}-")[1]  }
+      rescue
+        return []
+    end
+    def impact(severity)
+      IMPACT_MAPPING[severity.to_sym]
+    end
+    def parse_mapper
+      csv_data = CSV.read(CWE_NIST_MAPPING_FILE, **{ encoding: 'UTF-8',
+                                                   headers: true,
+                                                   header_converters: :symbol,
+                                                   converters: :all })
+      csv_data.map(&:to_hash)
+    end
+    def desc_tags(data, label)
+      { "data": data || NA_STRING, "label": label || NA_STRING }
+    end
+    # Snyk report could have multiple vulnerability entries for multiple findings of same issue type.
+    # The meta data is identical across entries
+    # method collapse_duplicates return unique controls with applicable findings collapsed into it.
+    def collapse_duplicates(controls)
+      unique_controls = []
+      controls.map { |x| x['id'] }.uniq.each do |id|
+        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map {|x| x['results']}
+        unique_control = controls.find { |x| x['id'].eql?(id) }
+        unique_control['results'] = collapsed_results.flatten
+        unique_controls << unique_control
+      end
+      unique_controls
+    end
+    def to_hdf
+      project_results = {}
+      @projects.each do | project |
+        controls = []
+        project['vulnerabilities'].each do | vulnerability |
+          printf("\rProcessing: %s", $spinner.next)
+          item = {}
+          item['tags']               = {}
+          item['descriptions']       = []
+          item['refs']               = NA_ARRAY
+          item['source_location']    = NA_HASH
+          item['descriptions']       = NA_ARRAY
+          item['title']              = vulnerability['title'].to_s
+          item['id']                 = vulnerability['id'].to_s
+          item['desc']               = vulnerability['description'].to_s
+          item['impact']             = impact(vulnerability['severity'])
+          item['code']               = ''
+          item['results']            = finding(vulnerability)
+          item['tags']['nist']       = nist_tag( parse_identifiers( vulnerability, 'CWE') )
+          item['tags']['cweid']      = parse_identifiers( vulnerability, 'CWE')
+          item['tags']['cveid']      = parse_identifiers( vulnerability, 'CVE')
+          item['tags']['ghsaid']     = parse_identifiers( vulnerability, 'GHSA')
+          controls << item
+        end
+        controls = collapse_duplicates(controls)
+        scaninfo = extract_scaninfo(project)
+        results = HeimdallDataFormat.new(profile_name: scaninfo['policy'],
+                                         version: scaninfo['version'],
+                                         title: "Snyk Project: #{scaninfo['projectName']}",
+                                         summary: "Snyk Summary: #{scaninfo['summary']}",
+                                         controls: controls,
+                                         target_id: scaninfo['projectName'])
+        project_results[scaninfo['projectName']] = results.to_hdf
+      end
+      project_results
+    end
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: heimdall_tools
 version: !ruby/object:Gem::Version
-  version: 1.3.27
+  version: 1.3.32
 platform: ruby
 authors:
 - Robert Thew
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-05-22 00:00:00.000000000 Z
+date: 2020-07-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -203,14 +203,13 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- CHANGELOG.md
 - Guardfile
 - LICENSE.md
 - README.md
 - Rakefile
 - exe/heimdall_tools
+- lib/data/U_CCI_List.xml
 - lib/data/cwe-nist-mapping.csv
-- lib/data/gitkeep
 - lib/data/nessus-plugins-nist-mapping.csv
 - lib/data/owasp-nist-mapping.csv
 - lib/heimdall_tools.rb
@@ -223,9 +222,11 @@ files:
 - lib/heimdall_tools/help/burpsuite_mapper.md
 - lib/heimdall_tools/help/fortify_mapper.md
 - lib/heimdall_tools/help/nessus_mapper.md
+- lib/heimdall_tools/help/snyk_mapper.md
 - lib/heimdall_tools/help/sonarqube_mapper.md
 - lib/heimdall_tools/help/zap_mapper.md
 - lib/heimdall_tools/nessus_mapper.rb
+- lib/heimdall_tools/snyk_mapper.rb
 - lib/heimdall_tools/sonarqube_mapper.rb
 - lib/heimdall_tools/version.rb
 - lib/heimdall_tools/zap_mapper.rb