heimdall_tools 1.3.40 → 1.3.41
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/heimdall_tools/aws_config_mapper.rb +26 -26
- data/lib/heimdall_tools/burpsuite_mapper.rb +7 -11
- data/lib/heimdall_tools/cli.rb +9 -10
- data/lib/heimdall_tools/command.rb +0 -2
- data/lib/heimdall_tools/dbprotect_mapper.rb +9 -18
- data/lib/heimdall_tools/fortify_mapper.rb +1 -2
- data/lib/heimdall_tools/hdf.rb +4 -5
- data/lib/heimdall_tools/jfrog_xray_mapper.rb +26 -27
- data/lib/heimdall_tools/nessus_mapper.rb +39 -46
- data/lib/heimdall_tools/netsparker_mapper.rb +13 -16
- data/lib/heimdall_tools/nikto_mapper.rb +27 -27
- data/lib/heimdall_tools/snyk_mapper.rb +20 -22
- data/lib/heimdall_tools/sonarqube_mapper.rb +23 -21
- data/lib/heimdall_tools/zap_mapper.rb +3 -4
- data/lib/utilities/xml_to_hash.rb +6 -6
- metadata +38 -24
@@ -5,7 +5,7 @@ require 'heimdall_tools/hdf'
|
|
5
5
|
|
6
6
|
RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
|
7
7
|
|
8
|
-
DEFAULT_NIST_TAG =
|
8
|
+
DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
|
9
9
|
|
10
10
|
MAPPING_FILES = {
|
11
11
|
cwe: File.join(RESOURCE_DIR, 'cwe-nist-mapping.csv'),
|
@@ -33,16 +33,18 @@ class SonarQubeApi
|
|
33
33
|
|
34
34
|
PAGE_SIZE = 100
|
35
35
|
|
36
|
-
def initialize(api_url, auth=nil)
|
36
|
+
def initialize(api_url, auth = nil)
|
37
37
|
@api_url = api_url
|
38
38
|
@auth = auth
|
39
39
|
end
|
40
40
|
|
41
|
-
def query_api(endpoint, params={})
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
41
|
+
def query_api(endpoint, params = {})
|
42
|
+
unless @auth.nil?
|
43
|
+
creds = {
|
44
|
+
username: @auth.split(':')[0],
|
45
|
+
password: @auth.split(':')[1]
|
46
|
+
}
|
47
|
+
end
|
46
48
|
|
47
49
|
response = HTTParty.get(@api_url + endpoint, { query: params, basic_auth: creds })
|
48
50
|
check_response response
|
@@ -109,9 +111,9 @@ end
|
|
109
111
|
module HeimdallTools
|
110
112
|
class SonarQubeMapper
|
111
113
|
# Fetches the necessary data from the API and builds report
|
112
|
-
def initialize(project_name, sonarqube_url, auth=nil)
|
114
|
+
def initialize(project_name, sonarqube_url, auth = nil)
|
113
115
|
@project_name = project_name
|
114
|
-
@api = SonarQubeApi.new(sonarqube_url,auth)
|
116
|
+
@api = SonarQubeApi.new(sonarqube_url, auth)
|
115
117
|
|
116
118
|
@mappings = load_nist_mappings
|
117
119
|
@findings = @api.query_issues(@project_name).map { |x| Finding.new(x, @api) }
|
@@ -132,16 +134,16 @@ module HeimdallTools
|
|
132
134
|
headers: true,
|
133
135
|
header_converters: :symbol,
|
134
136
|
converters: :all })
|
135
|
-
mappings[mapping_type] =
|
136
|
-
[row[
|
137
|
-
}
|
137
|
+
mappings[mapping_type] = csv_data.reject { |row| row[:nistid].nil? }.map { |row|
|
138
|
+
[row["#{mapping_type.to_s.downcase}id".to_sym].to_s, [row[:nistid], "Rev_#{row[:rev]}"]]
|
139
|
+
}.to_h
|
138
140
|
end
|
139
141
|
mappings
|
140
142
|
end
|
141
143
|
|
142
144
|
# Returns a report in HDF format
|
143
145
|
def to_hdf
|
144
|
-
results = HeimdallDataFormat.new(profile_name:
|
146
|
+
results = HeimdallDataFormat.new(profile_name: 'SonarQube Scan',
|
145
147
|
version: @api.query_version,
|
146
148
|
title: "SonarQube Scan of Project: #{@project_name}",
|
147
149
|
summary: "SonarQube Scan of Project: #{@project_name}",
|
@@ -156,7 +158,7 @@ class Control
|
|
156
158
|
# OWASP is stated specifically, ex owasp-a1
|
157
159
|
#
|
158
160
|
# SonarQube is inconsistent with tags (ex some cwe rules don't have cwe number in desc,) as noted below
|
159
|
-
TAG_DATA = {} # NOTE: We count on Ruby to preserve order for TAG_DATA
|
161
|
+
TAG_DATA = {}.freeze # NOTE: We count on Ruby to preserve order for TAG_DATA
|
160
162
|
TAG_DATA[:cwe] = {
|
161
163
|
# Some rules with cwe tag don't have cwe number in description!
|
162
164
|
# Currently only squid:S2658, but it has OWASP tag so we can use that.
|
@@ -206,8 +208,8 @@ class Control
|
|
206
208
|
reg = Regexp.new(tag_data[:regex], Regexp::IGNORECASE)
|
207
209
|
parsed_tags += @data['htmlDesc'].scan(reg).map(&:first)
|
208
210
|
|
209
|
-
if parsed_tags.empty? and not KNOWN_BAD_RULES.include? @key
|
210
|
-
puts "Error: Rule #{@key}: No regex matches for #{tag_type} tag."
|
211
|
+
if parsed_tags.empty? and not KNOWN_BAD_RULES.include? @key && parsed_tags.empty?
|
212
|
+
puts "Error: Rule #{@key}: No regex matches for #{tag_type} tag."
|
211
213
|
end
|
212
214
|
else
|
213
215
|
# If the tag type doesn't have a regex, it is specific enough to be mapped directly
|
@@ -239,11 +241,11 @@ class Control
|
|
239
241
|
return [@mappings[tag_type][parsed_tag]].flatten.uniq
|
240
242
|
end
|
241
243
|
|
242
|
-
DEFAULT_NIST_TAG # Entries with unmapped NIST tags
|
244
|
+
DEFAULT_NIST_TAG # Entries with unmapped NIST tags fall back to defaults
|
243
245
|
end
|
244
246
|
|
245
247
|
def hdf
|
246
|
-
#
|
248
|
+
# NOTE: Structure is based on fortify -> HDF converter output
|
247
249
|
{
|
248
250
|
title: @data['name'],
|
249
251
|
desc: @data['htmlDesc'],
|
@@ -256,7 +258,7 @@ class Control
|
|
256
258
|
id: @key,
|
257
259
|
descriptions: NA_ARRAY,
|
258
260
|
refs: NA_ARRAY,
|
259
|
-
source_location: NA_HASH
|
261
|
+
source_location: NA_HASH
|
260
262
|
}
|
261
263
|
end
|
262
264
|
end
|
@@ -284,10 +286,10 @@ class Finding
|
|
284
286
|
|
285
287
|
snip_html = "StartLine: #{snip_start}, EndLine: #{snip_end}<br>Code:<pre>#{snip}</pre>"
|
286
288
|
{
|
287
|
-
|
289
|
+
status: 'failed',
|
288
290
|
code_desc: "Path:#{component}:#{vuln_start}:#{vuln_end} #{snip_html}",
|
289
291
|
run_time: NA_FLOAT,
|
290
|
-
start_time: Time.now.strftime(
|
292
|
+
start_time: Time.now.strftime('%a,%d %b %Y %X')
|
291
293
|
}
|
292
294
|
end
|
293
295
|
end
|
@@ -3,11 +3,10 @@ require 'nokogiri'
|
|
3
3
|
require 'csv'
|
4
4
|
require 'heimdall_tools/hdf'
|
5
5
|
|
6
|
-
|
7
6
|
RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
|
8
7
|
|
9
8
|
CWE_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'cwe-nist-mapping.csv')
|
10
|
-
DEFAULT_NIST_TAG =
|
9
|
+
DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
|
11
10
|
|
12
11
|
# rubocop:disable Metrics/AbcSize
|
13
12
|
|
@@ -58,7 +57,7 @@ module HeimdallTools
|
|
58
57
|
|
59
58
|
def format_code_desc(code_desc)
|
60
59
|
desc = ''
|
61
|
-
code_desc.
|
60
|
+
code_desc.each_key do |key|
|
62
61
|
desc += "#{key.capitalize}: #{code_desc[key]}\n"
|
63
62
|
end
|
64
63
|
desc
|
@@ -98,7 +97,7 @@ module HeimdallTools
|
|
98
97
|
dup_ids.each do |dup_id|
|
99
98
|
index = 1
|
100
99
|
controls.select { |x| x['id'].eql?(dup_id) }.each do |control|
|
101
|
-
control['id'] = control['id']
|
100
|
+
control['id'] = "#{control['id']}.#{index}"
|
102
101
|
index += 1
|
103
102
|
end
|
104
103
|
end
|
@@ -6,11 +6,13 @@ def xml_node_to_hash(node)
|
|
6
6
|
result_hash = {}
|
7
7
|
if node.attributes != {}
|
8
8
|
attributes = {}
|
9
|
-
node.attributes.
|
9
|
+
node.attributes.each_key do |key|
|
10
10
|
attributes[node.attributes[key].name] = node.attributes[key].value
|
11
11
|
end
|
12
12
|
end
|
13
|
-
if
|
13
|
+
if node.children.empty?
|
14
|
+
attributes
|
15
|
+
else
|
14
16
|
node.children.each do |child|
|
15
17
|
result = xml_node_to_hash(child)
|
16
18
|
|
@@ -36,9 +38,7 @@ def xml_node_to_hash(node)
|
|
36
38
|
# if there is a collision then node content supersets attributes
|
37
39
|
result_hash = attributes.merge(result_hash)
|
38
40
|
end
|
39
|
-
|
40
|
-
else
|
41
|
-
return attributes
|
41
|
+
result_hash
|
42
42
|
end
|
43
43
|
else
|
44
44
|
node.content.to_s
|
@@ -47,7 +47,7 @@ end
|
|
47
47
|
|
48
48
|
def xml_to_hash(xml)
|
49
49
|
begin
|
50
|
-
data = Nokogiri::XML(xml
|
50
|
+
data = Nokogiri::XML(xml, &:strict)
|
51
51
|
rescue Nokogiri::XML::SyntaxError => e
|
52
52
|
puts "XML Parsing caught exception: #{e}"
|
53
53
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: heimdall_tools
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.3.
|
4
|
+
version: 1.3.41
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Robert Thew
|
@@ -10,7 +10,7 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: exe
|
12
12
|
cert_chain: []
|
13
|
-
date: 2021-03-
|
13
|
+
date: 2021-03-29 00:00:00.000000000 Z
|
14
14
|
dependencies:
|
15
15
|
- !ruby/object:Gem::Dependency
|
16
16
|
name: aws-sdk-configservice
|
@@ -27,75 +27,75 @@ dependencies:
|
|
27
27
|
- !ruby/object:Gem::Version
|
28
28
|
version: '1'
|
29
29
|
- !ruby/object:Gem::Dependency
|
30
|
-
name:
|
30
|
+
name: csv
|
31
31
|
requirement: !ruby/object:Gem::Requirement
|
32
32
|
requirements:
|
33
33
|
- - "~>"
|
34
34
|
- !ruby/object:Gem::Version
|
35
|
-
version: 1
|
35
|
+
version: '3.1'
|
36
36
|
type: :runtime
|
37
37
|
prerelease: false
|
38
38
|
version_requirements: !ruby/object:Gem::Requirement
|
39
39
|
requirements:
|
40
40
|
- - "~>"
|
41
41
|
- !ruby/object:Gem::Version
|
42
|
-
version: 1
|
42
|
+
version: '3.1'
|
43
43
|
- !ruby/object:Gem::Dependency
|
44
|
-
name:
|
44
|
+
name: git-lite-version-bump
|
45
45
|
requirement: !ruby/object:Gem::Requirement
|
46
46
|
requirements:
|
47
|
-
- - "
|
47
|
+
- - ">="
|
48
48
|
- !ruby/object:Gem::Version
|
49
|
-
version:
|
49
|
+
version: 0.17.2
|
50
50
|
type: :runtime
|
51
51
|
prerelease: false
|
52
52
|
version_requirements: !ruby/object:Gem::Requirement
|
53
53
|
requirements:
|
54
|
-
- - "
|
54
|
+
- - ">="
|
55
55
|
- !ruby/object:Gem::Version
|
56
|
-
version:
|
56
|
+
version: 0.17.2
|
57
57
|
- !ruby/object:Gem::Dependency
|
58
|
-
name:
|
58
|
+
name: httparty
|
59
59
|
requirement: !ruby/object:Gem::Requirement
|
60
60
|
requirements:
|
61
61
|
- - "~>"
|
62
62
|
- !ruby/object:Gem::Version
|
63
|
-
version:
|
63
|
+
version: 0.18.0
|
64
64
|
type: :runtime
|
65
65
|
prerelease: false
|
66
66
|
version_requirements: !ruby/object:Gem::Requirement
|
67
67
|
requirements:
|
68
68
|
- - "~>"
|
69
69
|
- !ruby/object:Gem::Version
|
70
|
-
version:
|
70
|
+
version: 0.18.0
|
71
71
|
- !ruby/object:Gem::Dependency
|
72
|
-
name:
|
72
|
+
name: json
|
73
73
|
requirement: !ruby/object:Gem::Requirement
|
74
74
|
requirements:
|
75
75
|
- - "~>"
|
76
76
|
- !ruby/object:Gem::Version
|
77
|
-
version: '3
|
77
|
+
version: '2.3'
|
78
78
|
type: :runtime
|
79
79
|
prerelease: false
|
80
80
|
version_requirements: !ruby/object:Gem::Requirement
|
81
81
|
requirements:
|
82
82
|
- - "~>"
|
83
83
|
- !ruby/object:Gem::Version
|
84
|
-
version: '3
|
84
|
+
version: '2.3'
|
85
85
|
- !ruby/object:Gem::Dependency
|
86
|
-
name:
|
86
|
+
name: nokogiri
|
87
87
|
requirement: !ruby/object:Gem::Requirement
|
88
88
|
requirements:
|
89
89
|
- - "~>"
|
90
90
|
- !ruby/object:Gem::Version
|
91
|
-
version:
|
91
|
+
version: 1.10.9
|
92
92
|
type: :runtime
|
93
93
|
prerelease: false
|
94
94
|
version_requirements: !ruby/object:Gem::Requirement
|
95
95
|
requirements:
|
96
96
|
- - "~>"
|
97
97
|
- !ruby/object:Gem::Version
|
98
|
-
version:
|
98
|
+
version: 1.10.9
|
99
99
|
- !ruby/object:Gem::Dependency
|
100
100
|
name: openssl
|
101
101
|
requirement: !ruby/object:Gem::Requirement
|
@@ -111,19 +111,19 @@ dependencies:
|
|
111
111
|
- !ruby/object:Gem::Version
|
112
112
|
version: '2.1'
|
113
113
|
- !ruby/object:Gem::Dependency
|
114
|
-
name:
|
114
|
+
name: thor
|
115
115
|
requirement: !ruby/object:Gem::Requirement
|
116
116
|
requirements:
|
117
|
-
- - "
|
117
|
+
- - "~>"
|
118
118
|
- !ruby/object:Gem::Version
|
119
|
-
version: 0.
|
119
|
+
version: '0.19'
|
120
120
|
type: :runtime
|
121
121
|
prerelease: false
|
122
122
|
version_requirements: !ruby/object:Gem::Requirement
|
123
123
|
requirements:
|
124
|
-
- - "
|
124
|
+
- - "~>"
|
125
125
|
- !ruby/object:Gem::Version
|
126
|
-
version: 0.
|
126
|
+
version: '0.19'
|
127
127
|
- !ruby/object:Gem::Dependency
|
128
128
|
name: bundler
|
129
129
|
requirement: !ruby/object:Gem::Requirement
|
@@ -180,6 +180,20 @@ dependencies:
|
|
180
180
|
- - ">="
|
181
181
|
- !ruby/object:Gem::Version
|
182
182
|
version: '0'
|
183
|
+
- !ruby/object:Gem::Dependency
|
184
|
+
name: rubocop
|
185
|
+
requirement: !ruby/object:Gem::Requirement
|
186
|
+
requirements:
|
187
|
+
- - "~>"
|
188
|
+
- !ruby/object:Gem::Version
|
189
|
+
version: '1.11'
|
190
|
+
type: :development
|
191
|
+
prerelease: false
|
192
|
+
version_requirements: !ruby/object:Gem::Requirement
|
193
|
+
requirements:
|
194
|
+
- - "~>"
|
195
|
+
- !ruby/object:Gem::Version
|
196
|
+
version: '1.11'
|
183
197
|
description: Converter utils that can be included as a gem or used from the command
|
184
198
|
line
|
185
199
|
email:
|