heimdall_tools 1.3.43 → 1.3.48

data/lib/data/scoutsuite-nist-mapping.csv

@@ -0,0 +1,140 @@
+rule,nistid
+acm-certificate-with-close-expiration-date,SC-12
+acm-certificate-with-transparency-logging-disabled,SC-12
+cloudformation-stack-with-role,AC-6
+cloudtrail-duplicated-global-services-logging,AU-6
+cloudtrail-no-cloudwatch-integration,AU-12|SI-4(2)
+cloudtrail-no-data-logging,AU-12
+cloudtrail-no-encryption-with-kms,AU-6
+cloudtrail-no-global-services-logging,AU-12
+cloudtrail-no-log-file-validation,AU-6
+cloudtrail-no-logging,AU-12
+cloudtrail-not-configured,AU-12
+cloudwatch-alarm-without-actions,AU-12
+config-recorder-not-configured,CM-8|CM-8(2)|CM-8(6)
+ec2-ami-public,AC-3
+ec2-default-security-group-in-use,AC-3(3)
+ec2-default-security-group-with-rules,AC-3(3)
+ec2-ebs-snapshot-not-encrypted,SC-28
+ec2-ebs-snapshot-public,AC-3
+ec2-ebs-volume-not-encrypted,SC-28
+ec2-instance-in-security-group,CM-7(1)
+ec2-instance-type,CM-2
+ec2-instance-types,CM-2
+ec2-instance-with-public-ip,AC-3
+ec2-instance-with-user-data-secrets,AC-3
+ec2-security-group-opens-all-ports,CM-7(1)
+ec2-security-group-opens-all-ports-to-all,CM-7(1)
+ec2-security-group-opens-all-ports-to-self,CM-7(1)
+ec2-security-group-opens-icmp-to-all,CM-7(1)
+ec2-security-group-opens-known-port-to-all,CM-7(1)
+ec2-security-group-opens-plaintext-port,CM-7(1)
+ec2-security-group-opens-port-range,CM-7(1)
+ec2-security-group-opens-port-to-all,CM-7(1)
+ec2-security-group-whitelists-aws,CM-7(1)
+ec2-security-group-whitelists-aws-ip-from-banned-region,CM-7(1)
+ec2-security-group-whitelists-non-elastic-ips,CM-7(1)
+ec2-security-group-whitelists-unknown-aws,CM-7(1)
+ec2-security-group-whitelists-unknown-cidrs,CM-7(1)
+ec2-unused-security-group,CM-7(1)
+elb-listener-allowing-cleartext,SC-8
+elb-no-access-logs,AU-12
+elb-older-ssl-policy,SC-8
+elbv2-http-request-smuggling,SC-8
+elbv2-listener-allowing-cleartext,SC-8
+elbv2-no-access-logs,AU-12
+elbv2-no-deletion-protection,SI-7
+elbv2-older-ssl-policy,SC-8
+iam-assume-role-lacks-external-id-and-mfa,AC-17
+iam-assume-role-no-mfa,AC-6
+iam-assume-role-policy-allows-all,AC-6
+iam-ec2-role-without-instances,AC-6
+iam-group-with-inline-policies,AC-6
+iam-group-with-no-users,AC-6
+iam-human-user-with-policies,AC-6
+iam-inline-policy-allows-non-sts-action,AC-6
+iam-inline-policy-allows-NotActions,AC-6
+iam-inline-policy-for-role,AC-6
+iam-managed-policy-allows-full-privileges,AC-6
+iam-managed-policy-allows-non-sts-action,AC-6
+iam-managed-policy-allows-NotActions,AC-6
+iam-managed-policy-for-role,AC-6
+iam-managed-policy-no-attachments,AC-6
+iam-no-support-role,IR-7
+iam-password-policy-expiration-threshold,AC-2
+iam-password-policy-minimum-length,AC-2
+iam-password-policy-no-expiration,AC-2
+iam-password-policy-no-lowercase-required,AC-2
+iam-password-policy-no-number-required,AC-2
+iam-password-policy-no-symbol-required,AC-2
+iam-password-policy-no-uppercase-required,AC-2
+iam-password-policy-reuse-enabled,IA-5(1)
+iam-role-with-inline-policies,AC-6
+iam-root-account-no-hardware-mfa,IA-2(1)
+iam-root-account-no-mfa,IA-2(1)
+iam-root-account-used-recently,AC-6(9)
+iam-root-account-with-active-certs,AC-6(9)
+iam-root-account-with-active-keys,AC-6(9)
+iam-service-user-with-password,AC-2
+iam-unused-credentials-not-disabled,AC-2
+iam-user-no-key-rotation,AC-2
+iam-user-not-in-category-group,AC-2
+iam-user-not-in-common-group,AC-2
+iam-user-unused-access-key-initial-setup,AC-2
+iam-user-with-multiple-access-keys,IA-2
+iam-user-without-mfa,IA-2(1)
+iam-user-with-password-and-key,IA-2
+iam-user-with-policies,AC-2
+kms-cmk-rotation-disabled,SC-12
+logs-no-alarm-aws-configuration-changes,CM-8|CM-8(2)|CM-8(6)
+logs-no-alarm-cloudtrail-configuration-changes,AU-6
+logs-no-alarm-cmk-deletion,AC-2
+logs-no-alarm-console-authentication-failures,AC-2
+logs-no-alarm-iam-policy-changes,AC-2
+logs-no-alarm-nacl-changes,CM-6(2)
+logs-no-alarm-network-gateways-changes,AU-12|CM-6(2)
+logs-no-alarm-root-usage,AU-2
+logs-no-alarm-route-table-changes,AU-12|CM-6(2)
+logs-no-alarm-s3-policy-changes,AC-6|AU-12
+logs-no-alarm-security-group-changes,AC-2(4)
+logs-no-alarm-signin-without-mfa,AC-2
+logs-no-alarm-unauthorized-api-calls,AU-6|SI-4(2)
+logs-no-alarm-vpc-changes,CM-6(1)
+rds-instance-backup-disabled,CP-9
+rds-instance-ca-certificate-deprecated,SC-12
+rds-instance-no-minor-upgrade,SI-2
+rds-instance-short-backup-retention-period,CP-9
+rds-instance-single-az,CP-7
+rds-instance-storage-not-encrypted,SC-28
+rds-postgres-instance-with-invalid-certificate,SC-12
+rds-security-group-allows-all,CM-7(1)
+rds-snapshot-public,SC-28
+redshift-cluster-database-not-encrypted,SC-28
+redshift-cluster-no-version-upgrade,SI-2
+redshift-cluster-publicly-accessible,AC-3
+redshift-parameter-group-logging-disabled,AU-12
+redshift-parameter-group-ssl-not-required,SC-8
+redshift-security-group-whitelists-all,CM-7(1)
+route53-domain-no-autorenew,SC-2
+route53-domain-no-transferlock,SC-2
+route53-domain-transferlock-not-authorized,SC-2
+s3-bucket-allowing-cleartext,SC-28
+s3-bucket-no-default-encryption,SC-28
+s3-bucket-no-logging,AU-2|AU-12
+s3-bucket-no-mfa-delete,SI-7
+s3-bucket-no-versioning,SI-7
+s3-bucket-world-acl,AC-3(3)
+s3-bucket-world-policy-arg,AC-3(3)
+s3-bucket-world-policy-star,AC-3(3)
+ses-identity-dkim-not-enabled,SC-23
+ses-identity-dkim-not-verified,SC-23
+ses-identity-world-policy,AC-6
+sns-topic-world-policy,AC-6
+sqs-queue-world-policy,AC-6
+vpc-custom-network-acls-allow-all,SC-7
+vpc-default-network-acls-allow-all,SC-7
+vpc-network-acl-not-used,SC-7
+vpc-routing-tables-with-peering,AC-3(3)
+vpc-subnet-with-bad-acls,SC-7
+vpc-subnet-with-default-acls,SC-7
+vpc-subnet-without-flow-log,AU-12

data/lib/heimdall_tools.rb

@@ -16,4 +16,7 @@ module HeimdallTools
   autoload :DBProtectMapper, 'heimdall_tools/dbprotect_mapper'
   autoload :AwsConfigMapper, 'heimdall_tools/aws_config_mapper'
   autoload :NetsparkerMapper, 'heimdall_tools/netsparker_mapper'
+  autoload :SarifMapper, 'heimdall_tools/sarif_mapper'
+  autoload :ScoutSuiteMapper, 'heimdall_tools/scoutsuite_mapper'
+  autoload :XCCDFResultsMapper, 'heimdall_tools/xccdf_results_mapper'
 end

data/lib/heimdall_tools/aws_config_mapper.rb

@@ -18,8 +18,7 @@ INSUFFICIENT_DATA_MSG = 'Not enough data has been collectd to determine complian
 #
 module HeimdallTools
   class AwsConfigMapper
-    def initialize(custom_mapping, endpoint = nil, verbose = false)
-      @verbose = verbose
+    def initialize(custom_mapping, endpoint = nil)
       @default_mapping = get_rule_mapping(AWS_CONFIG_MAPPING_FILE)
       @custom_mapping = custom_mapping.nil? ? {} : get_rule_mapping(custom_mapping)
       if endpoint.nil?
@@ -58,10 +57,10 @@ module HeimdallTools
 
       results = HeimdallDataFormat.new(
         profile_name: 'AWS Config',
-         title: 'AWS Config',
-         summary: 'AWS Config',
-         controls: controls,
-         statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
+        title: 'AWS Config',
+        summary: 'AWS Config',
+        controls: controls,
+        statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
       )
       results.to_hdf
     end

data/lib/heimdall_tools/burpsuite_mapper.rb

@@ -20,9 +20,8 @@ DEFAULT_NIST_TAG = %w{SA-11 RA-5 Rev_4}.freeze
 
 module HeimdallTools
   class BurpSuiteMapper
-    def initialize(burps_xml, _name = nil, verbose = false)
+    def initialize(burps_xml, _name = nil)
       @burps_xml = burps_xml
-      @verbose = verbose
 
       begin
         @cwe_nist_mapping = parse_mapper

data/lib/heimdall_tools/cli.rb

@@ -6,7 +6,6 @@ module HeimdallTools
     long_desc Help.text(:fortify_mapper)
     option :fvdl, required: true, aliases: '-f'
     option :output, required: true, aliases: '-o'
-    option :verbose, type: :boolean, aliases: '-V'
     def fortify_mapper
       hdf = HeimdallTools::FortifyMapper.new(File.read(options[:fvdl])).to_hdf
       File.write(options[:output], hdf)
@@ -17,7 +16,6 @@ module HeimdallTools
     option :json, required: true, aliases: '-j'
     option :name, required: true, aliases: '-n'
     option :output, required: true, aliases: '-o'
-    option :verbose, type: :boolean, aliases: '-V'
     def zap_mapper
       hdf = HeimdallTools::ZapMapper.new(File.read(options[:json]), options[:name]).to_hdf
       File.write(options[:output], hdf)
@@ -29,7 +27,6 @@ module HeimdallTools
     option :api_url, required: true, aliases: '-u'
     option :auth, type: :string, required: false
     option :output, required: true, aliases: '-o'
-    option :verbose, type: :boolean, aliases: '-V'
     def sonarqube_mapper
       hdf = HeimdallTools::SonarQubeMapper.new(options[:name], options[:api_url], options[:auth]).to_hdf
       File.write(options[:output], hdf)
@@ -39,17 +36,24 @@ module HeimdallTools
     long_desc Help.text(:burpsuite_mapper)
     option :xml, required: true, aliases: '-x'
     option :output, required: true, aliases: '-o'
-    option :verbose, type: :boolean, aliases: '-V'
     def burpsuite_mapper
       hdf = HeimdallTools::BurpSuiteMapper.new(File.read(options[:xml])).to_hdf
       File.write(options[:output], hdf)
     end
 
+    desc 'xccdf_results_mapper', 'xccdf_results_mapper translates SCAP client XCCDF-Results XML report to HDF format Json be viewed on Heimdall'
+    long_desc Help.text(:xccdf_results_mapper)
+    option :xml, required: true, aliases: '-x'
+    option :output, required: true, aliases: '-o'
+    def xccdf_results_mapper
+      hdf = HeimdallTools::XCCDFResultsMapper.new(File.read(options[:xml])).to_hdf
+      File.write(options[:output], hdf)
+    end
+
     desc 'nessus_mapper', 'nessus_mapper translates nessus xml report to HDF format Json be viewed on Heimdall'
     long_desc Help.text(:nessus_mapper)
     option :xml, required: true, aliases: '-x'
     option :output_prefix, required: true, aliases: '-o'
-    option :verbose, type: :boolean, aliases: '-V'
     def nessus_mapper
       hdfs = HeimdallTools::NessusMapper.new(File.read(options[:xml])).to_hdf
 
@@ -64,7 +68,6 @@ module HeimdallTools
     long_desc Help.text(:snyk_mapper)
     option :json, required: true, aliases: '-j'
     option :output_prefix, required: true, aliases: '-o'
-    option :verbose, type: :boolean, aliases: '-V'
     def snyk_mapper
       hdfs = HeimdallTools::SnykMapper.new(File.read(options[:json]), options[:name]).to_hdf
       puts "\r\HDF Generated:\n"
@@ -78,7 +81,6 @@ module HeimdallTools
     long_desc Help.text(:nikto_mapper)
     option :json, required: true, aliases: '-j'
     option :output, required: true, aliases: '-o'
-    option :verbose, type: :boolean, aliases: '-V'
     def nikto_mapper
       hdf = HeimdallTools::NiktoMapper.new(File.read(options[:json])).to_hdf
       File.write(options[:output], hdf)
@@ -90,7 +92,6 @@ module HeimdallTools
     long_desc Help.text(:jfrog_xray_mapper)
     option :json, required: true, aliases: '-j'
     option :output, required: true, aliases: '-o'
-    option :verbose, type: :boolean, aliases: '-V'
     def jfrog_xray_mapper
       hdf = HeimdallTools::JfrogXrayMapper.new(File.read(options[:json])).to_hdf
       File.write(options[:output], hdf)
@@ -102,7 +103,6 @@ module HeimdallTools
     long_desc Help.text(:dbprotect_mapper)
     option :xml, required: true, aliases: '-x'
     option :output, required: true, aliases: '-o'
-    option :verbose, type: :boolean, aliases: '-V'
     def dbprotect_mapper
       hdf = HeimdallTools::DBProtectMapper.new(File.read(options[:xml])).to_hdf
       File.write(options[:output], hdf)
@@ -114,7 +114,6 @@ module HeimdallTools
     long_desc Help.text(:aws_config_mapper)
     # option :custom_mapping, required: false, aliases: '-m'
     option :output, required: true, aliases: '-o'
-    option :verbose, type: :boolean, aliases: '-V'
     def aws_config_mapper
       hdf = HeimdallTools::AwsConfigMapper.new(options[:custom_mapping]).to_hdf
       File.write(options[:output], hdf)
@@ -126,7 +125,6 @@ module HeimdallTools
     long_desc Help.text(:netsparker_mapper)
     option :xml, required: true, aliases: '-x'
     option :output, required: true, aliases: '-o'
-    option :verbose, type: :boolean, aliases: '-V'
     def netsparker_mapper
       hdf = HeimdallTools::NetsparkerMapper.new(File.read(options[:xml])).to_hdf
       File.write(options[:output], hdf)
@@ -134,6 +132,29 @@ module HeimdallTools
       puts options[:output].to_s
     end
 
+    desc 'sarif_mapper', 'sarif_mapper translates a SARIF JSON file into HDF format JSON to be viewable in Heimdall'
+    long_desc Help.text(:sarif_mapper)
+    option :json, required: true, aliases: '-j'
+    option :output, required: true, aliases: '-o'
+    option :verbose, type: :boolean, aliases: '-V'
+    def sarif_mapper
+      hdf = HeimdallTools::SarifMapper.new(File.read(options[:json])).to_hdf
+      File.write(options[:output], hdf)
+      puts "\r\HDF Generated:\n"
+      puts options[:output].to_s
+    end
+
+    desc 'scoutsuite_mapper', 'scoutsuite_mapper translates Scout Suite results from Javascript to HDF-formatted JSON so as to be viewable on Heimdall'
+    long_desc Help.text(:scoutsuite_mapper)
+    option :javascript, required: true, banner: 'SCOUTSUITE-RESULTS-JS', aliases: ['-i', '--input', '-j']
+    option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o'
+    def scoutsuite_mapper
+      hdf = HeimdallTools::ScoutSuiteMapper.new(File.read(options[:javascript])).to_hdf
+      File.write(options[:output], hdf)
+      puts "\rHDF Generated:\n"
+      puts options[:output].to_s
+    end
+
     desc 'version', 'prints version'
     def version
       puts VERSION

data/lib/heimdall_tools/dbprotect_mapper.rb

@@ -12,15 +12,11 @@ IMPACT_MAPPING = {
 
 module HeimdallTools
   class DBProtectMapper
-    def initialize(xml, _name = nil, verbose = false)
-      @verbose = verbose
-
-      begin
-        dataset = xml_to_hash(xml)
-        @entries = compile_findings(dataset['dataset'])
-      rescue StandardError => e
-        raise "Invalid DBProtect XML file provided Exception: #{e};\nNote that XML must be of kind `Check Results Details`."
-      end
+    def initialize(xml, _name = nil)
+      dataset = xml_to_hash(xml)
+      @entries = compile_findings(dataset['dataset'])
+    rescue StandardError => e
+      raise "Invalid DBProtect XML file provided Exception: #{e};\nNote that XML must be of kind `Check Results Details`."
     end
 
     def to_hdf

data/lib/heimdall_tools/fortify_mapper.rb

@@ -7,9 +7,8 @@ DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
 
 module HeimdallTools
   class FortifyMapper
-    def initialize(fvdl, verbose = false)
+    def initialize(fvdl)
       @fvdl = fvdl
-      @verbose = verbose
 
       begin
         data = xml_to_hash(fvdl)
@@ -56,6 +55,7 @@ module HeimdallTools
       findings.uniq
     end
 
+    # rubocop:disable Layout/LineEndStringConcatenationIndentation
     def snippet(snippetid)
       snippet = @snippets.select { |x| x['id'].eql?(snippetid) }.first
       "\nPath: #{snippet['File']}\n" \
@@ -63,6 +63,7 @@ module HeimdallTools
       "EndLine: #{snippet['EndLine']}\n" \
       "Code:\n#{snippet['Text']['#cdata-section'].strip}" \
     end
+    # rubocop:enable Layout/LineEndStringConcatenationIndentation
 
     def nist_tag(rule)
       references = rule['References']['Reference']

data/lib/heimdall_tools/help/sarif_mapper.md

@@ -0,0 +1,12 @@
+  sarif_mapper translates a SARIF JSON file into HDF format JSON to be viewable in Heimdall
+
+SARIF level to HDF impact Mapping:
+  SARIF level error -> HDF impact 0.7
+  SARIF level warning -> HDF impact 0.5
+  SARIF level note -> HDF impact 0.3
+  SARIF level none -> HDF impact 0.1
+  SARIF level not provided -> HDF impact 0.1 as default
+
+Examples:
+
+  heimdall_tools sarif_mapper [OPTIONS] -j <sarif-results-json> -o <hdf-scan-results.json>

data/lib/heimdall_tools/help/scoutsuite_mapper.md

@@ -0,0 +1,7 @@
+  scoutsuite_mapper translates Scout Suite results from Javascript to HDF-formatted JSON so as to be viewable on Heimdall
+
+  Note: Currently this mapper only supports AWS.
+
+Examples:
+
+  heimdall_tools scoutsuite_mapper -i <scoutsuite-results-js> -o <hdf-scan-results-json>

data/lib/heimdall_tools/jfrog_xray_mapper.rb

@@ -27,9 +27,8 @@ end
 
 module HeimdallTools
   class JfrogXrayMapper
-    def initialize(xray_json, _name = nil, verbose = false)
+    def initialize(xray_json, _name = nil)
       @xray_json = xray_json
-      @verbose = verbose
 
       begin
         @cwe_nist_mapping = parse_mapper

data/lib/heimdall_tools/nessus_mapper.rb

@@ -25,8 +25,6 @@ DEFAULT_NIST_REV = 'Rev_4'.freeze
 
 NA_PLUGIN_OUTPUT = 'This Nessus Plugin does not provide output message.'.freeze
 
-# rubocop:disable Metrics/AbcSize
-
 # Loading spinner sign
 $spinner = Enumerator.new do |e|
   loop do
@@ -39,9 +37,8 @@ end
 
 module HeimdallTools
   class NessusMapper
-    def initialize(nessus_xml, verbose = false)
+    def initialize(nessus_xml)
       @nessus_xml = nessus_xml
-      @verbose = verbose
       read_cci_xml
       begin
         @cwe_nist_mapping = parse_mapper
@@ -72,7 +69,8 @@ module HeimdallTools
       info = {}
 
       info['policyName'] = policy['policyName']
-      info['version'] = policy['Preferences']['ServerPreferences']['preference'].select { |x| x['name'].eql? 'sc_version' }.first['value']
+      scanner_version = policy['Preferences']['ServerPreferences']['preference'].select { |x| x['name'].eql? 'sc_version' }
+      info['version'] = scanner_version.empty? ? NA_STRING : scanner_version.first['value']
       info
     rescue StandardError => e
       raise "Invalid Nessus XML file provided Exception: #{e}"
@@ -221,8 +219,12 @@ module HeimdallTools
           end
           if item['compliance-reference']
             @item['tags']['nist']     = cci_nist_tag(parse_refs(item['compliance-reference'], 'CCI'))
+            @item['tags']['cci']      = parse_refs(item['compliance-reference'], 'CCI')
+            @item['tags']['rid']      = parse_refs(item['compliance-reference'], 'Rule-ID').join(',')
+            @item['tags']['stig_id']  = parse_refs(item['compliance-reference'], 'STIG-ID').join(',')
           else
             @item['tags']['nist']     = plugin_nist_tag(item['pluginFamily'], item['pluginID'])
+            @item['tags']['rid']      = item['pluginID'].to_s
           end
           if item['compliance-solution']
             @item['descriptions']       << desc_tags(item['compliance-solution'], 'check')

data/lib/heimdall_tools/netsparker_mapper.rb

@@ -21,19 +21,15 @@ DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
 
 module HeimdallTools
   class NetsparkerMapper
-    def initialize(xml, _name = nil, verbose = false)
-      @verbose = verbose
-
-      begin
-        @cwe_nist_mapping = parse_mapper(CWE_NIST_MAPPING_FILE)
-        @owasp_nist_mapping = parse_mapper(OWASP_NIST_MAPPING_FILE)
-        data = xml_to_hash(xml)
-
-        @vulnerabilities = data['netsparker-enterprise']['vulnerabilities']['vulnerability']
-        @scan_info = data['netsparker-enterprise']['target']
-      rescue StandardError => e
-        raise "Invalid Netsparker XML file provided Exception: #{e}"
-      end
+    def initialize(xml, _name = nil)
+      @cwe_nist_mapping = parse_mapper(CWE_NIST_MAPPING_FILE)
+      @owasp_nist_mapping = parse_mapper(OWASP_NIST_MAPPING_FILE)
+      data = xml_to_hash(xml)
+
+      @vulnerabilities = data['netsparker-enterprise']['vulnerabilities']['vulnerability']
+      @scan_info = data['netsparker-enterprise']['target']
+    rescue StandardError => e
+      raise "Invalid Netsparker XML file provided Exception: #{e}"
     end
 
     def to_hdf