heimdall_tools 1.3.43 → 1.3.48

data/lib/heimdall_tools/nikto_mapper.rb

@@ -26,9 +26,8 @@ end
 
 module HeimdallTools
   class NiktoMapper
-    def initialize(nikto_json, _name = nil, verbose = false)
+    def initialize(nikto_json, _name = nil)
       @nikto_json = nikto_json
-      @verbose = verbose
 
       begin
         @nikto_nist_mapping = parse_mapper

data/lib/heimdall_tools/sarif_mapper.rb

@@ -0,0 +1,198 @@
+require 'json'
+require 'csv'
+require 'heimdall_tools/hdf'
+
+RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
+
+CWE_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'cwe-nist-mapping.csv')
+
+IMPACT_MAPPING = {
+  error: 0.7,
+  warning: 0.5,
+  note: 0.3,
+  none: 0.0
+}.freeze
+
+DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
+
+# Loading spinner sign
+$spinner = Enumerator.new do |e|
+  loop do
+    e.yield '|'
+    e.yield '/'
+    e.yield '-'
+    e.yield '\\'
+  end
+end
+
+module HeimdallTools
+  class SarifMapper
+    def initialize(sarif_json, _name = nil, verbose = false)
+      @sarif_json = sarif_json
+      @verbose = verbose
+      begin
+        @cwe_nist_mapping = parse_mapper
+        @sarif_log = JSON.parse(@sarif_json)
+      rescue StandardError => e
+        raise "Invalid SARIF JSON file provided\n\nException: #{e}"
+      end
+    end
+
+    def extract_scaninfo(sarif_log)
+      info = {}
+      begin
+        info['policy'] = 'SARIF'
+        info['version'] = sarif_log['version']
+        info['projectName'] = 'Static Analysis Results Interchange Format'
+        info['summary'] = NA_STRING
+        info
+      rescue StandardError => e
+        raise "Error extracting project info from SARIF JSON file provided Exception: #{e}"
+      end
+    end
+
+    def finding(result)
+      finding = {}
+      finding['status'] = 'failed'
+      finding['code_desc'] = ''
+      if get_location(result)['uri']
+        finding['code_desc'] += " URL : #{get_location(result)['uri']}"
+      end
+      if get_location(result)['start_line']
+        finding['code_desc'] += " LINE : #{get_location(result)['start_line']}"
+      end
+      if get_location(result)['start_column']
+        finding['code_desc'] += " COLUMN : #{get_location(result)['start_column']}"
+      end
+      finding['code_desc'].strip!
+      finding['run_time'] = NA_FLOAT
+      finding['start_time'] = NA_STRING
+      finding
+    end
+
+    def add_nist_tag_from_cwe(cweid, taxonomy_name, tags_node)
+      entries = @cwe_nist_mapping.select { |x| cweid.include?(x[:cweid].to_s) && !x[:nistid].nil? }
+      tags = entries.map { |x| x[:nistid] }
+      result_tags = tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
+      if result_tags.count.positive?
+        if !tags_node
+          tags_node = {}
+        end
+        if !tags_node.key?(taxonomy_name)
+          tags_node[taxonomy_name] = []
+        end
+        result_tags.each do |t|
+          tags_node[taxonomy_name] |= [t]
+        end
+      end
+      tags_node
+    end
+
+    def get_location(result)
+      location_info = {}
+      location_info['uri'] = result.dig('locations', 0, 'physicalLocation', 'artifactLocation', 'uri')
+      location_info['start_line'] = result.dig('locations', 0, 'physicalLocation', 'region', 'startLine')
+      location_info['start_column'] = result.dig('locations', 0, 'physicalLocation', 'region', 'startColumn')
+      location_info
+    end
+
+    def get_rule_info(run, result, rule_id)
+      finding = {}
+      driver = run.dig('tool', 'driver')
+      finding['driver_name'] = driver['name']
+      finding['driver_version'] = driver['version']
+      rules = driver['rules']
+      if rules
+        rule = rules.find { |x| x['id'].eql?(rule_id) }
+        if rule
+          finding['rule_name'] = rule&.[]('name')
+          finding['rule_short_description'] = rule&.[]('shortDescription')&.[]('text')
+          finding['rule_tags'] = get_tags(rule)
+          finding['rule_name'] = rule&.[]('messageStrings')&.[]('default')&.[]('text') unless finding['rule_name']
+        end
+      end
+      finding['rule_name'] = result&.[]('message')&.[]('text') unless finding['rule_name']
+      finding
+    end
+
+    def get_tags(rule)
+      result = {}
+      Array(rule&.[]('relationships')).each do |relationship|
+        taxonomy_name = relationship['target']['toolComponent']['name'].downcase
+        taxonomy_id = relationship['target']['id']
+        if !result.key?(taxonomy_name)
+          result[taxonomy_name] = []
+        end
+        result[taxonomy_name] |= [taxonomy_id]
+      end
+      result
+    end
+
+    def parse_identifiers(rule_tags, ref)
+      # Extracting id number from reference style CWE-297
+      rule_tags[ref.downcase].map { |e| e.downcase.split("#{ref.downcase}-")[1] }
+    rescue StandardError
+      []
+    end
+
+    def impact(severity)
+      severity_mapping = IMPACT_MAPPING[severity.to_sym]
+      severity_mapping.nil? ? 0.1 : severity_mapping
+    end
+
+    def parse_mapper
+      csv_data = CSV.read(CWE_NIST_MAPPING_FILE, **{ encoding: 'UTF-8',
+                                                   headers: true,
+                                                   header_converters: :symbol,
+                                                   converters: :all })
+      csv_data.map(&:to_hash)
+    end
+
+    def desc_tags(data, label)
+      { data: data || NA_STRING, label: label || NA_STRING }
+    end
+
+    def process_item(run, result, controls)
+      printf("\rProcessing: %s", $spinner.next)
+      control = controls.find { |x| x['id'].eql?(result['ruleId']) }
+
+      if control
+        control['results'] << finding(result)
+      else
+        rule_info = get_rule_info(run, result, result['ruleId'])
+        item = {}
+        item['tags']               = rule_info['rule_tags']
+        item['descriptions']       = []
+        item['refs']               = NA_ARRAY
+        item['source_location']    = { ref: get_location(result)['uri'], line: get_location(result)['start_line'] }
+        item['descriptions']       = NA_ARRAY
+        item['title']              = rule_info['rule_name'].to_s
+        item['id']                 = result['ruleId'].to_s
+        item['desc']               = rule_info['rule_short_description'].to_s
+        item['impact']             = impact(result['level'].to_s)
+        item['code']               = NA_STRING
+        item['results']            = [finding(result)]
+        item['tags']               = add_nist_tag_from_cwe(parse_identifiers(rule_info['rule_tags'], 'CWE'), 'nist', item['tags'])
+        controls << item
+      end
+    end
+
+    def to_hdf
+      controls = []
+      @sarif_log['runs'].each do |run|
+        run['results'].each do |result|
+          process_item(run, result, controls)
+        end
+      end
+
+      scaninfo = extract_scaninfo(@sarif_log)
+      results = HeimdallDataFormat.new(profile_name: scaninfo['policy'],
+                                       version: scaninfo['version'],
+                                       title: scaninfo['projectName'],
+                                       summary: scaninfo['summary'],
+                                       controls: controls,
+                                       target_id: scaninfo['projectName'])
+      results.to_hdf
+    end
+  end
+end

data/lib/heimdall_tools/scoutsuite_mapper.rb

@@ -0,0 +1,180 @@
+require 'json'
+require 'csv'
+require 'heimdall_tools/hdf'
+
+RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
+
+SCOUTSUITE_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'scoutsuite-nist-mapping.csv')
+
+IMPACT_MAPPING = {
+  danger: 0.7,
+  warning: 0.5
+}.freeze
+
+DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
+
+INSPEC_INPUTS_MAPPING = {
+  string: 'String',
+  numeric: 'Numeric',
+  regexp: 'Regexp',
+  array: 'Array',
+  hash: 'Hash',
+  boolean: 'Boolean',
+  any: 'Any'
+}.freeze
+
+# Loading spinner sign
+$spinner = Enumerator.new do |e|
+  loop do
+    e.yield '|'
+    e.yield '/'
+    e.yield '-'
+    e.yield '\\'
+  end
+end
+
+module HeimdallTools
+  # currently only tested against an AWS based result, but ScoutSuite supports many other cloud providers such as Azure
+  class ScoutSuiteMapper
+    def initialize(scoutsuite_js)
+      begin
+        @scoutsuite_nist_mapping = parse_mapper
+      rescue StandardError => e
+        raise "Invalid Scout Suite to NIST mapping file:\nException: #{e}"
+      end
+
+      begin
+        @scoutsuite_json = scoutsuite_js.lines[1] # first line is `scoutsuite_results =\n` and second line is json
+        @report = JSON.parse(@scoutsuite_json)
+      rescue StandardError => e
+        raise "Invalid Scout Suite JavaScript file provided:\nException: #{e}"
+      end
+    end
+
+    def parse_mapper
+      csv_data = CSV.read(SCOUTSUITE_NIST_MAPPING_FILE, { encoding: 'UTF-8', headers: true, header_converters: :symbol })
+      csv_data.map(&:to_hash)
+    end
+
+    def create_attribute(name, value, required = nil, sensitive = nil, type = nil)
+      { name: name, options: { value: value, required: required, sensitive: sensitive, type: type }.compact }
+    end
+
+    def extract_scaninfo(report)
+      info = {}
+      begin
+        info['name'] = 'Scout Suite Multi-Cloud Security Auditing Tool'
+        info['version'] = report['last_run']['version']
+        info['title'] = "Scout Suite Report using #{report['last_run']['ruleset_name']} ruleset on #{report['provider_name']} with account #{report['account_id']}"
+        info['target_id'] = "#{report['last_run']['ruleset_name']} ruleset:#{report['provider_name']}:#{report['account_id']}"
+        info['summary'] = report['last_run']['ruleset_about']
+        info['attributes'] = [
+          create_attribute('account_id', report['account_id'], true, false, INSPEC_INPUTS_MAPPING[:string]),
+          create_attribute('environment', report['environment']),
+          create_attribute('ruleset', report['ruleset_name']),
+          # think at least these run_parameters are aws only
+          create_attribute('run_parameters_excluded_regions', report['last_run']['run_parameters']['excluded_regions'].join(', ')),
+          create_attribute('run_parameters_regions', report['last_run']['run_parameters']['regions'].join(', ')),
+          create_attribute('run_parameters_services', report['last_run']['run_parameters']['services'].join(', ')),
+          create_attribute('run_parameters_skipped_services', report['last_run']['run_parameters']['skipped_services'].join(', ')),
+          create_attribute('time', report['last_run']['time']),
+          create_attribute('partition', report['partition']), # think this is aws only
+          create_attribute('provider_code', report['provider_code']),
+          create_attribute('provider_name', report['provider_name']),
+        ]
+
+        info
+      rescue StandardError => e
+        raise "Error extracting report info from Scout Suite JS->JSON file:\nException: #{e}"
+      end
+    end
+
+    def nist_tag(rule)
+      entries = @scoutsuite_nist_mapping.select { |x| rule.eql?(x[:rule].to_s) && !x[:nistid].nil? }
+      tags = entries.map { |x| x[:nistid].split('|') }
+      tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
+    end
+
+    def impact(severity)
+      IMPACT_MAPPING[severity.to_sym]
+    end
+
+    def desc_tags(data, label)
+      { data: data || NA_STRING, label: label || NA_STRING }
+    end
+
+    def findings(details)
+      finding = {}
+      if (details['checked_items']).zero?
+        finding['status'] = 'skipped'
+        finding['skip_message'] = 'Skipped because no items were checked'
+      elsif (details['flagged_items']).zero?
+        finding['status'] = 'passed'
+        finding['message'] = "0 flagged items out of #{details['checked_items']} checked items"
+      else # there are checked items and things were flagged
+        finding['status'] = 'failed'
+        finding['message'] = "#{details['flagged_items']} flagged items out of #{details['checked_items']} checked items:\n#{details['items'].join("\n")}"
+      end
+      finding['code_desc'] = details['description']
+      finding['start_time'] = @report['last_run']['time']
+      [finding]
+    end
+
+    def compliance(arr)
+      str = 'Compliant with '
+      arr.map do |val|
+        info = "#{val['name']}, reference #{val['reference']}, version #{val['version']}"
+        str + info
+      end.join("\n")
+    end
+
+    def to_hdf
+      controls = []
+      @report['services'].each_key do |service|
+        @report['services'][service]['findings'].each_key do |finding|
+          printf("\rProcessing: %s", $spinner.next)
+
+          finding_id = finding
+          finding_details = @report['services'][service]['findings'][finding]
+
+          item = {}
+          item['id']                 = finding_id
+          item['title']              = finding_details['description']
+
+          item['tags']               = { nist: nist_tag(finding_id) }
+
+          item['impact']             = impact(finding_details['level'])
+
+          item['desc']               = finding_details['rationale']
+
+          item['descriptions']       = []
+          item['descriptions']       << desc_tags(finding_details['remediation'], 'fix') unless finding_details['remediation'].nil?
+          item['descriptions']       << desc_tags(finding_details['service'], 'service')
+          item['descriptions']       << desc_tags(finding_details['path'], 'path')
+          item['descriptions']       << desc_tags(finding_details['id_suffix'], 'id_suffix')
+
+          item['refs']               = []
+          item['refs']               += finding_details['references'].map { |link| { url: link } } unless finding_details['references'].nil? || finding_details['references'].empty?
+          item['refs']               << { ref: compliance(finding_details['compliance']) } unless finding_details['compliance'].nil?
+
+          item['source_location']    = NA_HASH
+          item['code']               = NA_STRING
+
+          item['results']            = findings(finding_details)
+
+          controls << item
+        end
+      end
+
+      scaninfo = extract_scaninfo(@report)
+      results = HeimdallDataFormat.new(profile_name: scaninfo['name'],
+                                       version: scaninfo['version'],
+                                       title: scaninfo['title'],
+                                       summary: scaninfo['summary'],
+                                       controls: controls,
+                                       target_id: scaninfo['target_id'],
+                                       attributes: scaninfo['attributes'])
+      results.to_hdf
+    end
+  end
+end

data/lib/heimdall_tools/snyk_mapper.rb

@@ -29,9 +29,8 @@ end
 
 module HeimdallTools
   class SnykMapper
-    def initialize(synk_json, _name = nil, verbose = false)
+    def initialize(synk_json, _name = nil)
       @synk_json = synk_json
-      @verbose = verbose
 
       begin
         @cwe_nist_mapping = parse_mapper

data/lib/heimdall_tools/sonarqube_mapper.rb

@@ -158,7 +158,11 @@ class Control
   # OWASP is stated specifically, ex owasp-a1
   #
   # SonarQube is inconsistent with tags (ex some cwe rules don't have cwe number in desc,) as noted below
-  TAG_DATA = {}.freeze # NOTE: We count on Ruby to preserve order for TAG_DATA
+
+  # rubocop:disable Style/MutableConstant
+  TAG_DATA = {} # NOTE: We count on Ruby to preserve order for TAG_DATA
+  # rubocop:enable Style/MutableConstant
+
   TAG_DATA[:cwe] = {
     # Some rules with cwe tag don't have cwe number in description!
     # Currently only squid:S2658, but it has OWASP tag so we can use that.

data/lib/heimdall_tools/xccdf_results_mapper.rb

@@ -0,0 +1,161 @@
+require 'json'
+require 'csv'
+require 'heimdall_tools/hdf'
+require 'utilities/xml_to_hash'
+require 'nokogiri'
+
+RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
+
+# XCCDF mapping for converting SCAP client (SCC or OpenSCAP) outputs to HDF
+# SCC output from the RHEL7 Lockdown image was used for testing
+
+U_CCI_LIST =   File.join(RESOURCE_DIR, 'U_CCI_List.xml')
+
+IMPACT_MAPPING = {
+  critical: 0.9,
+  high: 0.7,
+  medium: 0.5,
+  low: 0.3,
+  na: 0.0
+}.freeze
+
+# severity maps to high, medium, low with weights all being 10.0 from the xml
+# it doesn't really look like SCAP or SCC cares about that value, just if its high, med, or low
+
+CWE_REGEX = 'CWE-(\d*):'.freeze
+CCI_REGEX = 'CCI-(\d*)'.freeze
+
+DEFAULT_NIST_TAG = %w{SA-11 RA-5 Rev_4}.freeze
+
+module HeimdallTools
+  class XCCDFResultsMapper
+    def initialize(scap_xml, _name = nil)
+      @scap_xml = scap_xml
+      read_cci_xml
+      begin
+        data = xml_to_hash(scap_xml)
+        @results = data['Benchmark']['TestResult']
+        @benchmarks = data['Benchmark']
+        @groups = data['Benchmark']['Group']
+      rescue StandardError => e
+        raise "Invalid SCAP Client XCCDF output XML file provided Exception: #{e}"
+      end
+    end
+
+    # change for pass/fail based on output Benchmark.rule
+    # Pass/Fail are the only two options included in the output file
+    def finding(issue, count)
+      finding = {}
+      finding['status'] = issue['rule-result'][count]['result'].to_s
+      if finding['status'] == 'pass'
+        finding['status'] = 'passed'
+      end
+      if finding['status'] == 'fail'
+        finding['status'] = 'failed'
+      end
+      finding['code_desc']      = NA_STRING
+      finding['run_time']       = NA_FLOAT
+      finding['start_time']     = issue['start-time']
+      finding['message']        = NA_STRING
+      finding['resource_class'] = NA_STRING
+      [finding]
+    end
+
+    def read_cci_xml
+      @cci_xml = Nokogiri::XML(File.open(U_CCI_LIST))
+      @cci_xml.remove_namespaces!
+    rescue StandardError => e
+      puts "Exception: #{e.message}"
+    end
+
+    def cci_nist_tag(cci_refs)
+      nist_tags = []
+      cci_refs.each do |cci_ref|
+        item_node = @cci_xml.xpath("//cci_list/cci_items/cci_item[@id='#{cci_ref}']")[0] unless @cci_xml.nil?
+        unless item_node.nil?
+          nist_ref = item_node.xpath('./references/reference[not(@version <= preceding-sibling::reference/@version) and not(@version <=following-sibling::reference/@version)]/@index').text
+        end
+        nist_tags << nist_ref
+      end
+      nist_tags
+    end
+
+    def get_impact(severity)
+      IMPACT_MAPPING[severity.to_sym]
+    end
+
+    def parse_refs(refs)
+      refs.map { |ref| ref['text'] if ref['text'].match?(CCI_REGEX) }.reject!(&:nil?)
+    end
+
+    # Clean up output by removing the Satsifies block and the end of the description
+    def satisfies_parse(satisf)
+      temp_satisf = satisf.match('Satisfies: ([^;]*)<\/VulnDiscussion>')
+      return temp_satisf[1].split(',') unless temp_satisf.nil?
+
+      NA_ARRAY
+    end
+
+    def desc_tags(data, label)
+      { data: data || NA_STRING, label: label || NA_STRING }
+    end
+
+    def collapse_duplicates(controls)
+      unique_controls = []
+
+      controls.map { |x| x['id'] }.uniq.each do |id|
+        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map { |x| x['results'] }
+        unique_control = controls.find { |x| x['id'].eql?(id) }
+        unique_control['results'] = collapsed_results.flatten
+        unique_controls << unique_control
+      end
+      unique_controls
+    end
+
+    def to_hdf
+      controls = []
+      @groups.each_with_index do |group, i|
+        @item = {}
+        @item['id'] = group['Rule']['id'].split('.').last.split('_').drop(2).first.split('r').first.split('S')[1]
+        @item['title']               = group['Rule']['title'].to_s
+        @item['desc']                = group['Rule']['description'].to_s.split('Satisfies').first
+        @item['descriptions']		 = []
+        @item['descriptions']		 << desc_tags(group['Rule']['description'], 'default')
+        @item['descriptions']		 << desc_tags('NA', 'rationale')
+        @item['descriptions']		 << desc_tags(group['Rule']['check']['check-content-ref']['name'], 'check')
+        @item['descriptions']		 << desc_tags(group['Rule']['fixtext']['text'], 'fix')
+        @item['impact']				 = get_impact(group['Rule']['severity'])
+        @item['refs']				 = NA_ARRAY
+        @item['tags']				 = {}
+        @item['tags']['severity']    = nil
+        @item['tags']['gtitle']      = group['title']
+        @item['tags']['satisfies']   = satisfies_parse(group['Rule']['description'])
+        @item['tags']['gid']         = group['Rule']['id'].split('.').last.split('_').drop(2).first.split('r').first
+        @item['tags']['legacy_id']   = group['Rule']['ident'][2]['text']
+        @item['tags']['rid']         = group['Rule']['ident'][1]['text']
+        @item['tags']['stig_id']     = @benchmarks['id']
+        @item['tags']['fix_id']      = group['Rule']['fix']['id']
+        @item['tags']['cci']         = parse_refs(group['Rule']['ident'])
+        @item['tags']['nist']        = cci_nist_tag(@item['tags']['cci'])
+        @item['code']                = NA_STRING
+        @item['source_location'] = NA_HASH
+        # results were in another location and using the top block "Benchmark" as a starting point caused odd issues. This works for now for the results.
+        @item['results'] = finding(@results, i)
+        controls << @item
+      end
+
+      controls = collapse_duplicates(controls)
+      results = HeimdallDataFormat.new(profile_name: @benchmarks['id'],
+                                       version: @benchmarks['style'],
+                                       duration: NA_FLOAT,
+                                       title: @benchmarks['title'],
+                                       maintainer: @benchmarks['reference']['publisher'],
+                                       summary: @benchmarks['description'],
+                                       license: @benchmarks['notice']['id'],
+                                       copyright: @benchmarks['metadata']['creator'],
+                                       copyright_email: 'disa.stig_spt@mail.mil',
+                                       controls: controls)
+      results.to_hdf
+    end
+  end
+end