heimdall_tools 1.3.45 → 1.3.49

data/lib/data/scoutsuite-nist-mapping.csv

@@ -0,0 +1,140 @@
+rule,nistid
+acm-certificate-with-close-expiration-date,SC-12
+acm-certificate-with-transparency-logging-disabled,SC-12
+cloudformation-stack-with-role,AC-6
+cloudtrail-duplicated-global-services-logging,AU-6
+cloudtrail-no-cloudwatch-integration,AU-12|SI-4(2)
+cloudtrail-no-data-logging,AU-12
+cloudtrail-no-encryption-with-kms,AU-6
+cloudtrail-no-global-services-logging,AU-12
+cloudtrail-no-log-file-validation,AU-6
+cloudtrail-no-logging,AU-12
+cloudtrail-not-configured,AU-12
+cloudwatch-alarm-without-actions,AU-12
+config-recorder-not-configured,CM-8|CM-8(2)|CM-8(6)
+ec2-ami-public,AC-3
+ec2-default-security-group-in-use,AC-3(3)
+ec2-default-security-group-with-rules,AC-3(3)
+ec2-ebs-snapshot-not-encrypted,SC-28
+ec2-ebs-snapshot-public,AC-3
+ec2-ebs-volume-not-encrypted,SC-28
+ec2-instance-in-security-group,CM-7(1)
+ec2-instance-type,CM-2
+ec2-instance-types,CM-2
+ec2-instance-with-public-ip,AC-3
+ec2-instance-with-user-data-secrets,AC-3
+ec2-security-group-opens-all-ports,CM-7(1)
+ec2-security-group-opens-all-ports-to-all,CM-7(1)
+ec2-security-group-opens-all-ports-to-self,CM-7(1)
+ec2-security-group-opens-icmp-to-all,CM-7(1)
+ec2-security-group-opens-known-port-to-all,CM-7(1)
+ec2-security-group-opens-plaintext-port,CM-7(1)
+ec2-security-group-opens-port-range,CM-7(1)
+ec2-security-group-opens-port-to-all,CM-7(1)
+ec2-security-group-whitelists-aws,CM-7(1)
+ec2-security-group-whitelists-aws-ip-from-banned-region,CM-7(1)
+ec2-security-group-whitelists-non-elastic-ips,CM-7(1)
+ec2-security-group-whitelists-unknown-aws,CM-7(1)
+ec2-security-group-whitelists-unknown-cidrs,CM-7(1)
+ec2-unused-security-group,CM-7(1)
+elb-listener-allowing-cleartext,SC-8
+elb-no-access-logs,AU-12
+elb-older-ssl-policy,SC-8
+elbv2-http-request-smuggling,SC-8
+elbv2-listener-allowing-cleartext,SC-8
+elbv2-no-access-logs,AU-12
+elbv2-no-deletion-protection,SI-7
+elbv2-older-ssl-policy,SC-8
+iam-assume-role-lacks-external-id-and-mfa,AC-17
+iam-assume-role-no-mfa,AC-6
+iam-assume-role-policy-allows-all,AC-6
+iam-ec2-role-without-instances,AC-6
+iam-group-with-inline-policies,AC-6
+iam-group-with-no-users,AC-6
+iam-human-user-with-policies,AC-6
+iam-inline-policy-allows-non-sts-action,AC-6
+iam-inline-policy-allows-NotActions,AC-6
+iam-inline-policy-for-role,AC-6
+iam-managed-policy-allows-full-privileges,AC-6
+iam-managed-policy-allows-non-sts-action,AC-6
+iam-managed-policy-allows-NotActions,AC-6
+iam-managed-policy-for-role,AC-6
+iam-managed-policy-no-attachments,AC-6
+iam-no-support-role,IR-7
+iam-password-policy-expiration-threshold,AC-2
+iam-password-policy-minimum-length,AC-2
+iam-password-policy-no-expiration,AC-2
+iam-password-policy-no-lowercase-required,AC-2
+iam-password-policy-no-number-required,AC-2
+iam-password-policy-no-symbol-required,AC-2
+iam-password-policy-no-uppercase-required,AC-2
+iam-password-policy-reuse-enabled,IA-5(1)
+iam-role-with-inline-policies,AC-6
+iam-root-account-no-hardware-mfa,IA-2(1)
+iam-root-account-no-mfa,IA-2(1)
+iam-root-account-used-recently,AC-6(9)
+iam-root-account-with-active-certs,AC-6(9)
+iam-root-account-with-active-keys,AC-6(9)
+iam-service-user-with-password,AC-2
+iam-unused-credentials-not-disabled,AC-2
+iam-user-no-key-rotation,AC-2
+iam-user-not-in-category-group,AC-2
+iam-user-not-in-common-group,AC-2
+iam-user-unused-access-key-initial-setup,AC-2
+iam-user-with-multiple-access-keys,IA-2
+iam-user-without-mfa,IA-2(1)
+iam-user-with-password-and-key,IA-2
+iam-user-with-policies,AC-2
+kms-cmk-rotation-disabled,SC-12
+logs-no-alarm-aws-configuration-changes,CM-8|CM-8(2)|CM-8(6)
+logs-no-alarm-cloudtrail-configuration-changes,AU-6
+logs-no-alarm-cmk-deletion,AC-2
+logs-no-alarm-console-authentication-failures,AC-2
+logs-no-alarm-iam-policy-changes,AC-2
+logs-no-alarm-nacl-changes,CM-6(2)
+logs-no-alarm-network-gateways-changes,AU-12|CM-6(2)
+logs-no-alarm-root-usage,AU-2
+logs-no-alarm-route-table-changes,AU-12|CM-6(2)
+logs-no-alarm-s3-policy-changes,AC-6|AU-12
+logs-no-alarm-security-group-changes,AC-2(4)
+logs-no-alarm-signin-without-mfa,AC-2
+logs-no-alarm-unauthorized-api-calls,AU-6|SI-4(2)
+logs-no-alarm-vpc-changes,CM-6(1)
+rds-instance-backup-disabled,CP-9
+rds-instance-ca-certificate-deprecated,SC-12
+rds-instance-no-minor-upgrade,SI-2
+rds-instance-short-backup-retention-period,CP-9
+rds-instance-single-az,CP-7
+rds-instance-storage-not-encrypted,SC-28
+rds-postgres-instance-with-invalid-certificate,SC-12
+rds-security-group-allows-all,CM-7(1)
+rds-snapshot-public,SC-28
+redshift-cluster-database-not-encrypted,SC-28
+redshift-cluster-no-version-upgrade,SI-2
+redshift-cluster-publicly-accessible,AC-3
+redshift-parameter-group-logging-disabled,AU-12
+redshift-parameter-group-ssl-not-required,SC-8
+redshift-security-group-whitelists-all,CM-7(1)
+route53-domain-no-autorenew,SC-2
+route53-domain-no-transferlock,SC-2
+route53-domain-transferlock-not-authorized,SC-2
+s3-bucket-allowing-cleartext,SC-28
+s3-bucket-no-default-encryption,SC-28
+s3-bucket-no-logging,AU-2|AU-12
+s3-bucket-no-mfa-delete,SI-7
+s3-bucket-no-versioning,SI-7
+s3-bucket-world-acl,AC-3(3)
+s3-bucket-world-policy-arg,AC-3(3)
+s3-bucket-world-policy-star,AC-3(3)
+ses-identity-dkim-not-enabled,SC-23
+ses-identity-dkim-not-verified,SC-23
+ses-identity-world-policy,AC-6
+sns-topic-world-policy,AC-6
+sqs-queue-world-policy,AC-6
+vpc-custom-network-acls-allow-all,SC-7
+vpc-default-network-acls-allow-all,SC-7
+vpc-network-acl-not-used,SC-7
+vpc-routing-tables-with-peering,AC-3(3)
+vpc-subnet-with-bad-acls,SC-7
+vpc-subnet-with-default-acls,SC-7
+vpc-subnet-without-flow-log,AU-12

data/lib/heimdall_tools/asff_compatible_products/firewall_manager.rb

@@ -0,0 +1,11 @@
+module HeimdallTools
+  class FirewallManager
+    def self.finding_id(finding, *, encode:, **)
+      encode.call(finding['Title'])
+    end
+
+    def self.product_name(findings, *, encode:, **)
+      encode.call("#{findings[0]['ProductFields']['aws/securityhub/CompanyName']} #{findings[0]['ProductFields']['aws/securityhub/ProductName']}")
+    end
+  end
+end

data/lib/heimdall_tools/asff_compatible_products/prowler.rb

@@ -0,0 +1,19 @@
+module HeimdallTools
+  class Prowler
+    def self.subfindings_code_desc(finding, *, encode:, **)
+      encode.call(finding['Description'])
+    end
+
+    def self.finding_id(finding, *, encode:, **)
+      encode.call(finding['GeneratorId'].partition('-')[-1])
+    end
+
+    def self.product_name(findings, *, encode:, **)
+      encode.call(findings[0]['ProductFields']['ProviderName'])
+    end
+
+    def self.desc(*, **)
+      ' '
+    end
+  end
+end

data/lib/heimdall_tools/asff_compatible_products/securityhub.rb

@@ -0,0 +1,89 @@
+require 'csv'
+require 'json'
+
+module HeimdallTools
+  class SecurityHub
+    private_class_method def self.corresponding_control(controls, finding)
+      controls.find { |c| c['StandardsControlArn'] == finding['ProductFields']['StandardsControlArn'] }
+    end
+
+    def self.supporting_docs(standards:)
+      begin
+        controls = standards.nil? ? nil : standards.map { |s| JSON.parse(s)['Controls'] }.flatten
+      rescue StandardError => e
+        raise "Invalid supporting docs for Security Hub:\nException: #{e}"
+      end
+
+      begin
+        resource_dir = Pathname.new(__FILE__).join('../../../data')
+        aws_config_mapping_file = File.join(resource_dir, 'aws-config-mapping.csv')
+        aws_config_mapping = CSV.read(aws_config_mapping_file, { encoding: 'UTF-8', headers: true, header_converters: :symbol }).map(&:to_hash)
+      rescue StandardError => e
+        raise "Invalid AWS Config mapping file:\nException: #{e}"
+      end
+
+      { controls: controls, aws_config_mapping: aws_config_mapping }
+    end
+
+    def self.finding_id(finding, *, encode:, controls: nil, **)
+      ret = if !controls.nil? && !(control = corresponding_control(controls, finding)).nil?
+              control['ControlId']
+            elsif finding['ProductFields'].member?('ControlId') # check if aws
+              finding['ProductFields']['ControlId']
+            elsif finding['ProductFields'].member?('RuleId') # check if cis
+              finding['ProductFields']['RuleId']
+            else
+              finding['GeneratorId'].split('/')[-1]
+            end
+      encode.call(ret)
+    end
+
+    def self.finding_impact(finding, *, controls: nil, **)
+      if !controls.nil? && !(control = corresponding_control(controls, finding)).nil?
+        imp = control['SeverityRating'].to_sym
+      else
+        # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred.  other values can be in here too such as the original severity rating.
+        imp = finding['Severity'].key?('Label') ? finding['Severity']['Label'].to_sym : finding['Severity']['Normalized']/100.0
+        # securityhub asff file does not contain accurate severity information by setting things that shouldn't be informational to informational: when additional context, i.e. standards, is not provided, set informational to medium.
+        imp = :MEDIUM if imp.is_a?(Symbol) && imp == :INFORMATIONAL
+      end
+      imp
+    end
+
+    def self.finding_nist_tag(finding, *, aws_config_mapping:, **)
+      return {} unless finding['ProductFields']['RelatedAWSResources:0/type'] == 'AWS::Config::ConfigRule'
+
+      entries = aws_config_mapping.select { |rule| finding['ProductFields']['RelatedAWSResources:0/name'].include? rule[:awsconfigrulename] }
+      entries.map do |rule|
+        tags_joined = rule[:nistid].split('|') # subheadings are joined together in the csv file
+        tags_joined.map do |tag|
+          if (i = tag.index('(')).nil?
+            tag
+          else
+            tag[i..-1].scan(/\(.+?\)/).map { |subheading| "#{tag[0..i-1]}#{subheading}" }
+          end
+        end
+      end.flatten.uniq
+    end
+
+    def self.finding_title(finding, *, encode:, controls: nil, **)
+      ret = if !controls.nil? && !(control = corresponding_control(controls, finding)).nil?
+              control['Title']
+            else
+              finding['Title']
+            end
+      encode.call(ret)
+    end
+
+    def self.product_name(findings, *, encode:, **)
+      # "#{findings[0]['ProductFields']['aws/securityhub/CompanyName']} #{findings[0]['ProductFields']['aws/securityhub/ProductName']}"
+      # not using above due to wanting to provide the standard's name instead
+      if findings[0]['Types'][0].split('/')[-1].gsub(/-/, ' ').downcase == findings[0]['ProductFields']['StandardsControlArn'].split('/')[-4].gsub(/-/, ' ').downcase
+        standardname = findings[0]['Types'][0].split('/')[-1].gsub(/-/, ' ')
+      else
+        standardname = findings[0]['ProductFields']['StandardsControlArn'].split('/')[-4].gsub(/-/, ' ').split.map(&:capitalize).join(' ')
+      end
+      encode.call("#{standardname} v#{findings[0]['ProductFields']['StandardsControlArn'].split('/')[-2]}")
+    end
+  end
+end

data/lib/heimdall_tools/asff_mapper.rb

@@ -0,0 +1,232 @@
+require 'json'
+require 'set'
+
+require 'htmlentities'
+
+require 'heimdall_tools/hdf'
+require 'heimdall_tools/asff_compatible_products/firewall_manager'
+require 'heimdall_tools/asff_compatible_products/prowler'
+require 'heimdall_tools/asff_compatible_products/securityhub'
+
+module HeimdallTools
+  DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
+
+  INSPEC_INPUTS_MAPPING = {
+    string: 'String',
+    numeric: 'Numeric',
+    regexp: 'Regexp',
+    array: 'Array',
+    hash: 'Hash',
+    boolean: 'Boolean',
+    any: 'Any'
+  }.freeze
+
+  # Loading spinner sign
+  $spinner = Enumerator.new do |e|
+    loop do
+      e.yield '|'
+      e.yield '/'
+      e.yield '-'
+      e.yield '\\'
+    end
+  end
+
+  # TODO: use hash.dig and safe navigation operator throughout
+  class ASFFMapper
+    IMPACT_MAPPING = {
+      CRITICAL: 0.9,
+      HIGH: 0.7,
+      MEDIUM: 0.5,
+      LOW: 0.3,
+      INFORMATIONAL: 0.0
+    }.freeze
+
+    PRODUCT_ARN_MAPPING = {
+      %r{arn:.+:securityhub:.+:.*:product/aws/firewall-manager} => FirewallManager,
+      %r{arn:.+:securityhub:.+:.*:product/aws/securityhub} => SecurityHub,
+      %r{arn:.+:securityhub:.+:.*:product/prowler/prowler} => Prowler
+    }.freeze
+
+    def initialize(asff_json, securityhub_standards_json_array: nil, meta: nil)
+      @meta = meta
+
+      @supporting_docs = {}
+      @supporting_docs[SecurityHub] = SecurityHub.supporting_docs({ standards: securityhub_standards_json_array })
+
+      begin
+        asff_required_keys = %w{AwsAccountId CreatedAt Description GeneratorId Id ProductArn Resources SchemaVersion Severity Title Types UpdatedAt}
+        @report = JSON.parse(asff_json)
+        if @report.length == 1 && @report.member?('Findings') && @report['Findings'].each { |finding| asff_required_keys.to_set.difference(finding.keys.to_set).none? }.all?
+          # ideal case that is spec compliant
+          # might need to ensure that the file is utf-8 encoded and remove a BOM if one exists
+        elsif asff_required_keys.to_set.difference(@report.keys.to_set).none?
+          # individual finding so have to add wrapping array
+          @report = { 'Findings' => [@report] }
+        else
+          raise 'Not a findings file nor an individual finding'
+        end
+      rescue StandardError => e
+        raise "Invalid ASFF file provided:\nException: #{e}"
+      end
+
+      @coder = HTMLEntities.new
+    end
+
+    def encode(string)
+      @coder.encode(string, :basic, :named, :decimal)
+    end
+
+    def external_product_handler(product, data, func, default)
+      if (product.is_a?(Regexp) || (arn = PRODUCT_ARN_MAPPING.keys.find { |a| product.match(a) })) && PRODUCT_ARN_MAPPING.key?(arn || product) && PRODUCT_ARN_MAPPING[arn || product].respond_to?(func)
+        keywords = { encode: method(:encode) }
+        keywords = keywords.merge(@supporting_docs[PRODUCT_ARN_MAPPING[arn || product]]) if @supporting_docs.member?(PRODUCT_ARN_MAPPING[arn || product])
+        PRODUCT_ARN_MAPPING[arn || product].send(func, data, **keywords)
+      elsif default.is_a? Proc
+        default.call
+      else
+        default
+      end
+    end
+
+    def nist_tag(finding)
+      tags = external_product_handler(finding['ProductArn'], finding, :finding_nist_tag, {})
+      tags.empty? ? DEFAULT_NIST_TAG : tags
+    end
+
+    def impact(finding)
+      # there can be findings listed that are intentionally ignored due to the underlying control being superceded by a control from a different standard
+      if finding.member?('Workflow') && finding['Workflow'].member?('Status') && finding['Workflow']['Status'] == 'SUPPRESSED'
+        imp = :INFORMATIONAL
+      else
+        # severity is required, but can be either 'label' or 'normalized' internally with 'label' being preferred.  other values can be in here too such as the original severity rating.
+        default = proc { finding['Severity'].key?('Label') ? finding['Severity']['Label'].to_sym : finding['Severity']['Normalized']/100.0 }
+        imp = external_product_handler(finding['ProductArn'], finding, :finding_impact, default)
+      end
+      imp.is_a?(Symbol) ? IMPACT_MAPPING[imp] : imp
+    end
+
+    def desc_tags(data, label)
+      { data: data || NA_STRING, label: label || NA_STRING }
+    end
+
+    def subfindings(finding)
+      subfinding = {}
+
+      statusreason = finding['Compliance']['StatusReasons'].map { |reason| reason.flatten.map { |string| encode(string) } }.flatten.join("\n") if finding.key?('Compliance') && finding['Compliance'].key?('StatusReasons')
+      if finding.key?('Compliance') && finding['Compliance'].key?('Status')
+        case finding['Compliance']['Status']
+        when 'PASSED'
+          subfinding['status'] = 'passed'
+          subfinding['message'] = statusreason if statusreason
+        when 'WARNING'
+          subfinding['status'] = 'skipped'
+          subfinding['skip_message'] = statusreason if statusreason
+        when 'FAILED'
+          subfinding['status'] = 'failed'
+          subfinding['message'] = statusreason if statusreason
+        when 'NOT_AVAILABLE'
+          # primary meaning is that the check could not be performed due to a service outage or API error, but it's also overloaded to mean NOT_APPLICABLE so technically 'skipped' or 'error' could be applicable, but AWS seems to do the equivalent of skipped
+          subfinding['status'] = 'skipped'
+          subfinding['skip_message'] = statusreason if statusreason
+        else
+          subfinding['status'] = 'error' # not a valid value for the status enum
+          subfinding['message'] = statusreason if statusreason
+        end
+      else
+        subfinding['status'] = 'skipped' # if no compliance status is provided which is a weird but possible case, then skip
+        subfinding['skip_message'] = statusreason if statusreason
+      end
+
+      subfinding['code_desc'] = external_product_handler(finding['ProductArn'], finding, :subfindings_code_desc, '')
+      subfinding['code_desc'] += '; ' unless subfinding['code_desc'].empty?
+      subfinding['code_desc'] += "Resources: [#{finding['Resources'].map { |r| "Type: #{encode(r['Type'])}, Id: #{encode(r['Id'])}#{", Partition: #{encode(r['Partition'])}" if r.key?('Partition')}#{", Region: #{encode(r['Region'])}" if r.key?('Region')}" }.join(', ')}]"
+
+      subfinding['start_time'] = finding.key?('LastObservedAt') ? finding['LastObservedAt'] : finding['UpdatedAt']
+
+      [subfinding]
+    end
+
+    def to_hdf
+      product_groups = {}
+      @report['Findings'].each do |finding|
+        printf("\rProcessing: %s", $spinner.next)
+
+        external = method(:external_product_handler).curry(4)[finding['ProductArn']][finding]
+
+        # group subfindings by asff productarn and then hdf id
+        item = {}
+        item['id'] = external[:finding_id][encode(finding['GeneratorId'])]
+
+        item['title'] = external[:finding_title][encode(finding['Title'])]
+
+        item['tags'] = { nist: nist_tag(finding) }
+
+        item['impact'] = impact(finding)
+
+        item['desc'] = encode(finding['Description'])
+
+        item['descriptions'] = []
+        item['descriptions'] << desc_tags(finding['Remediation']['Recommendation'].map { |_k, v| encode(v) }.join("\n"), 'fix') if finding.key?('Remediation') && finding['Remediation'].key?('Recommendation')
+
+        item['refs'] = []
+        item['refs'] << { url: finding['SourceUrl'] } if finding.key?('SourceUrl')
+
+        item['source_location'] = NA_HASH
+
+        item['results'] = subfindings(finding)
+
+        arn = PRODUCT_ARN_MAPPING.keys.find { |a| finding['ProductArn'].match(a) }
+        if arn.nil?
+          product_info = finding['ProductArn'].split(':')[-1]
+          arn = Regexp.new "arn:.+:securityhub:.+:.*:product/#{product_info.split('/')[1]}/#{product_info.split('/')[2]}"
+        end
+        product_groups[arn] = {} if product_groups[arn].nil?
+        product_groups[arn][item['id']] = [] if product_groups[arn][item['id']].nil?
+        product_groups[arn][item['id']] << [item, finding]
+      end
+
+      controls = []
+      product_groups.each do |product, id_groups|
+        id_groups.each do |id, data|
+          printf("\rProcessing: %s", $spinner.next)
+
+          external = method(:external_product_handler).curry(4)[product]
+
+          group = data.map { |d| d[0] }
+          findings = data.map { |d| d[1] }
+
+          product_info = findings[0]['ProductArn'].split(':')[-1].split('/')
+          product_name = external[findings][:product_name][encode("#{product_info[1]}/#{product_info[2]}")]
+
+          item = {}
+          # add product name to id if any ids are the same across products
+          item['id'] = product_groups.reject { |pg| pg == product }.values.any? { |ig| ig.keys.include?(id) } ? "[#{product_name}] #{id}" : id
+
+          item['title'] = "#{product_name}: #{group.map { |d| d['title'] }.uniq.join(';')}"
+
+          item['tags'] = { nist: group.map { |d| d['tags'][:nist] }.flatten.uniq }
+
+          item['impact'] = group.map { |d| d['impact'] }.max
+
+          item['desc'] = external[group][:desc][group.map { |d| d['desc'] }.uniq.join("\n")]
+
+          item['descriptions'] = group.map { |d| d['descriptions'] }.flatten.compact.reject(&:empty?).uniq
+
+          item['refs'] = group.map { |d| d['refs'] }.flatten.compact.reject(&:empty?).uniq
+
+          item['source_location'] = NA_HASH
+          item['code'] = JSON.pretty_generate({ Findings: findings })
+
+          item['results'] = group.map { |d| d['results'] }.flatten.uniq
+
+          controls << item
+        end
+      end
+
+      results = HeimdallDataFormat.new(profile_name: @meta&.key?('name') ? @meta['name'] : 'AWS Security Finding Format',
+                                       title: @meta&.key?('title') ? @meta['title'] : 'ASFF findings',
+                                       controls: controls)
+      results.to_hdf
+    end
+  end
+end

data/lib/heimdall_tools/aws_config_mapper.rb

@@ -8,7 +8,7 @@ RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
 AWS_CONFIG_MAPPING_FILE = File.join(RESOURCE_DIR, 'aws-config-mapping.csv')
 
 NOT_APPLICABLE_MSG = 'No AWS resources found to evaluate complaince for this rule'.freeze
-INSUFFICIENT_DATA_MSG = 'Not enough data has been collectd to determine compliance yet.'.freeze
+INSUFFICIENT_DATA_MSG = 'Not enough data has been collected to determine compliance yet.'.freeze
 
 ##
 # HDF mapper for use with AWS Config rules.
@@ -57,10 +57,10 @@ module HeimdallTools
 
       results = HeimdallDataFormat.new(
         profile_name: 'AWS Config',
-         title: 'AWS Config',
-         summary: 'AWS Config',
-         controls: controls,
-         statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
+        title: 'AWS Config',
+        summary: 'AWS Config',
+        controls: controls,
+        statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
       )
       results.to_hdf
     end

data/lib/heimdall_tools/cli.rb

@@ -41,6 +41,15 @@ module HeimdallTools
       File.write(options[:output], hdf)
     end
 
+    desc 'xccdf_results_mapper', 'xccdf_results_mapper translates SCAP client XCCDF-Results XML report to HDF format Json be viewed on Heimdall'
+    long_desc Help.text(:xccdf_results_mapper)
+    option :xml, required: true, aliases: '-x'
+    option :output, required: true, aliases: '-o'
+    def xccdf_results_mapper
+      hdf = HeimdallTools::XCCDFResultsMapper.new(File.read(options[:xml])).to_hdf
+      File.write(options[:output], hdf)
+    end
+
     desc 'nessus_mapper', 'nessus_mapper translates nessus xml report to HDF format Json be viewed on Heimdall'
     long_desc Help.text(:nessus_mapper)
     option :xml, required: true, aliases: '-x'
@@ -61,7 +70,7 @@ module HeimdallTools
     option :output_prefix, required: true, aliases: '-o'
     def snyk_mapper
       hdfs = HeimdallTools::SnykMapper.new(File.read(options[:json]), options[:name]).to_hdf
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
       hdfs.each_key do |host|
         File.write("#{options[:output_prefix]}-#{host}.json", hdfs[host])
         puts "#{options[:output_prefix]}-#{host}.json"
@@ -75,7 +84,7 @@ module HeimdallTools
     def nikto_mapper
       hdf = HeimdallTools::NiktoMapper.new(File.read(options[:json])).to_hdf
       File.write(options[:output], hdf)
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
       puts options[:output].to_s
     end
 
@@ -86,7 +95,7 @@ module HeimdallTools
     def jfrog_xray_mapper
       hdf = HeimdallTools::JfrogXrayMapper.new(File.read(options[:json])).to_hdf
       File.write(options[:output], hdf)
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
       puts options[:output].to_s
     end
 
@@ -97,7 +106,7 @@ module HeimdallTools
     def dbprotect_mapper
       hdf = HeimdallTools::DBProtectMapper.new(File.read(options[:xml])).to_hdf
       File.write(options[:output], hdf)
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
       puts options[:output].to_s
     end
 
@@ -108,7 +117,7 @@ module HeimdallTools
     def aws_config_mapper
       hdf = HeimdallTools::AwsConfigMapper.new(options[:custom_mapping]).to_hdf
       File.write(options[:output], hdf)
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
       puts options[:output].to_s
     end
 
@@ -119,7 +128,53 @@ module HeimdallTools
     def netsparker_mapper
       hdf = HeimdallTools::NetsparkerMapper.new(File.read(options[:xml])).to_hdf
       File.write(options[:output], hdf)
-      puts "\r\HDF Generated:\n"
+      puts "\rHDF Generated:\n"
+      puts options[:output].to_s
+    end
+
+    desc 'sarif_mapper', 'sarif_mapper translates a SARIF JSON file into HDF format JSON to be viewable in Heimdall'
+    long_desc Help.text(:sarif_mapper)
+    option :json, required: true, aliases: '-j'
+    option :output, required: true, aliases: '-o'
+    option :verbose, type: :boolean, aliases: '-V'
+    def sarif_mapper
+      hdf = HeimdallTools::SarifMapper.new(File.read(options[:json])).to_hdf
+      File.write(options[:output], hdf)
+      puts "\rHDF Generated:\n"
+      puts options[:output].to_s
+    end
+
+    desc 'scoutsuite_mapper', 'scoutsuite_mapper translates Scout Suite results from Javascript to HDF-formatted JSON so as to be viewable on Heimdall'
+    long_desc Help.text(:scoutsuite_mapper)
+    option :javascript, required: true, banner: 'SCOUTSUITE-RESULTS-JS', aliases: ['-i', '--input', '-j']
+    option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o'
+    def scoutsuite_mapper
+      hdf = HeimdallTools::ScoutSuiteMapper.new(File.read(options[:javascript])).to_hdf
+      File.write(options[:output], hdf)
+      puts "\rHDF Generated:\n"
+      puts options[:output].to_s
+    end
+
+    desc 'asff_mapper', 'asff_mapper translates AWS Security Finding Format results from JSON to HDF-formatted JSON so as to be viewable on Heimdall'
+    long_desc Help.text(:asff_mapper)
+    option :json, required: true, banner: 'ASFF-FINDING-JSON', aliases: ['-i', '--input', '-j']
+    option :securityhub_standards, required: false, type: :array, banner: 'ASFF-SECURITYHUB-STANDARDS-JSON', aliases: ['--sh', '--input-securityhub-standards']
+    option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o'
+    def asff_mapper
+      hdf = HeimdallTools::ASFFMapper.new(File.read(options[:json]), securityhub_standards_json_array: options[:securityhub_standards].nil? ? nil : options[:securityhub_standards].map { |filename| File.read(filename) }).to_hdf
+      File.write(options[:output], hdf)
+      puts "\rHDF Generated:\n"
+      puts options[:output].to_s
+    end
+
+    desc 'prowler_mapper', 'prowler_mapper translates Prowler-derived AWS Security Finding Format results from concatenated JSON blobs to HDF-formatted JSON so as to be viewable on Heimdall'
+    long_desc Help.text(:prowler_mapper)
+    option :json, required: true, banner: 'PROWLER-ASFF-JSON', aliases: ['-i', '--input', '-j']
+    option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o'
+    def prowler_mapper
+      hdf = HeimdallTools::ProwlerMapper.new(File.read(options[:json])).to_hdf
+      File.write(options[:output], hdf)
+      puts "\rHDF Generated:\n"
       puts options[:output].to_s
     end
 

data/lib/heimdall_tools/fortify_mapper.rb

@@ -58,9 +58,9 @@ module HeimdallTools
     def snippet(snippetid)
       snippet = @snippets.select { |x| x['id'].eql?(snippetid) }.first
       "\nPath: #{snippet['File']}\n" \
-      "StartLine: #{snippet['StartLine']}, " \
-      "EndLine: #{snippet['EndLine']}\n" \
-      "Code:\n#{snippet['Text']['#cdata-section'].strip}" \
+        "StartLine: #{snippet['StartLine']}, " \
+        "EndLine: #{snippet['EndLine']}\n" \
+        "Code:\n#{snippet['Text']['#cdata-section'].strip}" \
     end
 
     def nist_tag(rule)

data/lib/heimdall_tools/help/asff_mapper.md

@@ -0,0 +1,6 @@
+  asff_mapper translates AWS Security Finding Format results from JSON to HDF-formatted JSON so as to be viewable on Heimdall
+
+Examples:
+
+  heimdall_tools asff_mapper -i <asff-finding-json> -o <hdf-scan-results-json>
+  heimdall_tools asff_mapper -i <asff-finding-json> --sh <standard-1-json> ... <standard-n-json> -o <hdf-scan-results-json>

data/lib/heimdall_tools/help/prowler_mapper.md

@@ -0,0 +1,5 @@
+  prowler_mapper translates Prowler-derived AWS Security Finding Format results from concatenated JSON blobs to HDF-formatted JSON so as to be viewable on Heimdall
+
+Examples:
+
+  heimdall_tools prowler_mapper -i <prowler-asff-json> -o <hdf-scan-results-json>

data/lib/heimdall_tools/help/sarif_mapper.md

@@ -0,0 +1,12 @@
+  sarif_mapper translates a SARIF JSON file into HDF format JSON to be viewable in Heimdall
+
+SARIF level to HDF impact Mapping:
+  SARIF level error -> HDF impact 0.7
+  SARIF level warning -> HDF impact 0.5
+  SARIF level note -> HDF impact 0.3
+  SARIF level none -> HDF impact 0.1
+  SARIF level not provided -> HDF impact 0.1 as default
+
+Examples:
+
+  heimdall_tools sarif_mapper [OPTIONS] -j <sarif-results-json> -o <hdf-scan-results.json>