inspec_tools 0.0.0.1.ENOTAG → 1.2.0

data/lib/happy_mapper_tools/cci_attributes.rb

@@ -3,7 +3,7 @@
 require 'happymapper'
 require 'nokogiri'
 
-# rubocop:disable Naming/ClassAndModuleCamelCase
+# rubocop: disable Naming/ClassAndModuleCamelCase
 
 module HappyMapperTools
   module CCIAttributes
@@ -18,6 +18,13 @@ module HappyMapperTools
       attribute :index, String, tag: 'index'
     end
 
+    class References
+      include HappyMapper
+      tag 'references'
+
+      has_many :references, Reference, tag: 'reference'
+    end
+
     class CCI_Item
       include HappyMapper
       tag 'cci_item'
@@ -28,7 +35,14 @@ module HappyMapperTools
       element :contributor, String, tag: 'contributor'
       element :definition, String, tag: 'definition'
       element :type, String, tag: 'type'
-      has_many :references, Reference, xpath: 'xmlns:references'
+      has_one :references, References, tag: 'references'
+    end
+
+    class CCI_Items
+      include HappyMapper
+      tag 'cci_items'
+
+      has_many :cci_item, CCI_Item, tag: 'cci_item'
     end
 
     class Metadata
@@ -46,21 +60,17 @@ module HappyMapperTools
       attribute :xsi, String, tag: 'xsi', namespace: 'xmlns'
       attribute :schemaLocation, String, tag: 'schemaLocation', namespace: 'xmlns'
       has_one :metadata, Metadata, tag: 'metadata'
-      has_many :cci_items, CCI_Item, xpath: 'xmlns:cci_items'
+      has_many :cci_items, CCI_Items, tag: 'cci_items'
 
       def fetch_nists(ccis)
         ccis = [ccis] unless ccis.is_a?(Array)
-
-        # some of the XCCDF files were having CCE- tags show up which
-        # we don't support, not sure if this is a typo on their part or
-        # we need to see about supporting CCE tags but ... for now
-        filtered_ccis = ccis.select { |f| /CCI-/.match(f) }
-        filtered_ccis.map do |cci|
-          cci_items.find { |item| item.id == cci }.references.max_by(&:version).index
+        nists = []
+        nist_ver = cci_items[0].cci_item[0].references.references.max_by(&:version).version
+        ccis.each do |cci|
+          nists << cci_items[0].cci_item.select { |item| item.id == cci }.first.references.references.max_by(&:version).index
         end
+        nists << ('Rev_' + nist_ver)
       end
     end
   end
 end
-
-# rubocop:enable Naming/ClassAndModuleCamelCase

data/lib/happy_mapper_tools/stig_checklist.rb

@@ -42,12 +42,6 @@ module HappyMapperTools
     # Class Asset maps from the 'STIG_DATA' from Checklist XML file using HappyMapper
     class StigData
       include HappyMapper
-
-      def initialize(attrib = nil, data = nil)
-        self.attrib = attrib
-        self.data = data
-      end
-
       tag 'STIG_DATA'
       has_one :attrib, String, tag: 'VULN_ATTRIBUTE'
       has_one :data, String, tag: 'ATTRIBUTE_DATA'
@@ -85,6 +79,7 @@ module HappyMapperTools
       tag 'CHECKLIST'
       has_one :asset, Asset, tag: 'ASSET'
       has_one :stig, Stigs, tag: 'STIGS'
+      Encoding.default_external = 'UTF-8'
 
       def where(attrib, data)
         stig.istig.vuln.each do |vuln|

data/lib/inspec_tools.rb

@@ -1,6 +1,8 @@
 $LOAD_PATH.unshift(File.expand_path(__dir__))
 require 'inspec_tools/version'
 require 'rubygems'
+require 'bundler/setup'
+Bundler.setup(:default)
 
 module InspecTools
   autoload :Help, 'inspec_tools/help'
@@ -13,5 +15,4 @@ module InspecTools
   autoload :Inspec, 'inspec_tools/inspec'
   autoload :Summary, 'inspec_tools/summary'
   autoload :Threshold, 'inspec_tools/threshold'
-  autoload :XLSXTool, 'inspec_tools/xlsx_tool'
 end

data/lib/inspec_tools/cli.rb

@@ -1,31 +1,147 @@
 require 'yaml'
 require 'json'
+require_relative '../utilities/inspec_util'
+require_relative '../utilities/csv_util'
 
-require 'inspec-objects'
-require 'inspec'
-require_relative './plugin_cli.rb'
+# rubocop:disable Style/GuardClause
 
-# This tells the ruby cli app to use the same argument parsing as the plugin
 module InspecTools
-  CLI = InspecPlugins::InspecToolsPlugin::CliCommand
-end
+  class CLI < Command
+    desc 'xccdf2inspec', 'xccdf2inspec translates an xccdf file to an inspec profile'
+    long_desc Help.text(:xccdf2inspec)
+    option :xccdf, required: true, aliases: '-x'
+    option :attributes, required: false, aliases: '-a'
+    option :output, required: false, aliases: '-o', default: 'profile'
+    option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
+    option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+    option :replace_tags, required: false, aliases: '-r'
+    def xccdf2inspec
+      xccdf = XCCDF.new(File.read(options[:xccdf]))
+      profile = xccdf.to_inspec
+      Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
+      if !options[:attributes].nil?
+        attributes = xccdf.to_attributes
+        File.write(options[:attributes], YAML.dump(attributes))
+      end
+    end
 
-#=====================================================================#
-#                        Pre-Flight Code
-#=====================================================================#
-help_commands = ['-h', '--help', 'help']
-log_commands = ['-l', '--log-directory']
-version_commands = ['-v', '--version', 'version']
-
-#---------------------------------------------------------------------#
-# Adjustments for non-required version commands
-#---------------------------------------------------------------------#
-unless (version_commands & ARGV).empty?
-  puts InspecTools::VERSION
-  exit 0
-end
+    desc 'inspec2xccdf', 'inspec2xccdf translates an inspec profile and attributes files to an xccdf file'
+    long_desc Help.text(:inspec2xccdf)
+    option :inspec_json, required: true, aliases: '-j'
+    option :attributes,  required: true, aliases: '-a'
+    option :output, required: true, aliases: '-o'
+    def inspec2xccdf
+      json = File.read(options[:inspec_json])
+      inspec_tool = InspecTools::Inspec.new(json)
+      attr_hsh = YAML.load_file(options[:attributes])
+      xccdf = inspec_tool.to_xccdf(attr_hsh)
+      File.write(options[:output], xccdf)
+    end
+
+    desc 'csv2inspec', 'csv2inspec translates CSV to Inspec controls using a mapping file'
+    long_desc Help.text(:csv2inspec)
+    option :csv, required: true, aliases: '-c'
+    option :mapping, required: true, aliases: '-m'
+    option :verbose, required: false, type: :boolean, aliases: '-V'
+    option :output, required: false, aliases: '-o', default: 'profile'
+    option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
+    option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+    def csv2inspec
+      csv = CSV.read(options[:csv], encoding: 'ISO8859-1')
+      mapping = YAML.load_file(options[:mapping])
+      profile = CSVTool.new(csv, mapping, options[:csv].split('/')[-1].split('.')[0], options[:verbose]).to_inspec
+      Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
+    end
+
+    desc 'inspec2csv', 'inspec2csv translates Inspec controls to CSV'
+    long_desc Help.text(:inspec2csv)
+    option :inspec_json, required: true, aliases: '-j'
+    option :output, required: true, aliases: '-o'
+    option :verbose, required: false, type: :boolean, aliases: '-V'
+    def inspec2csv
+      csv = Inspec.new(File.read(options[:inspec_json])).to_csv
+      Utils::CSVUtil.unpack_csv(csv, options[:output])
+    end
+
+    desc 'inspec2ckl', 'inspec2ckl translates an inspec json file to a Checklist file'
+    long_desc Help.text(:inspec2ckl)
+    option :inspec_json, required: true, aliases: '-j'
+    option :output, required: true, aliases: '-o'
+    option :verbose, type: :boolean, aliases: '-V'
+    def inspec2ckl
+      ckl = InspecTools::Inspec.new(File.read(options[:inspec_json])).to_ckl
+      File.write(options[:output], ckl)
+    end
+
+    desc 'pdf2inspec', 'pdf2inspec translates a PDF Security Control Speficication to Inspec Security Profile'
+    long_desc Help.text(:pdf2inspec)
+    option :pdf, required: true, aliases: '-p'
+    option :output, required: false, aliases: '-o', default: 'profile'
+    option :debug, required: false, aliases: '-d', type: :boolean, default: false
+    option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
+    option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+    def pdf2inspec
+      pdf = File.open(options[:pdf])
+      profile = InspecTools::PDF.new(pdf, options[:output], options[:debug]).to_inspec
+      Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
+    end
+
+    desc 'generate_map', 'Generates mapping template from CSV to Inspec Controls'
+    def generate_map
+      template = '
+      # Setting csv_header to true will skip the csv file header
+      skip_csv_header: true
+      width   : 80
 
-#---------------------------------------------------------------------#
-# Adjustments for non-required log-directory
-#---------------------------------------------------------------------#
-ARGV.push("--log-directory=#{Dir.pwd}/logs") if (log_commands & ARGV).empty? && (help_commands & ARGV).empty?
+
+      control.id: 0
+      control.title: 15
+      control.desc: 16
+      control.tags:
+              severity: 1
+              rid: 8
+              stig_id: 3
+              cci: 2
+              check: 12
+              fix: 10
+      '
+      myfile = File.new('mapping.yml', 'w')
+      myfile.puts template
+      myfile.close
+    end
+
+    desc 'summary', 'summary parses an inspec results json to create a summary json'
+    long_desc Help.text(:summary)
+    option :inspec_json, required: true, aliases: '-j'
+    option :output, required: true, aliases: '-o'
+    option :verbose, type: :boolean, aliases: '-V'
+
+    def summary
+      summary = InspecTools::Summary.new(File.read(options[:inspec_json])).to_summary
+      File.write(options[:output], summary.to_json)
+    end
+
+    desc 'compliance', 'compliance parses an inspec results json to check if the compliance level meets a specified threshold'
+    long_desc Help.text(:compliance)
+    option :inspec_json, required: true, aliases: '-j'
+    option :threshold_file, required: false, aliases: '-f'
+    option :threshold_inline, required: false, aliases: '-i'
+    option :verbose, type: :boolean, aliases: '-V'
+
+    def compliance
+      if options[:threshold_file].nil? && options[:threshold_inline].nil?
+        puts 'Please provide threshold as a yaml file or inline yaml'
+        exit(1)
+      end
+      threshold = YAML.load_file(options[:threshold_file]) unless options[:threshold_file].nil?
+      threshold = YAML.safe_load(options[:threshold_inline]) unless options[:threshold_inline].nil?
+      compliance = InspecTools::Summary.new(File.read(options[:inspec_json])).threshold(threshold)
+      compliance ? exit(0) : exit(1)
+    end
+
+    desc 'version', 'prints version'
+    def version
+      puts VERSION
+    end
+  end
+end

data/lib/inspec_tools/command.rb

@@ -0,0 +1,50 @@
+require 'thor'
+
+# Override thor's long_desc identation behavior
+# https://github.com/erikhuda/thor/issues/398
+
+# rubocop:disable Naming/UncommunicativeMethodParamName
+
+class Thor
+  module Shell
+    class Basic
+      def print_wrapped(message, _options = {})
+        message = "\n#{message}" unless message[0] == "\n"
+        stdout.puts message
+      end
+    end
+  end
+end
+
+module InspecTools
+  class Command < Thor
+    class << self
+      def dispatch(m, args, options, config)
+        # Allow calling for help via:
+        #   inspec_tools command help
+        #   inspec_tools command -h
+        #   inspec_tools command --help
+        #   inspec_tools command -D
+        #
+        # as well thor's normal way:
+        #
+        #   inspec_tools help command
+        help_flags = Thor::HELP_MAPPINGS + ['help']
+        if args.length > 1 && !(args & help_flags).empty?
+          args -= help_flags
+          args.insert(-2, 'help')
+        end
+
+        #   inspec_tools version
+        #   inspec_tools --version
+        #   inspec_tools -v
+        version_flags = ['--version', '-v']
+        if args.length == 1 && !(args & version_flags).empty?
+          args = ['version']
+        end
+
+        super
+      end
+    end
+  end
+end

data/lib/inspec_tools/csv.rb

@@ -1,5 +1,6 @@
 require 'csv'
 require 'nokogiri'
+require 'inspec/objects'
 require 'word_wrap'
 require 'yaml'
 require 'digest'
@@ -55,8 +56,8 @@ module InspecTools
       @profile['supports'] = []
       @profile['attributes'] = []
       @profile['generator'] = {
-        'name': 'inspec_tools',
-        'version': VERSION
+        'name': 'inspec',
+        'version': Gem.loaded_specs['inspec'].version
       }
     end
 
@@ -90,10 +91,7 @@ module InspecTools
         @mapping['control.tags'].each do |tag|
           control['tags'][tag.first.to_s] = row[tag.last] unless row[tag.last].nil?
         end
-        unless @mapping['control.tags']['severity'].nil? || row[@mapping['control.tags']['severity']].nil?
-          control['impact'] = Utils::InspecUtil.get_impact(row[@mapping['control.tags']['severity']])
-          control['tags']['severity'] = Utils::InspecUtil.get_impact_string(control['impact'])
-        end
+        control['impact'] = Utils::InspecUtil.get_impact(row[@mapping['control.tags']['severity']]) unless @mapping['control.tags']['severity'].nil? || row[@mapping['control.tags']['severity']].nil?
         @controls << control
       end
     end

data/lib/inspec_tools/help/summary.md

@@ -1,5 +1,5 @@
   summary parses an inspec results json to create a summary json
-
+  
 Examples:
 
-  inspec_tools summary -j examples/sample_json/rhel-simp.json -f -o summary.json
+  inspec_tools summary -j examples/sample_json/rhel-simp.json -o summary.json

data/lib/inspec_tools/inspec.rb

@@ -3,7 +3,6 @@ require 'json'
 require 'cgi'
 require 'csv'
 require 'yaml'
-require 'pp'
 require_relative '../happy_mapper_tools/stig_attributes'
 require_relative '../happy_mapper_tools/stig_checklist'
 require_relative '../happy_mapper_tools/benchmark'
@@ -17,14 +16,12 @@ require_relative 'csv'
 
 module InspecTools
   class Inspec
-    def initialize(inspec_json, metadata = '{}')
-      @json = JSON.parse(inspec_json.gsub(/\\+u0000/, ''))
-      @metadata = JSON.parse(metadata)
+    def initialize(inspec_json)
+      @json = JSON.parse(inspec_json)
     end
 
     def to_ckl(title = nil, date = nil, cklist = nil)
       @data = Utils::InspecUtil.parse_data_for_ckl(@json)
-      @platform = Utils::InspecUtil.get_platform(@json)
       @title = generate_title title, @json, date
       @cklist = cklist
       @checklist = HappyMapperTools::StigChecklist::Checklist.new
@@ -84,7 +81,7 @@ module InspecTools
       inspec_json['controls'].each do |json_control|
         control = []
         headers.each do |key, _|
-          control.push(json_control[key] || json_control['tags'][key] || json_control['results']&.collect { |result| result[key] }&.join(",\n") || nil)
+          control.push(json_control[key] || json_control['tags'][key] || (json_control['results']&.collect { |result| result[key] }&.join(",\n")) || nil)
         end
         data.push(control)
       end
@@ -113,45 +110,26 @@ module InspecTools
       end
     end
 
-    def generate_ckl
-      stigs = HappyMapperTools::StigChecklist::Stigs.new
-      istig = HappyMapperTools::StigChecklist::IStig.new
-
-      vuln_list = []
-      @data.keys.each do |control_id|
-        vuln_list.push(generate_vuln_data(@data[control_id]))
-      end
-
-      si_data = HappyMapperTools::StigChecklist::SiData.new
-      si_data.name = 'stigid'
-      si_data.data = ''
-      if !@metadata['stigid'].nil?
-        si_data.data = @metadata['stigid']
-      end
-
-      stig_info = HappyMapperTools::StigChecklist::StigInfo.new
-      stig_info.si_data = si_data
-      istig.stig_info = stig_info
-
-      istig.vuln = vuln_list
-      stigs.istig = istig
-      @checklist.stig = stigs
-
-      @checklist.asset = generate_asset
-    end
-
     def generate_vuln_data(control)
       vuln = HappyMapperTools::StigChecklist::Vuln.new
       stig_data_list = []
 
-      %w{Vuln_Num Group_Title Rule_ID Rule_Ver Rule_Title Vuln_Discuss Check_Content Fix_Text}.each do |attribute|
-        stig_data_list << create_stig_data_element(attribute, control)
+      %w{
+        Vuln_Num Severity Group_Title Rule_ID Rule_Ver Rule_Title Vuln_Discuss
+        Check_Content Fix_Text CCI_REF
+      }.each do |param|
+        stigdata = HappyMapperTools::StigChecklist::StigData.new
+        stigdata.attrib = param
+        stigdata.data = control[param.downcase.to_sym]
+        stig_data_list.push(stigdata)
       end
-      stig_data_list << handle_severity(control)
-      stig_data_list += handle_cci_ref(control)
-      stig_data_list << handle_stigref
 
-      vuln.stig_data = stig_data_list.reject(&:nil?)
+      stigdata = HappyMapperTools::StigChecklist::StigData.new
+      stigdata.attrib = 'STIGRef'
+      stigdata.data = @title
+      stig_data_list.push(stigdata)
+
+      vuln.stig_data = stig_data_list
       vuln.status = Utils::InspecUtil.control_status(control)
       vuln.comments = "\nAutomated compliance tests brought to you by the MITRE corporation and the InSpec project.\n\nInspec Profile: #{control[:profile_name]}\nProfile shasum: #{control[:profile_shasum]}"
       vuln.finding_details = Utils::InspecUtil.control_finding_details(control, vuln.status)
@@ -161,66 +139,25 @@ module InspecTools
       vuln
     end
 
-    def generate_asset
-      asset = HappyMapperTools::StigChecklist::Asset.new
-      asset.role = !@metadata['role'].nil? ? @metadata['role'] : 'Workstation'
-      asset.type = !@metadata['type'].nil? ? @metadata['type'] : 'Computing'
-      asset.host_name = generate_hostname
-      asset.host_ip = generate_ip
-      asset.host_mac = generate_mac
-      asset.host_fqdn = generate_fqdn
-      asset.tech_area = !@metadata['tech_area'].nil? ? @metadata['tech_area'] : ''
-      asset.target_key = !@metadata['target_key'].nil? ? @metadata['target_key'] : ''
-      asset.web_or_database = !@metadata['web_or_database'].nil? ? @metadata['web_or_database'] : '0'
-      asset.web_db_site = !@metadata['web_db_site'].nil? ? @metadata['web_db_site'] : ''
-      asset.web_db_instance = !@metadata['web_db_instance'].nil? ? @metadata['web_db_instance'] : ''
-      asset
-    end
-
-    def generate_hostname
-      hostname = @metadata['hostname']
-      if hostname.nil? && @platform.nil?
-        hostname = ''
-      elsif hostname.nil?
-        hostname = @platform[:hostname]
-      end
-      hostname
-    end
-
-    def generate_mac
-      mac = @metadata['mac']
-      if mac.nil?
-        nics = @platform.nil? ? [] : @platform[:network]
-        nics_macs = []
-        nics.each do |nic|
-          nics_macs.push(nic[:mac])
-        end
-        mac = nics_macs.join(',')
-      end
-      mac
-    end
-
-    def generate_fqdn
-      fqdn = @metadata['fqdn']
-      if fqdn.nil? && @platform.nil?
-        fqdn = ''
-      elsif fqdn.nil?
-        fqdn = @platform[:fqdn]
-      end
-      fqdn
+    def generate_title(title, json, date)
+      title ||= "Untitled - Checklist Created from Automated InSpec Results JSON; Profiles: #{json['profiles'].map { |x| x['name'] }.join(' | ')}"
+      title + " Checklist Date: #{date || Date.today.to_s}"
     end
 
-    def generate_ip
-      ip = @metadata['ip']
-      if ip.nil?
-        nics = @platform.nil? ? [] : @platform[:network]
-        nics_ips = []
-        nics.each do |nic|
-          nics_ips.push(*nic[:ip])
-        end
-        ip = nics_ips.join(',')
+    def generate_ckl
+      stigs = HappyMapperTools::StigChecklist::Stigs.new
+      istig = HappyMapperTools::StigChecklist::IStig.new
+      vuln_list = []
+      @data.keys.each do |control_id|
+        vuln_list.push(generate_vuln_data(@data[control_id]))
       end
-      ip
+      istig.stig_info = HappyMapperTools::StigChecklist::StigInfo.new
+      istig.vuln = vuln_list
+      stigs.istig = istig
+      @checklist.stig = stigs
+      asset = HappyMapperTools::StigChecklist::Asset.new
+      asset.type = 'Computing'
+      @checklist.asset = asset
     end
 
     def populate_header
@@ -270,7 +207,7 @@ module InspecTools
         group.rule.reference.dc_identifier = @attribute['reference.dc.identifier']
 
         group.rule.ident = HappyMapperTools::Benchmark::Ident.new
-        group.rule.ident.system = 'https://public.cyber.mil/stigs/cci/'
+        group.rule.ident.system = 'http://iase.disa.mil/cci'
         group.rule.ident.ident = control['cci']
 
         group.rule.fixtext = HappyMapperTools::Benchmark::Fixtext.new
@@ -291,41 +228,5 @@ module InspecTools
       end
       @benchmark.group = group_array
     end
-
-    def generate_title(title, json, date)
-      title ||= "Untitled - Checklist Created from Automated InSpec Results JSON; Profiles: #{json['profiles'].map { |x| x['name'] }.join(' | ')}"
-      title + " Checklist Date: #{date || Date.today.to_s}"
-    end
-
-    def create_stig_data_element(attribute, control)
-      return HappyMapperTools::StigChecklist::StigData.new(attribute, control[attribute.downcase.to_sym]) unless control[attribute.downcase.to_sym].nil?
-    end
-
-    def handle_severity(control)
-      return if control[:impact].nil?
-
-      value = Utils::InspecUtil.get_impact_string(control[:impact], use_cvss_terms: false)
-      return if value == 'none'
-
-      HappyMapperTools::StigChecklist::StigData.new('Severity', value)
-    end
-
-    def handle_cci_ref(control)
-      return [] if control[:cci_ref].nil?
-
-      cci_data = []
-      if control[:cci_ref].respond_to?(:each)
-        control[:cci_ref].each do |cci_number|
-          cci_data << HappyMapperTools::StigChecklist::StigData.new('CCI_REF', cci_number)
-        end
-        cci_data
-      else
-        cci_data << HappyMapperTools::StigChecklist::StigData.new('CCI_REF', control[:cci_ref])
-      end
-    end
-
-    def handle_stigref
-      HappyMapperTools::StigChecklist::StigData.new('STIGRef', @title)
-    end
   end
 end