inspec_tools 0.0.0.1.ENOTAG

data/lib/happy_mapper_tools/cci_attributes.rb

@@ -0,0 +1,66 @@
+# encoding: utf-8
+
+require 'happymapper'
+require 'nokogiri'
+
+# rubocop:disable Naming/ClassAndModuleCamelCase
+
+module HappyMapperTools
+  module CCIAttributes
+    class Reference
+      include HappyMapper
+      tag 'reference'
+
+      attribute :creator, String, tag: 'creator'
+      attribute :title, String, tag: 'title'
+      attribute :version, String, tag: 'version'
+      attribute :location, String, tag: 'location'
+      attribute :index, String, tag: 'index'
+    end
+
+    class CCI_Item
+      include HappyMapper
+      tag 'cci_item'
+
+      attribute :id, String, tag: 'id'
+      element :status, String, tag: 'status'
+      element :publishdate, String, tag: 'publishdate'
+      element :contributor, String, tag: 'contributor'
+      element :definition, String, tag: 'definition'
+      element :type, String, tag: 'type'
+      has_many :references, Reference, xpath: 'xmlns:references'
+    end
+
+    class Metadata
+      include HappyMapper
+      tag 'metadata'
+
+      element :version, String, tag: 'version'
+      element :publishdate, String, tag: 'publishdate'
+    end
+
+    class CCI_List
+      include HappyMapper
+      tag 'cci_list'
+
+      attribute :xsi, String, tag: 'xsi', namespace: 'xmlns'
+      attribute :schemaLocation, String, tag: 'schemaLocation', namespace: 'xmlns'
+      has_one :metadata, Metadata, tag: 'metadata'
+      has_many :cci_items, CCI_Item, xpath: 'xmlns:cci_items'
+
+      def fetch_nists(ccis)
+        ccis = [ccis] unless ccis.is_a?(Array)
+
+        # some of the XCCDF files were having CCE- tags show up which
+        # we don't support, not sure if this is a typo on their part or
+        # we need to see about supporting CCE tags but ... for now
+        filtered_ccis = ccis.select { |f| /CCI-/.match(f) }
+        filtered_ccis.map do |cci|
+          cci_items.find { |item| item.id == cci }.references.max_by(&:version).index
+        end
+      end
+    end
+  end
+end
+
+# rubocop:enable Naming/ClassAndModuleCamelCase

data/lib/happy_mapper_tools/stig_attributes.rb

@@ -0,0 +1,196 @@
+# encoding: utf-8
+
+module HappyMapperTools
+  module StigAttributes
+    require 'happymapper'
+    require 'nokogiri'
+    require 'colorize'
+
+    class ContentRef
+      include HappyMapper
+      tag 'check-content-ref'
+      attribute :name, String, tag: 'name'
+      attribute :href, String, tag: 'href'
+    end
+
+    class Check
+      include HappyMapper
+      tag 'check'
+
+      element :content_ref, ContentRef, tag: 'check-content-ref'
+      element :content, String, tag: 'check-content'
+    end
+
+    class Fix
+      include HappyMapper
+      tag 'fix'
+
+      attribute :id, String, tag: 'id'
+    end
+
+    class DescriptionDetails
+      include HappyMapper
+      tag 'Details'
+
+      element :vuln_discussion, String, tag: 'VulnDiscussion'
+      element :false_positives, String, tag: 'FalsePositives'
+      element :false_negatives, String, tag: 'FalseNegatives'
+      element :documentable, Boolean, tag: 'Documentable'
+      element :mitigations, String, tag: 'Mitigations'
+      element :severity_override_guidance, String, tag: 'SeverityOverrideGuidance'
+      element :potential_impacts, String, tag: 'PotentialImpacts'
+      element :third_party_tools, String, tag: 'ThirdPartyTools'
+      element :mitigation_controls, String, tag: 'MitigationControl'
+      element :responsibility, String, tag: 'Responsibility'
+      element :ia_controls, String, tag: 'IAControls'
+    end
+
+    class Description
+      include HappyMapper
+      tag 'description'
+
+      content :details, DescriptionDetails
+
+      detail_tags = %i(vuln_discussion false_positives false_negatives documentable
+                       mitigations severity_override_guidance potential_impacts
+                       third_party_tools mitigation_controls responsibility ia_controls)
+
+      detail_tags.each do |name|
+        define_method name do
+          details.send(name)
+        end
+      end
+    end
+
+    class ReferenceInfo
+      include HappyMapper
+      tag 'reference'
+
+      attribute :href, String, tag: 'href'
+      element :dc_publisher, String, tag: 'publisher', namespace: 'dc'
+      element :dc_source, String, tag: 'source', namespace: 'dc'
+      element :dc_title, String, tag: 'title', namespace: 'dc'
+      element :dc_type, String, tag: 'type', namespace: 'dc'
+      element :dc_subject, String, tag: 'subject', namespace: 'dc'
+      element :dc_identifier, String, tag: 'identifier', namespace: 'dc'
+    end
+
+    class Rule
+      include HappyMapper
+      tag 'Rule'
+
+      attribute :id, String, tag: 'id'
+      attribute :severity, String, tag: 'severity'
+      element :version, String, tag: 'version'
+      element :title, String, tag: 'title'
+      has_one :description, Description, tag: 'description'
+      element :reference, ReferenceInfo, tag: 'reference'
+      has_many :idents, String, tag: 'ident'
+      element :fixtext, String, tag: 'fixtext'
+      has_one :fix, Fix, tag: 'fix'
+      has_one :check, Check, tag: 'check'
+    end
+
+    class Group
+      include HappyMapper
+      tag 'Group'
+
+      attribute :id, String, tag: 'id'
+      element :title, String, tag: 'title'
+      element :description, String, tag: 'description'
+      has_one :rule, Rule, tag: 'Rule'
+    end
+
+    class ReleaseDate
+      include HappyMapper
+      tag 'status'
+
+      attribute :release_date, String, tag: 'date'
+    end
+
+    class Notice
+      include HappyMapper
+      tag 'notice'
+      attribute :id, String, tag: 'id'
+      attribute :xml_lang, String, namespace: 'xml', tag: 'lang'
+      content :notice, String, tag: 'notice'
+    end
+
+    class Plaintext
+      include HappyMapper
+      tag 'plain-text'
+      attribute :id, String, tag: 'id'
+      content :plaintext, String
+    end
+
+    class Benchmark
+      include HappyMapper
+      tag 'Benchmark'
+
+      has_one :release_date, ReleaseDate, tag: 'status'
+      attribute :id, String, tag: 'id'
+      element :status, String, tag: 'status'
+      element :title, String, tag: 'title'
+      element :description, String, tag: 'description'
+      element :version, String, tag: 'version'
+      element :notice, Notice, tag: 'notice'
+      has_one :reference, ReferenceInfo, tag: 'reference'
+      element :plaintext, Plaintext, tag: 'plain-text'
+      has_many :group, Group, tag: 'Group'
+    end
+
+    class DescriptionDetailsType
+      def self.type
+        DescriptionDetails
+      end
+
+      def self.apply(value) # rubocop:disable Metrics/AbcSize
+        value = value.gsub('&', 'and')
+        DescriptionDetails.parse "<Details>#{value}</Details>"
+      rescue Nokogiri::XML::SyntaxError
+        allowed_tags = %w{VulnDiscussion FalsePositives FalseNegatives Documentable
+                          Mitigations SeverityOverrideGuidance PotentialImpacts
+                          PotentialImpacts ThirdPartyTools MitigationControl
+                          Responsibility IAControls}
+
+        tags_found = value.scan(%r{(?<=<)([^\/]*?)((?= \/>)|(?=>))}).to_a
+
+        tags_found = tags_found.uniq.flatten.reject!(&:empty?)
+        offending_tags = tags_found - allowed_tags
+
+        if offending_tags.count > 1
+          puts "\n\nThe non-standard tags: #{offending_tags.to_s.colorize(:red)}" \
+               ' were found in: ' + "\n\n#{value}"
+        else
+          puts "\n\nThe non-standard tag: #{offending_tags.to_s.colorize(:red)}" \
+               ' was found in: ' + "\n\n#{value}"
+        end
+        puts "\n\nPlease:\n "
+        option_one = '(1) ' + '(best)'.colorize(:green) + ' Use the ' +
+                     '`-r --replace-tags array` '.colorize(:light_yellow) +
+                     '(case sensitive) option to replace the offending tags ' \
+                     'during processing of the XCCDF ' \
+                     'file to use the ' +
+                     "`$#{offending_tags[0]}` " .colorize(:light_green) +
+                     'syntax in your InSpec profile.'
+        option_two = '(2) Update your XCCDF file to *not use* non-standard XCCDF ' \
+                     'elements within ' +
+                     '`&lt;`,`&gt;`, `<` '.colorize(:red) +
+                     'or '.colorize(:default) +
+                     '`>` '.colorize(:red) +
+                     'as "placeholders", and use something that doesn\'t confuse ' \
+                     'the XML parser, such as : ' +
+                     "`$#{offending_tags[0]}`" .colorize(:light_green)
+        puts option_one
+        puts "\n"
+        puts option_two
+        # exit
+      end
+
+      def self.apply?(value, _convert_to_type)
+        value.is_a?(String)
+      end
+    end
+    HappyMapper::SupportedTypes.register DescriptionDetailsType
+  end
+end

data/lib/happy_mapper_tools/stig_checklist.rb

@@ -0,0 +1,99 @@
+# encoding: utf-8
+
+require 'happymapper'
+require 'nokogiri'
+
+module HappyMapperTools
+  module StigChecklist
+    # see: https://github.com/dam5s/happymapper
+    # Class Asset maps from the 'Asset' from Checklist XML file using HappyMapper
+    class Asset
+      include HappyMapper
+      tag 'ASSET'
+      element :role, String, tag: 'ROLE'
+      element :type, String, tag: 'ASSET_TYPE'
+      element :host_name, String, tag: 'HOST_NAME'
+      element :host_ip, String, tag: 'HOST_IP'
+      element :host_mac, String, tag: 'HOST_MAC'
+      element :host_guid, String, tag: 'HOST_GUID'
+      element :host_fqdn, String, tag: 'HOST_FQDN'
+      element :tech_area, String, tag: 'TECH_AREA'
+      element :target_key, String, tag: 'TARGET_KEY'
+      element :web_or_database, String, tag: 'WEB_OR_DATABASE'
+      element :web_db_site, String, tag: 'WEB_DB_SITE'
+      element :web_db_instance, String, tag: 'WEB_DB_INSTANCE'
+    end
+
+    # Class Asset maps from the 'SI_DATA' from Checklist XML file using HappyMapper
+    class SiData
+      include HappyMapper
+      tag 'SI_DATA'
+      element :name, String, tag: 'SID_NAME'
+      element :data, String, tag: 'SID_DATA'
+    end
+
+    # Class Asset maps from the 'STIG_INFO' from Checklist XML file using HappyMapper
+    class StigInfo
+      include HappyMapper
+      tag 'STIG_INFO'
+      has_many :si_data, SiData, tag: 'SI_DATA'
+    end
+
+    # Class Asset maps from the 'STIG_DATA' from Checklist XML file using HappyMapper
+    class StigData
+      include HappyMapper
+
+      def initialize(attrib = nil, data = nil)
+        self.attrib = attrib
+        self.data = data
+      end
+
+      tag 'STIG_DATA'
+      has_one :attrib, String, tag: 'VULN_ATTRIBUTE'
+      has_one :data, String, tag: 'ATTRIBUTE_DATA'
+    end
+
+    # Class Asset maps from the 'VULN' from Checklist XML file using HappyMapper
+    class Vuln
+      include HappyMapper
+      tag 'VULN'
+      has_many :stig_data, StigData, tag: 'STIG_DATA'
+      has_one :status, String, tag: 'STATUS'
+      has_one :finding_details, String, tag: 'FINDING_DETAILS'
+      has_one :comments, String, tag: 'COMMENTS'
+      has_one :severity_override, String, tag: 'SEVERITY_OVERRIDE'
+      has_one :severity_justification, String, tag: 'SEVERITY_JUSTIFICATION'
+    end
+
+    # Class Asset maps from the 'iSTIG' from Checklist XML file using HappyMapper
+    class IStig
+      include HappyMapper
+      tag 'iSTIG'
+      has_one :stig_info, StigInfo, tag: 'STIG_INFO'
+      has_many :vuln, Vuln, tag: 'VULN'
+    end
+
+    # Class Asset maps from the 'STIGS' from Checklist XML file using HappyMapper
+    class Stigs
+      include HappyMapper
+      tag 'STIGS'
+      has_one :istig, IStig, tag: 'iSTIG'
+    end
+
+    class Checklist
+      include HappyMapper
+      tag 'CHECKLIST'
+      has_one :asset, Asset, tag: 'ASSET'
+      has_one :stig, Stigs, tag: 'STIGS'
+
+      def where(attrib, data)
+        stig.istig.vuln.each do |vuln|
+          if vuln.stig_data.any? { |element| element.attrib == attrib && element.data == data }
+            # TODO: Handle multiple objects that match the condition
+            return vuln
+          end
+        end
+      end
+    end
+  end
+end

data/lib/inspec_tools.rb

@@ -0,0 +1,17 @@
+$LOAD_PATH.unshift(File.expand_path(__dir__))
+require 'inspec_tools/version'
+require 'rubygems'
+
+module InspecTools
+  autoload :Help, 'inspec_tools/help'
+  autoload :Command, 'inspec_tools/command'
+  autoload :CLI, 'inspec_tools/cli'
+  autoload :XCCDF, 'inspec_tools/xccdf'
+  autoload :PDF, 'inspec_tools/pdf'
+  autoload :CSV, 'inspec_tools/csv'
+  autoload :CKL, 'inspec_tools/ckl'
+  autoload :Inspec, 'inspec_tools/inspec'
+  autoload :Summary, 'inspec_tools/summary'
+  autoload :Threshold, 'inspec_tools/threshold'
+  autoload :XLSXTool, 'inspec_tools/xlsx_tool'
+end

data/lib/inspec_tools/ckl.rb

@@ -0,0 +1,20 @@
+module InspecTools
+  # Methods for converting from CKL to various formats
+  class CKL
+    def initialize(ckl)
+      @ckl = ckl
+    end
+
+    def to_csv
+      # TODO: to_csv
+    end
+
+    def to_xccdf
+      # TODO: to_xccdf
+    end
+
+    def to_inspec
+      # TODO: to_inspec
+    end
+  end
+end

data/lib/inspec_tools/cli.rb

@@ -0,0 +1,31 @@
+require 'yaml'
+require 'json'
+
+require 'inspec-objects'
+require 'inspec'
+require_relative './plugin_cli.rb'
+
+# This tells the ruby cli app to use the same argument parsing as the plugin
+module InspecTools
+  CLI = InspecPlugins::InspecToolsPlugin::CliCommand
+end
+
+#=====================================================================#
+#                        Pre-Flight Code
+#=====================================================================#
+help_commands = ['-h', '--help', 'help']
+log_commands = ['-l', '--log-directory']
+version_commands = ['-v', '--version', 'version']
+
+#---------------------------------------------------------------------#
+# Adjustments for non-required version commands
+#---------------------------------------------------------------------#
+unless (version_commands & ARGV).empty?
+  puts InspecTools::VERSION
+  exit 0
+end
+
+#---------------------------------------------------------------------#
+# Adjustments for non-required log-directory
+#---------------------------------------------------------------------#
+ARGV.push("--log-directory=#{Dir.pwd}/logs") if (log_commands & ARGV).empty? && (help_commands & ARGV).empty?

data/lib/inspec_tools/csv.rb

@@ -0,0 +1,101 @@
+require 'csv'
+require 'nokogiri'
+require 'word_wrap'
+require 'yaml'
+require 'digest'
+
+require_relative '../utilities/inspec_util'
+
+# rubocop:disable Metrics/AbcSize
+# rubocop:disable Metrics/PerceivedComplexity
+# rubocop:disable Metrics/CyclomaticComplexity
+
+module InspecTools
+  # Methods for converting from CSV to various formats
+  class CSVTool
+    def initialize(csv, mapping, name, verbose = false)
+      @name = name
+      @csv = csv
+      @mapping = mapping
+      @verbose = verbose
+      @csv.shift if @mapping['skip_csv_header']
+    end
+
+    def to_ckl
+      # TODO
+    end
+
+    def to_xccdf
+      # TODO
+    end
+
+    def to_inspec
+      @controls = []
+      @cci_xml = nil
+      @profile = {}
+      read_cci_xml
+      insert_json_metadata
+      parse_controls
+      @profile['controls'] = @controls
+      @profile['sha256'] = Digest::SHA256.hexdigest @profile.to_s
+      @profile
+    end
+
+    private
+
+    def insert_json_metadata
+      @profile['name'] = @name
+      @profile['title'] = 'InSpec Profile'
+      @profile['maintainer'] = 'The Authors'
+      @profile['copyright'] = 'The Authors'
+      @profile['copyright_email'] = 'you@example.com'
+      @profile['license'] = 'Apache-2.0'
+      @profile['summary'] = 'An InSpec Compliance Profile'
+      @profile['version'] = '0.1.0'
+      @profile['supports'] = []
+      @profile['attributes'] = []
+      @profile['generator'] = {
+        'name': 'inspec_tools',
+        'version': VERSION
+      }
+    end
+
+    def read_cci_xml
+      cci_list_path = File.join(File.dirname(__FILE__), '../data/U_CCI_List.xml')
+      @cci_xml = Nokogiri::XML(File.open(cci_list_path))
+      @cci_xml.remove_namespaces!
+    rescue StandardError => e
+      puts "Exception: #{e.message}"
+    end
+
+    def get_nist_reference(cci_number)
+      item_node = @cci_xml.xpath("//cci_list/cci_items/cci_item[@id='#{cci_number}']")[0] unless @cci_xml.nil?
+      unless item_node.nil?
+        nist_ref = item_node.xpath('./references/reference[not(@version <= preceding-sibling::reference/@version) and not(@version <=following-sibling::reference/@version)]/@index').text
+        nist_ver = item_node.xpath('./references/reference[not(@version <= preceding-sibling::reference/@version) and not(@version <=following-sibling::reference/@version)]/@version').text
+      end
+      [nist_ref, nist_ver]
+    end
+
+    def parse_controls
+      @csv.each do |row|
+        print '.'
+        control = {}
+        control['id']     = row[@mapping['control.id']]     unless @mapping['control.id'].nil? || row[@mapping['control.id']].nil?
+        control['title']  = row[@mapping['control.title']]  unless @mapping['control.title'].nil? || row[@mapping['control.title']].nil?
+        control['desc']   = row[@mapping['control.desc']]   unless @mapping['control.desc'].nil? || row[@mapping['control.desc']].nil?
+        control['tags'] = {}
+        nist, nist_rev = get_nist_reference(row[@mapping['control.tags']['cci']]) unless @mapping['control.tags']['cci'].nil? || row[@mapping['control.tags']['cci']].nil?
+        control['tags']['nist'] = [nist, 'Rev_' + nist_rev] unless nist.nil? || nist_rev.nil?
+        @mapping['control.tags'].each do |tag|
+          control['tags'][tag.first.to_s] = row[tag.last] unless row[tag.last].nil?
+        end
+        unless @mapping['control.tags']['severity'].nil? || row[@mapping['control.tags']['severity']].nil?
+          control['impact'] = Utils::InspecUtil.get_impact(row[@mapping['control.tags']['severity']])
+          control['tags']['severity'] = Utils::InspecUtil.get_impact_string(control['impact'])
+        end
+        @controls << control
+      end
+    end
+  end
+end