inspec_tools 0.0.0.1.ENOTAG

data/lib/inspec_tools/plugin.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module InspecToolsPlugin
+  class Plugin < Inspec.plugin(2)
+    # Metadata
+    # Must match entry in plugins.json
+    plugin_name :'inspec-tools_plugin'
+
+    # Activation hooks (CliCommand as an example)
+    cli_command :tools do
+      require_relative 'plugin_cli'
+      InspecPlugins::InspecToolsPlugin::CliCommand
+    end
+  end
+end

data/lib/inspec_tools/plugin_cli.rb

@@ -0,0 +1,278 @@
+require 'yaml'
+require 'json'
+require 'roo'
+require_relative '../utilities/inspec_util'
+require_relative '../utilities/csv_util'
+
+module InspecTools
+  autoload :Help, 'inspec_tools/help'
+  autoload :Command, 'inspec_tools/command'
+  autoload :XCCDF, 'inspec_tools/xccdf'
+  autoload :PDF, 'inspec_tools/pdf'
+  autoload :CSVTool, 'inspec_tools/csv'
+  autoload :CKL, 'inspec_tools/ckl'
+  autoload :Inspec, 'inspec_tools/inspec'
+  autoload :Summary, 'inspec_tools/summary'
+  autoload :Threshold, 'inspec_tools/threshold'
+  autoload :XLSXTool, 'inspec_tools/xlsx_tool'
+end
+
+# rubocop:disable Style/GuardClause
+module InspecPlugins
+  module InspecToolsPlugin
+    class CliCommand < Inspec.plugin(2, :cli_command) # rubocop:disable Metrics/ClassLength
+      POSSIBLE_LOG_LEVELS = %w{debug info warn error fatal}.freeze
+
+      class_option :log_directory, type: :string, aliases: :l, desc: 'Provie log location'
+      class_option :log_level, type: :string, desc: "Set the logging level: #{POSSIBLE_LOG_LEVELS}"
+
+      subcommand_desc 'tools [COMMAND]', 'Runs inspec_tools commands through Inspec'
+
+      desc 'xccdf2inspec', 'xccdf2inspec translates an xccdf file to an inspec profile'
+      long_desc InspecTools::Help.text(:xccdf2inspec)
+      option :xccdf, required: true, aliases: '-x'
+      option :attributes, required: false, aliases: '-a'
+      option :output, required: false, aliases: '-o', default: 'profile'
+      option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
+      option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+      option :replace_tags, type: :array, required: false, aliases: '-r'
+      option :metadata, required: false, aliases: '-m'
+      def xccdf2inspec
+        xccdf = InspecTools::XCCDF.new(File.read(options[:xccdf]), options[:replace_tags])
+        profile = xccdf.to_inspec
+
+        if !options[:metadata].nil?
+          xccdf.inject_metadata(File.read(options[:metadata]))
+        end
+
+        Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
+        if !options[:attributes].nil?
+          attributes = xccdf.to_attributes
+          File.write(options[:attributes], YAML.dump(attributes))
+        end
+      end
+
+      desc 'inspec2xccdf', 'inspec2xccdf translates an inspec profile and attributes files to an xccdf file'
+      long_desc InspecTools::Help.text(:inspec2xccdf)
+      option :inspec_json, required: true, aliases: '-j'
+      option :attributes,  required: true, aliases: '-a'
+      option :output, required: true, aliases: '-o'
+      def inspec2xccdf
+        json = File.read(options[:inspec_json])
+        inspec_tool = InspecTools::Inspec.new(json)
+        attr_hsh = YAML.load_file(options[:attributes])
+        xccdf = inspec_tool.to_xccdf(attr_hsh)
+        File.write(options[:output], xccdf)
+      end
+
+      desc 'csv2inspec', 'csv2inspec translates CSV to Inspec controls using a mapping file'
+      long_desc InspecTools::Help.text(:csv2inspec)
+      option :csv, required: true, aliases: '-c'
+      option :mapping, required: true, aliases: '-m'
+      option :verbose, required: false, type: :boolean, aliases: '-V'
+      option :output, required: false, aliases: '-o', default: 'profile'
+      option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
+      option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+      def csv2inspec
+        csv = CSV.read(options[:csv], encoding: 'ISO8859-1')
+        mapping = YAML.load_file(options[:mapping])
+        profile = InspecTools::CSVTool.new(csv, mapping, options[:csv].split('/')[-1].split('.')[0], options[:verbose]).to_inspec
+        Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
+      end
+
+      desc 'xlsx2inspec', 'xlsx2inspec translates CIS XLSX to Inspec controls using a mapping file'
+      long_desc InspecTools::Help.text(:xlsx2inspec)
+      option :xlsx, required: true, aliases: '-x'
+      option :mapping, required: true, aliases: '-m'
+      option :control_name_prefix, required: true, aliases: '-p'
+      option :verbose, required: false, type: :boolean, aliases: '-V'
+      option :output, required: false, aliases: '-o', default: 'profile'
+      option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
+      option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+      def xlsx2inspec
+        xlsx = Roo::Spreadsheet.open(options[:xlsx])
+        mapping = YAML.load_file(options[:mapping])
+        profile = InspecTools::XLSXTool.new(xlsx, mapping, options[:xlsx].split('/')[-1].split('.')[0], options[:verbose]).to_inspec(options[:control_name_prefix])
+        Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
+      end
+
+      desc 'inspec2csv', 'inspec2csv translates Inspec controls to CSV'
+      long_desc InspecTools::Help.text(:inspec2csv)
+      option :inspec_json, required: true, aliases: '-j'
+      option :output, required: true, aliases: '-o'
+      option :verbose, required: false, type: :boolean, aliases: '-V'
+      def inspec2csv
+        csv = InspecTools::Inspec.new(File.read(options[:inspec_json])).to_csv
+        Utils::CSVUtil.unpack_csv(csv, options[:output])
+      end
+
+      desc 'inspec2ckl', 'inspec2ckl translates an inspec json file to a Checklist file'
+      long_desc InspecTools::Help.text(:inspec2ckl)
+      option :inspec_json, required: true, aliases: '-j'
+      option :output, required: true, aliases: '-o'
+      option :verbose, type: :boolean, aliases: '-V'
+      option :metadata, required: false, aliases: '-m'
+      def inspec2ckl
+        metadata = '{}'
+        if !options[:metadata].nil?
+          metadata = File.read(options[:metadata])
+        end
+        ckl = InspecTools::Inspec.new(File.read(options[:inspec_json]), metadata).to_ckl
+        File.write(options[:output], ckl)
+      end
+
+      desc 'pdf2inspec', 'pdf2inspec translates a PDF Security Control Speficication to Inspec Security Profile'
+      long_desc InspecTools::Help.text(:pdf2inspec)
+      option :pdf, required: true, aliases: '-p'
+      option :output, required: false, aliases: '-o', default: 'profile'
+      option :debug, required: false, aliases: '-d', type: :boolean, default: false
+      option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
+      option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+      def pdf2inspec
+        pdf = File.open(options[:pdf])
+        profile = InspecTools::PDF.new(pdf, options[:output], options[:debug]).to_inspec
+        Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
+      end
+
+      desc 'generate_map', 'Generates mapping template from CSV to Inspec Controls'
+      def generate_map
+        template = '
+        # Setting csv_header to true will skip the csv file header
+        skip_csv_header: true
+        width   : 80
+
+
+        control.id: 0
+        control.title: 15
+        control.desc: 16
+        control.tags:
+                severity: 1
+                rid: 8
+                stig_id: 3
+                cci: 2
+                check: 12
+                fix: 10
+        '
+        myfile = File.new('mapping.yml', 'w')
+        myfile.puts template
+        myfile.close
+      end
+
+      desc 'generate_ckl_metadata', 'Generate metadata file that can be passed to inspec2ckl'
+      def generate_ckl_metadata
+        metadata = {}
+
+        metadata['stigid'] = ask('STID ID: ')
+        metadata['role'] = ask('Role: ')
+        metadata['type'] = ask('Type: ')
+        metadata['hostname'] = ask('Hostname: ')
+        metadata['ip'] = ask('IP Address: ')
+        metadata['mac'] = ask('MAC Address: ')
+        metadata['fqdn'] = ask('FQDN: ')
+        metadata['tech_area'] = ask('Tech Area: ')
+        metadata['target_key'] = ask('Target Key: ')
+        metadata['web_or_database'] = ask('Web or Database: ')
+        metadata['web_db_site'] = ask('Web DB Site: ')
+        metadata['web_db_instance'] = ask('Web DB Instance: ')
+
+        metadata.delete_if { |_key, value| value.empty? }
+        File.open('metadata.json', 'w') do |f|
+          f.write(metadata.to_json)
+        end
+      end
+
+      desc 'generate_inspec_metadata', 'Generate mapping file that can be passed to xccdf2inspec'
+      def generate_inspec_metadata
+        metadata = {}
+
+        metadata['maintainer'] = ask('Maintainer: ')
+        metadata['copyright'] = ask('Copyright: ')
+        metadata['copyright_email'] = ask('Copyright Email: ')
+        metadata['license'] = ask('License: ')
+        metadata['version'] = ask('Version: ')
+
+        metadata.delete_if { |_key, value| value.empty? }
+        File.open('metadata.json', 'w') do |f|
+          f.write(metadata.to_json)
+        end
+      end
+
+      desc 'summary', 'summary parses an inspec results json to create a summary json'
+      long_desc InspecTools::Help.text(:summary)
+      option :inspec_json, required: true, aliases: '-j'
+      option :output, required: false, aliases: '-o'
+      option :cli, type: :boolean, required: false, aliases: '-c'
+      option :verbose, type: :boolean, aliases: '-V'
+      option :json_full, type: :boolean, required: false, aliases: '-f'
+      option :json_counts, type: :boolean, required: false, aliases: '-k'
+
+      def summary
+        summary = InspecTools::Summary.new(File.read(options[:inspec_json])).to_summary
+
+        if options[:cli]
+          puts "\nOverall compliance: #{summary[:compliance]}%\n\n"
+          summary[:status].keys.each do |category|
+            puts category
+            summary[:status][category].keys.each do |impact|
+              puts "\t#{impact} : #{summary[:status][category][impact]}"
+            end
+          end
+        end
+
+        json_summary = summary.to_json
+        File.write(options[:output], json_summary) if options[:output]
+        puts json_summary if options[:json_full]
+        puts summary[:status].to_json if options[:json_counts]
+      end
+
+      desc 'compliance', 'compliance parses an inspec results json to check if the compliance level meets a specified threshold'
+      long_desc InspecTools::Help.text(:compliance)
+      option :inspec_json, required: true, aliases: '-j'
+      option :threshold_file, required: false, aliases: '-f'
+      option :threshold_inline, required: false, aliases: '-i'
+      option :verbose, type: :boolean, aliases: '-V'
+
+      def compliance
+        if options[:threshold_file].nil? && options[:threshold_inline].nil?
+          puts 'Please provide threshold as a yaml file or inline yaml'
+          exit(1)
+        end
+        threshold = YAML.load_file(options[:threshold_file]) unless options[:threshold_file].nil?
+        threshold = YAML.safe_load(options[:threshold_inline]) unless options[:threshold_inline].nil?
+        compliance = InspecTools::Summary.new(File.read(options[:inspec_json])).threshold(threshold)
+        compliance ? exit(0) : exit(1)
+      end
+    end
+  end
+end
+
+#=====================================================================#
+#                        Pre-Flight Code
+#=====================================================================#
+help_commands = ['-h', '--help', 'help']
+log_commands = ['-l', '--log-directory']
+version_commands = ['-v', '--version', 'version']
+
+#---------------------------------------------------------------------#
+# Adjustments for non-required version commands
+#---------------------------------------------------------------------#
+unless (version_commands & ARGV).empty?
+  puts InspecTools::VERSION
+  exit 0
+end
+
+#---------------------------------------------------------------------#
+# Adjustments for non-required log-directory
+#---------------------------------------------------------------------#
+ARGV.push("--log-directory=#{Dir.pwd}/logs") if (log_commands & ARGV).empty? && (help_commands & ARGV).empty?
+
+# Push help to front of command so thor recognizes subcommands are called with help
+if help_commands.any? { |cmd| ARGV.include? cmd }
+  help_commands.each do |cmd|
+    if (match = ARGV.delete(cmd))
+      ARGV.unshift match
+    end
+  end
+end
+
+# rubocop:enable Style/GuardClause

data/lib/inspec_tools/summary.rb

@@ -0,0 +1,126 @@
+require 'json'
+require 'yaml'
+require_relative '../utilities/inspec_util'
+
+# rubocop:disable Metrics/AbcSize
+
+# Impact Definitions
+CRITICAL = 0.9
+HIGH = 0.7
+MEDIUM = 0.5
+LOW = 0.3
+
+BUCKETS = %w{failed passed no_impact skipped error}.freeze
+TALLYS = %w{total critical high medium low}.freeze
+
+THRESHOLD_TEMPLATE = File.expand_path('../data/threshold.yaml', File.dirname(__FILE__))
+
+module InspecTools
+  class Summary
+    def initialize(inspec_json)
+      @json = JSON.parse(inspec_json)
+    end
+
+    def to_summary
+      @data = Utils::InspecUtil.parse_data_for_ckl(@json)
+      @summary = {}
+      @data.keys.each do |control_id|
+        current_control = @data[control_id]
+        current_control[:compliance_status] = Utils::InspecUtil.control_status(current_control, true)
+        current_control[:finding_details] = Utils::InspecUtil.control_finding_details(current_control, current_control[:compliance_status])
+      end
+      compute_summary
+      @summary
+    end
+
+    def threshold(threshold = nil)
+      @summary = to_summary
+      @threshold = Utils::InspecUtil.to_dotted_hash(YAML.load_file(THRESHOLD_TEMPLATE))
+      parse_threshold(Utils::InspecUtil.to_dotted_hash(threshold))
+      threshold_compliance
+    end
+
+    private
+
+    def compute_summary
+      @summary[:buckets] = {}
+      @summary[:buckets][:failed]    = select_by_status(@data, 'Open')
+      @summary[:buckets][:passed]    = select_by_status(@data, 'NotAFinding')
+      @summary[:buckets][:no_impact] = select_by_status(@data, 'Not_Applicable')
+      @summary[:buckets][:skipped]   = select_by_status(@data, 'Not_Reviewed')
+      @summary[:buckets][:error]     = select_by_status(@data, 'Profile_Error')
+
+      @summary[:status] = {}
+      @summary[:status][:failed]    = tally_by_impact(@summary[:buckets][:failed])
+      @summary[:status][:passed]    = tally_by_impact(@summary[:buckets][:passed])
+      @summary[:status][:no_impact] = tally_by_impact(@summary[:buckets][:no_impact])
+      @summary[:status][:skipped]   = tally_by_impact(@summary[:buckets][:skipped])
+      @summary[:status][:error]     = tally_by_impact(@summary[:buckets][:error])
+
+      @summary[:compliance] = compute_compliance
+    end
+
+    def select_by_impact(controls, impact)
+      controls.select { |_key, value| value[:impact].to_f.eql?(impact) }
+    end
+
+    def select_by_status(controls, status)
+      controls.select { |_key, value| value[:compliance_status].eql?(status) }
+    end
+
+    def tally_by_impact(controls)
+      tally = {}
+      tally[:total]    = controls.count
+      tally[:critical] = select_by_impact(controls, CRITICAL).count
+      tally[:high]     = select_by_impact(controls, HIGH).count
+      tally[:medium]   = select_by_impact(controls, MEDIUM).count
+      tally[:low]      = select_by_impact(controls, LOW).count
+      tally
+    end
+
+    def compute_compliance
+      (@summary[:status][:passed][:total]*100.0/
+        (@summary[:status][:passed][:total]+
+         @summary[:status][:failed][:total]+
+         @summary[:status][:skipped][:total]+
+         @summary[:status][:error][:total])).round(1)
+    end
+
+    def threshold_compliance
+      compliance = true
+      failure = []
+      max = @threshold['compliance.max']
+      min = @threshold['compliance.min']
+      if max != -1 and @summary[:compliance] > max
+        compliance = false
+        failure << "Expected compliance.max:#{max} got:#{@summary[:compliance]}"
+      end
+      if min != -1 and @summary[:compliance] < min
+        compliance = false
+        failure << "Expected compliance.min:#{min} got:#{@summary[:compliance]}"
+      end
+      status = @summary[:status]
+      BUCKETS.each do |bucket|
+        TALLYS.each do |tally|
+          max = @threshold["#{bucket}.#{tally}.max"]
+          min = @threshold["#{bucket}.#{tally}.min"]
+          if max != -1 and status[bucket.to_sym][tally.to_sym] > max
+            compliance = false
+            failure << "Expected #{bucket}.#{tally}.max:#{max} got:#{status[bucket.to_sym][tally.to_sym]}"
+          end
+          if min != -1 and status[bucket.to_sym][tally.to_sym] < min
+            compliance = false
+            failure << "Expected #{bucket}.#{tally}.min:#{min} got:#{status[bucket.to_sym][tally.to_sym]}"
+          end
+        end
+      end
+      puts failure.join("\n") unless compliance
+      puts 'Compliance threshold met' if compliance
+      compliance
+    end
+
+    def parse_threshold(new_threshold)
+      @threshold.merge!(new_threshold)
+    end
+  end
+end

data/lib/inspec_tools/version.rb

@@ -0,0 +1,8 @@
+require 'git-version-bump'
+
+module InspecTools
+  # Enable lite-tags (2nd parameter to git-version-bump version command)
+  # Lite tags are tags that are used by GitHub releases that do not contain
+  # annotations
+  VERSION = GVB.version(false, true)
+end

data/lib/inspec_tools/xccdf.rb

@@ -0,0 +1,155 @@
+require_relative '../happy_mapper_tools/stig_attributes'
+require_relative '../happy_mapper_tools/cci_attributes'
+require_relative '../utilities/inspec_util'
+
+require 'digest'
+require 'json'
+
+module InspecTools
+  # rubocop:disable Metrics/ClassLength
+  # rubocop:disable Metrics/AbcSize
+  # rubocop:disable Metrics/PerceivedComplexity
+  # rubocop:disable Metrics/CyclomaticComplexity
+  # rubocop:disable Metrics/BlockLength
+  class XCCDF
+    def initialize(xccdf, replace_tags = nil)
+      @xccdf = xccdf
+      @xccdf = replace_tags_in_xccdf(replace_tags, @xccdf) unless replace_tags.nil?
+      cci_list_path = File.join(File.dirname(__FILE__), '../data/U_CCI_List.xml')
+      @cci_items = HappyMapperTools::CCIAttributes::CCI_List.parse(File.read(cci_list_path))
+      # @cci_items = HappyMapperTools::CCIAttributes::CCI_List.parse(File.read('./data/U_CCI_List.xml'))
+      @benchmark = HappyMapperTools::StigAttributes::Benchmark.parse(@xccdf)
+    end
+
+    def to_ckl
+      # TODO: to_ckl
+    end
+
+    def to_csv
+      # TODO: to_csv
+    end
+
+    def to_inspec
+      @profile = {}
+      @controls = []
+      insert_json_metadata
+      insert_controls
+      @profile['sha256'] = Digest::SHA256.hexdigest @profile.to_s
+      @profile
+    end
+
+    ####
+    # extracts non-InSpec attributes
+    ###
+    # TODO there may be more attributes we want to extract, see data/attributes.yml for example
+    def to_attributes # rubocop:disable Metrics/AbcSize
+      @attribute = {}
+
+      @attribute['benchmark.title'] = @benchmark.title
+      @attribute['benchmark.id'] = @benchmark.id
+      @attribute['benchmark.description'] = @benchmark.description
+      @attribute['benchmark.version'] = @benchmark.version
+
+      @attribute['benchmark.status'] = @benchmark.status
+      @attribute['benchmark.status.date'] = @benchmark.release_date.release_date
+
+      @attribute['benchmark.notice.id'] = @benchmark.notice.id
+
+      @attribute['benchmark.plaintext'] = @benchmark.plaintext.plaintext
+      @attribute['benchmark.plaintext.id'] = @benchmark.plaintext.id
+
+      @attribute['reference.href'] = @benchmark.reference.href
+      @attribute['reference.dc.publisher'] = @benchmark.reference.dc_publisher
+      @attribute['reference.dc.source'] = @benchmark.reference.dc_source
+      @attribute['reference.dc.title'] = @benchmark.group[0].rule.reference.dc_title if !@benchmark.group[0].nil?
+      @attribute['reference.dc.subject'] = @benchmark.group[0].rule.reference.dc_subject if !@benchmark.group[0].nil?
+      @attribute['reference.dc.type'] = @benchmark.group[0].rule.reference.dc_type if !@benchmark.group[0].nil?
+      @attribute['reference.dc.identifier'] = @benchmark.group[0].rule.reference.dc_identifier if !@benchmark.group[0].nil?
+
+      @attribute['content_ref.name'] = @benchmark.group[0].rule.check.content_ref.name if !@benchmark.group[0].nil?
+      @attribute['content_ref.href'] = @benchmark.group[0].rule.check.content_ref.href if !@benchmark.group[0].nil?
+
+      @attribute
+    end
+
+    def publisher
+      @benchmark.reference.dc_publisher
+    end
+
+    def published
+      @benchmark.release_date.release_date
+    end
+
+    def inject_metadata(metadata = '{}')
+      json_metadata = JSON.parse(metadata)
+      json_metadata.each do |key, value|
+        @profile[key] = value
+      end
+    end
+
+    private
+
+    def replace_tags_in_xccdf(replace_tags, xccdf_xml)
+      replace_tags.each do |tag|
+        xccdf_xml = xccdf_xml.gsub(/(&lt;|<)#{tag}(&gt;|>)/, "$#{tag}")
+      end
+      xccdf_xml
+    end
+
+    def insert_json_metadata
+      @profile['name'] = @benchmark.id
+      @profile['title'] = @benchmark.title
+      @profile['maintainer'] = 'The Authors' if @profile['maintainer'].nil?
+      @profile['copyright'] = 'The Authors' if @profile['copyright'].nil?
+      @profile['copyright_email'] = 'you@example.com' if @profile['copyright_email'].nil?
+      @profile['license'] = 'Apache-2.0' if @profile['license'].nil?
+      @profile['summary'] = "\"#{@benchmark.description.gsub('\\', '\\\\\\').gsub('"', '\"')}\""
+      @profile['version'] = '0.1.0' if @profile['version'].nil?
+      @profile['supports'] = []
+      @profile['attributes'] = []
+      @profile['generator'] = {
+        'name': 'inspec_tools',
+        'version': VERSION
+      }
+      @profile['plaintext'] = @benchmark.plaintext.plaintext
+      @profile['status'] = "#{@benchmark.status} on #{@benchmark.release_date.release_date}"
+      @profile['reference_href'] = @benchmark.reference.href
+      @profile['reference_publisher'] = @benchmark.reference.dc_publisher
+      @profile['reference_source'] = @benchmark.reference.dc_source
+    end
+
+    def insert_controls
+      @benchmark.group.each do |group|
+        control = {}
+        control['id'] = group.id
+        control['title'] = group.rule.title
+        control['desc'] = group.rule.description.vuln_discussion.split('Satisfies: ')[0]
+        control['impact'] = Utils::InspecUtil.get_impact(group.rule.severity)
+        control['tags'] = {}
+        control['tags']['severity'] = Utils::InspecUtil.get_impact_string(control['impact'])
+        control['tags']['gtitle'] = group.title
+        control['tags']['satisfies'] = group.rule.description.vuln_discussion.split('Satisfies: ')[1].split(',').map(&:strip) if group.rule.description.vuln_discussion.split('Satisfies: ').length > 1
+        control['tags']['gid'] = group.id
+        control['tags']['rid'] = group.rule.id
+        control['tags']['stig_id'] = group.rule.version
+        control['tags']['fix_id'] = group.rule.fix.id
+        control['tags']['cci'] = group.rule.idents
+        control['tags']['nist'] = @cci_items.fetch_nists(group.rule.idents)
+        control['tags']['false_negatives'] = group.rule.description.false_negatives if group.rule.description.false_negatives != ''
+        control['tags']['false_positives'] = group.rule.description.false_positives if group.rule.description.false_positives != ''
+        control['tags']['documentable'] = group.rule.description.documentable if group.rule.description.documentable != ''
+        control['tags']['mitigations'] = group.rule.description.false_negatives if group.rule.description.mitigations != ''
+        control['tags']['severity_override_guidance'] = group.rule.description.severity_override_guidance if group.rule.description.severity_override_guidance != ''
+        control['tags']['potential_impacts'] = group.rule.description.potential_impacts if group.rule.description.potential_impacts != ''
+        control['tags']['third_party_tools'] = group.rule.description.third_party_tools if group.rule.description.third_party_tools != ''
+        control['tags']['mitigation_controls'] = group.rule.description.mitigation_controls if group.rule.description.mitigation_controls != ''
+        control['tags']['responsibility'] = group.rule.description.responsibility if group.rule.description.responsibility != ''
+        control['tags']['ia_controls'] = group.rule.description.ia_controls if group.rule.description.ia_controls != ''
+        control['tags']['check'] = group.rule.check.content
+        control['tags']['fix'] = group.rule.fixtext
+        @controls << control
+      end
+      @profile['controls'] = @controls
+    end
+  end
+end