inspec_tools 2.0.2.pre11 → 2.0.6
- checksums.yaml +4 -4
- data/CHANGELOG.md +85 -3
- data/README.md +52 -8
- data/lib/data/rubocop.yml +4 -0
- data/lib/happy_mapper_tools/stig_attributes.rb +68 -48
- data/lib/inspec_tools/plugin_cli.rb +1 -4
- data/lib/inspec_tools/summary.rb +7 -7
- data/lib/inspec_tools/xccdf.rb +1 -0
- data/lib/utilities/inspec_util.rb +7 -1
- metadata +15 -14
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 43b88686ec67ec39b204d239fc5374c6448b9cfa1c1bd6b7832966b90619cc23
|
4
|
+
data.tar.gz: dca55a3609c9ff90186d7e83f6017b4653b211b871e4ff2671f834e203a39879
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: eab9120d563910e628f1dbfa47dc11b1abfff5992a040a23ad7978ae42567584a34dcc8bbfa0a926b3abfb55ed58f04f2f91a056f458ee75f9ca353745c3ebb5
|
7
|
+
data.tar.gz: 17c1fea7003f96df5ce83fbda87165144b389ae6475521bb4e14af8eda259f2093f7a206ab7f9537994b645595fdcb4fbb3c3ece81aa283c4705e3c5d3553307
|
data/CHANGELOG.md
CHANGED
@@ -2,7 +2,86 @@
|
|
2
2
|
|
3
3
|
## [Unreleased](https://github.com/mitre/inspec_tools/tree/HEAD)
|
4
4
|
|
5
|
-
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.
|
5
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.5...HEAD)
|
6
|
+
|
7
|
+
**Closed issues:**
|
8
|
+
|
9
|
+
- Run inspec check in CI [\#195](https://github.com/mitre/inspec_tools/issues/195)
|
10
|
+
|
11
|
+
**Merged pull requests:**
|
12
|
+
|
13
|
+
- Fixes SecurityOverrideGuidance not being output in a profile [\#196](https://github.com/mitre/inspec_tools/pull/196) ([Bialogs](https://github.com/Bialogs))
|
14
|
+
|
15
|
+
## [v2.0.5](https://github.com/mitre/inspec_tools/tree/v2.0.5) (2020-06-22)
|
16
|
+
|
17
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.4...v2.0.5)
|
18
|
+
|
19
|
+
**Closed issues:**
|
20
|
+
|
21
|
+
- Remove Debug Files When Running Tests [\#175](https://github.com/mitre/inspec_tools/issues/175)
|
22
|
+
|
23
|
+
**Merged pull requests:**
|
24
|
+
|
25
|
+
- Add additional error checking and documentation surrounding the xccdf… [\#194](https://github.com/mitre/inspec_tools/pull/194) ([Bialogs](https://github.com/Bialogs))
|
26
|
+
|
27
|
+
## [v2.0.4](https://github.com/mitre/inspec_tools/tree/v2.0.4) (2020-06-18)
|
28
|
+
|
29
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.3...v2.0.4)
|
30
|
+
|
31
|
+
**Closed issues:**
|
32
|
+
|
33
|
+
- xccdf2inspec string quotes bug [\#191](https://github.com/mitre/inspec_tools/issues/191)
|
34
|
+
- xccdf2inspec fails on OpenSCAP xccdf results with undefined method [\#190](https://github.com/mitre/inspec_tools/issues/190)
|
35
|
+
|
36
|
+
**Merged pull requests:**
|
37
|
+
|
38
|
+
- Respect debug env variable when running tests [\#193](https://github.com/mitre/inspec_tools/pull/193) ([Bialogs](https://github.com/Bialogs))
|
39
|
+
- 191 single quote replacement [\#192](https://github.com/mitre/inspec_tools/pull/192) ([Bialogs](https://github.com/Bialogs))
|
40
|
+
|
41
|
+
## [v2.0.3](https://github.com/mitre/inspec_tools/tree/v2.0.3) (2020-05-26)
|
42
|
+
|
43
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.2.pre13...v2.0.3)
|
44
|
+
|
45
|
+
**Implemented enhancements:**
|
46
|
+
|
47
|
+
- Round compliance score down [\#146](https://github.com/mitre/inspec_tools/issues/146)
|
48
|
+
- Every usage of Bucket and Tally uses it as a symbol, making it a symbol as part of its declaration [\#187](https://github.com/mitre/inspec_tools/pull/187) ([rbclark](https://github.com/rbclark))
|
49
|
+
- Summary output [\#186](https://github.com/mitre/inspec_tools/pull/186) ([jsa5593](https://github.com/jsa5593))
|
50
|
+
- Compliance score is rounded down and the README is updated [\#185](https://github.com/mitre/inspec_tools/pull/185) ([jsa5593](https://github.com/jsa5593))
|
51
|
+
|
52
|
+
**Fixed bugs:**
|
53
|
+
|
54
|
+
- inspec\_tools docker images is not actually showing results to cli [\#183](https://github.com/mitre/inspec_tools/issues/183)
|
55
|
+
|
56
|
+
**Closed issues:**
|
57
|
+
|
58
|
+
- inspec\_tools docker container doesn't let me go into a bash shell [\#184](https://github.com/mitre/inspec_tools/issues/184)
|
59
|
+
- Add a Dockerfile so folks can eaily add this into their ci/cd container workflows [\#162](https://github.com/mitre/inspec_tools/issues/162)
|
60
|
+
|
61
|
+
## [v2.0.2.pre13](https://github.com/mitre/inspec_tools/tree/v2.0.2.pre13) (2020-05-22)
|
62
|
+
|
63
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.2.pre12...v2.0.2.pre13)
|
64
|
+
|
65
|
+
**Implemented enhancements:**
|
66
|
+
|
67
|
+
- Ruby to docker [\#181](https://github.com/mitre/inspec_tools/pull/181) ([jsa5593](https://github.com/jsa5593))
|
68
|
+
|
69
|
+
**Fixed bugs:**
|
70
|
+
|
71
|
+
- All Impacts Parsed from PDF are Medium [\#173](https://github.com/mitre/inspec_tools/issues/173)
|
72
|
+
- Git version bump version 0.17.2 is broken due to a faulty regex. [\#182](https://github.com/mitre/inspec_tools/pull/182) ([rbclark](https://github.com/rbclark))
|
73
|
+
|
74
|
+
## [v2.0.2.pre12](https://github.com/mitre/inspec_tools/tree/v2.0.2.pre12) (2020-05-07)
|
75
|
+
|
76
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.2.pre11...v2.0.2.pre12)
|
77
|
+
|
78
|
+
**Merged pull requests:**
|
79
|
+
|
80
|
+
- Require a newer version of git-lite-version-bump for Windows support [\#178](https://github.com/mitre/inspec_tools/pull/178) ([rbclark](https://github.com/rbclark))
|
81
|
+
|
82
|
+
## [v2.0.2.pre11](https://github.com/mitre/inspec_tools/tree/v2.0.2.pre11) (2020-05-07)
|
83
|
+
|
84
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.2.pre10...v2.0.2.pre11)
|
6
85
|
|
7
86
|
**Merged pull requests:**
|
8
87
|
|
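Review bot: the Unreleased section still compares `v2.0.5...HEAD` and carries no v2.0.6 heading, although the metadata hunk in this same release sets `version: 2.0.6`; add a `## [v2.0.6]` entry with its own Full Changelog link so the generated changelog matches the published gem. That entry should also name the user-visible changes that have no issue or PR line here: the `summary` subcommand dropping its `-o/--output` and `-c/--cli` options, and RuboCop auto-correct now running over generated profiles.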
@@ -80,7 +159,6 @@
|
|
80
159
|
- Updated README to standardize wording [\#160](https://github.com/mitre/inspec_tools/pull/160) ([Bialogs](https://github.com/Bialogs))
|
81
160
|
- Remove guardfile [\#159](https://github.com/mitre/inspec_tools/pull/159) ([Bialogs](https://github.com/Bialogs))
|
82
161
|
- Remove unnecessary debug output from xccdf2inspec [\#158](https://github.com/mitre/inspec_tools/pull/158) ([rbclark](https://github.com/rbclark))
|
83
|
-
- Add unit tests for XLSXTool and add system tests in CI [\#130](https://github.com/mitre/inspec_tools/pull/130) ([Bialogs](https://github.com/Bialogs))
|
84
162
|
|
85
163
|
## [v2.0.2.pre6](https://github.com/mitre/inspec_tools/tree/v2.0.2.pre6) (2020-04-28)
|
86
164
|
|
@@ -129,6 +207,7 @@
|
|
129
207
|
|
130
208
|
**Merged pull requests:**
|
131
209
|
|
210
|
+
- Add unit tests for XLSXTool and add system tests in CI [\#130](https://github.com/mitre/inspec_tools/pull/130) ([Bialogs](https://github.com/Bialogs))
|
132
211
|
- Apply fixes from CodeFactor [\#129](https://github.com/mitre/inspec_tools/pull/129) ([aaronlippold](https://github.com/aaronlippold))
|
133
212
|
|
134
213
|
## [v2.0.1.pre3](https://github.com/mitre/inspec_tools/tree/v2.0.1.pre3) (2020-04-03)
|
@@ -174,6 +253,10 @@
|
|
174
253
|
|
175
254
|
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v1.8.9...v1.8.10)
|
176
255
|
|
256
|
+
**Merged pull requests:**
|
257
|
+
|
258
|
+
- added two digit contol parsing fixes \#117 [\#120](https://github.com/mitre/inspec_tools/pull/120) ([yarick](https://github.com/yarick))
|
259
|
+
|
177
260
|
## [v1.8.9](https://github.com/mitre/inspec_tools/tree/v1.8.9) (2020-03-30)
|
178
261
|
|
179
262
|
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v1.8.8...v1.8.9)
|
@@ -192,7 +275,6 @@
|
|
192
275
|
|
193
276
|
**Merged pull requests:**
|
194
277
|
|
195
|
-
- added two digit contol parsing fixes \#117 [\#120](https://github.com/mitre/inspec_tools/pull/120) ([yarick](https://github.com/yarick))
|
196
278
|
- Add --json-full and --json-summary options to summary subcommand [\#116](https://github.com/mitre/inspec_tools/pull/116) ([Bialogs](https://github.com/Bialogs))
|
197
279
|
|
198
280
|
## [v1.8.7](https://github.com/mitre/inspec_tools/tree/v1.8.7) (2020-03-29)
|
data/README.md
CHANGED
@@ -61,6 +61,13 @@ xccdf_results = tool.to_xccdf(attribs_json)
|
|
61
61
|
On the Command Line, `inspec_tools help` will print a listing of all the command with a short description.
|
62
62
|
For detailed help on any command, run `inspec_tools help [COMMAND]`. Help can also be called with the `-h, --help` flags after any command, like `inspec_tools xccdf2inspec -h`.
|
63
63
|
|
64
|
+
For Docker usage, replace the `inspec_tools` command with the correct Docker command below for your operating system:
|
65
|
+
|
66
|
+
- **On Linux and Mac**: `docker run -it -v$(pwd):/share mitre/inspec_tools`
|
67
|
+
- **On Windows CMD**: `docker run -it -v%cd%:/share mitre/inspec_tools`
|
68
|
+
|
69
|
+
Note that all of the above Docker commands will mount your current directory on the Docker container. Ensure that you have navigated to the directory you intend to convert files in before executing the command.
|
70
|
+
|
64
71
|
### generate_map
|
65
72
|
|
66
73
|
This command will generate a `mapping.xml` file that can be passed in to the `csv2inspec` command with the `--m` option.
|
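Review bot: the Linux/Mac command `docker run -it -v$(pwd):/share mitre/inspec_tools` breaks when the working directory path contains spaces, because the unquoted `$(pwd)` is word-split; write it as `-v "$(pwd):/share"`. The paragraph that follows should also say that the mount is read-write, so the container can modify or delete anything in the directory the user is standing in, and a PowerShell variant (`${PWD}` instead of `%cd%`) is missing next to the CMD form.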
@@ -91,6 +98,8 @@ USAGE: inspec_tools generate_inspec_metadata
|
|
91
98
|
|
92
99
|
If the specified threshold is not met, an error code (1) is returned along with non-compliant elements.
|
93
100
|
|
101
|
+
The compliance score are rounded down to the nearest whole number. For example a score of 77.3 would be displayed as 77.
|
102
|
+
|
94
103
|
```
|
95
104
|
USAGE: inspec_tools compliance [OPTIONS] -j <inspec-json> -i <threshold-inline>
|
96
105
|
inspec_tools compliance [OPTIONS] -j <inspec-json> -f <threshold-file>
|
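Review bot: subject-verb agreement in the added sentence: "The compliance score are rounded down" should read "The compliance score is rounded down to the nearest whole number". Since the same `.floor` now applies to the `summary` subcommand's "Overall compliance" line, it is worth saying here that both commands report the truncated value.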
@@ -135,22 +144,57 @@ failed.high.max: 1
|
|
135
144
|
|
136
145
|
## summary
|
137
146
|
|
138
|
-
`summary` parses an inspec results json
|
147
|
+
`summary` parses an inspec results json and displays the information from all of the tests that were run. Running the command with flags but `-j` it will display information like:
|
148
|
+
|
149
|
+
```
|
150
|
+
Overall compliance: 77%
|
151
|
+
|
152
|
+
failed
|
153
|
+
total : 41
|
154
|
+
critical : 0
|
155
|
+
high : 3
|
156
|
+
medium : 33
|
157
|
+
low : 5
|
158
|
+
passed
|
159
|
+
total : 174
|
160
|
+
critical : 0
|
161
|
+
high : 21
|
162
|
+
medium : 147
|
163
|
+
low : 6
|
164
|
+
no_impact
|
165
|
+
total : 21
|
166
|
+
critical : 0
|
167
|
+
high : 0
|
168
|
+
medium : 0
|
169
|
+
low : 0
|
170
|
+
skipped
|
171
|
+
total : 10
|
172
|
+
critical : 0
|
173
|
+
high : 2
|
174
|
+
medium : 5
|
175
|
+
low : 3
|
176
|
+
error
|
177
|
+
total : 0
|
178
|
+
critical : 0
|
179
|
+
high : 0
|
180
|
+
medium : 0
|
181
|
+
low : 0
|
182
|
+
```
|
183
|
+
|
184
|
+
Using additional flags will override the normal output and only display the output that flag specifies.
|
185
|
+
|
186
|
+
USAGE: inspec_tools summary [OPTIONS] -j <inspec-json>
|
139
187
|
|
140
188
|
```
|
141
|
-
USAGE: inspec_tools summary [OPTIONS] -j <inspec-json> -o <summary-csv>
|
142
|
-
|
143
189
|
FLAGS:
|
144
|
-
|
145
|
-
-o --output <output-json> : path to summary JSON
|
146
|
-
-c --cli, --no-cli : print formatted summary to STDOUT
|
190
|
+
-j --inspec-json <inspec-json> : path to InSpec results JSON
|
147
191
|
-V --verbose, --no-verbose : print verbose an debug output
|
148
192
|
-f --json-full, --no-json-full : print the summary STDOUT as JSON
|
149
193
|
-k --json-counts, --no-json_cou : print the reslut status to STDOUT as JSON
|
150
194
|
|
151
195
|
Examples:
|
152
196
|
|
153
|
-
inspec_tools summary -j examples/sample_json/rhel-simp.json -f
|
197
|
+
inspec_tools summary -j examples/sample_json/rhel-simp.json -f
|
154
198
|
```
|
155
199
|
|
156
200
|
## xccdf2inspec
|
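Review bot: "Running the command with flags but `-j`" is missing a word and should read "with no flags other than `-j`". In the FLAGS block, `-k --json-counts, --no-json_cou` is a truncated long form (`--no-json-counts`), "print verbose an debug output" should be "and debug", and "reslut" should be "result". The sample output does agree with the `.floor` change: 174 passed out of 225 counted (passed + failed + skipped + error) is 77.33%, shown as 77%.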
@@ -167,7 +211,7 @@ FLAGS:
|
|
167
211
|
-f --format [ruby | hash] : the format you would like (default: ruby) [optional]
|
168
212
|
-s --separate-files [true | false] : output the resulting controls as one or mutiple files (default: true) [optional]
|
169
213
|
-m --metadata <metadata-json> : path to json file with additional metadata for the inspec.yml file [optional]
|
170
|
-
-r --replace-tags <array> : A case-sensitive,
|
214
|
+
-r --replace-tags <array> : A case-sensitive, space separated list to replace tags with a $ if found in a group rules description tag [optional]
|
171
215
|
|
172
216
|
example: inspec_tools xccdf2inspec -x xccdf_file.xml -a attributes.yml -o myprofile -f ruby -s false
|
173
217
|
```
|
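Review bot: the rewritten `-r --replace-tags` line reads "in a group rules description tag"; it should be "in a group rule's description tag", and since the hunk already touches this block, fix "mutiple" on the untouched `-s --separate-files` line in the same pass.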
@@ -38,6 +38,7 @@ module HappyMapperTools
|
|
38
38
|
element :documentable, Boolean, tag: 'Documentable'
|
39
39
|
element :mitigations, String, tag: 'Mitigations'
|
40
40
|
element :severity_override_guidance, String, tag: 'SeverityOverrideGuidance'
|
41
|
+
element :security_override_guidance, String, tag: 'SecurityOverrideGuidance'
|
41
42
|
element :potential_impacts, String, tag: 'PotentialImpacts'
|
42
43
|
element :third_party_tools, String, tag: 'ThirdPartyTools'
|
43
44
|
element :mitigation_controls, String, tag: 'MitigationControl'
|
@@ -53,7 +54,8 @@ module HappyMapperTools
|
|
53
54
|
|
54
55
|
detail_tags = %i(vuln_discussion false_positives false_negatives documentable
|
55
56
|
mitigations severity_override_guidance potential_impacts
|
56
|
-
third_party_tools mitigation_controls responsibility ia_controls
|
57
|
+
third_party_tools mitigation_controls responsibility ia_controls
|
58
|
+
security_override_guidance)
|
57
59
|
|
58
60
|
detail_tags.each do |name|
|
59
61
|
define_method name do
|
@@ -140,57 +142,75 @@ module HappyMapperTools
|
|
140
142
|
end
|
141
143
|
|
142
144
|
class DescriptionDetailsType
|
143
|
-
|
144
|
-
|
145
|
-
|
145
|
+
class << self
|
146
|
+
def type
|
147
|
+
DescriptionDetails
|
148
|
+
end
|
146
149
|
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
if offending_tags.count > 1
|
162
|
-
puts "\n\nThe non-standard tags: #{offending_tags.to_s.colorize(:red)}" \
|
163
|
-
' were found in: ' + "\n\n#{value}"
|
164
|
-
else
|
165
|
-
puts "\n\nThe non-standard tag: #{offending_tags.to_s.colorize(:red)}" \
|
166
|
-
' was found in: ' + "\n\n#{value}"
|
150
|
+
def apply(value)
|
151
|
+
value = value.gsub('&', 'and')
|
152
|
+
DescriptionDetails.parse "<Details>#{value}</Details>"
|
153
|
+
rescue Nokogiri::XML::SyntaxError => e
|
154
|
+
if e.to_s.include?('StartTag')
|
155
|
+
report_invalid_start_tag(value, e)
|
156
|
+
else
|
157
|
+
report_disallowed_tags(value)
|
158
|
+
end
|
159
|
+
end
|
160
|
+
|
161
|
+
def apply?(value, _convert_to_type)
|
162
|
+
value.is_a?(String)
|
167
163
|
end
|
168
|
-
puts "\n\nPlease:\n "
|
169
|
-
option_one = '(1) ' + '(best)'.colorize(:green) + ' Use the ' +
|
170
|
-
'`-r --replace-tags array` '.colorize(:light_yellow) +
|
171
|
-
'(case sensitive) option to replace the offending tags ' \
|
172
|
-
'during processing of the XCCDF ' \
|
173
|
-
'file to use the ' +
|
174
|
-
"`$#{offending_tags[0]}` " .colorize(:light_green) +
|
175
|
-
'syntax in your InSpec profile.'
|
176
|
-
option_two = '(2) Update your XCCDF file to *not use* non-standard XCCDF ' \
|
177
|
-
'elements within ' +
|
178
|
-
'`<`,`>`, `<` '.colorize(:red) +
|
179
|
-
'or '.colorize(:default) +
|
180
|
-
'`>` '.colorize(:red) +
|
181
|
-
'as "placeholders", and use something that doesn\'t confuse ' \
|
182
|
-
'the XML parser, such as : ' +
|
183
|
-
"`$#{offending_tags[0]}`" .colorize(:light_green)
|
184
|
-
puts option_one
|
185
|
-
puts "\n"
|
186
|
-
puts option_two
|
187
|
-
# exit
|
188
|
-
end
|
189
164
|
|
190
|
-
|
191
|
-
|
165
|
+
private
|
166
|
+
|
167
|
+
def report_invalid_start_tag(value, error)
|
168
|
+
puts error.to_s.colorize(:red)
|
169
|
+
column = error.column - '<Details>'.length - 2
|
170
|
+
puts "Error around #{value[column-10..column+10].colorize(:light_yellow)}"
|
171
|
+
exit(1)
|
172
|
+
end
|
173
|
+
|
174
|
+
def report_disallowed_tags(value)
|
175
|
+
allowed_tags = %w{VulnDiscussion FalsePositives FalseNegatives Documentable
|
176
|
+
Mitigations SeverityOverrideGuidance PotentialImpacts
|
177
|
+
PotentialImpacts ThirdPartyTools MitigationControl
|
178
|
+
Responsibility IAControl SecurityOverrideGuidance}
|
179
|
+
|
180
|
+
tags_found = value.scan(%r{(?<=<)([^\/]*?)((?= \/>)|(?=>))}).to_a
|
181
|
+
|
182
|
+
tags_found = tags_found.uniq.flatten.reject!(&:empty?)
|
183
|
+
offending_tags = tags_found - allowed_tags
|
184
|
+
|
185
|
+
if offending_tags.count > 1
|
186
|
+
puts "\n\nThe non-standard tags: #{offending_tags.to_s.colorize(:red)}" \
|
187
|
+
' were found in: ' + "\n\n#{value}"
|
188
|
+
else
|
189
|
+
puts "\n\nThe non-standard tag: #{offending_tags.to_s.colorize(:red)}" \
|
190
|
+
' was found in: ' + "\n\n#{value}"
|
191
|
+
end
|
192
|
+
puts "\n\nPlease:\n "
|
193
|
+
option_one = '(1) ' + '(best)'.colorize(:green) + ' Use the ' +
|
194
|
+
'`-r --replace-tags array` '.colorize(:light_yellow) +
|
195
|
+
'(case sensitive) option to replace the offending tags ' \
|
196
|
+
'during processing of the XCCDF ' \
|
197
|
+
'file to use the ' +
|
198
|
+
"`$#{offending_tags[0]}` " .colorize(:light_green) +
|
199
|
+
'syntax in your InSpec profile.'
|
200
|
+
option_two = '(2) Update your XCCDF file to *not use* non-standard XCCDF ' \
|
201
|
+
'elements within ' +
|
202
|
+
'`<`,`>`, `<` '.colorize(:red) +
|
203
|
+
'or '.colorize(:default) +
|
204
|
+
'`>` '.colorize(:red) +
|
205
|
+
'as "placeholders", and use something that doesn\'t confuse ' \
|
206
|
+
'the XML parser, such as : ' +
|
207
|
+
"`$#{offending_tags[0]}`" .colorize(:light_green)
|
208
|
+
puts option_one
|
209
|
+
puts "\n"
|
210
|
+
puts option_two
|
211
|
+
end
|
192
212
|
end
|
213
|
+
HappyMapper::SupportedTypes.register DescriptionDetailsType
|
193
214
|
end
|
194
|
-
HappyMapper::SupportedTypes.register DescriptionDetailsType
|
195
215
|
end
|
196
216
|
end
|
@@ -200,8 +200,6 @@ module InspecPlugins
|
|
200
200
|
desc 'summary', 'summary parses an inspec results json to create a summary json'
|
201
201
|
long_desc InspecTools::Help.text(:summary)
|
202
202
|
option :inspec_json, required: true, aliases: '-j'
|
203
|
-
option :output, required: false, aliases: '-o'
|
204
|
-
option :cli, type: :boolean, required: false, aliases: '-c'
|
205
203
|
option :verbose, type: :boolean, aliases: '-V'
|
206
204
|
option :json_full, type: :boolean, required: false, aliases: '-f'
|
207
205
|
option :json_counts, type: :boolean, required: false, aliases: '-k'
|
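Review bot: removing `option :output` and `option :cli` from the `summary` command in plugin_cli.rb is a breaking change for CI scripts that run `inspec_tools summary -j ... -o summary.json`; they will no longer get a file written. Consider keeping `-o` for one release as a deprecated alias that prints a warning and still writes the JSON, and record the removal in the CHANGELOG, which currently has no line for it.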
@@ -209,7 +207,7 @@ module InspecPlugins
|
|
209
207
|
def summary
|
210
208
|
summary = InspecTools::Summary.new(File.read(options[:inspec_json])).to_summary
|
211
209
|
|
212
|
-
|
210
|
+
unless options.include?('json_full') || options.include?('json_counts')
|
213
211
|
puts "\nOverall compliance: #{summary[:compliance]}%\n\n"
|
214
212
|
summary[:status].keys.each do |category|
|
215
213
|
puts category
|
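Review bot: `unless options.include?('json_full') || options.include?('json_counts')` tests for key presence, not truth, so `--no-json-full` (which Thor accepts for a `type: :boolean` option and stores as `false`, and which the README lists) suppresses the human-readable summary while `puts json_summary if options[:json_full]` below prints nothing either, leaving the user with empty output. Testing the values, `unless options[:json_full] || options[:json_counts]`, gives the behaviour the README describes ("Using additional flags will override the normal output").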
@@ -220,7 +218,6 @@ module InspecPlugins
|
|
220
218
|
end
|
221
219
|
|
222
220
|
json_summary = summary.to_json
|
223
|
-
File.write(options[:output], json_summary) if options[:output]
|
224
221
|
puts json_summary if options[:json_full]
|
225
222
|
puts summary[:status].to_json if options[:json_counts]
|
226
223
|
end
|
data/lib/inspec_tools/summary.rb
CHANGED
@@ -10,8 +10,8 @@ HIGH = 0.7
|
|
10
10
|
MEDIUM = 0.5
|
11
11
|
LOW = 0.3
|
12
12
|
|
13
|
-
BUCKETS = %
|
14
|
-
TALLYS = %
|
13
|
+
BUCKETS = %i(failed passed no_impact skipped error).freeze
|
14
|
+
TALLYS = %i(total critical high medium low).freeze
|
15
15
|
|
16
16
|
THRESHOLD_TEMPLATE = File.expand_path('../data/threshold.yaml', File.dirname(__FILE__))
|
17
17
|
|
@@ -83,7 +83,7 @@ module InspecTools
|
|
83
83
|
(@summary[:status][:passed][:total]+
|
84
84
|
@summary[:status][:failed][:total]+
|
85
85
|
@summary[:status][:skipped][:total]+
|
86
|
-
@summary[:status][:error][:total])).
|
86
|
+
@summary[:status][:error][:total])).floor
|
87
87
|
end
|
88
88
|
|
89
89
|
def threshold_compliance
|
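Review bot: `.floor` on the compliance ratio does what the README now promises (77.3 becomes 77), but the visible denominator is the sum of the passed, failed, skipped and error totals, which is zero for a results file with no controls; depending on the numerator's type that division either raises `ZeroDivisionError` or yields `NaN`, on which `.floor` raises `FloatDomainError`. Return 0 (or raise a descriptive error) when the sum is zero before dividing.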
@@ -104,13 +104,13 @@ module InspecTools
|
|
104
104
|
TALLYS.each do |tally|
|
105
105
|
max = @threshold["#{bucket}.#{tally}.max"]
|
106
106
|
min = @threshold["#{bucket}.#{tally}.min"]
|
107
|
-
if max != -1 and status[bucket
|
107
|
+
if max != -1 and status[bucket][tally] > max
|
108
108
|
compliance = false
|
109
|
-
failure << "Expected #{bucket}.#{tally}.max:#{max} got:#{status[bucket
|
109
|
+
failure << "Expected #{bucket}.#{tally}.max:#{max} got:#{status[bucket][tally]}"
|
110
110
|
end
|
111
|
-
if min != -1 and status[bucket
|
111
|
+
if min != -1 and status[bucket][tally] < min
|
112
112
|
compliance = false
|
113
|
-
failure << "Expected #{bucket}.#{tally}.min:#{min} got:#{status[bucket
|
113
|
+
failure << "Expected #{bucket}.#{tally}.min:#{min} got:#{status[bucket][tally]}"
|
114
114
|
end
|
115
115
|
end
|
116
116
|
end
|
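Review bot: the restored comparisons `status[bucket][tally] > max` and `< min` assume `@threshold["#{bucket}.#{tally}.max"]` is numeric; when a threshold file omits a key the lookup returns `nil`, `nil != -1` is true, and `Integer#>` with a `nil` argument raises `ArgumentError` instead of a readable message. Treat a missing key like the `-1` sentinel (`next if max.nil? || max == -1`), and prefer `&&` over `and` in these conditions, since `and` binds more loosely than assignment and RuboCop flags it under Style/AndOr.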
data/lib/inspec_tools/xccdf.rb
CHANGED
@@ -140,6 +140,7 @@ module InspecTools
|
|
140
140
|
control['tags']['documentable'] = group.rule.description.documentable if group.rule.description.documentable != ''
|
141
141
|
control['tags']['mitigations'] = group.rule.description.false_negatives if group.rule.description.mitigations != ''
|
142
142
|
control['tags']['severity_override_guidance'] = group.rule.description.severity_override_guidance if group.rule.description.severity_override_guidance != ''
|
143
|
+
control['tags']['security_override_guidance'] = group.rule.description.security_override_guidance if group.rule.description.security_override_guidance != ''
|
143
144
|
control['tags']['potential_impacts'] = group.rule.description.potential_impacts if group.rule.description.potential_impacts != ''
|
144
145
|
control['tags']['third_party_tools'] = group.rule.description.third_party_tools if group.rule.description.third_party_tools != ''
|
145
146
|
control['tags']['mitigation_controls'] = group.rule.description.mitigation_controls if group.rule.description.mitigation_controls != ''
|
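Review bot: the unchanged context line directly above the addition carries a copy-paste error worth fixing in this same hunk: `control['tags']['mitigations'] = group.rule.description.false_negatives if group.rule.description.mitigations != ''` stores the FalseNegatives text under the `mitigations` tag; it should read `= group.rule.description.mitigations`. The new `security_override_guidance` line itself matches the element and `detail_tags` entries added in stig_attributes.rb.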
@@ -11,6 +11,7 @@ require 'overrides/true_class'
|
|
11
11
|
require 'overrides/nil_class'
|
12
12
|
require 'overrides/object'
|
13
13
|
require 'overrides/string'
|
14
|
+
require 'rubocop'
|
14
15
|
|
15
16
|
# rubocop:disable Metrics/ClassLength
|
16
17
|
# rubocop:disable Metrics/AbcSize
|
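Review bot: `require 'rubocop'` at the top of inspec_util.rb loads the whole RuboCop gem every time the utilities are required, including for commands that never generate a profile (`summary`, `compliance`); move the require into the method that builds the `::RuboCop::Runner` so that only profile generation pays the load cost.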
@@ -314,6 +315,7 @@ module Utils
|
|
314
315
|
control.add_tag(::Inspec::Object::Tag.new('documentable', json_control['tags']['documentable'])) unless json_control['tags']['documentable'].blank?
|
315
316
|
control.add_tag(::Inspec::Object::Tag.new('mitigations', json_control['tags']['mitigations'])) unless json_control['tags']['mitigations'].blank?
|
316
317
|
control.add_tag(::Inspec::Object::Tag.new('severity_override_guidance', json_control['tags']['severity_override_guidance'])) unless json_control['tags']['severity_override_guidance'].blank?
|
318
|
+
control.add_tag(::Inspec::Object::Tag.new('security_override_guidance', json_control['tags']['security_override_guidance'])) unless json_control['tags']['security_override_guidance'].blank?
|
317
319
|
control.add_tag(::Inspec::Object::Tag.new('potential_impacts', json_control['tags']['potential_impacts'])) unless json_control['tags']['potential_impacts'].blank?
|
318
320
|
control.add_tag(::Inspec::Object::Tag.new('third_party_tools', json_control['tags']['third_party_tools'])) unless json_control['tags']['third_party_tools'].blank?
|
319
321
|
control.add_tag(::Inspec::Object::Tag.new('mitigation_controls', json_control['tags']['mitigation_controls'])) unless json_control['tags']['mitigation_controls'].blank?
|
@@ -393,7 +395,7 @@ module Utils
|
|
393
395
|
file_name = control.id.to_s
|
394
396
|
myfile = File.new("#{directory}/controls/#{file_name}.rb", 'w')
|
395
397
|
myfile.puts "# encoding: UTF-8\n\n"
|
396
|
-
myfile.puts wrap(control.to_ruby
|
398
|
+
myfile.puts wrap(control.to_ruby, WIDTH) + "\n"
|
397
399
|
myfile.close
|
398
400
|
end
|
399
401
|
else
|
@@ -424,6 +426,10 @@ module Utils
|
|
424
426
|
end
|
425
427
|
myfile.close
|
426
428
|
end
|
429
|
+
config_store = ::RuboCop::ConfigStore.new
|
430
|
+
config_store.options_config = File.join(File.dirname(__FILE__), '../data/rubocop.yml')
|
431
|
+
rubocop = ::RuboCop::Runner.new({ auto_correct: true }, config_store)
|
432
|
+
rubocop.run([directory])
|
427
433
|
end
|
428
434
|
end
|
429
435
|
end
|
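Review bot: `rubocop.run([directory])` with `auto_correct: true` rewrites every Ruby file under `directory`, not only the control files this method just wrote, so pointing the output option at an existing profile directory auto-corrects the user's own unrelated files; pass the list of generated file paths instead of the directory. The return value of `run` is discarded, so a failed correction goes unreported, and the `{ auto_correct: true }` options hash is an internal RuboCop interface rather than a documented API, which makes the unpinned `rubocop` runtime dependency declared in the metadata fragile.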
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: inspec_tools
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.0.
|
4
|
+
version: 2.0.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Robert Thew
|
@@ -11,7 +11,7 @@ authors:
|
|
11
11
|
autorequire:
|
12
12
|
bindir: exe
|
13
13
|
cert_chain: []
|
14
|
-
date: 2020-
|
14
|
+
date: 2020-07-01 00:00:00.000000000 Z
|
15
15
|
dependencies:
|
16
16
|
- !ruby/object:Gem::Dependency
|
17
17
|
name: colorize
|
@@ -151,22 +151,22 @@ dependencies:
|
|
151
151
|
requirements:
|
152
152
|
- - ">="
|
153
153
|
- !ruby/object:Gem::Version
|
154
|
-
version: 0.17.
|
154
|
+
version: 0.17.3
|
155
155
|
type: :runtime
|
156
156
|
prerelease: false
|
157
157
|
version_requirements: !ruby/object:Gem::Requirement
|
158
158
|
requirements:
|
159
159
|
- - ">="
|
160
160
|
- !ruby/object:Gem::Version
|
161
|
-
version: 0.17.
|
161
|
+
version: 0.17.3
|
162
162
|
- !ruby/object:Gem::Dependency
|
163
|
-
name:
|
163
|
+
name: rubocop
|
164
164
|
requirement: !ruby/object:Gem::Requirement
|
165
165
|
requirements:
|
166
166
|
- - ">="
|
167
167
|
- !ruby/object:Gem::Version
|
168
168
|
version: '0'
|
169
|
-
type: :
|
169
|
+
type: :runtime
|
170
170
|
prerelease: false
|
171
171
|
version_requirements: !ruby/object:Gem::Requirement
|
172
172
|
requirements:
|
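Review bot: `rubocop` is added as a `:runtime` dependency with `version: '0'` under `>=`, while inspec_util.rb calls `::RuboCop::ConfigStore`, `#options_config=` and `::RuboCop::Runner.new` with an options hash; none of those is guaranteed stable across RuboCop releases, so constrain the requirement to a tested range (for example a pessimistic `~>` on the version this was developed against).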
@@ -174,7 +174,7 @@ dependencies:
|
|
174
174
|
- !ruby/object:Gem::Version
|
175
175
|
version: '0'
|
176
176
|
- !ruby/object:Gem::Dependency
|
177
|
-
name:
|
177
|
+
name: bundler
|
178
178
|
requirement: !ruby/object:Gem::Requirement
|
179
179
|
requirements:
|
180
180
|
- - ">="
|
@@ -188,7 +188,7 @@ dependencies:
|
|
188
188
|
- !ruby/object:Gem::Version
|
189
189
|
version: '0'
|
190
190
|
- !ruby/object:Gem::Dependency
|
191
|
-
name:
|
191
|
+
name: minitest
|
192
192
|
requirement: !ruby/object:Gem::Requirement
|
193
193
|
requirements:
|
194
194
|
- - ">="
|
@@ -202,7 +202,7 @@ dependencies:
|
|
202
202
|
- !ruby/object:Gem::Version
|
203
203
|
version: '0'
|
204
204
|
- !ruby/object:Gem::Dependency
|
205
|
-
name:
|
205
|
+
name: pry
|
206
206
|
requirement: !ruby/object:Gem::Requirement
|
207
207
|
requirements:
|
208
208
|
- - ">="
|
@@ -216,7 +216,7 @@ dependencies:
|
|
216
216
|
- !ruby/object:Gem::Version
|
217
217
|
version: '0'
|
218
218
|
- !ruby/object:Gem::Dependency
|
219
|
-
name:
|
219
|
+
name: rake
|
220
220
|
requirement: !ruby/object:Gem::Requirement
|
221
221
|
requirements:
|
222
222
|
- - ">="
|
@@ -230,7 +230,7 @@ dependencies:
|
|
230
230
|
- !ruby/object:Gem::Version
|
231
231
|
version: '0'
|
232
232
|
- !ruby/object:Gem::Dependency
|
233
|
-
name:
|
233
|
+
name: codeclimate-test-reporter
|
234
234
|
requirement: !ruby/object:Gem::Requirement
|
235
235
|
requirements:
|
236
236
|
- - ">="
|
@@ -244,7 +244,7 @@ dependencies:
|
|
244
244
|
- !ruby/object:Gem::Version
|
245
245
|
version: '0'
|
246
246
|
- !ruby/object:Gem::Dependency
|
247
|
-
name:
|
247
|
+
name: simplecov
|
248
248
|
requirement: !ruby/object:Gem::Requirement
|
249
249
|
requirements:
|
250
250
|
- - ">="
|
@@ -292,6 +292,7 @@ files:
|
|
292
292
|
- lib/data/attributes.yml
|
293
293
|
- lib/data/cci2html.xsl
|
294
294
|
- lib/data/mapping.yml
|
295
|
+
- lib/data/rubocop.yml
|
295
296
|
- lib/data/stig.csv
|
296
297
|
- lib/data/threshold.yaml
|
297
298
|
- lib/exceptions/impact_input_error.rb
|
@@ -348,9 +349,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
348
349
|
version: '2.5'
|
349
350
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
350
351
|
requirements:
|
351
|
-
- - "
|
352
|
+
- - ">="
|
352
353
|
- !ruby/object:Gem::Version
|
353
|
-
version:
|
354
|
+
version: '0'
|
354
355
|
requirements: []
|
355
356
|
rubygems_version: 3.1.2
|
356
357
|
signing_key:
|