inspec_tools 2.0.2.pre8 → 2.0.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +91 -2
- data/README.md +51 -7
- data/lib/data/attributes.yml +7 -8
- data/lib/inspec_tools/csv.rb +4 -1
- data/lib/inspec_tools/inspec.rb +2 -4
- data/lib/inspec_tools/pdf.rb +1 -0
- data/lib/inspec_tools/plugin_cli.rb +1 -4
- data/lib/inspec_tools/summary.rb +8 -8
- data/lib/inspec_tools/xccdf.rb +1 -0
- data/lib/utilities/inspec_util.rb +48 -23
- metadata +6 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d99887f62c18c23143d73ceb049277beaf493a765dc1df5beec9fee9b9bb7dca
|
4
|
+
data.tar.gz: c2613ab9b76c9dae510ba8c57a27664989161cc8dd0cfec099f1365a9743030f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: e8f1fd2c3b491e7c3ef65c76c250e16e6e00cbb03ae0d3ed8c6c23bc8598ba31f8315bd72e6bcfb76b22c4a054f881852de0f290789c6d5bab304afc616003f4
|
7
|
+
data.tar.gz: ad843429c15e5e10c655860a6178b20d088decbd4f6bc92817183635b45c7478be16b30baf6883d3e1565f47c0926226e117482351137811829c9e147de4be3e
|
data/CHANGELOG.md
CHANGED
@@ -2,7 +2,96 @@
|
|
2
2
|
|
3
3
|
## [Unreleased](https://github.com/mitre/inspec_tools/tree/HEAD)
|
4
4
|
|
5
|
-
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.2.
|
5
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.2.pre13...HEAD)
|
6
|
+
|
7
|
+
**Implemented enhancements:**
|
8
|
+
|
9
|
+
- Round compliance score down [\#146](https://github.com/mitre/inspec_tools/issues/146)
|
10
|
+
|
11
|
+
**Fixed bugs:**
|
12
|
+
|
13
|
+
- inspec\_tools docker images is not actually showing results to cli [\#183](https://github.com/mitre/inspec_tools/issues/183)
|
14
|
+
|
15
|
+
**Closed issues:**
|
16
|
+
|
17
|
+
- inspec\_tools docker container doesn't let me go into a bash shell [\#184](https://github.com/mitre/inspec_tools/issues/184)
|
18
|
+
- Add a Dockerfile so folks can eaily add this into their ci/cd container workflows [\#162](https://github.com/mitre/inspec_tools/issues/162)
|
19
|
+
|
20
|
+
**Merged pull requests:**
|
21
|
+
|
22
|
+
- Every usage of Bucket and Tally uses it as a symbol, making it a symbol as part of its declaration [\#187](https://github.com/mitre/inspec_tools/pull/187) ([rbclark](https://github.com/rbclark))
|
23
|
+
- Summary output [\#186](https://github.com/mitre/inspec_tools/pull/186) ([jsa5593](https://github.com/jsa5593))
|
24
|
+
- Compliance score is rounded down and the README is updated [\#185](https://github.com/mitre/inspec_tools/pull/185) ([jsa5593](https://github.com/jsa5593))
|
25
|
+
|
26
|
+
## [v2.0.2.pre13](https://github.com/mitre/inspec_tools/tree/v2.0.2.pre13) (2020-05-22)
|
27
|
+
|
28
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.2.pre12...v2.0.2.pre13)
|
29
|
+
|
30
|
+
**Implemented enhancements:**
|
31
|
+
|
32
|
+
- Ruby to docker [\#181](https://github.com/mitre/inspec_tools/pull/181) ([jsa5593](https://github.com/jsa5593))
|
33
|
+
|
34
|
+
**Fixed bugs:**
|
35
|
+
|
36
|
+
- All Impacts Parsed from PDF are Medium [\#173](https://github.com/mitre/inspec_tools/issues/173)
|
37
|
+
|
38
|
+
**Merged pull requests:**
|
39
|
+
|
40
|
+
- Git version bump version 0.17.2 is broken due to a faulty regex. [\#182](https://github.com/mitre/inspec_tools/pull/182) ([rbclark](https://github.com/rbclark))
|
41
|
+
|
42
|
+
## [v2.0.2.pre12](https://github.com/mitre/inspec_tools/tree/v2.0.2.pre12) (2020-05-07)
|
43
|
+
|
44
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.2.pre11...v2.0.2.pre12)
|
45
|
+
|
46
|
+
**Merged pull requests:**
|
47
|
+
|
48
|
+
- Require a newer version of git-lite-version-bump for Windows support [\#178](https://github.com/mitre/inspec_tools/pull/178) ([rbclark](https://github.com/rbclark))
|
49
|
+
|
50
|
+
## [v2.0.2.pre11](https://github.com/mitre/inspec_tools/tree/v2.0.2.pre11) (2020-05-07)
|
51
|
+
|
52
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.2.pre10...v2.0.2.pre11)
|
53
|
+
|
54
|
+
**Merged pull requests:**
|
55
|
+
|
56
|
+
- git-lite-version-bump 0.17.0 is not compatible with Windows [\#176](https://github.com/mitre/inspec_tools/pull/176) ([rbclark](https://github.com/rbclark))
|
57
|
+
|
58
|
+
## [v2.0.2.pre10](https://github.com/mitre/inspec_tools/tree/v2.0.2.pre10) (2020-05-06)
|
59
|
+
|
60
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.2.pre9...v2.0.2.pre10)
|
61
|
+
|
62
|
+
**Implemented enhancements:**
|
63
|
+
|
64
|
+
- Standardize Severity Tag on CVSS 3.0 Terms [\#107](https://github.com/mitre/inspec_tools/issues/107)
|
65
|
+
|
66
|
+
**Merged pull requests:**
|
67
|
+
|
68
|
+
- Standardize Output of Severity and Impact to CVSS v3.0 terms [\#174](https://github.com/mitre/inspec_tools/pull/174) ([Bialogs](https://github.com/Bialogs))
|
69
|
+
|
70
|
+
## [v2.0.2.pre9](https://github.com/mitre/inspec_tools/tree/v2.0.2.pre9) (2020-05-04)
|
71
|
+
|
72
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.2.pre8...v2.0.2.pre9)
|
73
|
+
|
74
|
+
**Implemented enhancements:**
|
75
|
+
|
76
|
+
- Ensure the output of our converters formats with a standard of 2-space [\#140](https://github.com/mitre/inspec_tools/issues/140)
|
77
|
+
- Ensure we do not create code that uses " where ' are the correct style [\#138](https://github.com/mitre/inspec_tools/issues/138)
|
78
|
+
|
79
|
+
**Fixed bugs:**
|
80
|
+
|
81
|
+
- Summary always returns 0 for profile errors [\#164](https://github.com/mitre/inspec_tools/issues/164)
|
82
|
+
- Multiple fields missing from CKL generated with inspec2ckl [\#150](https://github.com/mitre/inspec_tools/issues/150)
|
83
|
+
- update inspec2ckl to support both tag and sub-descriptions in output [\#148](https://github.com/mitre/inspec_tools/issues/148)
|
84
|
+
|
85
|
+
**Merged pull requests:**
|
86
|
+
|
87
|
+
- Apply fixes from CodeFactor [\#172](https://github.com/mitre/inspec_tools/pull/172) ([aaronlippold](https://github.com/aaronlippold))
|
88
|
+
- Add parameter to InspecUtils\#control\_status to specify when used for summary. [\#170](https://github.com/mitre/inspec_tools/pull/170) ([Bialogs](https://github.com/Bialogs))
|
89
|
+
- Generate Ruby with Single Quoted Strings [\#169](https://github.com/mitre/inspec_tools/pull/169) ([Bialogs](https://github.com/Bialogs))
|
90
|
+
- Update CKL parse method to dig into sub descriptions [\#168](https://github.com/mitre/inspec_tools/pull/168) ([Bialogs](https://github.com/Bialogs))
|
91
|
+
|
92
|
+
## [v2.0.2.pre8](https://github.com/mitre/inspec_tools/tree/v2.0.2.pre8) (2020-04-30)
|
93
|
+
|
94
|
+
[Full Changelog](https://github.com/mitre/inspec_tools/compare/v2.0.2.pre7...v2.0.2.pre8)
|
6
95
|
|
7
96
|
**Fixed bugs:**
|
8
97
|
|
@@ -456,6 +545,7 @@
|
|
456
545
|
|
457
546
|
- Update Profile logic include control exceptions [\#75](https://github.com/mitre/inspec_tools/pull/75) ([rx294](https://github.com/rx294))
|
458
547
|
- Null Byte in json report causes inspec2ckl to bomb-out [\#73](https://github.com/mitre/inspec_tools/pull/73) ([kevin-j-smith](https://github.com/kevin-j-smith))
|
548
|
+
- Add in 'inspec' and 'fileutils' require statements [\#65](https://github.com/mitre/inspec_tools/pull/65) ([samcornwell](https://github.com/samcornwell))
|
459
549
|
|
460
550
|
## [v1.6.0](https://github.com/mitre/inspec_tools/tree/v1.6.0) (2019-10-04)
|
461
551
|
|
@@ -501,7 +591,6 @@
|
|
501
591
|
|
502
592
|
**Merged pull requests:**
|
503
593
|
|
504
|
-
- Add in 'inspec' and 'fileutils' require statements [\#65](https://github.com/mitre/inspec_tools/pull/65) ([samcornwell](https://github.com/samcornwell))
|
505
594
|
- Apply fixes from CodeFactor [\#61](https://github.com/mitre/inspec_tools/pull/61) ([aaronlippold](https://github.com/aaronlippold))
|
506
595
|
|
507
596
|
## [v1.3.6](https://github.com/mitre/inspec_tools/tree/v1.3.6) (2019-05-02)
|
data/README.md
CHANGED
@@ -61,6 +61,13 @@ xccdf_results = tool.to_xccdf(attribs_json)
|
|
61
61
|
On the Command Line, `inspec_tools help` will print a listing of all the command with a short description.
|
62
62
|
For detailed help on any command, run `inspec_tools help [COMMAND]`. Help can also be called with the `-h, --help` flags after any command, like `inspec_tools xccdf2inspec -h`.
|
63
63
|
|
64
|
+
For Docker usage, replace the `inspec_tools` command with the correct Docker command below for your operating system:
|
65
|
+
|
66
|
+
- **On Linux and Mac**: `docker run -it -v$(pwd):/share mitre/inspec_tools`
|
67
|
+
- **On Windows CMD**: `docker run -it -v%cd%:/share mitre/inspec_tools`
|
68
|
+
|
69
|
+
Note that all of the above Docker commands will mount your current directory on the Docker container. Ensure that you have navigated to the directory you intend to convert files in before executing the command.
|
70
|
+
|
64
71
|
### generate_map
|
65
72
|
|
66
73
|
This command will generate a `mapping.xml` file that can be passed in to the `csv2inspec` command with the `--m` option.
|
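Review bot: In the added Linux and Mac command, `-v$(pwd):/share` leaves the command substitution unquoted, so a working directory whose path contains spaces is split into several arguments and the mount fails; write it as `-v "$(pwd)":/share`, and quote `%cd%` the same way in the CMD variant. The closing note should also say that the bind mount is read-write, so the container can modify everything under the current directory, and that `mitre/inspec_tools` without a tag pulls whatever `latest` currently points to; pinning a version tag in the README example would make runs reproducible.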
@@ -91,6 +98,8 @@ USAGE: inspec_tools generate_inspec_metadata
|
|
91
98
|
|
92
99
|
If the specified threshold is not met, an error code (1) is returned along with non-compliant elements.
|
93
100
|
|
101
|
+
The compliance score are rounded down to the nearest whole number. For example a score of 77.3 would be displayed as 77.
|
102
|
+
|
94
103
|
```
|
95
104
|
USAGE: inspec_tools compliance [OPTIONS] -j <inspec-json> -i <threshold-inline>
|
96
105
|
inspec_tools compliance [OPTIONS] -j <inspec-json> -f <threshold-file>
|
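Review bot: The added sentence has a subject-verb mismatch ("The compliance score are rounded down"); suggest "The compliance score is rounded down to the nearest whole number. For example, a score of 77.3 is displayed as 77." Since the paragraph just above describes a pass/fail threshold, it is worth stating here whether the threshold is compared against the rounded or the unrounded score.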
@@ -135,22 +144,57 @@ failed.high.max: 1
|
|
135
144
|
|
136
145
|
## summary
|
137
146
|
|
138
|
-
`summary` parses an inspec results json
|
147
|
+
`summary` parses an inspec results json and displays the information from all of the tests that were run. Running the command with flags but `-j` it will display information like:
|
148
|
+
|
149
|
+
```
|
150
|
+
Overall compliance: 77%
|
151
|
+
|
152
|
+
failed
|
153
|
+
total : 41
|
154
|
+
critical : 0
|
155
|
+
high : 3
|
156
|
+
medium : 33
|
157
|
+
low : 5
|
158
|
+
passed
|
159
|
+
total : 174
|
160
|
+
critical : 0
|
161
|
+
high : 21
|
162
|
+
medium : 147
|
163
|
+
low : 6
|
164
|
+
no_impact
|
165
|
+
total : 21
|
166
|
+
critical : 0
|
167
|
+
high : 0
|
168
|
+
medium : 0
|
169
|
+
low : 0
|
170
|
+
skipped
|
171
|
+
total : 10
|
172
|
+
critical : 0
|
173
|
+
high : 2
|
174
|
+
medium : 5
|
175
|
+
low : 3
|
176
|
+
error
|
177
|
+
total : 0
|
178
|
+
critical : 0
|
179
|
+
high : 0
|
180
|
+
medium : 0
|
181
|
+
low : 0
|
182
|
+
```
|
183
|
+
|
184
|
+
Using additional flags will override the normal output and only display the output that flag specifies.
|
185
|
+
|
186
|
+
USAGE: inspec_tools summary [OPTIONS] -j <inspec-json>
|
139
187
|
|
140
188
|
```
|
141
|
-
USAGE: inspec_tools summary [OPTIONS] -j <inspec-json> -o <summary-csv>
|
142
|
-
|
143
189
|
FLAGS:
|
144
|
-
|
145
|
-
-o --output <output-json> : path to summary JSON
|
146
|
-
-c --cli, --no-cli : print summary to STDOUT
|
190
|
+
-j --inspec-json <inspec-json> : path to InSpec results JSON
|
147
191
|
-V --verbose, --no-verbose : print verbose an debug output
|
148
192
|
-f --json-full, --no-json-full : print the summary STDOUT as JSON
|
149
193
|
-k --json-counts, --no-json_cou : print the reslut status to STDOUT as JSON
|
150
194
|
|
151
195
|
Examples:
|
152
196
|
|
153
|
-
inspec_tools summary -j examples/sample_json/rhel-simp.json -f
|
197
|
+
inspec_tools summary -j examples/sample_json/rhel-simp.json -f
|
154
198
|
```
|
155
199
|
|
156
200
|
## xccdf2inspec
|
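Review bot: The new `USAGE: inspec_tools summary [OPTIONS] -j <inspec-json>` line is added above the opening code fence, while the old USAGE line inside the fence is removed, so the usage now renders as a paragraph and the fenced block starts at `FLAGS:`; move the new line inside the fence. The phrase "Running the command with flags but `-j`" is hard to parse; something like "Running the command with only the `-j` flag displays:" says what is meant. The `-o` and `-c` flags disappear from the documentation without a word about it, which is a breaking change for existing scripts and deserves a sentence here or in the changelog.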
data/lib/data/attributes.yml
CHANGED
@@ -1,24 +1,23 @@
|
|
1
1
|
---
|
2
2
|
benchmark.title: PostgreSQL 9.x Security Technical Implementation Guide
|
3
3
|
benchmark.id: PostgreSQL_9-x_STIG
|
4
|
-
benchmark.description:
|
5
|
-
"This Security Technical Implementation Guide is published
|
4
|
+
benchmark.description: 'This Security Technical Implementation Guide is published
|
6
5
|
as a tool to improve the security of Department of Defense (DoD) information systems.
|
7
6
|
The requirements are derived from the National Institute of Standards and Technology
|
8
7
|
(NIST) 800-53 and related documents. Comments or proposed revisions to this document
|
9
|
-
should be sent via email to the following address: disa.stig_spt@mail.mil.
|
10
|
-
benchmark.version:
|
8
|
+
should be sent via email to the following address: disa.stig_spt@mail.mil.'
|
9
|
+
benchmark.version: '1'
|
11
10
|
benchmark.status: accepted
|
12
|
-
benchmark.status.date:
|
11
|
+
benchmark.status.date: '2017-01-20'
|
13
12
|
benchmark.notice.id: terms-of-use
|
14
|
-
benchmark.plaintext:
|
13
|
+
benchmark.plaintext: 'Release: 1 Benchmark Date: 20 Jan 2017'
|
15
14
|
benchmark.plaintext.id: release-info
|
16
|
-
reference.href:
|
15
|
+
reference.href: http://iase.disa.mil
|
17
16
|
reference.dc.publisher: DISA
|
18
17
|
reference.dc.source: STIG.DOD.MIL
|
19
18
|
reference.dc.title: DPMS Target PostgreSQL 9.x
|
20
19
|
reference.dc.subject: PostgreSQL 9.x
|
21
20
|
reference.dc.type: DPMS Target
|
22
|
-
reference.dc.identifier:
|
21
|
+
reference.dc.identifier: '3087'
|
23
22
|
content_ref.name: M
|
24
23
|
content_ref.href: DPMS_XCCDF_Benchmark_PostgreSQL_9-x_STIG.xml
|
data/lib/inspec_tools/csv.rb
CHANGED
@@ -90,7 +90,10 @@ module InspecTools
|
|
90
90
|
@mapping['control.tags'].each do |tag|
|
91
91
|
control['tags'][tag.first.to_s] = row[tag.last] unless row[tag.last].nil?
|
92
92
|
end
|
93
|
-
|
93
|
+
unless @mapping['control.tags']['severity'].nil? || row[@mapping['control.tags']['severity']].nil?
|
94
|
+
control['impact'] = Utils::InspecUtil.get_impact(row[@mapping['control.tags']['severity']])
|
95
|
+
control['tags']['severity'] = Utils::InspecUtil.get_impact_string(control['impact'])
|
96
|
+
end
|
94
97
|
@controls << control
|
95
98
|
end
|
96
99
|
end
|
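Review bot: The added `Utils::InspecUtil.get_impact(row[...])` call raises `SeverityInputError` for any value it does not recognise, and nothing in this block rescues it, so a single unexpected severity cell aborts the conversion of the whole CSV. Either rescue the error and re-raise with the row or control id in the message, or decide on a fallback and document it. Two further points on the same block: the raw severity that the `each` loop above just wrote into `control['tags']['severity']` is overwritten with the normalised string, and with the default `use_cvss_terms: true` a source value of critical is stored as impact 0.7 and tag 'high', which should be stated in the README. Assigning `@mapping['control.tags']['severity']` to a local would also remove the triple lookup.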
data/lib/inspec_tools/inspec.rb
CHANGED
@@ -151,7 +151,7 @@ module InspecTools
|
|
151
151
|
stig_data_list += handle_cci_ref(control)
|
152
152
|
stig_data_list << handle_stigref
|
153
153
|
|
154
|
-
vuln.stig_data = stig_data_list.reject
|
154
|
+
vuln.stig_data = stig_data_list.reject(&:nil?)
|
155
155
|
vuln.status = Utils::InspecUtil.control_status(control)
|
156
156
|
vuln.comments = "\nAutomated compliance tests brought to you by the MITRE corporation and the InSpec project.\n\nInspec Profile: #{control[:profile_name]}\nProfile shasum: #{control[:profile_shasum]}"
|
157
157
|
vuln.finding_details = Utils::InspecUtil.control_finding_details(control, vuln.status)
|
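Review bot: On the changed `vuln.stig_data` line, `stig_data_list.reject(&:nil?)` is the long form of `stig_data_list.compact`; `compact` is the idiomatic call and reads more clearly.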
@@ -304,11 +304,9 @@ module InspecTools
|
|
304
304
|
def handle_severity(control)
|
305
305
|
return if control[:impact].nil?
|
306
306
|
|
307
|
-
value = Utils::InspecUtil.get_impact_string(control[:impact])
|
307
|
+
value = Utils::InspecUtil.get_impact_string(control[:impact], use_cvss_terms: false)
|
308
308
|
return if value == 'none'
|
309
309
|
|
310
|
-
value = 'high' if value == 'critical'
|
311
|
-
|
312
310
|
HappyMapperTools::StigChecklist::StigData.new('Severity', value)
|
313
311
|
end
|
314
312
|
|
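Review bot: In `handle_severity`, passing `use_cvss_terms: false` while deleting `value = 'high' if value == 'critical'` changes what reaches the checklist: with the flag false, `get_impact_string` returns 'critical' for the top impact band, and nothing maps it to 'high' any more, so `StigData.new('Severity', value)` can now receive 'critical'. If the intent was only to drop the now-redundant remap, the call should use the default (`use_cvss_terms: true`), which already returns 'high' for that band; if emitting 'critical' is intended, a test and a changelog line for the new checklist value are needed.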
data/lib/inspec_tools/pdf.rb
CHANGED
@@ -65,6 +65,7 @@ module InspecTools
|
|
65
65
|
control['desc'] = contr[:descr]
|
66
66
|
control['impact'] = Utils::InspecUtil.get_impact('medium')
|
67
67
|
control['tags'] = {}
|
68
|
+
control['tags']['severity'] = Utils::InspecUtil.get_impact_string(control['impact'])
|
68
69
|
control['tags']['ref'] = contr[:ref] unless contr[:ref].nil?
|
69
70
|
control['tags']['applicability'] = contr[:applicability] unless contr[:applicability].nil?
|
70
71
|
control['tags']['cis_id'] = contr[:title].split(' ')[0] unless contr[:title].nil?
|
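Review bot: The added `control['tags']['severity']` line derives its value from `control['impact']`, which the line directly above hardcodes to `get_impact('medium')`, so every control parsed from a PDF gets severity 'medium' regardless of the source document. The changelog in this release lists "All Impacts Parsed from PDF are Medium" (#173) under fixed bugs; either parse the real value here or leave the tag unset so consumers do not treat a placeholder as an assessed severity.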
@@ -200,8 +200,6 @@ module InspecPlugins
|
|
200
200
|
desc 'summary', 'summary parses an inspec results json to create a summary json'
|
201
201
|
long_desc InspecTools::Help.text(:summary)
|
202
202
|
option :inspec_json, required: true, aliases: '-j'
|
203
|
-
option :output, required: false, aliases: '-o'
|
204
|
-
option :cli, type: :boolean, required: false, aliases: '-c'
|
205
203
|
option :verbose, type: :boolean, aliases: '-V'
|
206
204
|
option :json_full, type: :boolean, required: false, aliases: '-f'
|
207
205
|
option :json_counts, type: :boolean, required: false, aliases: '-k'
|
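Review bot: With `option :output` removed, the `desc` string on the first line of this hunk still says the command parses results "to create a summary json", which no longer describes what it does; update it to say the summary is printed to STDOUT. Removing `-o` and `-c` is a breaking CLI change, so it should be called out in the changelog rather than only listed as "Summary output".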
@@ -209,7 +207,7 @@ module InspecPlugins
|
|
209
207
|
def summary
|
210
208
|
summary = InspecTools::Summary.new(File.read(options[:inspec_json])).to_summary
|
211
209
|
|
212
|
-
|
210
|
+
unless options.include?('json_full') || options.include?('json_counts')
|
213
211
|
puts "\nOverall compliance: #{summary[:compliance]}%\n\n"
|
214
212
|
summary[:status].keys.each do |category|
|
215
213
|
puts category
|
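Review bot: The new guard `unless options.include?('json_full') || options.include?('json_counts')` tests whether the keys are present, while the lines further down test `options[:json_full]` and `options[:json_counts]` for truthiness. When a key is present with a false value (the README documents `--no-json-full` and a `--no-` form for the counts flag), the text summary is suppressed and no JSON is printed either, so the command produces no output. Use `unless options[:json_full] || options[:json_counts]` so both checks agree.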
@@ -220,7 +218,6 @@ module InspecPlugins
|
|
220
218
|
end
|
221
219
|
|
222
220
|
json_summary = summary.to_json
|
223
|
-
File.write(options[:output], json_summary) if options[:output]
|
224
221
|
puts json_summary if options[:json_full]
|
225
222
|
puts summary[:status].to_json if options[:json_counts]
|
226
223
|
end
|
data/lib/inspec_tools/summary.rb
CHANGED
@@ -10,8 +10,8 @@ HIGH = 0.7
|
|
10
10
|
MEDIUM = 0.5
|
11
11
|
LOW = 0.3
|
12
12
|
|
13
|
-
BUCKETS = %
|
14
|
-
TALLYS = %
|
13
|
+
BUCKETS = %i(failed passed no_impact skipped error).freeze
|
14
|
+
TALLYS = %i(total critical high medium low).freeze
|
15
15
|
|
16
16
|
THRESHOLD_TEMPLATE = File.expand_path('../data/threshold.yaml', File.dirname(__FILE__))
|
17
17
|
|
@@ -26,7 +26,7 @@ module InspecTools
|
|
26
26
|
@summary = {}
|
27
27
|
@data.keys.each do |control_id|
|
28
28
|
current_control = @data[control_id]
|
29
|
-
current_control[:compliance_status] = Utils::InspecUtil.control_status(current_control)
|
29
|
+
current_control[:compliance_status] = Utils::InspecUtil.control_status(current_control, true)
|
30
30
|
current_control[:finding_details] = Utils::InspecUtil.control_finding_details(current_control, current_control[:compliance_status])
|
31
31
|
end
|
32
32
|
compute_summary
|
@@ -83,7 +83,7 @@ module InspecTools
|
|
83
83
|
(@summary[:status][:passed][:total]+
|
84
84
|
@summary[:status][:failed][:total]+
|
85
85
|
@summary[:status][:skipped][:total]+
|
86
|
-
@summary[:status][:error][:total])).
|
86
|
+
@summary[:status][:error][:total])).floor
|
87
87
|
end
|
88
88
|
|
89
89
|
def threshold_compliance
|
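Review bot: The added `.floor` is applied to a quotient whose denominator, as visible here, is the sum of the passed, failed, skipped and error totals; when a results file contains no such controls that sum is zero, integer division raises ZeroDivisionError and float division yields NaN, on which `.floor` raises FloatDomainError. Guard the zero case explicitly and return a defined score (or a clear error) before dividing.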
@@ -104,13 +104,13 @@ module InspecTools
|
|
104
104
|
TALLYS.each do |tally|
|
105
105
|
max = @threshold["#{bucket}.#{tally}.max"]
|
106
106
|
min = @threshold["#{bucket}.#{tally}.min"]
|
107
|
-
if max != -1 and status[bucket
|
107
|
+
if max != -1 and status[bucket][tally] > max
|
108
108
|
compliance = false
|
109
|
-
failure << "Expected #{bucket}.#{tally}.max:#{max} got:#{status[bucket
|
109
|
+
failure << "Expected #{bucket}.#{tally}.max:#{max} got:#{status[bucket][tally]}"
|
110
110
|
end
|
111
|
-
if min != -1 and status[bucket
|
111
|
+
if min != -1 and status[bucket][tally] < min
|
112
112
|
compliance = false
|
113
|
-
failure << "Expected #{bucket}.#{tally}.min:#{min} got:#{status[bucket
|
113
|
+
failure << "Expected #{bucket}.#{tally}.min:#{min} got:#{status[bucket][tally]}"
|
114
114
|
end
|
115
115
|
end
|
116
116
|
end
|
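Review bot: In the changed comparisons `status[bucket][tally] > max` and `status[bucket][tally] < min`, `max` and `min` come straight from `@threshold["#{bucket}.#{tally}.max"]` and `.min`; unless defaults are merged in before this loop, a threshold file that omits a key gives nil, `nil != -1` is true, and the comparison raises ArgumentError instead of reporting a compliance failure. Treat a missing key the same as -1, for example `next if max.nil? || max == -1`. The conditions also use `and`, where `&&` is the conventional operator in a boolean expression.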
data/lib/inspec_tools/xccdf.rb
CHANGED
@@ -126,6 +126,7 @@ module InspecTools
|
|
126
126
|
control['desc'] = group.rule.description.vuln_discussion.split('Satisfies: ')[0]
|
127
127
|
control['impact'] = Utils::InspecUtil.get_impact(group.rule.severity)
|
128
128
|
control['tags'] = {}
|
129
|
+
control['tags']['severity'] = Utils::InspecUtil.get_impact_string(control['impact'])
|
129
130
|
control['tags']['gtitle'] = group.title
|
130
131
|
control['tags']['satisfies'] = group.rule.description.vuln_discussion.split('Satisfies: ')[1].split(',').map(&:strip) if group.rule.description.vuln_discussion.split('Satisfies: ').length > 1
|
131
132
|
control['tags']['gid'] = group.id
|
@@ -16,7 +16,6 @@ require 'overrides/string'
|
|
16
16
|
# rubocop:disable Metrics/AbcSize
|
17
17
|
# rubocop:disable Metrics/PerceivedComplexity
|
18
18
|
# rubocop:disable Metrics/CyclomaticComplexity
|
19
|
-
# rubocop:disable Metrics/BlockLength
|
20
19
|
# rubocop:disable Metrics/MethodLength
|
21
20
|
|
22
21
|
module Utils
|
@@ -46,7 +45,7 @@ module Utils
|
|
46
45
|
end
|
47
46
|
c_data = {}
|
48
47
|
|
49
|
-
controls.each do |control|
|
48
|
+
controls.each do |control|
|
50
49
|
c_id = control['id'].to_sym
|
51
50
|
c_data[c_id] = {}
|
52
51
|
c_data[c_id]['id'] = control['id'] || DATA_NOT_FOUND_MESSAGE
|
@@ -88,9 +87,11 @@ module Utils
|
|
88
87
|
profile['controls'].each do |control|
|
89
88
|
c_id = control['id'].to_sym
|
90
89
|
data[c_id] = {}
|
90
|
+
|
91
91
|
data[c_id][:vuln_num] = control['id'] unless control['id'].nil?
|
92
92
|
data[c_id][:rule_title] = control['title'] unless control['title'].nil?
|
93
93
|
data[c_id][:vuln_discuss] = control['desc'] unless control['desc'].nil?
|
94
|
+
|
94
95
|
unless control['tags'].nil?
|
95
96
|
data[c_id][:severity] = control['tags']['severity'] unless control['tags']['severity'].nil?
|
96
97
|
data[c_id][:gid] = control['tags']['gid'] unless control['tags']['gid'].nil?
|
@@ -99,15 +100,20 @@ module Utils
|
|
99
100
|
data[c_id][:rule_ver] = control['tags']['stig_id'] unless control['tags']['stig_id'].nil?
|
100
101
|
data[c_id][:cci_ref] = control['tags']['cci'] unless control['tags']['cci'].nil?
|
101
102
|
data[c_id][:nist] = control['tags']['nist'].join(' ') unless control['tags']['nist'].nil?
|
102
|
-
data[c_id][:check_content] = control['tags']['check'] unless control['tags']['check'].nil?
|
103
|
-
data[c_id][:fix_text] = control['tags']['fix'] unless control['tags']['fix'].nil?
|
104
103
|
end
|
104
|
+
|
105
|
+
if control['descriptions'].respond_to?(:find)
|
106
|
+
data[c_id][:check_content] = control['descriptions'].find { |c| c['label'] == 'fix' }&.dig('data')
|
107
|
+
data[c_id][:fix_text] = control['descriptions'].find { |c| c['label'] == 'check' }&.dig('data')
|
108
|
+
end
|
109
|
+
|
105
110
|
data[c_id][:impact] = control['impact'].to_s unless control['impact'].nil?
|
106
111
|
data[c_id][:profile_name] = profile['name'].to_s unless profile['name'].nil?
|
107
112
|
data[c_id][:profile_shasum] = profile['sha256'].to_s unless profile['sha256'].nil?
|
108
113
|
|
109
114
|
data[c_id][:status] = []
|
110
115
|
data[c_id][:message] = []
|
116
|
+
|
111
117
|
if control.key?('results')
|
112
118
|
control['results'].each do |result|
|
113
119
|
if !result['backtrace'].nil?
|
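Review bot: The two added assignments are crossed: `data[c_id][:check_content]` is filled from the description labelled 'fix' and `data[c_id][:fix_text]` from the one labelled 'check', so the checklist will show remediation text as the check procedure and the reverse. Swap the labels. The same hunk removes the `control['tags']['check']` and `control['tags']['fix']` lookups entirely, so profiles that carry these only as tags lose both fields, although the changelog entry (#148) speaks of supporting both tags and sub-descriptions; keep the tag values as a fallback. Note also that the new lines assign nil when no matching label is found, where the old ones skipped the key.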
@@ -120,6 +126,7 @@ module Utils
|
|
120
126
|
data[c_id][:message].push("PROFILE_ERROR -- Test: #{result['code_desc']}\nMessage: #{result['backtrace']}\n") if result['status'] == 'error'
|
121
127
|
end
|
122
128
|
end
|
129
|
+
|
123
130
|
if data[c_id][:impact].to_f.zero?
|
124
131
|
data[c_id][:message].unshift("NOT_APPLICABLE -- Description: #{control['desc']}\n\n")
|
125
132
|
end
|
@@ -143,7 +150,7 @@ module Utils
|
|
143
150
|
end
|
144
151
|
end
|
145
152
|
|
146
|
-
def self.control_status(control)
|
153
|
+
def self.control_status(control, for_summary = false)
|
147
154
|
status_list = control[:status].uniq
|
148
155
|
if control[:impact].to_f.zero?
|
149
156
|
'Not_Applicable'
|
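Review bot: The new signature `def self.control_status(control, for_summary = false)` adds a positional boolean, which makes the call site `control_status(current_control, true)` unreadable without opening this file. The other options introduced in this change are keyword arguments (`use_cvss_terms:`); make this one `for_summary: false` for consistency and document it in a comment above the method.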
@@ -151,6 +158,8 @@ module Utils
|
|
151
158
|
'Open'
|
152
159
|
elsif status_list.include?('passed')
|
153
160
|
'NotAFinding'
|
161
|
+
elsif status_list.include?('error') && for_summary
|
162
|
+
'Profile_Error'
|
154
163
|
else
|
155
164
|
# profile skipped or profile error
|
156
165
|
'Not_Reviewed'
|
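Review bot: The added `elsif status_list.include?('error') && for_summary` branch sits after the `'passed'` branch, so a control whose results contain both a pass and an error is reported as 'NotAFinding' and never reaches 'Profile_Error'; in a compliance summary that hides a test that did not run behind a passing status. Consider checking for 'error' before 'passed' when `for_summary` is set. The comment "profile skipped or profile error" in the `else` branch is now only accurate for the non-summary path and should be updated.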
@@ -182,18 +191,20 @@ module Utils
|
|
182
191
|
# @todo Allow for the user to pass in a hash for the desired mapping of text
|
183
192
|
# values to numbers or to override our hard coded values.
|
184
193
|
#
|
185
|
-
def self.get_impact(severity)
|
186
|
-
return float_to_impact(severity) if severity.is_a?(Float)
|
194
|
+
def self.get_impact(severity, use_cvss_terms: true)
|
195
|
+
return float_to_impact(severity, use_cvss_terms) if severity.is_a?(Float)
|
187
196
|
|
188
|
-
return string_to_impact(severity) if severity.is_a?(String)
|
197
|
+
return string_to_impact(severity, use_cvss_terms) if severity.is_a?(String)
|
189
198
|
|
190
199
|
raise SeverityInputError, "'#{severity}' is not a valid severity value. It should be a Float between 0.0 and " \
|
191
200
|
'1.0 or one of the approved keywords.'
|
192
201
|
end
|
193
202
|
|
194
|
-
private_class_method def self.float_to_impact(severity)
|
195
|
-
|
196
|
-
|
203
|
+
private_class_method def self.float_to_impact(severity, use_cvss_terms)
|
204
|
+
unless severity.between?(0, 1)
|
205
|
+
raise SeverityInputError, "'#{severity}' is not a valid severity value. It should be a Float between 0.0 and " \
|
206
|
+
'1.0 or one of the approved keywords.'
|
207
|
+
end
|
197
208
|
|
198
209
|
if severity <= 0.01
|
199
210
|
0.0 # Informative
|
@@ -201,31 +212,33 @@ module Utils
|
|
201
212
|
0.3 # Low Impact
|
202
213
|
elsif severity < 0.7
|
203
214
|
0.5 # Medium Impact
|
204
|
-
elsif severity < 0.9
|
215
|
+
elsif severity < 0.9 || use_cvss_terms
|
205
216
|
0.7 # High Impact
|
206
217
|
else
|
207
218
|
1.0 # Critical Controls
|
208
219
|
end
|
209
220
|
end
|
210
221
|
|
211
|
-
private_class_method def self.string_to_impact(severity)
|
222
|
+
private_class_method def self.string_to_impact(severity, use_cvss_terms)
|
212
223
|
if /none|na|n\/a|not[_|(\s*)]?applicable/i.match?(severity)
|
213
|
-
0.0 # Informative
|
224
|
+
impact = 0.0 # Informative
|
214
225
|
elsif /low|cat(egory)?\s*(iii|3)/i.match?(severity)
|
215
|
-
0.3 # Low Impact
|
226
|
+
impact = 0.3 # Low Impact
|
216
227
|
elsif /med(ium)?|cat(egory)?\s*(ii|2)/i.match?(severity)
|
217
|
-
0.5 # Medium Impact
|
228
|
+
impact = 0.5 # Medium Impact
|
218
229
|
elsif /high|cat(egory)?\s*(i|1)/i.match?(severity)
|
219
|
-
0.7 # High Impact
|
230
|
+
impact = 0.7 # High Impact
|
220
231
|
elsif /crit(ical)?|severe/i.match?(severity)
|
221
|
-
1.0 # Critical Controls
|
232
|
+
impact = 1.0 # Critical Controls
|
222
233
|
else
|
223
234
|
raise SeverityInputError, "'#{severity}' is not a valid severity value. It should be a Float between 0.0 and " \
|
224
235
|
'1.0 or one of the approved keywords.'
|
225
236
|
end
|
237
|
+
|
238
|
+
impact == 1.0 && use_cvss_terms ? 0.7 : impact
|
226
239
|
end
|
227
240
|
|
228
|
-
def self.get_impact_string(impact)
|
241
|
+
def self.get_impact_string(impact, use_cvss_terms: true)
|
229
242
|
return if impact.nil?
|
230
243
|
|
231
244
|
value = impact.to_f
|
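Review bot: The flag name `use_cvss_terms` reads the opposite of what the code does: in `float_to_impact` the condition `elsif severity < 0.9 || use_cvss_terms` and in `string_to_impact` the final `impact == 1.0 && use_cvss_terms ? 0.7 : impact` both collapse the critical band into high when the flag is true, yet the CVSS v3.0 qualitative scale does include a Critical rating. Because the default is true, the public `get_impact` now returns 0.7 for inputs that previously returned 1.0, which silently downgrades existing callers. Rename the option to say what it does (for example a hypothetical `collapse_critical:`), describe it in the method comment that precedes `get_impact`, and record the behaviour change in the changelog.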
@@ -233,8 +246,14 @@ module Utils
|
|
233
246
|
raise ImpactInputError, "'#{value}' is not a valid impact score. Valid impact scores: [0.0 - 1.0]."
|
234
247
|
end
|
235
248
|
|
236
|
-
IMPACT_SCORES.reverse_each do |name,
|
237
|
-
|
249
|
+
IMPACT_SCORES.reverse_each do |name, impact_score|
|
250
|
+
if name == 'critical' && value >= impact_score && use_cvss_terms
|
251
|
+
return 'high'
|
252
|
+
elsif value >= impact_score
|
253
|
+
return name
|
254
|
+
else
|
255
|
+
next
|
256
|
+
end
|
238
257
|
end
|
239
258
|
end
|
240
259
|
|
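Review bot: In the rewritten `IMPACT_SCORES.reverse_each` block the `else` / `next` branch is redundant, since falling off the end of the block already continues with the next pair, and the three-way `if` repeats the `value >= impact_score` test. The body can be reduced to `next unless value >= impact_score` followed by `return name == 'critical' && use_cvss_terms ? 'high' : name`, which keeps the behaviour and makes the special case easier to see.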
@@ -374,7 +393,7 @@ module Utils
|
|
374
393
|
file_name = control.id.to_s
|
375
394
|
myfile = File.new("#{directory}/controls/#{file_name}.rb", 'w')
|
376
395
|
myfile.puts "# encoding: UTF-8\n\n"
|
377
|
-
myfile.puts wrap(control.to_ruby, WIDTH) + "\n"
|
396
|
+
myfile.puts wrap(control.to_ruby.gsub('"', "\'"), WIDTH) + "\n"
|
378
397
|
myfile.close
|
379
398
|
end
|
380
399
|
else
|
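Review bot: The changed line `control.to_ruby.gsub('"', "\'")` replaces every double quote in the generated source, not only string delimiters. Control titles and descriptions come from external benchmark documents, and any apostrophe in that text now ends the single-quoted string early, leaving the remainder to be parsed as Ruby, so the generated control either fails to load or means something different; escape sequences such as `\n` also stop being interpreted once the literal is single-quoted. Emit the literals with correct quoting at generation time (escaping backslashes and single quotes in the content) instead of post-processing the whole file, and add a test with a description that contains both quote characters. The same replacement appears in the next hunk and needs the same fix.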
@@ -390,7 +409,7 @@ module Utils
|
|
390
409
|
if output_format == 'ruby'
|
391
410
|
controls.each do |control|
|
392
411
|
myfile.puts "# encoding: UTF-8\n\n"
|
393
|
-
myfile.puts wrap(control.to_ruby, WIDTH) + "\n"
|
412
|
+
myfile.puts wrap(control.to_ruby.gsub('"', "\'"), WIDTH) + "\n"
|
394
413
|
end
|
395
414
|
else
|
396
415
|
controls.each do |control|
|
@@ -408,3 +427,9 @@ module Utils
|
|
408
427
|
end
|
409
428
|
end
|
410
429
|
end
|
430
|
+
|
431
|
+
# rubocop:enable Metrics/ClassLength
|
432
|
+
# rubocop:enable Metrics/AbcSize
|
433
|
+
# rubocop:enable Metrics/PerceivedComplexity
|
434
|
+
# rubocop:enable Metrics/CyclomaticComplexity
|
435
|
+
# rubocop:enable Metrics/MethodLength
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: inspec_tools
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.0.
|
4
|
+
version: 2.0.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Robert Thew
|
@@ -11,7 +11,7 @@ authors:
|
|
11
11
|
autorequire:
|
12
12
|
bindir: exe
|
13
13
|
cert_chain: []
|
14
|
-
date: 2020-05-
|
14
|
+
date: 2020-05-26 00:00:00.000000000 Z
|
15
15
|
dependencies:
|
16
16
|
- !ruby/object:Gem::Dependency
|
17
17
|
name: colorize
|
@@ -151,14 +151,14 @@ dependencies:
|
|
151
151
|
requirements:
|
152
152
|
- - ">="
|
153
153
|
- !ruby/object:Gem::Version
|
154
|
-
version:
|
154
|
+
version: 0.17.3
|
155
155
|
type: :runtime
|
156
156
|
prerelease: false
|
157
157
|
version_requirements: !ruby/object:Gem::Requirement
|
158
158
|
requirements:
|
159
159
|
- - ">="
|
160
160
|
- !ruby/object:Gem::Version
|
161
|
-
version:
|
161
|
+
version: 0.17.3
|
162
162
|
- !ruby/object:Gem::Dependency
|
163
163
|
name: bundler
|
164
164
|
requirement: !ruby/object:Gem::Requirement
|
@@ -348,9 +348,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
348
348
|
version: '2.5'
|
349
349
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
350
350
|
requirements:
|
351
|
-
- - "
|
351
|
+
- - ">="
|
352
352
|
- !ruby/object:Gem::Version
|
353
|
-
version:
|
353
|
+
version: '0'
|
354
354
|
requirements: []
|
355
355
|
rubygems_version: 3.1.2
|
356
356
|
signing_key:
|