inspec_tools 2.0.7 → 2.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c551987d4bfca9ae4d14630f4beb3f4dd6cbe78314a2f229d5df49b4c72cd0e2
-  data.tar.gz: d0553cb380d6103f21b879fdb43d39c502ba94d80cc6b30ae8c69cf246464f4d
+  metadata.gz: 84cf060364796b3cfd7e3c758498a76379c743452b0ce119e19160b803e81ad8
+  data.tar.gz: dc01762be82174930cb3ba6b59ab02ec1541218ac2567c408f8338d1d6e83e60
 SHA512:
-  metadata.gz: ffb7fa2a36d380a08c193fc0b1295c74a9479ef54ac5085cf3f36072509d67d235603c6fb589e81ce6c1d52544793fab3b91d37153e303923e7c99bb843f4510
-  data.tar.gz: 8e10eacec2b81f6a7c57198cc817050ee501ede1a390e347be50c80429d3834d506eb1f417b9f659ef0c620240d36e15cd65e118ea59fbbaa5481131cba4eb38
+  metadata.gz: a37d714accd3ea9a04d48f60864a5a1701c15f8a8b88072829c933e1f68be6a61af99b2c1d0c9d59ff830c0754adb165bc34c8925f53a2a90168bee783d8f4c5
+  data.tar.gz: feb725f4dd11cf0db94fa9dd7dbbd8108984f4308d5b266da380fa242da8191ea80fdea495c9a4af722630334a823a65da1c075a7a0756d4c35e6fc422a1d3df

data/README.md

@@ -70,7 +70,7 @@ Note that all of the above Docker commands will mount your current directory on
 
 ### generate_map
 
-This command will generate a `mapping.xml` file that can be passed in to the `csv2inspec` command with the `--m` option.
+This command will generate a `mapping.yml` file that can be passed in to the `csv2inspec` command with the `--m` option.
 
 ```
 USAGE: inspec_tools generate_map
@@ -100,13 +100,15 @@ If the specified threshold is not met, an error code (1) is returned along with
 
 The compliance score are rounded down to the nearest whole number. For example a score of 77.3 would be displayed as 77.
 
+Thresholds provided inline (i.e. `-i`) override thresholds provided by files (i.e. `-f`).
+
 ```
 USAGE:  inspec_tools compliance [OPTIONS] -j <inspec-json> -i <threshold-inline>
 	inspec_tools compliance [OPTIONS] -j <inspec-json> -f <threshold-file>
 FLAGS:
 	-j --inspec-json <inspec-json>          : path to InSpec results Json
 	-i --template-inline <threshold-inline> : inline compliance threshold definition
-	-f --template-file <threshold-file>     : yaml file with compliance threshold definition
+	-f --threshold-file <threshold-file>    : yaml file with compliance threshold definition
 Examples:
 
   inspec_tools compliance -j examples/sample_json/rhel-simp.json -i '{compliance.min: 80, failed.critical.max: 0, failed.high.max: 0}'
@@ -135,11 +137,11 @@ failed.high.max: 1
 
 #### In-Line Examples
 ```
-{compliance: {min: 90}, failed: {critical: {max: 0}, high: {max: 0}}}
+"{compliance: {min: 90}, failed: {critical: {max: 0}, high: {max: 0}}}"
 ```
 
 ```
-{compliance.min: 81, failed.critical.max: 0, failed.high.max: 0}
+"{compliance.min: 81, failed.critical.max: 0, failed.high.max: 0}"
 ```
 
 ## summary
@@ -185,12 +187,16 @@ Using additional flags will override the normal output and only display the outp
 
 USAGE: inspec_tools summary [OPTIONS] -j <inspec-json>
 
+Thresholds provided inline (i.e. `-i`) override thresholds provided by files (i.e. `-t`).
+
+
 ```
 FLAGS:
-  -j --inspec-json <inspec-json>   : path to InSpec results JSON
-  -V --verbose, --no-verbose       : print verbose an debug output
-  -f --json-full, --no-json-full   : print the summary STDOUT as JSON
-  -k --json-counts, --no-json_cou  : print the reslut status to STDOUT as JSON
+  -j --inspec-json <inspec-json>           : path to InSpec results JSON
+  -f --json-full, --no-json-full           : print the summary STDOUT as JSON
+  -k --json-counts, --no-json-counts       : print the result status to STDOUT as JSON
+  -t, --threshold-file=THRESHOLD_FILE]     : path to threshold YAML file
+  -i, --threshold-inline=THRESHOLD_INLINE] : string of text representing threshold YAML inline
 
 Examples:
 
@@ -220,16 +226,18 @@ example: inspec_tools xccdf2inspec -x xccdf_file.xml -a attributes.yml -o myprof
 
 `inspec2xccdf` converts an InSpec profile in json format to a STIG XCCDF Document
 
+See [examples documentation](./examples/inspec2xccdf/README.md) for additional guidance on usage including attribute details.
+
 ```
 USAGE: inspec_tools inspec2xccdf [OPTIONS] -j <inspec-json> -a <xccdf-attr-yml> -o <xccdf-xml>
 
 FLAGS:
 	-j --inspec-json <inspec-json>   : path to InSpec Json file created using command 'inspec json <profile> > example.json'
-	-a --attributes <xccdf-attr-yml> : path to yml file that provides the required attributes for the XCCDF Document. these attributes are parts of XCCDF document which do not fit into the InSpec schema
-	-o --output <xccdf-xml>          : name or path to create the xccdf and title to give the xccdf
-	-V --verbose                     : verbose run [optional]
+	-a --attributes <xccdf-attr-yml> : path to yml file that provides the required attributes for the XCCDF document. These attributes are parts of XCCDF document which do not fit into the InSpec schema.
+	-o --output <xccdf-xml>          : name or path to create the XCCDF and title to give the XCCDF
+        -m, [--metadata=METADATA]        : path to json file with additional host metadata for the XCCDF file
 
-example: inspec_tools inspec2xccdf -j example.json -a attributes.yml -o xccdf.xml
+example: inspec_tools inspec2xccdf -j examples/sample_json/good_nginxresults.json -a lib/data/attributes.yml -o output.xccdf
 ```
 
 ## csv2inspec

data/Rakefile

@@ -19,7 +19,15 @@ namespace :test do
       'test/unit/inspec_tools_test.rb'
     ])
   end
-end
+
+  Rake::TestTask.new(:exclude_slow) do |t|
+    t.description = 'Excluding all tests that take more than 3 seconds to complete'
+    t.libs << 'test'
+    t.libs << "lib"
+    t.verbose = true
+    t.test_files = FileList['test/**/*_test.rb'].reject{|file| file.include? 'pdf_test.rb'}.reverse
+  end
+end 
 
 desc 'Build for release'
 task :build_release do

data/lib/happy_mapper_tools/benchmark.rb

@@ -99,6 +99,88 @@ module HappyMapperTools
       element :content, String, tag: 'check-content'
     end
 
+    class MessageType
+      include HappyMapper
+      attribute :severity, String, tag: 'severity'
+      content :message, String
+    end
+
+    class RuleResultType
+      include HappyMapper
+      attribute :idref, String, tag: 'idref'
+      attribute :severity, String, tag: 'severity'
+      attribute :time, String, tag: 'time'
+      attribute :weight, String, tag: 'weight'
+      element :result, String, tag: 'result'
+      # element override - Not implemented. Does not apply to Inspec execution
+      has_many :ident, Ident, tag: 'ident'
+      # Note: element metadata not implemented at this time
+      has_many :message, MessageType, tag: 'message'
+      has_many :instance, String, tag: 'instance'
+      element :fix, Fix, tag: 'fix'
+      element :check, Check, tag: 'check'
+    end
+
+    class ScoreType
+      include HappyMapper
+
+      def initialize(system, maximum, score)
+        @system = system
+        @maximum = maximum
+        @score = score
+      end
+
+      attribute :system, String, tag: 'system'
+      attribute :maximum, String, tag: 'maximum' # optional attribute
+      content :score, String
+    end
+
+    class CPE2idrefType
+      include HappyMapper
+      attribute :idref, String, tag: 'idref'
+    end
+
+    class IdentityType
+      include HappyMapper
+      attribute :authenticated, Boolean, tag: 'authenticated'
+      attribute :privileged, Boolean, tag: 'privileged'
+      content :identity, String
+    end
+
+    class Fact
+      include HappyMapper
+      attribute :name, String, tag: 'name'
+      attribute :type, String, tag: 'type'
+      content :fact, String
+    end
+
+    class TargetFact
+      include HappyMapper
+      has_many :fact, Fact, tag: 'fact'
+    end
+
+    class TestResult
+      include HappyMapper
+      # Note: element benchmark not implemented at this time since this is same file
+      # Note: element title not implemented due to no mapping from Chef Inspec
+      element :remark, String, tag: 'remark'
+      has_many :organization, String, tag: 'organization'
+      element :identity, IdentityType, tag: 'identity'
+      element :target, String, tag: 'target'
+      has_many :target_address, String, tag: 'target-address'
+      element :target_facts, TargetFact, tag: 'target-facts'
+      element :platform, CPE2idrefType, tag: 'platform'
+      # Note: element profile not implemented since Benchmark profile is also not implemented
+      has_many :rule_result, RuleResultType, tag: 'rule-result'
+      has_many :score, ScoreType, tag: 'score' # One minimum
+      # Note: element signature not implemented due to no mapping from Chef Inspec
+      attribute :id, String, tag: 'id'
+      attribute :starttime, String, tag: 'start-time'
+      attribute :endtime, String, tag: 'end-time'
+      # Note: attribute test-system not implemented at this time due to unknown CPE value for Chef Inspec
+      attribute :version, String, tag: 'version'
+    end
+
     # Class Profile maps from the 'Profile' from Benchmark XML file using HappyMapper
     class Profile
       include HappyMapper
@@ -156,6 +238,7 @@ module HappyMapperTools
       element :version, String, tag: 'version'
       has_many :profile, Profile, tag: 'Profile'
       has_many :group, Group, tag: 'Group'
+      element :testresult, TestResult, tag: 'TestResult'
     end
   end
 end

data/lib/happy_mapper_tools/stig_attributes.rb

@@ -77,6 +77,15 @@ module HappyMapperTools
       element :dc_identifier, String, tag: 'identifier', namespace: 'dc'
     end
 
+    class Ident
+      include HappyMapper
+      attr_accessor :legacy
+      attr_accessor :cci
+      tag 'ident'
+      attribute :system, String, tag: 'system'
+      content :ident, String
+    end
+
     class Rule
       include HappyMapper
       tag 'Rule'
@@ -87,7 +96,7 @@ module HappyMapperTools
       element :title, String, tag: 'title'
       has_one :description, Description, tag: 'description'
       element :reference, ReferenceInfo, tag: 'reference'
-      has_many :idents, String, tag: 'ident'
+      has_many :idents, Ident, tag: 'ident'
       element :fixtext, String, tag: 'fixtext'
       has_one :fix, Fix, tag: 'fix'
       has_one :check, Check, tag: 'check'

data/lib/inspec_tools/csv.rb

@@ -1,10 +1,10 @@
 require 'csv'
-require 'nokogiri'
-require 'word_wrap'
 require 'yaml'
 require 'digest'
 
 require_relative '../utilities/inspec_util'
+require_relative '../utilities/cci_xml'
+require_relative '../utilities/mapping_validator'
 
 # rubocop:disable Metrics/AbcSize
 # rubocop:disable Metrics/PerceivedComplexity
@@ -16,34 +16,25 @@ module InspecTools
     def initialize(csv, mapping, name, verbose = false)
       @name = name
       @csv = csv
-      @mapping = mapping
+      @mapping = Utils::MappingValidator.validate(mapping)
       @verbose = verbose
       @csv.shift if @mapping['skip_csv_header']
     end
 
-    def to_ckl
-      # TODO
-    end
-
-    def to_xccdf
-      # TODO
-    end
-
-    def to_inspec
+    def to_inspec(control_name_prefix: nil)
       @controls = []
-      @cci_xml = nil
       @profile = {}
-      read_cci_xml
-      insert_json_metadata
-      parse_controls
+      @cci_xml = Utils::CciXml.get_cci_list('U_CCI_List.xml')
+      insert_metadata
+      parse_controls(control_name_prefix)
       @profile['controls'] = @controls
-      @profile['sha256'] = Digest::SHA256.hexdigest @profile.to_s
+      @profile['sha256'] = Digest::SHA256.hexdigest(@profile.to_s)
       @profile
     end
 
     private
 
-    def insert_json_metadata
+    def insert_metadata
       @profile['name'] = @name
       @profile['title'] = 'InSpec Profile'
       @profile['maintainer'] = 'The Authors'
@@ -60,35 +51,37 @@ module InspecTools
       }
     end
 
-    def read_cci_xml
-      cci_list_path = File.join(File.dirname(__FILE__), '../data/U_CCI_List.xml')
-      @cci_xml = Nokogiri::XML(File.open(cci_list_path))
-      @cci_xml.remove_namespaces!
-    rescue StandardError => e
-      puts "Exception: #{e.message}"
-    end
-
     def get_nist_reference(cci_number)
       item_node = @cci_xml.xpath("//cci_list/cci_items/cci_item[@id='#{cci_number}']")[0] unless @cci_xml.nil?
-      unless item_node.nil?
-        nist_ref = item_node.xpath('./references/reference[not(@version <= preceding-sibling::reference/@version) and not(@version <=following-sibling::reference/@version)]/@index').text
-        nist_ver = item_node.xpath('./references/reference[not(@version <= preceding-sibling::reference/@version) and not(@version <=following-sibling::reference/@version)]/@version').text
-      end
-      [nist_ref, nist_ver]
+      return nil if item_node.nil?
+
+      [] << item_node.xpath('./references/reference[not(@version <= preceding-sibling::reference/@version) and not(@version <=following-sibling::reference/@version)]/@index').text
     end
 
-    def parse_controls
+    def get_cci_number(cell)
+      # Return nil if a mapping to the CCI was not provided or if there is not content in the CSV cell.
+      return nil if cell.nil? || @mapping['control.tags']['cci'].nil?
+
+      # If the content has been exported from STIG Viewer, the cell will have extra information
+      cell.split("\n").first
+    end
+
+    def parse_controls(prefix)
       @csv.each do |row|
-        print '.'
         control = {}
-        control['id']     = row[@mapping['control.id']]     unless @mapping['control.id'].nil? || row[@mapping['control.id']].nil?
-        control['title']  = row[@mapping['control.title']]  unless @mapping['control.title'].nil? || row[@mapping['control.title']].nil?
-        control['desc']   = row[@mapping['control.desc']]   unless @mapping['control.desc'].nil? || row[@mapping['control.desc']].nil?
+        control['id']     = generate_control_id(prefix, row[@mapping['control.id']]) unless @mapping['control.id'].nil? || row[@mapping['control.id']].nil?
+        control['title']  = row[@mapping['control.title']] unless @mapping['control.title'].nil? || row[@mapping['control.title']].nil?
+        control['desc']   = row[@mapping['control.desc']] unless @mapping['control.desc'].nil? || row[@mapping['control.desc']].nil?
         control['tags'] = {}
-        nist, nist_rev = get_nist_reference(row[@mapping['control.tags']['cci']]) unless @mapping['control.tags']['cci'].nil? || row[@mapping['control.tags']['cci']].nil?
-        control['tags']['nist'] = [nist, 'Rev_' + nist_rev] unless nist.nil? || nist_rev.nil?
+        cci_number = get_cci_number(row[@mapping['control.tags']['cci']])
+        nist = get_nist_reference(cci_number) unless cci_number.nil?
+        control['tags']['nist'] = nist unless nist.nil? || nist.include?(nil)
         @mapping['control.tags'].each do |tag|
-          control['tags'][tag.first.to_s] = row[tag.last] unless row[tag.last].nil?
+          if tag.first == 'cci'
+            control['tags'][tag.first] = cci_number
+            next
+          end
+          control['tags'][tag.first] = row[tag.last] unless row[tag.last].nil?
         end
         unless @mapping['control.tags']['severity'].nil? || row[@mapping['control.tags']['severity']].nil?
           control['impact'] = Utils::InspecUtil.get_impact(row[@mapping['control.tags']['severity']])
@@ -97,5 +90,15 @@ module InspecTools
         @controls << control
       end
     end
+
+    def generate_control_id(prefix, id)
+      return id if prefix.nil?
+
+      "#{prefix}-#{id}"
+    end
   end
 end
+
+# rubocop:enable Metrics/AbcSize
+# rubocop:enable Metrics/PerceivedComplexity
+# rubocop:enable Metrics/CyclomaticComplexity

data/lib/inspec_tools/generate_map.rb

@@ -0,0 +1,35 @@
+module InspecTools
+  class GenerateMap
+    attr_accessor :text
+
+    def initialize(text = nil)
+      @text = text.nil? ? default_text : text
+    end
+
+    def generate_example(file)
+      File.write(file, @text)
+    end
+
+    private
+
+    def default_text
+      <<~YML
+      # Setting csv_header to true will skip the csv file header
+      skip_csv_header: true
+      width   : 80
+
+
+      control.id: 0
+      control.title: 15
+      control.desc: 16
+      control.tags:
+        severity: 1
+        rid: 8
+        stig_id: 3
+        cci: 2
+        check: 12
+        fix: 10
+      YML
+    end
+  end
+end

data/lib/inspec_tools/inspec.rb

@@ -9,17 +9,14 @@ require_relative '../happy_mapper_tools/stig_checklist'
 require_relative '../happy_mapper_tools/benchmark'
 require_relative '../utilities/inspec_util'
 require_relative 'csv'
-
-# rubocop:disable Metrics/ClassLength
-# rubocop:disable Metrics/AbcSize
-# rubocop:disable Metrics/BlockLength
-# rubocop:disable Style/GuardClause
+require_relative '../utilities/xccdf/from_inspec'
+require_relative '../utilities/xccdf/to_xccdf'
 
 module InspecTools
-  class Inspec
-    def initialize(inspec_json, metadata = '{}')
+  class Inspec # rubocop:disable Metrics/ClassLength
+    def initialize(inspec_json, metadata = {})
       @json = JSON.parse(inspec_json.gsub(/\\+u0000/, ''))
-      @metadata = JSON.parse(metadata)
+      @metadata = metadata
     end
 
     def to_ckl(title = nil, date = nil, cklist = nil)
@@ -36,16 +33,15 @@ module InspecTools
       @checklist.to_xml.encode('UTF-8').gsub('<?xml version="1.0"?>', '<?xml version="1.0" encoding="UTF-8"?>').chomp
     end
 
+    # Convert Inspec result data to XCCDF
+    #
+    # @param attributes [Hash] Optional input attributes
+    # @return [String] XML formatted String
     def to_xccdf(attributes, verbose = false)
-      @data = Utils::InspecUtil.parse_data_for_xccdf(@json)
-      @attribute = attributes
-      @attribute = {} if @attribute.eql? false
+      data = Utils::FromInspec.new.parse_data_for_xccdf(@json)
       @verbose = verbose
-      @benchmark = HappyMapperTools::Benchmark::Benchmark.new
-      populate_header
-      # populate_profiles @todo populate profiles; not implemented now because its use is deprecated
-      populate_groups
-      @benchmark.to_xml
+
+      Utils::ToXCCDF.new(attributes || {}, data).to_xml(@metadata)
     end
 
     ####
@@ -70,7 +66,7 @@ module InspecTools
     #
     # @param inspec_json : an inspec profile formatted as a json object
     ###
-    def inspec_json_to_array(inspec_json)
+    def inspec_json_to_array(inspec_json) # rubocop:disable Metrics/CyclomaticComplexity
       data = []
       headers = {}
       inspec_json['controls'].each do |control|
@@ -97,10 +93,11 @@ module InspecTools
           @data['controls'] << control
         end
       end
-      if json['profiles'].nil?
-        json['controls'].each do |control|
-          @data['controls'] << control
-        end
+
+      return unless json['profiles'].nil?
+
+      json['controls'].each do |control|
+        @data['controls'] << control
       end
     end
 
@@ -161,7 +158,7 @@ module InspecTools
       vuln
     end
 
-    def generate_asset
+    def generate_asset # rubocop:disable Metrics/AbcSize
       asset = HappyMapperTools::StigChecklist::Asset.new
       asset.role = !@metadata['role'].nil? ? @metadata['role'] : 'Workstation'
       asset.type = !@metadata['type'].nil? ? @metadata['type'] : 'Computing'
@@ -223,75 +220,6 @@ module InspecTools
       ip
     end
 
-    def populate_header
-      @benchmark.title = @attribute['benchmark.title']
-      @benchmark.id = @attribute['benchmark.id']
-      @benchmark.description = @attribute['benchmark.description']
-      @benchmark.version = @attribute['benchmark.version']
-
-      @benchmark.status = HappyMapperTools::Benchmark::Status.new
-      @benchmark.status.status = @attribute['benchmark.status']
-      @benchmark.status.date = @attribute['benchmark.status.date']
-
-      @benchmark.notice = HappyMapperTools::Benchmark::Notice.new
-      @benchmark.notice.id = @attribute['benchmark.notice.id']
-
-      @benchmark.plaintext = HappyMapperTools::Benchmark::Plaintext.new
-      @benchmark.plaintext.plaintext = @attribute['benchmark.plaintext']
-      @benchmark.plaintext.id = @attribute['benchmark.plaintext.id']
-
-      @benchmark.reference = HappyMapperTools::Benchmark::ReferenceBenchmark.new
-      @benchmark.reference.href = @attribute['reference.href']
-      @benchmark.reference.dc_publisher = @attribute['reference.dc.publisher']
-      @benchmark.reference.dc_source = @attribute['reference.dc.source']
-    end
-
-    def populate_groups
-      group_array = []
-      @data['controls'].each do |control|
-        group = HappyMapperTools::Benchmark::Group.new
-        group.id = control['id']
-        group.title = control['gtitle']
-        group.description = "<GroupDescription>#{control['gdescription']}</GroupDescription>"
-
-        group.rule = HappyMapperTools::Benchmark::Rule.new
-        group.rule.id = control['rid']
-        group.rule.severity = control['severity']
-        group.rule.weight = control['rweight']
-        group.rule.version = control['rversion']
-        group.rule.title = control['title'].tr("\n", ' ')
-        group.rule.description = "<VulnDiscussion>#{control['desc'].tr("\n", ' ')}</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>"
-
-        group.rule.reference = HappyMapperTools::Benchmark::ReferenceGroup.new
-        group.rule.reference.dc_publisher = @attribute['reference.dc.publisher']
-        group.rule.reference.dc_title = @attribute['reference.dc.title']
-        group.rule.reference.dc_subject = @attribute['reference.dc.subject']
-        group.rule.reference.dc_type = @attribute['reference.dc.type']
-        group.rule.reference.dc_identifier = @attribute['reference.dc.identifier']
-
-        group.rule.ident = HappyMapperTools::Benchmark::Ident.new
-        group.rule.ident.system = 'https://public.cyber.mil/stigs/cci/'
-        group.rule.ident.ident = control['cci']
-
-        group.rule.fixtext = HappyMapperTools::Benchmark::Fixtext.new
-        group.rule.fixtext.fixref = control['fixref']
-        group.rule.fixtext.fixtext = control['fix']
-
-        group.rule.fix = HappyMapperTools::Benchmark::Fix.new
-        group.rule.fix.id = control['fixref']
-
-        group.rule.check = HappyMapperTools::Benchmark::Check.new
-        group.rule.check.system = control['checkref']
-        group.rule.check.content_ref = HappyMapperTools::Benchmark::ContentRef.new
-        group.rule.check.content_ref.name = @attribute['content_ref.name']
-        group.rule.check.content_ref.href = @attribute['content_ref.href']
-        group.rule.check.content = control['check']
-
-        group_array << group
-      end
-      @benchmark.group = group_array
-    end
-
     def generate_title(title, json, date)
       title ||= "Untitled - Checklist Created from Automated InSpec Results JSON; Profiles: #{json['profiles'].map { |x| x['name'] }.join(' | ')}"
       title + " Checklist Date: #{date || Date.today.to_s}"