inspec_tools 2.0.7 → 2.3.3

data/lib/inspec_tools/plugin_cli.rb

@@ -1,4 +1,3 @@
-require 'yaml'
 require 'json'
 require 'roo'
 require_relative '../utilities/inspec_util'
@@ -13,8 +12,8 @@ module InspecTools
   autoload :CKL, 'inspec_tools/ckl'
   autoload :Inspec, 'inspec_tools/inspec'
   autoload :Summary, 'inspec_tools/summary'
-  autoload :Threshold, 'inspec_tools/threshold'
   autoload :XLSXTool, 'inspec_tools/xlsx_tool'
+  autoload :GenerateMap, 'inspec_tools/generate_map'
 end
 
 # rubocop:disable Style/GuardClause
@@ -23,7 +22,7 @@ module InspecPlugins
     class CliCommand < Inspec.plugin(2, :cli_command) # rubocop:disable Metrics/ClassLength
       POSSIBLE_LOG_LEVELS = %w{debug info warn error fatal}.freeze
 
-      class_option :log_directory, type: :string, aliases: :l, desc: 'Provie log location'
+      class_option :log_directory, type: :string, aliases: :l, desc: 'Provide log location'
       class_option :log_level, type: :string, desc: "Set the logging level: #{POSSIBLE_LOG_LEVELS}"
 
       subcommand_desc 'tools [COMMAND]', 'Runs inspec_tools commands through Inspec'
@@ -54,12 +53,18 @@ module InspecPlugins
 
       desc 'inspec2xccdf', 'inspec2xccdf translates an inspec profile and attributes files to an xccdf file'
       long_desc InspecTools::Help.text(:inspec2xccdf)
-      option :inspec_json, required: true, aliases: '-j'
-      option :attributes,  required: true, aliases: '-a'
-      option :output, required: true, aliases: '-o'
+      option :inspec_json, required: true, aliases: '-j',
+                           desc: 'path to InSpec JSON file created'
+      option :attributes,  required: true, aliases: '-a',
+                           desc: 'path to yml file that provides the required attributes for the XCCDF document. These attributes are parts of XCCDF document which do not fit into the InSpec schema.'
+      option :output, required: true, aliases: '-o',
+                      desc: 'name or path to create the XCCDF and title to give the XCCDF'
+      option :metadata, required: false, type: :string, aliases: '-m',
+                        desc: 'path to JSON file with additional host metadata for the XCCDF file'
       def inspec2xccdf
         json = File.read(options[:inspec_json])
-        inspec_tool = InspecTools::Inspec.new(json)
+        metadata = options[:metadata] ? JSON.parse(File.read(options[:metadata])) : {}
+        inspec_tool = InspecTools::Inspec.new(json, metadata)
         attr_hsh = YAML.load_file(options[:attributes])
         xccdf = inspec_tool.to_xccdf(attr_hsh)
         File.write(options[:output], xccdf)
@@ -73,10 +78,11 @@ module InspecPlugins
       option :output, required: false, aliases: '-o', default: 'profile'
       option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
       option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+      option :control_name_prefix, required: false, type: :string, aliases: '-p'
       def csv2inspec
         csv = CSV.read(options[:csv], encoding: 'ISO8859-1')
         mapping = YAML.load_file(options[:mapping])
-        profile = InspecTools::CSVTool.new(csv, mapping, options[:csv].split('/')[-1].split('.')[0], options[:verbose]).to_inspec
+        profile = InspecTools::CSVTool.new(csv, mapping, options[:csv].split('/')[-1].split('.')[0], options[:verbose]).to_inspec(control_name_prefix: options[:control_name_prefix])
         Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
       end
 
@@ -136,26 +142,8 @@ module InspecPlugins
 
       desc 'generate_map', 'Generates mapping template from CSV to Inspec Controls'
       def generate_map
-        template = '
-        # Setting csv_header to true will skip the csv file header
-        skip_csv_header: true
-        width   : 80
-
-
-        control.id: 0
-        control.title: 15
-        control.desc: 16
-        control.tags:
-                severity: 1
-                rid: 8
-                stig_id: 3
-                cci: 2
-                check: 12
-                fix: 10
-        '
-        myfile = File.new('mapping.yml', 'w')
-        myfile.puts template
-        myfile.close
+        generator = InspecTools::GenerateMap.new
+        generator.generate_example('mapping.yml')
       end
 
       desc 'generate_ckl_metadata', 'Generate metadata file that can be passed to inspec2ckl'
@@ -200,26 +188,14 @@ module InspecPlugins
       desc 'summary', 'summary parses an inspec results json to create a summary json'
       long_desc InspecTools::Help.text(:summary)
       option :inspec_json, required: true, aliases: '-j'
-      option :verbose, type: :boolean, aliases: '-V'
       option :json_full, type: :boolean, required: false, aliases: '-f'
       option :json_counts, type: :boolean, required: false, aliases: '-k'
+      option :threshold_file, required: false, aliases: '-t'
+      option :threshold_inline, required: false, aliases: '-i'
 
       def summary
-        summary = InspecTools::Summary.new(File.read(options[:inspec_json])).to_summary
-
-        unless options.include?('json_full') || options.include?('json_counts')
-          puts "\nOverall compliance: #{summary[:compliance]}%\n\n"
-          summary[:status].keys.each do |category|
-            puts category
-            summary[:status][category].keys.each do |impact|
-              puts "\t#{impact} : #{summary[:status][category][impact]}"
-            end
-          end
-        end
-
-        json_summary = summary.to_json
-        puts json_summary if options[:json_full]
-        puts summary[:status].to_json if options[:json_counts]
+        summary = InspecTools::Summary.new(options: options)
+        summary.output_summary
       end
 
       desc 'compliance', 'compliance parses an inspec results json to check if the compliance level meets a specified threshold'
@@ -227,17 +203,10 @@ module InspecPlugins
       option :inspec_json, required: true, aliases: '-j'
       option :threshold_file, required: false, aliases: '-f'
       option :threshold_inline, required: false, aliases: '-i'
-      option :verbose, type: :boolean, aliases: '-V'
 
       def compliance
-        if options[:threshold_file].nil? && options[:threshold_inline].nil?
-          puts 'Please provide threshold as a yaml file or inline yaml'
-          exit(1)
-        end
-        threshold = YAML.load_file(options[:threshold_file]) unless options[:threshold_file].nil?
-        threshold = YAML.safe_load(options[:threshold_inline]) unless options[:threshold_inline].nil?
-        compliance = InspecTools::Summary.new(File.read(options[:inspec_json])).threshold(threshold)
-        compliance ? exit(0) : exit(1)
+        compliance = InspecTools::Summary.new(options: options)
+        compliance.results_meet_threshold? ? exit(0) : exit(1)
       end
     end
   end

data/lib/inspec_tools/summary.rb

@@ -2,8 +2,6 @@ require 'json'
 require 'yaml'
 require_relative '../utilities/inspec_util'
 
-# rubocop:disable Metrics/AbcSize
-
 # Impact Definitions
 CRITICAL = 0.9
 HIGH = 0.7
@@ -16,48 +14,118 @@ TALLYS = %i(total critical high medium low).freeze
 THRESHOLD_TEMPLATE = File.expand_path('../data/threshold.yaml', File.dirname(__FILE__))
 
 module InspecTools
+  # rubocop:disable Metrics/ClassLength
   class Summary
-    def initialize(inspec_json)
-      @json = JSON.parse(inspec_json)
+    attr_reader :json
+    attr_reader :json_full
+    attr_reader :json_counts
+    attr_reader :threshold_file
+    attr_reader :threshold_inline
+    attr_reader :summary
+    attr_reader :threshold
+
+    def initialize(**options)
+      options = options[:options]
+      @json = JSON.parse(File.read(options[:inspec_json]))
+      @json_full = false || options[:json_full]
+      @json_counts = false || options[:json_counts]
+      @threshold = parse_threshold(options[:threshold_inline], options[:threshold_file])
+      @threshold_provided = options[:threshold_inline] || options[:threshold_file]
+      @summary = compute_summary
     end
 
-    def to_summary
-      @data = Utils::InspecUtil.parse_data_for_ckl(@json)
-      @summary = {}
-      @data.keys.each do |control_id|
-        current_control = @data[control_id]
-        current_control[:compliance_status] = Utils::InspecUtil.control_status(current_control, true)
-        current_control[:finding_details] = Utils::InspecUtil.control_finding_details(current_control, current_control[:compliance_status])
+    def output_summary
+      unless @json_full || @json_counts
+        puts "\nThreshold compliance: #{@threshold['compliance.min']}%"
+        puts "\nOverall compliance: #{@summary[:compliance]}%\n\n"
+        @summary[:status].keys.each do |category|
+          puts category
+          @summary[:status][category].keys.each do |impact|
+            puts "\t#{impact} : #{@summary[:status][category][impact]}"
+          end
+        end
       end
-      compute_summary
-      @summary
+
+      puts @summary.to_json if @json_full
+      puts @summary[:status].to_json if @json_counts
     end
 
-    def threshold(threshold = nil)
-      @summary = to_summary
-      @threshold = Utils::InspecUtil.to_dotted_hash(YAML.load_file(THRESHOLD_TEMPLATE))
-      parse_threshold(Utils::InspecUtil.to_dotted_hash(threshold))
-      threshold_compliance
+    def results_meet_threshold?
+      raise 'Please provide threshold as a yaml file or inline yaml' unless @threshold_provided
+
+      compliance = true
+      failure = []
+      failure << check_max_compliance(@threshold['compliance.max'], @summary[:compliance], '', 'compliance')
+      failure << check_min_compliance(@threshold['compliance.min'], @summary[:compliance], '', 'compliance')
+
+      BUCKETS.each do |bucket|
+        TALLYS.each do |tally|
+          failure << check_min_compliance(@threshold["#{bucket}.#{tally}.min"], @summary[:status][bucket][tally], bucket, tally)
+          failure << check_max_compliance(@threshold["#{bucket}.#{tally}.max"], @summary[:status][bucket][tally], bucket, tally)
+        end
+      end
+
+      failure.reject!(&:nil?)
+      compliance = false if failure.length.positive?
+      output(compliance, failure)
+      compliance
     end
 
     private
 
+    def check_min_compliance(min, data, bucket, tally)
+      expected_to_string(bucket, tally, 'min', min, data) if min != -1 and data < min
+    end
+
+    def check_max_compliance(max, data, bucket, tally)
+      expected_to_string(bucket, tally, 'max', max, data) if max != -1 and data > max
+    end
+
+    def output(passed_threshold, what_failed)
+      if passed_threshold
+        puts "Overall compliance threshold of #{@threshold['compliance.min']}\% met. Current compliance at #{@summary[:compliance]}\%"
+      else
+        puts 'Compliance threshold was not met: '
+        puts what_failed.join("\n")
+      end
+    end
+
+    def expected_to_string(bucket, tally, maxmin, value, got)
+      return "Expected #{bucket}.#{tally}.#{maxmin}:#{value} got:#{got}" unless bucket.empty? || bucket.nil?
+
+      "Expected #{tally}.#{maxmin}:#{value}\% got:#{got}\%"
+    end
+
+    def parse_threshold(threshold_inline, threshold_file)
+      threshold = Utils::InspecUtil.to_dotted_hash(YAML.load_file(THRESHOLD_TEMPLATE))
+      threshold.merge!(Utils::InspecUtil.to_dotted_hash(YAML.load_file(threshold_file))) if threshold_file
+      threshold.merge!(Utils::InspecUtil.to_dotted_hash(YAML.safe_load(threshold_inline))) if threshold_inline
+      threshold
+    end
+
     def compute_summary
-      @summary[:buckets] = {}
-      @summary[:buckets][:failed]    = select_by_status(@data, 'Open')
-      @summary[:buckets][:passed]    = select_by_status(@data, 'NotAFinding')
-      @summary[:buckets][:no_impact] = select_by_status(@data, 'Not_Applicable')
-      @summary[:buckets][:skipped]   = select_by_status(@data, 'Not_Reviewed')
-      @summary[:buckets][:error]     = select_by_status(@data, 'Profile_Error')
-
-      @summary[:status] = {}
-      @summary[:status][:failed]    = tally_by_impact(@summary[:buckets][:failed])
-      @summary[:status][:passed]    = tally_by_impact(@summary[:buckets][:passed])
-      @summary[:status][:no_impact] = tally_by_impact(@summary[:buckets][:no_impact])
-      @summary[:status][:skipped]   = tally_by_impact(@summary[:buckets][:skipped])
-      @summary[:status][:error]     = tally_by_impact(@summary[:buckets][:error])
-
-      @summary[:compliance] = compute_compliance
+      data = Utils::InspecUtil.parse_data_for_ckl(@json)
+
+      data.keys.each do |control_id|
+        current_control = data[control_id]
+        current_control[:compliance_status] = Utils::InspecUtil.control_status(current_control, true)
+        current_control[:finding_details] = Utils::InspecUtil.control_finding_details(current_control, current_control[:compliance_status])
+      end
+
+      summary = {}
+      summary[:buckets] = {}
+      summary[:buckets][:failed]    = select_by_status(data, 'Open')
+      summary[:buckets][:passed]    = select_by_status(data, 'NotAFinding')
+      summary[:buckets][:no_impact] = select_by_status(data, 'Not_Applicable')
+      summary[:buckets][:skipped]   = select_by_status(data, 'Not_Reviewed')
+      summary[:buckets][:error]     = select_by_status(data, 'Profile_Error')
+
+      summary[:status] = {}
+      %i(failed passed no_impact skipped error).each do |key|
+        summary[:status][key] = tally_by_impact(summary[:buckets][key])
+      end
+      summary[:compliance] = compute_compliance(summary)
+      summary
     end
 
     def select_by_impact(controls, impact)
@@ -78,49 +146,13 @@ module InspecTools
       tally
     end
 
-    def compute_compliance
-      (@summary[:status][:passed][:total]*100.0/
-        (@summary[:status][:passed][:total]+
-         @summary[:status][:failed][:total]+
-         @summary[:status][:skipped][:total]+
-         @summary[:status][:error][:total])).floor
-    end
-
-    def threshold_compliance
-      compliance = true
-      failure = []
-      max = @threshold['compliance.max']
-      min = @threshold['compliance.min']
-      if max != -1 and @summary[:compliance] > max
-        compliance = false
-        failure << "Expected compliance.max:#{max} got:#{@summary[:compliance]}"
-      end
-      if min != -1 and @summary[:compliance] < min
-        compliance = false
-        failure << "Expected compliance.min:#{min} got:#{@summary[:compliance]}"
-      end
-      status = @summary[:status]
-      BUCKETS.each do |bucket|
-        TALLYS.each do |tally|
-          max = @threshold["#{bucket}.#{tally}.max"]
-          min = @threshold["#{bucket}.#{tally}.min"]
-          if max != -1 and status[bucket][tally] > max
-            compliance = false
-            failure << "Expected #{bucket}.#{tally}.max:#{max} got:#{status[bucket][tally]}"
-          end
-          if min != -1 and status[bucket][tally] < min
-            compliance = false
-            failure << "Expected #{bucket}.#{tally}.min:#{min} got:#{status[bucket][tally]}"
-          end
-        end
-      end
-      puts failure.join("\n") unless compliance
-      puts 'Compliance threshold met' if compliance
-      compliance
-    end
-
-    def parse_threshold(new_threshold)
-      @threshold.merge!(new_threshold)
+    def compute_compliance(summary)
+      (summary[:status][:passed][:total]*100.0/
+        (summary[:status][:passed][:total]+
+         summary[:status][:failed][:total]+
+         summary[:status][:skipped][:total]+
+         summary[:status][:error][:total])).floor
     end
   end
+  # rubocop:enable Metrics/ClassLength
 end

data/lib/inspec_tools/xccdf.rb

@@ -17,7 +17,7 @@ module InspecTools
       @xccdf = replace_tags_in_xccdf(replace_tags, @xccdf) unless replace_tags.nil?
       cci_list_path = File.join(File.dirname(__FILE__), '../data/U_CCI_List.xml')
       @cci_items = HappyMapperTools::CCIAttributes::CCI_List.parse(File.read(cci_list_path))
-      # @cci_items = HappyMapperTools::CCIAttributes::CCI_List.parse(File.read('./data/U_CCI_List.xml'))
+      register_after_parse_callbacks
       @benchmark = HappyMapperTools::StigAttributes::Benchmark.parse(@xccdf)
     end
 
@@ -89,6 +89,14 @@ module InspecTools
 
     private
 
+    def register_after_parse_callbacks
+      # Determine if the parsed Ident is refrencing a legacy ID number.
+      HappyMapperTools::StigAttributes::Ident.after_parse do |object|
+        object.cci = object.system.eql?('http://cyber.mil/cci')
+        object.legacy = !object.cci
+      end
+    end
+
     def replace_tags_in_xccdf(replace_tags, xccdf_xml)
       replace_tags.each do |tag|
         xccdf_xml = xccdf_xml.gsub(/(&lt;|<)#{tag}(&gt;|>)/, "$#{tag}")
@@ -133,8 +141,9 @@ module InspecTools
         control['tags']['rid'] = group.rule.id
         control['tags']['stig_id'] = group.rule.version
         control['tags']['fix_id'] = group.rule.fix.id
-        control['tags']['cci'] = group.rule.idents
-        control['tags']['nist'] = @cci_items.fetch_nists(group.rule.idents)
+        control['tags']['cci'] = group.rule.idents.select { |i| i.cci }.map { |i| i.ident }
+        control['tags']['legacy'] = group.rule.idents.select { |i| i.legacy}.map { |i| i.ident }
+        control['tags']['nist'] = @cci_items.fetch_nists(control['tags']['cci'])
         control['tags']['false_negatives'] = group.rule.description.false_negatives if group.rule.description.false_negatives != ''
         control['tags']['false_positives'] = group.rule.description.false_positives if group.rule.description.false_positives != ''
         control['tags']['documentable'] = group.rule.description.documentable if group.rule.description.documentable != ''

data/lib/inspec_tools/xlsx_tool.rb

@@ -6,6 +6,7 @@ require 'digest'
 
 require_relative '../utilities/inspec_util'
 require_relative '../utilities/cis_to_nist'
+require_relative '../utilities/mapping_validator'
 
 # rubocop:disable Metrics/AbcSize
 # rubocop:disable Metrics/PerceivedComplexity
@@ -19,7 +20,7 @@ module InspecTools
     def initialize(xlsx, mapping, name, verbose = false)
       @name = name
       @xlsx = xlsx
-      @mapping = mapping
+      @mapping = Utils::MappingValidator.validate(mapping)
       @verbose = verbose
       @cis_to_nist = Utils::CisToNist.get_mapping('cis_to_nist_mapping')
     end

data/lib/utilities/cci_xml.rb

@@ -0,0 +1,13 @@
+require 'nokogiri'
+
+module Utils
+  class CciXml
+    def self.get_cci_list(cci_list_file)
+      path = File.expand_path(File.join(File.expand_path(__dir__), '..', 'data', cci_list_file))
+      raise "CCI list does not exist at #{path}" unless File.exist?(path)
+
+      cci_list = Nokogiri::XML(File.open(path))
+      cci_list.remove_namespaces!
+    end
+  end
+end

data/lib/utilities/inspec_util.rb

@@ -13,15 +13,8 @@ require 'overrides/object'
 require 'overrides/string'
 require 'rubocop'
 
-# rubocop:disable Metrics/ClassLength
-# rubocop:disable Metrics/AbcSize
-# rubocop:disable Metrics/PerceivedComplexity
-# rubocop:disable Metrics/CyclomaticComplexity
-# rubocop:disable Metrics/MethodLength
-
 module Utils
-  class InspecUtil
-    DATA_NOT_FOUND_MESSAGE = 'N/A'.freeze
+  class InspecUtil # rubocop:disable Metrics/ClassLength
     WIDTH = 80
     IMPACT_SCORES = {
       'none' => 0.0,
@@ -31,56 +24,7 @@ module Utils
       'critical' => 0.9
     }.freeze
 
-    def self.parse_data_for_xccdf(json)
-      data = {}
-
-      controls = []
-      if json['profiles'].nil?
-        controls = json['controls']
-      elsif json['profiles'].length == 1
-        controls = json['profiles'].last['controls']
-      else
-        json['profiles'].each do |profile|
-          controls.concat(profile['controls'])
-        end
-      end
-      c_data = {}
-
-      controls.each do |control|
-        c_id = control['id'].to_sym
-        c_data[c_id] = {}
-        c_data[c_id]['id']             = control['id']    || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['title']          = control['title'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['desc']           = control['desc'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['severity']       = control['tags']['severity'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['gid']            = control['tags']['gid'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['gtitle']         = control['tags']['gtitle'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['gdescription']   = control['tags']['gdescription'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['rid']            = control['tags']['rid'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['rversion']       = control['tags']['rversion'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['rweight']        = control['tags']['rweight'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['stig_id']        = control['tags']['stig_id'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['cci']            = control['tags']['cci'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['nist']           = control['tags']['nist'] || ['unmapped']
-        c_data[c_id]['check']          = control['tags']['check'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['checkref']       = control['tags']['checkref'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['fix']            = control['tags']['fix'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['fixref']         = control['tags']['fixref'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['fix_id']         = control['tags']['fix_id'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['rationale']      = control['tags']['rationale'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['cis_family']     = control['tags']['cis_family'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['cis_rid']        = control['tags']['cis_rid'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['cis_level']      = control['tags']['cis_level'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['impact']         = control['impact'].to_s || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['code']           = control['code'].to_s || DATA_NOT_FOUND_MESSAGE
-      end
-
-      data['controls'] = c_data.values
-      data['status'] = 'success'
-      data
-    end
-
-    def self.parse_data_for_ckl(json)
+    def self.parse_data_for_ckl(json) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
       data = {}
 
       # Parse for inspec profile results json
@@ -104,8 +48,8 @@ module Utils
           end
 
           if control['descriptions'].respond_to?(:find)
-            data[c_id][:check_content]  = control['descriptions'].find { |c| c['label'] == 'fix' }&.dig('data')
-            data[c_id][:fix_text]       = control['descriptions'].find { |c| c['label'] == 'check' }&.dig('data')
+            data[c_id][:check_content]  = control['descriptions'].find { |c| c['label'] == 'check' }&.dig('data')
+            data[c_id][:fix_text]       = control['descriptions'].find { |c| c['label'] == 'fix' }&.dig('data')
           end
 
           data[c_id][:impact]         = control['impact'].to_s unless control['impact'].nil?
@@ -221,7 +165,7 @@ module Utils
     end
 
     private_class_method def self.string_to_impact(severity, use_cvss_terms)
-      if /none|na|n\/a|not[_|(\s*)]?applicable/i.match?(severity)
+      if %r{none|na|n/a|not[_|(\s*)]?applicable}i.match?(severity)
         impact = 0.0 # Informative
       elsif /low|cat(egory)?\s*(iii|3)/i.match?(severity)
         impact = 0.3 # Low Impact
@@ -248,13 +192,10 @@ module Utils
       end
 
       IMPACT_SCORES.reverse_each do |name, impact_score|
-        if name == 'critical' && value >= impact_score && use_cvss_terms
-          return 'high'
-        elsif value >= impact_score
-          return name
-        else
-          next
-        end
+        return 'high' if name == 'critical' && value >= impact_score && use_cvss_terms
+        return name if value >= impact_score
+
+        next
       end
     end
 
@@ -277,7 +218,7 @@ module Utils
       WordWrap.ww(str.to_s, width)
     end
 
-    private_class_method def self.generate_controls(inspec_json)
+    private_class_method def self.generate_controls(inspec_json) # rubocop:disable Metrics/AbcSize,  Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
       controls = []
       inspec_json['controls'].each do |json_control|
         control = ::Inspec::Object::Control.new
@@ -305,6 +246,7 @@ module Utils
         control.add_tag(::Inspec::Object::Tag.new('stig_id',  json_control['tags']['stig_id']))
         control.add_tag(::Inspec::Object::Tag.new('fix_id', json_control['tags']['fix_id']))
         control.add_tag(::Inspec::Object::Tag.new('cci', json_control['tags']['cci']))
+        control.add_tag(::Inspec::Object::Tag.new('legacy', json_control['tags']['legacy']))
         control.add_tag(::Inspec::Object::Tag.new('nist', json_control['tags']['nist']))
         control.add_tag(::Inspec::Object::Tag.new('cis_level', json_control['tags']['cis_level'])) unless json_control['tags']['cis_level'].blank?
         control.add_tag(::Inspec::Object::Tag.new('cis_controls', json_control['tags']['cis_controls'])) unless json_control['tags']['cis_controls'].blank?
@@ -384,7 +326,7 @@ module Utils
       myfile.puts readme_contents
     end
 
-    private_class_method def self.unpack_profile(directory, controls, separated, output_format)
+    private_class_method def self.unpack_profile(directory, controls, separated, output_format) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
       FileUtils.rm_rf(directory) if Dir.exist?(directory)
       Dir.mkdir directory unless Dir.exist?(directory)
       Dir.mkdir "#{directory}/controls" unless Dir.exist?("#{directory}/controls")
@@ -433,9 +375,3 @@ module Utils
     end
   end
 end
-
-# rubocop:enable Metrics/ClassLength
-# rubocop:enable Metrics/AbcSize
-# rubocop:enable Metrics/PerceivedComplexity
-# rubocop:enable Metrics/CyclomaticComplexity
-# rubocop:enable Metrics/MethodLength