inspec_tools 2.1.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eee290c08f68bf8bb7894537a1871e0bdf5144266ee50932ea70af3018d5f94e
-  data.tar.gz: 42ed4ee43680aaceb6fa12c03bfe7c29dd88a33399787b7053510716182c627e
+  metadata.gz: 315e07faccf97b313b9493963ef7b9b80ffa7a1459bfa661527c4e827de89676
+  data.tar.gz: e31f0bc2c0006bcb96b9ee46f34c59b8ba71358c2293d7c39874b0fc80b5292b
 SHA512:
-  metadata.gz: 43e9b4038ff40f6aee88a16fb63e536b7d3918f15b8a3f9b3fcf87688eb1a167cfd08a7f45cac6fcdd68a2cdd1b5f1ac9ab9a85a2bd42c983b9e963c0b18d96d
-  data.tar.gz: cd750538af91a05636ad406b80f1adc83bbacfa382143d472bbced9265227f3da245a8a23dd7de0af3636c1650b1c563c6621dc48f524db1550518e7bcc55ae5
+  metadata.gz: 50409617c4e6142916f328e5850a5ef3f2d99b9e71671714ce0475708c435242911b6d4455f47fd1f5e50a7778b80e673d4ec74e3ee5d8f66ab5530c42fa8ad9
+  data.tar.gz: e34adf2df0ec1b1bcd5d9224a2621565c5c4efbe79177c2326a3ef8eef6e10922cbc025682c6bade7179add2e59b3b6394419da0cf7c82f1fd8dcfb58efe49f3

data/README.md

@@ -100,13 +100,15 @@ If the specified threshold is not met, an error code (1) is returned along with
 
 The compliance score are rounded down to the nearest whole number. For example a score of 77.3 would be displayed as 77.
 
+Thresholds provided inline (i.e. `-i`) override thresholds provided by files (i.e. `-f`).
+
 ```
 USAGE:  inspec_tools compliance [OPTIONS] -j <inspec-json> -i <threshold-inline>
 	inspec_tools compliance [OPTIONS] -j <inspec-json> -f <threshold-file>
 FLAGS:
 	-j --inspec-json <inspec-json>          : path to InSpec results Json
 	-i --template-inline <threshold-inline> : inline compliance threshold definition
-	-f --template-file <threshold-file>     : yaml file with compliance threshold definition
+	-f --threshold-file <threshold-file>    : yaml file with compliance threshold definition
 Examples:
 
   inspec_tools compliance -j examples/sample_json/rhel-simp.json -i '{compliance.min: 80, failed.critical.max: 0, failed.high.max: 0}'
@@ -135,11 +137,11 @@ failed.high.max: 1
 
 #### In-Line Examples
 ```
-{compliance: {min: 90}, failed: {critical: {max: 0}, high: {max: 0}}}
+"{compliance: {min: 90}, failed: {critical: {max: 0}, high: {max: 0}}}"
 ```
 
 ```
-{compliance.min: 81, failed.critical.max: 0, failed.high.max: 0}
+"{compliance.min: 81, failed.critical.max: 0, failed.high.max: 0}"
 ```
 
 ## summary
@@ -185,12 +187,16 @@ Using additional flags will override the normal output and only display the outp
 
 USAGE: inspec_tools summary [OPTIONS] -j <inspec-json>
 
+Thresholds provided inline (i.e. `-i`) override thresholds provided by files (i.e. `-t`).
+
+
 ```
 FLAGS:
-  -j --inspec-json <inspec-json>   : path to InSpec results JSON
-  -V --verbose, --no-verbose       : print verbose an debug output
-  -f --json-full, --no-json-full   : print the summary STDOUT as JSON
-  -k --json-counts, --no-json_cou  : print the reslut status to STDOUT as JSON
+  -j --inspec-json <inspec-json>           : path to InSpec results JSON
+  -f --json-full, --no-json-full           : print the summary STDOUT as JSON
+  -k --json-counts, --no-json-counts       : print the result status to STDOUT as JSON
+  -t, --threshold-file=THRESHOLD_FILE]     : path to threshold YAML file
+  -i, --threshold-inline=THRESHOLD_INLINE] : string of text representing threshold YAML inline
 
 Examples:
 

data/lib/inspec_tools/csv.rb

@@ -21,12 +21,12 @@ module InspecTools
       @csv.shift if @mapping['skip_csv_header']
     end
 
-    def to_inspec
+    def to_inspec(control_name_prefix: nil)
       @controls = []
       @profile = {}
       @cci_xml = Utils::CciXml.get_cci_list('U_CCI_List.xml')
       insert_metadata
-      parse_controls
+      parse_controls(control_name_prefix)
       @profile['controls'] = @controls
       @profile['sha256'] = Digest::SHA256.hexdigest(@profile.to_s)
       @profile
@@ -66,12 +66,12 @@ module InspecTools
       cell.split("\n").first
     end
 
-    def parse_controls
+    def parse_controls(prefix)
       @csv.each do |row|
         control = {}
-        control['id']     = row[@mapping['control.id']]     unless @mapping['control.id'].nil? || row[@mapping['control.id']].nil?
-        control['title']  = row[@mapping['control.title']]  unless @mapping['control.title'].nil? || row[@mapping['control.title']].nil?
-        control['desc']   = row[@mapping['control.desc']]   unless @mapping['control.desc'].nil? || row[@mapping['control.desc']].nil?
+        control['id']     = generate_control_id(prefix, row[@mapping['control.id']]) unless @mapping['control.id'].nil? || row[@mapping['control.id']].nil?
+        control['title']  = row[@mapping['control.title']] unless @mapping['control.title'].nil? || row[@mapping['control.title']].nil?
+        control['desc']   = row[@mapping['control.desc']] unless @mapping['control.desc'].nil? || row[@mapping['control.desc']].nil?
         control['tags'] = {}
         cci_number = get_cci_number(row[@mapping['control.tags']['cci']])
         nist = get_nist_reference(cci_number) unless cci_number.nil?
@@ -90,5 +90,15 @@ module InspecTools
         @controls << control
       end
     end
+
+    def generate_control_id(prefix, id)
+      return id if prefix.nil?
+
+      "#{prefix}-#{id}"
+    end
   end
 end
+
+# rubocop:enable Metrics/AbcSize
+# rubocop:enable Metrics/PerceivedComplexity
+# rubocop:enable Metrics/CyclomaticComplexity

data/lib/inspec_tools/plugin_cli.rb

@@ -1,4 +1,3 @@
-require 'yaml'
 require 'json'
 require 'roo'
 require_relative '../utilities/inspec_util'
@@ -13,7 +12,6 @@ module InspecTools
   autoload :CKL, 'inspec_tools/ckl'
   autoload :Inspec, 'inspec_tools/inspec'
   autoload :Summary, 'inspec_tools/summary'
-  autoload :Threshold, 'inspec_tools/threshold'
   autoload :XLSXTool, 'inspec_tools/xlsx_tool'
   autoload :GenerateMap, 'inspec_tools/generate_map'
 end
@@ -80,10 +78,11 @@ module InspecPlugins
       option :output, required: false, aliases: '-o', default: 'profile'
       option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
       option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+      option :control_name_prefix, required: false, type: :string, aliases: '-p'
       def csv2inspec
         csv = CSV.read(options[:csv], encoding: 'ISO8859-1')
         mapping = YAML.load_file(options[:mapping])
-        profile = InspecTools::CSVTool.new(csv, mapping, options[:csv].split('/')[-1].split('.')[0], options[:verbose]).to_inspec
+        profile = InspecTools::CSVTool.new(csv, mapping, options[:csv].split('/')[-1].split('.')[0], options[:verbose]).to_inspec(control_name_prefix: options[:control_name_prefix])
         Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
       end
 
@@ -189,26 +188,14 @@ module InspecPlugins
       desc 'summary', 'summary parses an inspec results json to create a summary json'
       long_desc InspecTools::Help.text(:summary)
       option :inspec_json, required: true, aliases: '-j'
-      option :verbose, type: :boolean, aliases: '-V'
       option :json_full, type: :boolean, required: false, aliases: '-f'
       option :json_counts, type: :boolean, required: false, aliases: '-k'
+      option :threshold_file, required: false, aliases: '-t'
+      option :threshold_inline, required: false, aliases: '-i'
 
       def summary
-        summary = InspecTools::Summary.new(File.read(options[:inspec_json])).to_summary
-
-        unless options.include?('json_full') || options.include?('json_counts')
-          puts "\nOverall compliance: #{summary[:compliance]}%\n\n"
-          summary[:status].keys.each do |category|
-            puts category
-            summary[:status][category].keys.each do |impact|
-              puts "\t#{impact} : #{summary[:status][category][impact]}"
-            end
-          end
-        end
-
-        json_summary = summary.to_json
-        puts json_summary if options[:json_full]
-        puts summary[:status].to_json if options[:json_counts]
+        summary = InspecTools::Summary.new(options: options)
+        summary.output_summary
       end
 
       desc 'compliance', 'compliance parses an inspec results json to check if the compliance level meets a specified threshold'
@@ -216,17 +203,10 @@ module InspecPlugins
       option :inspec_json, required: true, aliases: '-j'
       option :threshold_file, required: false, aliases: '-f'
       option :threshold_inline, required: false, aliases: '-i'
-      option :verbose, type: :boolean, aliases: '-V'
 
       def compliance
-        if options[:threshold_file].nil? && options[:threshold_inline].nil?
-          puts 'Please provide threshold as a yaml file or inline yaml'
-          exit(1)
-        end
-        threshold = YAML.load_file(options[:threshold_file]) unless options[:threshold_file].nil?
-        threshold = YAML.safe_load(options[:threshold_inline]) unless options[:threshold_inline].nil?
-        compliance = InspecTools::Summary.new(File.read(options[:inspec_json])).threshold(threshold)
-        compliance ? exit(0) : exit(1)
+        compliance = InspecTools::Summary.new(options: options)
+        compliance.results_meet_threshold? ? exit(0) : exit(1)
       end
     end
   end

data/lib/inspec_tools/summary.rb

@@ -2,8 +2,6 @@ require 'json'
 require 'yaml'
 require_relative '../utilities/inspec_util'
 
-# rubocop:disable Metrics/AbcSize
-
 # Impact Definitions
 CRITICAL = 0.9
 HIGH = 0.7
@@ -16,48 +14,118 @@ TALLYS = %i(total critical high medium low).freeze
 THRESHOLD_TEMPLATE = File.expand_path('../data/threshold.yaml', File.dirname(__FILE__))
 
 module InspecTools
+  # rubocop:disable Metrics/ClassLength
   class Summary
-    def initialize(inspec_json)
-      @json = JSON.parse(inspec_json)
+    attr_reader :json
+    attr_reader :json_full
+    attr_reader :json_counts
+    attr_reader :threshold_file
+    attr_reader :threshold_inline
+    attr_reader :summary
+    attr_reader :threshold
+
+    def initialize(**options)
+      options = options[:options]
+      @json = JSON.parse(File.read(options[:inspec_json]))
+      @json_full = false || options[:json_full]
+      @json_counts = false || options[:json_counts]
+      @threshold = parse_threshold(options[:threshold_inline], options[:threshold_file])
+      @threshold_provided = options[:threshold_inline] || options[:threshold_file]
+      @summary = compute_summary
     end
 
-    def to_summary
-      @data = Utils::InspecUtil.parse_data_for_ckl(@json)
-      @summary = {}
-      @data.keys.each do |control_id|
-        current_control = @data[control_id]
-        current_control[:compliance_status] = Utils::InspecUtil.control_status(current_control, true)
-        current_control[:finding_details] = Utils::InspecUtil.control_finding_details(current_control, current_control[:compliance_status])
+    def output_summary
+      unless @json_full || @json_counts
+        puts "\nThreshold compliance: #{@threshold['compliance.min']}%"
+        puts "\nOverall compliance: #{@summary[:compliance]}%\n\n"
+        @summary[:status].keys.each do |category|
+          puts category
+          @summary[:status][category].keys.each do |impact|
+            puts "\t#{impact} : #{@summary[:status][category][impact]}"
+          end
+        end
       end
-      compute_summary
-      @summary
+
+      puts @summary.to_json if @json_full
+      puts @summary[:status].to_json if @json_counts
     end
 
-    def threshold(threshold = nil)
-      @summary = to_summary
-      @threshold = Utils::InspecUtil.to_dotted_hash(YAML.load_file(THRESHOLD_TEMPLATE))
-      parse_threshold(Utils::InspecUtil.to_dotted_hash(threshold))
-      threshold_compliance
+    def results_meet_threshold?
+      raise 'Please provide threshold as a yaml file or inline yaml' unless @threshold_provided
+
+      compliance = true
+      failure = []
+      failure << check_max_compliance(@threshold['compliance.max'], @summary[:compliance], '', 'compliance')
+      failure << check_min_compliance(@threshold['compliance.min'], @summary[:compliance], '', 'compliance')
+
+      BUCKETS.each do |bucket|
+        TALLYS.each do |tally|
+          failure << check_min_compliance(@threshold["#{bucket}.#{tally}.min"], @summary[:status][bucket][tally], bucket, tally)
+          failure << check_max_compliance(@threshold["#{bucket}.#{tally}.max"], @summary[:status][bucket][tally], bucket, tally)
+        end
+      end
+
+      failure.reject!(&:nil?)
+      compliance = false if failure.length.positive?
+      output(compliance, failure)
+      compliance
     end
 
     private
 
+    def check_min_compliance(min, data, bucket, tally)
+      expected_to_string(bucket, tally, 'min', min, data) if min != -1 and data < min
+    end
+
+    def check_max_compliance(max, data, bucket, tally)
+      expected_to_string(bucket, tally, 'max', max, data) if max != -1 and data > max
+    end
+
+    def output(passed_threshold, what_failed)
+      if passed_threshold
+        puts "Overall compliance threshold of #{@threshold['compliance.min']}\% met. Current compliance at #{@summary[:compliance]}\%"
+      else
+        puts 'Compliance threshold was not met: '
+        puts what_failed.join("\n")
+      end
+    end
+
+    def expected_to_string(bucket, tally, maxmin, value, got)
+      return "Expected #{bucket}.#{tally}.#{maxmin}:#{value} got:#{got}" unless bucket.empty? || bucket.nil?
+
+      "Expected #{tally}.#{maxmin}:#{value}\% got:#{got}\%"
+    end
+
+    def parse_threshold(threshold_inline, threshold_file)
+      threshold = Utils::InspecUtil.to_dotted_hash(YAML.load_file(THRESHOLD_TEMPLATE))
+      threshold.merge!(Utils::InspecUtil.to_dotted_hash(YAML.load_file(threshold_file))) if threshold_file
+      threshold.merge!(Utils::InspecUtil.to_dotted_hash(YAML.safe_load(threshold_inline))) if threshold_inline
+      threshold
+    end
+
     def compute_summary
-      @summary[:buckets] = {}
-      @summary[:buckets][:failed]    = select_by_status(@data, 'Open')
-      @summary[:buckets][:passed]    = select_by_status(@data, 'NotAFinding')
-      @summary[:buckets][:no_impact] = select_by_status(@data, 'Not_Applicable')
-      @summary[:buckets][:skipped]   = select_by_status(@data, 'Not_Reviewed')
-      @summary[:buckets][:error]     = select_by_status(@data, 'Profile_Error')
-
-      @summary[:status] = {}
-      @summary[:status][:failed]    = tally_by_impact(@summary[:buckets][:failed])
-      @summary[:status][:passed]    = tally_by_impact(@summary[:buckets][:passed])
-      @summary[:status][:no_impact] = tally_by_impact(@summary[:buckets][:no_impact])
-      @summary[:status][:skipped]   = tally_by_impact(@summary[:buckets][:skipped])
-      @summary[:status][:error]     = tally_by_impact(@summary[:buckets][:error])
-
-      @summary[:compliance] = compute_compliance
+      data = Utils::InspecUtil.parse_data_for_ckl(@json)
+
+      data.keys.each do |control_id|
+        current_control = data[control_id]
+        current_control[:compliance_status] = Utils::InspecUtil.control_status(current_control, true)
+        current_control[:finding_details] = Utils::InspecUtil.control_finding_details(current_control, current_control[:compliance_status])
+      end
+
+      summary = {}
+      summary[:buckets] = {}
+      summary[:buckets][:failed]    = select_by_status(data, 'Open')
+      summary[:buckets][:passed]    = select_by_status(data, 'NotAFinding')
+      summary[:buckets][:no_impact] = select_by_status(data, 'Not_Applicable')
+      summary[:buckets][:skipped]   = select_by_status(data, 'Not_Reviewed')
+      summary[:buckets][:error]     = select_by_status(data, 'Profile_Error')
+
+      summary[:status] = {}
+      %i(failed passed no_impact skipped error).each do |key|
+        summary[:status][key] = tally_by_impact(summary[:buckets][key])
+      end
+      summary[:compliance] = compute_compliance(summary)
+      summary
     end
 
     def select_by_impact(controls, impact)
@@ -78,49 +146,13 @@ module InspecTools
       tally
     end
 
-    def compute_compliance
-      (@summary[:status][:passed][:total]*100.0/
-        (@summary[:status][:passed][:total]+
-         @summary[:status][:failed][:total]+
-         @summary[:status][:skipped][:total]+
-         @summary[:status][:error][:total])).floor
-    end
-
-    def threshold_compliance
-      compliance = true
-      failure = []
-      max = @threshold['compliance.max']
-      min = @threshold['compliance.min']
-      if max != -1 and @summary[:compliance] > max
-        compliance = false
-        failure << "Expected compliance.max:#{max} got:#{@summary[:compliance]}"
-      end
-      if min != -1 and @summary[:compliance] < min
-        compliance = false
-        failure << "Expected compliance.min:#{min} got:#{@summary[:compliance]}"
-      end
-      status = @summary[:status]
-      BUCKETS.each do |bucket|
-        TALLYS.each do |tally|
-          max = @threshold["#{bucket}.#{tally}.max"]
-          min = @threshold["#{bucket}.#{tally}.min"]
-          if max != -1 and status[bucket][tally] > max
-            compliance = false
-            failure << "Expected #{bucket}.#{tally}.max:#{max} got:#{status[bucket][tally]}"
-          end
-          if min != -1 and status[bucket][tally] < min
-            compliance = false
-            failure << "Expected #{bucket}.#{tally}.min:#{min} got:#{status[bucket][tally]}"
-          end
-        end
-      end
-      puts failure.join("\n") unless compliance
-      puts 'Compliance threshold met' if compliance
-      compliance
-    end
-
-    def parse_threshold(new_threshold)
-      @threshold.merge!(new_threshold)
+    def compute_compliance(summary)
+      (summary[:status][:passed][:total]*100.0/
+        (summary[:status][:passed][:total]+
+         summary[:status][:failed][:total]+
+         summary[:status][:skipped][:total]+
+         summary[:status][:error][:total])).floor
     end
   end
+  # rubocop:enable Metrics/ClassLength
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: inspec_tools
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.2.0
 platform: ruby
 authors:
 - Robert Thew
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-08-11 00:00:00.000000000 Z
+date: 2020-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize