RubyGems - inspec_tools - Versions diffs - 3.0.0 → 3.1.0.pre1 - Mend

inspec_tools 3.0.0 → 3.1.0.pre1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/inspec_tools/csv.rb +5 -1
data/lib/inspec_tools/inspec.rb +478 -4
metadata +4 -6
data/lib/utilities/xccdf/from_inspec.rb +0 -90
data/lib/utilities/xccdf/to_xccdf.rb +0 -387

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5b88a75ec28d6491c6f8070b70402898b70d0971eb1d467aaab58e8f1671c50f
-  data.tar.gz: acad2a4ee5d9c23e972e98b175575915213ea55bb8546b942191ba037392d0a8
+  metadata.gz: 6a8881f5571a113e746fedd8cb616f9ab58aae58ee2ef7938a01487a7131e0cb
+  data.tar.gz: 6202a3eb0e4816476eb2c2cb5fa2ab525f9cbad4a5a078044ef04f19c0bcf38e
 SHA512:
-  metadata.gz: aab806365dba6a0878a2351cd6e433655ddcd8dcfbf5136228a5e2b79b1110709a9f714d13e801b7cbf836564a82f72b462f1cd4e4ba319d78f8c9d35f0b6950
-  data.tar.gz: 245322d7e8d84eb755aa644dbc4fe8cba3098e467c2f055a56dd66a4ee05fc4ff30beabecf13fea9eed060e26199f9b9b6da87dbcb1cc2ff0658ee959beefef6
+  metadata.gz: 68612dd71958e27d66f97c6eb4acf48f30b5434697c6b8d07e2d4e17a9c4f49dcd37f71421dba153e07ccf8f1c030f4208fcb8afc825ba2eac4ddde18d192bd6
+  data.tar.gz: 5e061df82cdadae6b19bd0e04a69d044d8cec7cbe013e3955eb2c6f71a68558a12883cd3a353eb5964e27f3f533d2091d5a77045baf89292fef9414d763f540a

data/lib/inspec_tools/csv.rb CHANGED Viewed

@@ -74,7 +74,11 @@ module InspecTools
         control['tags']['nist'] = nist unless nist.nil? || nist.include?(nil)
         @mapping['control.tags'].each do |tag|
           if tag.first == 'cci'
-            control['tags'][tag.first] = cci_number
+            if cci_number.is_a? Array
+              control['tags'][tag.first] = cci_number
+            else
+              control['tags'][tag.first] = [cci_number]
+            end
             next
           end
           control['tags'][tag.first] = row[tag.last] unless row[tag.last].nil?

data/lib/inspec_tools/inspec.rb CHANGED Viewed

@@ -9,11 +9,12 @@ require_relative '../happy_mapper_tools/stig_checklist'
 require_relative '../happy_mapper_tools/benchmark'
 require_relative '../utilities/inspec_util'
 require_relative 'csv'
-require_relative '../utilities/xccdf/from_inspec'
-require_relative '../utilities/xccdf/to_xccdf'
+require_relative '../utilities/xccdf/xccdf_score'
 module InspecTools
   class Inspec
+    DATA_NOT_FOUND_MESSAGE = 'N/A'.freeze
     def initialize(inspec_json, metadata = {})
       @json = JSON.parse(inspec_json)
       @metadata = metadata
@@ -38,10 +39,11 @@ module InspecTools
     # @param attributes [Hash] Optional input attributes
     # @return [String] XML formatted String
     def to_xccdf(attributes, verbose = false)
-      data = Utils::FromInspec.new.parse_data_for_xccdf(@json)
+      data = parse_data_for_xccdf(@json)
       @verbose = verbose
+      @benchmark = HappyMapperTools::Benchmark::Benchmark.new
-      Utils::ToXCCDF.new(attributes || {}, data).to_xml(@metadata)
+      to_xml(@metadata, attributes, data)
     end
     ####
@@ -80,6 +82,478 @@ module InspecTools
       find_topmost_profile_name(index + 1, parent_name)
     end
+    # Build entire XML document and produce final output
+    # @param metadata [Hash] Data representing a system under scan
+    def to_xml(metadata, attributes, data)
+      attributes = {} if attributes.nil?
+      build_benchmark_header(attributes)
+      build_groups(attributes, data)
+      # Only populate results if a target is defined so that conformant XML is produced.
+      @benchmark.testresult = build_test_results(metadata, data) if metadata['fqdn']
+      @benchmark.to_xml
+    end
+    def build_benchmark_header(attributes)
+      @benchmark.title = attributes['benchmark.title']
+      @benchmark.id = attributes['benchmark.id']
+      @benchmark.description = attributes['benchmark.description']
+      @benchmark.version = attributes['benchmark.version']
+      @benchmark.xmlns = 'http://checklists.nist.gov/xccdf/1.1'
+      @benchmark.status = HappyMapperTools::Benchmark::Status.new
+      @benchmark.status.status = attributes['benchmark.status']
+      @benchmark.status.date = attributes['benchmark.status.date']
+      if attributes['benchmark.notice.id']
+        @benchmark.notice = HappyMapperTools::Benchmark::Notice.new
+        @benchmark.notice.id = attributes['benchmark.notice.id']
+      end
+      if attributes['benchmark.plaintext'] || attributes['benchmark.plaintext.id']
+        @benchmark.plaintext = HappyMapperTools::Benchmark::Plaintext.new
+        @benchmark.plaintext.plaintext = attributes['benchmark.plaintext']
+        @benchmark.plaintext.id = attributes['benchmark.plaintext.id']
+      end
+      @benchmark.reference = HappyMapperTools::Benchmark::ReferenceBenchmark.new
+      @benchmark.reference.href = attributes['reference.href']
+      @benchmark.reference.dc_publisher = attributes['reference.dc.publisher']
+      @benchmark.reference.dc_source = attributes['reference.dc.source']
+    end
+    # Translate join of Inspec results and input attributes to XCCDF Groups
+    def build_groups(attributes, data)
+      group_array = []
+      data['controls'].each do |control|
+        group = HappyMapperTools::Benchmark::Group.new
+        group.id = control['id']
+        group.title = control['gtitle']
+        group.description = "<GroupDescription>#{control['gdescription']}</GroupDescription>" if control['gdescription']
+        group.rule = HappyMapperTools::Benchmark::Rule.new
+        group.rule.id = control['rid']
+        group.rule.severity = control['severity']
+        group.rule.weight = control['rweight']
+        group.rule.version = control['rversion']
+        group.rule.title = control['title'].tr("\n", ' ') if control['title']
+        group.rule.description = "<VulnDiscussion>#{control['desc']}</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations>#{control['rationale']}</Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>"
+        if ['reference.dc.publisher', 'reference.dc.title', 'reference.dc.subject', 'reference.dc.type', 'reference.dc.identifier'].any? { |a| attributes.key?(a) }
+          group.rule.reference = build_rule_reference(attributes)
+        end
+        group.rule.ident = build_rule_idents(control['cci']) if control['cci']
+        group.rule.ident += build_rule_idents(control['legacy']) if control['legacy']
+        group.rule.fixtext = HappyMapperTools::Benchmark::Fixtext.new
+        group.rule.fixtext.fixref = control['fix_id']
+        group.rule.fixtext.fixtext = control['fix']
+        group.rule.fix = build_rule_fix(control['fix_id']) if control['fix_id']
+        group.rule.check = HappyMapperTools::Benchmark::Check.new
+        group.rule.check.system = control['checkref']
+        # content_ref is optional for schema compliance
+        if attributes['content_ref.name'] || attributes['content_ref.href']
+          group.rule.check.content_ref = HappyMapperTools::Benchmark::ContentRef.new
+          group.rule.check.content_ref.name = attributes['content_ref.name']
+          group.rule.check.content_ref.href = attributes['content_ref.href']
+        end
+        group.rule.check.content = control['check']
+        group_array << group
+      end
+      @benchmark.group = group_array
+    end
+    # Construct a Benchmark Testresult from Inspec data. This must be called after all XML processing has occurred for profiles
+    # and groups.
+    # @param metadata [Hash]
+    # @return [TestResult]
+    def build_test_results(metadata, data)
+      test_result = HappyMapperTools::Benchmark::TestResult.new
+      test_result.version = @benchmark.version
+      test_result = populate_remark(test_result, data)
+      test_result = populate_target_facts(test_result, metadata)
+      test_result = populate_identity(test_result, metadata)
+      test_result = populate_results(test_result, data)
+      populate_score(test_result, @benchmark.group)
+    end
+    # Contruct a Rule / RuleResult fix element with the provided id.
+    def build_rule_fix(fix_id)
+      HappyMapperTools::Benchmark::Fix.new.tap { |f| f.id = fix_id }
+    end
+    # Construct rule identifiers for rule
+    # @param idents [Array]
+    def build_rule_idents(idents)
+      raise "#{idents} is not an Array type." unless idents.is_a?(Array)
+      # Each rule identifier is a different element
+      idents.map do |identifier|
+        HappyMapperTools::Benchmark::Ident.new identifier
+      end
+    end
+    # Contruct a Rule reference element
+    def build_rule_reference(attributes)
+      reference = HappyMapperTools::Benchmark::ReferenceGroup.new
+      reference.dc_publisher = attributes['reference.dc.publisher']
+      reference.dc_title = attributes['reference.dc.title']
+      reference.dc_subject = attributes['reference.dc.subject']
+      reference.dc_type = attributes['reference.dc.type']
+      reference.dc_identifier = attributes['reference.dc.identifier']
+      reference
+    end
+    # Create a remark with contextual information about the Inspec version and profiles used
+    # @param result [HappyMapperTools::Benchmark::TestResult]
+    def populate_remark(result, data)
+      result.remark = "Results created using Inspec version #{data['inspec_version']}."
+      result.remark += "\n#{data['profiles'].map { |p| "Profile: #{p['name']} Version: #{p['version']}" }.join("\n")}" if data['profiles']
+      result
+    end
+    # Create all target specific information.
+    # @param result [HappyMapperTools::Benchmark::TestResult]
+    # @param metadata [Hash]
+    def populate_target_facts(result, metadata)
+      result.target = metadata['fqdn']
+      result.target_address = metadata['ip'] if metadata['ip']
+      all_facts = []
+      if metadata['mac']
+        fact = HappyMapperTools::Benchmark::Fact.new
+        fact.name = 'urn:xccdf:fact:asset:identifier:mac'
+        fact.type = 'string'
+        fact.fact = metadata['mac']
+        all_facts << fact
+      end
+      if metadata['ip']
+        fact = HappyMapperTools::Benchmark::Fact.new
+        fact.name = 'urn:xccdf:fact:asset:identifier:ipv4'
+        fact.type = 'string'
+        fact.fact = metadata['ip']
+        all_facts << fact
+      end
+      return result unless all_facts.size.nonzero?
+      facts = HappyMapperTools::Benchmark::TargetFact.new
+      facts.fact = all_facts
+      result.target_facts = facts
+      result
+    end
+    # Add information about the the account and organization executing the tests.
+    def populate_identity(test_result, metadata)
+      if metadata['identity']
+        test_result.identity = HappyMapperTools::Benchmark::IdentityType.new
+        test_result.identity.authenticated = true
+        test_result.identity.identity = metadata['identity']['identity']
+        test_result.identity.privileged = metadata['identity']['privileged']
+      end
+      test_result.organization = metadata['organization'] if metadata['organization']
+      test_result
+    end
+    # Build out the TestResult given all the control and result data.
+    def populate_results(test_result, data)
+      # NOTE: id is not an XCCDF 1.2 compliant identifier and will need to be updated when that support is added.
+      test_result.id = 'result_1'
+      test_result.starttime = run_start_time(data)
+      test_result.endtime = run_end_time(data)
+      # Build out individual results
+      all_rule_result = []
+      data['controls'].each do |control|
+        next if control['results'].nil? || control['results'].empty?
+        control_results =
+          control['results'].map do |result|
+            populate_rule_result(control, result, xccdf_status(result['status'], control['impact']))
+          end
+        # Consolidate results into single rule result do to lack of multiple=true attribute on Rule.
+        # 1. Select the unified result status
+        selected_status = control_results.reduce(control_results.first.result) { |f_status, rule_result| xccdf_and_result(f_status, rule_result.result) }
+        # 2. Only choose results with that status
+        # 3. Combine those results
+        all_rule_result << combine_results(control_results.select { |r| r.result == selected_status })
+      end
+      test_result.rule_result = all_rule_result
+      test_result
+    end
+    # Return the earliest time of execution.
+    def run_start_time(data)
+      start_times =
+        data['controls'].map do |control|
+          next if control['results'].nil?
+          control['results'].map { |result| DateTime.parse(result['start_time']) }
+        end
+      start_times.flatten.min
+    end
+    # Return the latest time of execution accounting for Inspec duration.
+    def run_end_time(data)
+      end_times =
+        data['controls'].map do |control|
+          next if control['results'].nil?
+          control['results'].map { |result| end_time(result['start_time'], result['run_time']) }
+        end
+      end_times.flatten.max
+    end
+    # Create rule-result from the control and Inspec result information
+    def populate_rule_result(control, result, result_status)
+      rule_result = HappyMapperTools::Benchmark::RuleResultType.new
+      rule_result.idref = control['rid']
+      rule_result.severity = control['severity']
+      rule_result.time = end_time(result['start_time'], result['run_time'])
+      rule_result.weight = control['rweight']
+      rule_result.result = result_status
+      rule_result.message = result_message(result, result_status) if result_message(result, result_status)
+      rule_result.instance = result['code_desc']
+      rule_result.ident = build_rule_idents(control['cci']) if control['cci']
+      rule_result.ident += build_rule_idents(control['legacy']) if control['legacy']
+      # Fix information is only necessary when there are failed tests
+      rule_result.fix = build_rule_fix(control['fix_id']) if control['fix_id'] && result_status == 'fail'
+      rule_result.check = HappyMapperTools::Benchmark::Check.new
+      rule_result.check.system = control['checkref']
+      rule_result.check.content = result['code_desc']
+      rule_result
+    end
+    # Map the Inspec result status to appropriate XCCDF test result status.
+    # XCCDF options include: pass, fail, error, unknown, notapplicable, notchecked, notselected, informational, fixed
+    #
+    # @param inspec_status [String] The reported Inspec status from an individual test
+    # @param impact [String] A value of 0.0 - 1.0
+    # @return A valid Inspec status.
+    def xccdf_status(inspec_status, impact)
+      # Currently, there is no good way to map an Inspec result status to one of XCCDF status unknown or notselected.
+      case inspec_status
+      when 'failed'
+        'fail'
+      when 'passed'
+        'pass'
+      when 'skipped'
+        if impact.to_f.zero?
+          'notapplicable'
+        else
+          'notchecked'
+        end
+      else
+        # In the event Inspec adds a new unaccounted for status, mapping to XCCDF unknown.
+        'unknown'
+      end
+    end
+    # When more than one result occurs for a rule and the specification does not declare multiple, the result must be combined.
+    # This determines the appropriate result to be selected when there are two to compare.
+    # @param one [String] A rule-result status
+    # @param two [String] A rule-result status
+    # @return The result of the AND operation.
+    def xccdf_and_result(one, two)
+      # From XCCDF specification truth table
+      # P = pass
+      # F = fail
+      # U = unknown
+      # E = error
+      # N = notapplicable
+      # K = notchecked
+      # S = notselected
+      # I = informational
+      case one
+      when 'pass'
+        %w{fail unknown}.any? { |s| s == two } ? two : one
+      when 'fail'
+        one
+      when 'unknown'
+        two == 'fail' ? two : one
+      when 'notapplicable'
+        %w{pass fail unknown}.any? { |s| s == two } ? two : one
+      when 'notchecked'
+        %w{pass fail unknown notapplicable}.any? { |s| s == two } ? two : one
+      end
+    end
+    # Combines rule results with the same result into a single rule result.
+    def combine_results(rule_results)
+      return rule_results.first if rule_results.size == 1
+      # Can combine, result, idents (duplicate, take first instance), instance - combine into an array removing duplicates
+      # check.content - Only one value allowed, combine by joining with line feed. Prior to, make sure all values are unique.
+      rule_result = HappyMapperTools::Benchmark::RuleResultType.new
+      rule_result.idref = rule_results.first.idref
+      rule_result.severity = rule_results.first.severity
+      # Take latest time
+      rule_result.time = rule_results.reduce(rule_results.first.time) { |time, r| time > r.time ? time : r.time }
+      rule_result.weight = rule_results.first.weight
+      rule_result.result = rule_results.first.result
+      rule_result.message = rule_results.reduce([]) { |messages, r| r.message ? messages.push(r.message) : messages }
+      rule_result.instance = rule_results.reduce([]) { |instances, r| r.instance ? instances.push(r.instance) : instances }.join("\n")
+      rule_result.ident = rule_results.first.ident
+      rule_result.fix = rule_results.first.fix
+      if rule_results.first.check
+        rule_result.check = HappyMapperTools::Benchmark::Check.new
+        rule_result.check.system = rule_results.first.check.system
+        rule_result.check.content = rule_results.map { |r| r.check.content }.join("\n")
+      end
+      rule_result
+    end
+    # Calculate an end time given a start time and second duration
+    def end_time(start, duration)
+      DateTime.parse(start) + (duration / (24*60*60))
+    end
+    # Builds the message information for rule results
+    # @param result [Hash] A single Inspec result
+    # @param xccdf_status [String] the xccdf calculated result status for the provided result
+    def result_message(result, xccdf_status)
+      return unless result['message'] || result['skip_message']
+      message = HappyMapperTools::Benchmark::MessageType.new
+      # Including the code of the check and the resulting message if there is one.
+      message.message = "#{result['code_desc'] ? "#{result['code_desc']}\n\n" : ''}#{result['message'] || result['skip_message']}"
+      message.severity = result_message_severity(xccdf_status)
+      message
+    end
+    # All rule-result messages require a defined severity. This determines a value to use based upon the result XCCDF status.
+    def result_message_severity(xccdf_status)
+      case xccdf_status
+      when 'fail'
+        'error'
+      when 'notapplicable'
+        'warning'
+      else
+        'info'
+      end
+    end
+    # Convert raw Inspec result json into format acceptable for XCCDF transformation.
+    def parse_data_for_xccdf(json) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+      data = {}
+      controls = []
+      if json['profiles'].nil?
+        controls = json['controls']
+      elsif json['profiles'].length == 1
+        controls = json['profiles'].last['controls']
+      else
+        json['profiles'].each do |profile|
+          controls.concat(profile['controls'])
+        end
+      end
+      c_data = {}
+      controls.each do |control|
+        c_id = control['id'].to_sym
+        c_data[c_id] = {}
+        c_data[c_id]['id']             = control['id']    || DATA_NOT_FOUND_MESSAGE
+        c_data[c_id]['title']          = control['title'] if control['title'] # Optional attribute
+        c_data[c_id]['desc']           = control['desc'] || DATA_NOT_FOUND_MESSAGE
+        c_data[c_id]['severity']       = control['tags']['severity'] || 'unknown'
+        c_data[c_id]['gid']            = control['tags']['gid'] || control['id']
+        c_data[c_id]['gtitle']         = control['tags']['gtitle'] if control['tags']['gtitle'] # Optional attribute
+        c_data[c_id]['gdescription']   = control['tags']['gdescription'] if control['tags']['gdescription'] # Optional attribute
+        c_data[c_id]['rid']            = control['tags']['rid'] || "r_#{c_data[c_id]['gid']}"
+        c_data[c_id]['rversion']       = control['tags']['rversion'] if control['tags']['rversion'] # Optional attribute
+        c_data[c_id]['rweight']        = control['tags']['rweight'] if control['tags']['rweight'] # Optional attribute where N/A is not schema compliant
+        c_data[c_id]['stig_id']        = control['tags']['stig_id'] || DATA_NOT_FOUND_MESSAGE
+        c_data[c_id]['cci']            = control['tags']['cci'] if control['tags']['cci'] # Optional attribute
+        c_data[c_id]['legacy']         = control['tags']['legacy'] if control['tags']['legacy'] # Optional attribute
+        c_data[c_id]['nist']           = control['tags']['nist'] || ['unmapped']
+        # new (post-2020) inspec output places check, fix, and rationale fields in a descriptions block
+        if control['descriptions'].is_a?(Hash) && control['descriptions'].key?('check') && control['descriptions'].key?('fix') && control['descriptions'].key?('rationale')
+          c_data[c_id]['check']          = control['descriptions']['check'] || DATA_NOT_FOUND_MESSAGE
+          c_data[c_id]['fix']            = control['descriptions']['fix'] || DATA_NOT_FOUND_MESSAGE
+          c_data[c_id]['rationale']      = control['descriptions']['rationale'] || DATA_NOT_FOUND_MESSAGE
+        else
+          c_data[c_id]['check']          = control['tags']['check'] || DATA_NOT_FOUND_MESSAGE
+          c_data[c_id]['fix']            = control['tags']['fix'] || DATA_NOT_FOUND_MESSAGE
+          c_data[c_id]['rationale']      = control['tags']['rationale'] || DATA_NOT_FOUND_MESSAGE
+        end
+        c_data[c_id]['checkref']       = control['tags']['checkref'] || DATA_NOT_FOUND_MESSAGE
+        c_data[c_id]['fix_id']         = control['tags']['fix_id'] if control['tags']['fix_id'] # Optional attribute where N/A is not schema compliant
+        c_data[c_id]['cis_family']     = control['tags']['cis_family'] || DATA_NOT_FOUND_MESSAGE
+        c_data[c_id]['cis_rid']        = control['tags']['cis_rid'] || DATA_NOT_FOUND_MESSAGE
+        c_data[c_id]['cis_level']      = control['tags']['cis_level'] || DATA_NOT_FOUND_MESSAGE
+        c_data[c_id]['impact']         = control['impact'].to_s || DATA_NOT_FOUND_MESSAGE
+        c_data[c_id]['code']           = control['code'].to_s || DATA_NOT_FOUND_MESSAGE
+        c_data[c_id]['results']        = parse_results_for_xccdf(control['results']) if control['results']
+      end
+      data['controls'] = c_data.values
+      data['profiles'] = parse_profiles_for_xccdf(json['profiles'])
+      data['status'] = 'success'
+      # If generator exists this is a more up-to-date inspec.json so look for version in the new location, else old location
+      data['inspec_version'] = json['generator'].nil? ? json['version'] : json['generator']['version']
+      data
+    end
+    # Set scores for all 4 required/recommended scoring systems.
+    def populate_score(test_result, groups)
+      score = Utils::XCCDFScore.new(groups, test_result.rule_result)
+      test_result.score = [score.default_score, score.flat_score, score.flat_unweighted_score, score.absolute_score]
+      test_result
+    end
+    # Convert profile information for result processing
+    # @param profiles [Array[Hash]] - The profiles section of the JSON output
+    def parse_profiles_for_xccdf(profiles)
+      return [] unless profiles
+      profiles.map do |profile|
+        data = {}
+        data['name'] = profile['name']
+        data['version'] = profile['version']
+        data
+      end
+    end
+    # Convert the test result data to a parseable Hash for downstream processing
+    # @param results [Array[Hash]] - The results section of the JSON output
+    def parse_results_for_xccdf(results)
+      results.map do |result|
+        data = {}
+        data['status'] = result['status']
+        data['code_desc'] = result['code_desc']
+        data['run_time'] = result['run_time']
+        data['start_time'] = result['start_time']
+        data['resource'] = result['resource']
+        data['message'] = result['message']
+        data['skip_message'] = result['skip_message']
+        data
+      end
+    end
     ###
     #  This method converts an inspec json to an array of arrays
     #

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: inspec_tools
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.1.0.pre1
 platform: ruby
 authors:
 - Robert Thew
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-07-28 00:00:00.000000000 Z
+date: 2021-08-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -350,8 +350,6 @@ files:
 - lib/utilities/mapping_validator.rb
 - lib/utilities/parser.rb
 - lib/utilities/text_cleaner.rb
-- lib/utilities/xccdf/from_inspec.rb
-- lib/utilities/xccdf/to_xccdf.rb
 - lib/utilities/xccdf/xccdf_score.rb
 homepage: https://inspec-tools.mitre.org/
 licenses:
@@ -368,9 +366,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.2.22
 signing_key:

data/lib/utilities/xccdf/from_inspec.rb DELETED Viewed

@@ -1,90 +0,0 @@
-module Utils
-  # Data transformation from Inspec result output into usable data for XCCDF conversions.
-  class FromInspec
-    DATA_NOT_FOUND_MESSAGE = 'N/A'.freeze
-    # Convert raw Inspec result json into format acceptable for XCCDF transformation.
-    def parse_data_for_xccdf(json)
-      data = {}
-      controls = []
-      if json['profiles'].nil?
-        controls = json['controls']
-      elsif json['profiles'].length == 1
-        controls = json['profiles'].last['controls']
-      else
-        json['profiles'].each do |profile|
-          controls.concat(profile['controls'])
-        end
-      end
-      c_data = {}
-      controls.each do |control|
-        c_id = control['id'].to_sym
-        c_data[c_id] = {}
-        c_data[c_id]['id']             = control['id']    || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['title']          = control['title'] if control['title'] # Optional attribute
-        c_data[c_id]['desc']           = control['desc'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['severity']       = control['tags']['severity'] || 'unknown'
-        c_data[c_id]['gid']            = control['tags']['gid'] || control['id']
-        c_data[c_id]['gtitle']         = control['tags']['gtitle'] if control['tags']['gtitle'] # Optional attribute
-        c_data[c_id]['gdescription']   = control['tags']['gdescription'] if control['tags']['gdescription'] # Optional attribute
-        c_data[c_id]['rid']            = control['tags']['rid'] || "r_#{c_data[c_id]['gid']}"
-        c_data[c_id]['rversion']       = control['tags']['rversion'] if control['tags']['rversion'] # Optional attribute
-        c_data[c_id]['rweight']        = control['tags']['rweight'] if control['tags']['rweight'] # Optional attribute where N/A is not schema compliant
-        c_data[c_id]['stig_id']        = control['tags']['stig_id'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['cci']            = control['tags']['cci'] if control['tags']['cci'] # Optional attribute
-        c_data[c_id]['legacy']         = control['tags']['legacy'] if control['tags']['legacy'] # Optional attribute
-        c_data[c_id]['nist']           = control['tags']['nist'] || ['unmapped']
-        c_data[c_id]['check']          = control['tags']['check'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['checkref']       = control['tags']['checkref'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['fix']            = control['tags']['fix'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['fix_id']         = control['tags']['fix_id'] if control['tags']['fix_id'] # Optional attribute where N/A is not schema compliant
-        c_data[c_id]['rationale']      = control['tags']['rationale'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['cis_family']     = control['tags']['cis_family'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['cis_rid']        = control['tags']['cis_rid'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['cis_level']      = control['tags']['cis_level'] || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['impact']         = control['impact'].to_s || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['code']           = control['code'].to_s || DATA_NOT_FOUND_MESSAGE
-        c_data[c_id]['results']        = parse_results_for_xccdf(control['results']) if control['results']
-      end
-      data['controls'] = c_data.values
-      data['profiles'] = parse_profiles_for_xccdf(json['profiles'])
-      data['status'] = 'success'
-      data['inspec_version'] = json['version']
-      data
-    end
-    private
-    # Convert profile information for result processing
-    # @param profiles [Array[Hash]] - The profiles section of the JSON output
-    def parse_profiles_for_xccdf(profiles)
-      return [] unless profiles
-      profiles.map do |profile|
-        data = {}
-        data['name'] = profile['name']
-        data['version'] = profile['version']
-        data
-      end
-    end
-    # Convert the test result data to a parseable Hash for downstream processing
-    # @param results [Array[Hash]] - The results section of the JSON output
-    def parse_results_for_xccdf(results)
-      results.map do |result|
-        data = {}
-        data['status'] = result['status']
-        data['code_desc'] = result['code_desc']
-        data['run_time'] = result['run_time']
-        data['start_time'] = result['start_time']
-        data['resource'] = result['resource']
-        data['message'] = result['message']
-        data['skip_message'] = result['skip_message']
-        data
-      end
-    end
-  end
-end

data/lib/utilities/xccdf/to_xccdf.rb DELETED Viewed

@@ -1,387 +0,0 @@
-require_relative 'xccdf_score'
-module Utils
-  # Data conversions for Inspec output into XCCDF format.
-  class ToXCCDF
-    # @param attribute [Hash] XCCDF supplemental attributes
-    # @param data [Hash] Converted Inspec output data
-    def initialize(attribute, data)
-      @attribute = attribute
-      @data = data
-      @benchmark = HappyMapperTools::Benchmark::Benchmark.new
-    end
-    # Build entire XML document and produce final output
-    # @param metadata [Hash] Data representing a system under scan
-    def to_xml(metadata)
-      build_benchmark_header
-      build_groups
-      # Only populate results if a target is defined so that conformant XML is produced.
-      @benchmark.testresult = build_test_results(metadata) if metadata['fqdn']
-      @benchmark.to_xml
-    end
-    private
-    # Sets top level XCCDF Benchmark attributes
-    def build_benchmark_header
-      @benchmark.title = @attribute['benchmark.title']
-      @benchmark.id = @attribute['benchmark.id']
-      @benchmark.description = @attribute['benchmark.description']
-      @benchmark.version = @attribute['benchmark.version']
-      @benchmark.xmlns = 'http://checklists.nist.gov/xccdf/1.1'
-      @benchmark.status = HappyMapperTools::Benchmark::Status.new
-      @benchmark.status.status = @attribute['benchmark.status']
-      @benchmark.status.date = @attribute['benchmark.status.date']
-      if @attribute['benchmark.notice.id']
-        @benchmark.notice = HappyMapperTools::Benchmark::Notice.new
-        @benchmark.notice.id = @attribute['benchmark.notice.id']
-      end
-      if @attribute['benchmark.plaintext'] || @attribute['benchmark.plaintext.id']
-        @benchmark.plaintext = HappyMapperTools::Benchmark::Plaintext.new
-        @benchmark.plaintext.plaintext = @attribute['benchmark.plaintext']
-        @benchmark.plaintext.id = @attribute['benchmark.plaintext.id']
-      end
-      @benchmark.reference = HappyMapperTools::Benchmark::ReferenceBenchmark.new
-      @benchmark.reference.href = @attribute['reference.href']
-      @benchmark.reference.dc_publisher = @attribute['reference.dc.publisher']
-      @benchmark.reference.dc_source = @attribute['reference.dc.source']
-    end
-    # Translate join of Inspec results and input attributes to XCCDF Groups
-    def build_groups
-      group_array = []
-      @data['controls'].each do |control|
-        group = HappyMapperTools::Benchmark::Group.new
-        group.id = control['id']
-        group.title = control['gtitle']
-        group.description = "<GroupDescription>#{control['gdescription']}</GroupDescription>" if control['gdescription']
-        group.rule = HappyMapperTools::Benchmark::Rule.new
-        group.rule.id = control['rid']
-        group.rule.severity = control['severity']
-        group.rule.weight = control['rweight']
-        group.rule.version = control['rversion']
-        group.rule.title = control['title'].tr("\n", ' ') if control['title']
-        group.rule.description = "<VulnDiscussion>#{control['desc']}</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>"
-        if ['reference.dc.publisher', 'reference.dc.title', 'reference.dc.subject', 'reference.dc.type', 'reference.dc.identifier'].any? { |a| @attribute.key?(a) }
-          group.rule.reference = build_rule_reference
-        end
-        group.rule.ident = build_rule_idents(control['cci']) if control['cci']
-        group.rule.ident += build_rule_idents(control['legacy']) if control['legacy']
-        group.rule.fixtext = HappyMapperTools::Benchmark::Fixtext.new
-        group.rule.fixtext.fixref = control['fix_id']
-        group.rule.fixtext.fixtext = control['fix']
-        group.rule.fix = build_rule_fix(control['fix_id']) if control['fix_id']
-        group.rule.check = HappyMapperTools::Benchmark::Check.new
-        group.rule.check.system = control['checkref']
-        # content_ref is optional for schema compliance
-        if @attribute['content_ref.name'] || @attribute['content_ref.href']
-          group.rule.check.content_ref = HappyMapperTools::Benchmark::ContentRef.new
-          group.rule.check.content_ref.name = @attribute['content_ref.name']
-          group.rule.check.content_ref.href = @attribute['content_ref.href']
-        end
-        group.rule.check.content = control['check']
-        group_array << group
-      end
-      @benchmark.group = group_array
-    end
-    # Construct a Benchmark Testresult from Inspec data. This must be called after all XML processing has occurred for profiles
-    # and groups.
-    # @param metadata [Hash]
-    # @return [TestResult]
-    def build_test_results(metadata)
-      test_result = HappyMapperTools::Benchmark::TestResult.new
-      test_result.version = @benchmark.version
-      populate_remark(test_result)
-      populate_target_facts(test_result, metadata)
-      populate_identity(test_result, metadata)
-      populate_results(test_result)
-      populate_score(test_result, @benchmark.group)
-      test_result
-    end
-    # Contruct a Rule / RuleResult fix element with the provided id.
-    def build_rule_fix(fix_id)
-      HappyMapperTools::Benchmark::Fix.new.tap { |f| f.id = fix_id }
-    end
-    # Construct rule identifiers for rule
-    # @param idents [Array]
-    def build_rule_idents(idents)
-      raise "#{idents} is not an Array type." unless idents.is_a?(Array)
-      # Each rule identifier is a different element
-      idents.map do |identifier|
-        HappyMapperTools::Benchmark::Ident.new identifier
-      end
-    end
-    # Contruct a Rule reference element
-    def build_rule_reference
-      reference = HappyMapperTools::Benchmark::ReferenceGroup.new
-      reference.dc_publisher = @attribute['reference.dc.publisher']
-      reference.dc_title = @attribute['reference.dc.title']
-      reference.dc_subject = @attribute['reference.dc.subject']
-      reference.dc_type = @attribute['reference.dc.type']
-      reference.dc_identifier = @attribute['reference.dc.identifier']
-      reference
-    end
-    # Create a remark with contextual information about the Inspec version and profiles used
-    # @param result [HappyMapperTools::Benchmark::TestResult]
-    def populate_remark(result)
-      result.remark = "Results created using Inspec version #{@data['inspec_version']}.\n#{@data['profiles'].map { |p| "Profile: #{p['name']} Version: #{p['version']}" }.join("\n")}"
-    end
-    # Create all target specific information.
-    # @param result [HappyMapperTools::Benchmark::TestResult]
-    # @param metadata [Hash]
-    def populate_target_facts(result, metadata)
-      result.target = metadata['fqdn']
-      result.target_address = metadata['ip'] if metadata['ip']
-      all_facts = []
-      if metadata['mac']
-        fact = HappyMapperTools::Benchmark::Fact.new
-        fact.name = 'urn:xccdf:fact:asset:identifier:mac'
-        fact.type = 'string'
-        fact.fact = metadata['mac']
-        all_facts << fact
-      end
-      if metadata['ip']
-        fact = HappyMapperTools::Benchmark::Fact.new
-        fact.name = 'urn:xccdf:fact:asset:identifier:ipv4'
-        fact.type = 'string'
-        fact.fact = metadata['ip']
-        all_facts << fact
-      end
-      return unless all_facts.size.nonzero?
-      facts = HappyMapperTools::Benchmark::TargetFact.new
-      facts.fact = all_facts
-      result.target_facts = facts
-    end
-    # Build out the TestResult given all the control and result data.
-    def populate_results(test_result)
-      # NOTE: id is not an XCCDF 1.2 compliant identifier and will need to be updated when that support is added.
-      test_result.id = 'result_1'
-      test_result.starttime = run_start_time
-      test_result.endtime = run_end_time
-      # Build out individual results
-      all_rule_result = []
-      @data['controls'].each do |control|
-        next if control['results'].empty?
-        control_results =
-          control['results'].map do |result|
-            populate_rule_result(control, result, xccdf_status(result['status'], control['impact']))
-          end
-        # Consolidate results into single rule result do to lack of multiple=true attribute on Rule.
-        # 1. Select the unified result status
-        selected_status = control_results.reduce(control_results.first.result) { |f_status, rule_result| xccdf_and_result(f_status, rule_result.result) }
-        # 2. Only choose results with that status
-        # 3. Combine those results
-        all_rule_result << combine_results(control_results.select { |r| r.result == selected_status })
-      end
-      test_result.rule_result = all_rule_result
-      test_result
-    end
-    # Create rule-result from the control and Inspec result information
-    def populate_rule_result(control, result, result_status)
-      rule_result = HappyMapperTools::Benchmark::RuleResultType.new
-      rule_result.idref = control['rid']
-      rule_result.severity = control['severity']
-      rule_result.time = end_time(result['start_time'], result['run_time'])
-      rule_result.weight = control['rweight']
-      rule_result.result = result_status
-      rule_result.message = result_message(result, result_status) if result_message(result, result_status)
-      rule_result.instance = result['code_desc']
-      rule_result.ident = build_rule_idents(control['cci']) if control['cci']
-      rule_result.ident += build_rule_idents(control['legacy']) if control['legacy']
-      # Fix information is only necessary when there are failed tests
-      rule_result.fix = build_rule_fix(control['fix_id']) if control['fix_id'] && result_status == 'fail'
-      rule_result.check = HappyMapperTools::Benchmark::Check.new
-      rule_result.check.system = control['checkref']
-      rule_result.check.content = result['code_desc']
-      rule_result
-    end
-    # Combines rule results with the same result into a single rule result.
-    def combine_results(rule_results)
-      return rule_results.first if rule_results.size == 1
-      # Can combine, result, idents (duplicate, take first instance), instance - combine into an array removing duplicates
-      # check.content - Only one value allowed, combine by joining with line feed. Prior to, make sure all values are unique.
-      rule_result = HappyMapperTools::Benchmark::RuleResultType.new
-      rule_result.idref = rule_results.first.idref
-      rule_result.severity = rule_results.first.severity
-      # Take latest time
-      rule_result.time = rule_results.reduce(rule_results.first.time) { |time, r| time > r.time ? time : r.time }
-      rule_result.weight = rule_results.first.weight
-      rule_result.result = rule_results.first.result
-      rule_result.message = rule_results.reduce([]) { |messages, r| r.message ? messages.push(r.message) : messages }
-      rule_result.instance = rule_results.reduce([]) { |instances, r| r.instance ? instances.push(r.instance) : instances }.join("\n")
-      rule_result.ident = rule_results.first.ident
-      rule_result.fix = rule_results.first.fix
-      if rule_results.first.check
-        rule_result.check = HappyMapperTools::Benchmark::Check.new
-        rule_result.check.system = rule_results.first.check.system
-        rule_result.check.content = rule_results.map { |r| r.check.content }.join("\n")
-      end
-      rule_result
-    end
-    # Add information about the the account and organization executing the tests.
-    def populate_identity(test_result, metadata)
-      if metadata['identity']
-        test_result.identity = HappyMapperTools::Benchmark::IdentityType.new
-        test_result.identity.authenticated = true
-        test_result.identity.identity = metadata['identity']['identity']
-        test_result.identity.privileged = metadata['identity']['privileged']
-      end
-      test_result.organization = metadata['organization'] if metadata['organization']
-    end
-    # Return the earliest time of execution.
-    def run_start_time
-      @data['controls'].map { |control| control['results'].map { |result| DateTime.parse(result['start_time']) } }.flatten.min
-    end
-    # Return the latest time of execution accounting for Inspec duration.
-    def run_end_time
-      end_times =
-        @data['controls'].map do |control|
-          control['results'].map { |result| end_time(result['start_time'], result['run_time']) }
-        end
-      end_times.flatten.max
-    end
-    # Calculate an end time given a start time and second duration
-    def end_time(start, duration)
-      DateTime.parse(start) + (duration / (24*60*60))
-    end
-    # Map the Inspec result status to appropriate XCCDF test result status.
-    # XCCDF options include: pass, fail, error, unknown, notapplicable, notchecked, notselected, informational, fixed
-    #
-    # @param inspec_status [String] The reported Inspec status from an individual test
-    # @param impact [String] A value of 0.0 - 1.0
-    # @return A valid Inspec status.
-    def xccdf_status(inspec_status, impact)
-      # Currently, there is no good way to map an Inspec result status to one of XCCDF status unknown or notselected.
-      case inspec_status
-      when 'failed'
-        'fail'
-      when 'passed'
-        'pass'
-      when 'skipped'
-        if impact.to_f.zero?
-          'notapplicable'
-        else
-          'notchecked'
-        end
-      else
-        # In the event Inspec adds a new unaccounted for status, mapping to XCCDF unknown.
-        'unknown'
-      end
-    end
-    # When more than one result occurs for a rule and the specification does not declare multiple, the result must be combined.
-    # This determines the appropriate result to be selected when there are two to compare.
-    # @param one [String] A rule-result status
-    # @param two [String] A rule-result status
-    # @return The result of the AND operation.
-    def xccdf_and_result(one, two)
-      # From XCCDF specification truth table
-      # P = pass
-      # F = fail
-      # U = unknown
-      # E = error
-      # N = notapplicable
-      # K = notchecked
-      # S = notselected
-      # I = informational
-      case one
-      when 'pass'
-        %w{fail unknown}.any? { |s| s == two } ? two : one
-      when 'fail'
-        one
-      when 'unknown'
-        two == 'fail' ? two : one
-      when 'notapplicable'
-        %w{pass fail unknown}.any? { |s| s == two } ? two : one
-      when 'notchecked'
-        %w{pass fail unknown notapplicable}.any? { |s| s == two } ? two : one
-      end
-    end
-    # Builds the message information for rule results
-    # @param result [Hash] A single Inspec result
-    # @param xccdf_status [String] the xccdf calculated result status for the provided result
-    def result_message(result, xccdf_status)
-      return unless result['message'] || result['skip_message']
-      message = HappyMapperTools::Benchmark::MessageType.new
-      # Including the code of the check and the resulting message if there is one.
-      message.message = "#{result['code_desc'] ? "#{result['code_desc']}\n\n" : ''}#{result['message'] || result['skip_message']}"
-      message.severity = result_message_severity(xccdf_status)
-      message
-    end
-    # All rule-result messages require a defined severity. This determines a value to use based upon the result XCCDF status.
-    def result_message_severity(xccdf_status)
-      case xccdf_status
-      when 'fail'
-        'error'
-      when 'notapplicable'
-        'warning'
-      else
-        'info'
-      end
-    end
-    # Set scores for all 4 required/recommended scoring systems.
-    def populate_score(test_result, groups)
-      score = Utils::XCCDFScore.new(groups, test_result.rule_result)
-      test_result.score = [score.default_score, score.flat_score, score.flat_unweighted_score, score.absolute_score]
-    end
-  end
-end