@j-schreiber/sf-cli-security-audit 0.12.3 → 0.12.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md
CHANGED
|
@@ -85,7 +85,7 @@ FLAG DESCRIPTIONS
|
|
|
85
85
|
essentially control, if a permission is allowed in a certain profile / permission set.
|
|
86
86
|
```
|
|
87
87
|
|
|
88
|
-
_See code: [src/commands/org/audit/init.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.12.
|
|
88
|
+
_See code: [src/commands/org/audit/init.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.12.4/src/commands/org/audit/init.ts)_
|
|
89
89
|
|
|
90
90
|
## `sf org audit run`
|
|
91
91
|
|
|
@@ -130,7 +130,7 @@ FLAG DESCRIPTIONS
|
|
|
130
130
|
never truncated.
|
|
131
131
|
```
|
|
132
132
|
|
|
133
|
-
_See code: [src/commands/org/audit/run.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.12.
|
|
133
|
+
_See code: [src/commands/org/audit/run.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.12.4/src/commands/org/audit/run.ts)_
|
|
134
134
|
|
|
135
135
|
## `sf org scan user-perms`
|
|
136
136
|
|
|
@@ -169,7 +169,7 @@ FLAG DESCRIPTIONS
|
|
|
169
169
|
retun 0 results).
|
|
170
170
|
```
|
|
171
171
|
|
|
172
|
-
_See code: [src/commands/org/scan/user-perms.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.12.
|
|
172
|
+
_See code: [src/commands/org/scan/user-perms.ts](https://github.com/j-schreiber/js-sf-cli-security-audit/blob/v0.12.4/src/commands/org/scan/user-perms.ts)_
|
|
173
173
|
|
|
174
174
|
<!-- commandsstop -->
|
|
175
175
|
|
|
@@ -9,6 +9,10 @@ export declare class SettingsRuleRegistry extends RuleRegistry {
|
|
|
9
9
|
constructor();
|
|
10
10
|
resolveRules(ruleObjs: PolicyConfig['rules'], auditContext: AuditRunConfig): RegistryRuleResolveResult;
|
|
11
11
|
}
|
|
12
|
+
/**
|
|
13
|
+
* Settings policy derives its entities from the rules it has configured. Rules and
|
|
14
|
+
* entities directly correlate. If a rule is skipped, the corresponding entity is ignored.
|
|
15
|
+
*/
|
|
12
16
|
export default class SettingsPolicy extends Policy<SalesforceSetting> {
|
|
13
17
|
config: PolicyConfig;
|
|
14
18
|
auditConfig: AuditRunConfig;
|
|
@@ -36,6 +36,10 @@ export class SettingsRuleRegistry extends RuleRegistry {
|
|
|
36
36
|
return result;
|
|
37
37
|
}
|
|
38
38
|
}
|
|
39
|
+
/**
|
|
40
|
+
* Settings policy derives its entities from the rules it has configured. Rules and
|
|
41
|
+
* entities directly correlate. If a rule is skipped, the corresponding entity is ignored.
|
|
42
|
+
*/
|
|
39
43
|
export default class SettingsPolicy extends Policy {
|
|
40
44
|
config;
|
|
41
45
|
auditConfig;
|
|
@@ -45,18 +49,17 @@ export default class SettingsPolicy extends Policy {
|
|
|
45
49
|
this.auditConfig = auditConfig;
|
|
46
50
|
}
|
|
47
51
|
async resolveEntities(context) {
|
|
48
|
-
const
|
|
52
|
+
const legitSettings = getSettingsFromEnabledRules(this.config.rules);
|
|
49
53
|
this.emit('entityresolve', {
|
|
50
|
-
total:
|
|
54
|
+
total: legitSettings.length,
|
|
51
55
|
resolved: 0,
|
|
52
56
|
});
|
|
53
|
-
const settingNames = extractSettingNames(this.config.rules);
|
|
54
57
|
const settingsRetriever = MDAPI.create(context.targetOrgConnection);
|
|
55
|
-
const actuallyResolvedSettings = await settingsRetriever.resolve('Settings',
|
|
58
|
+
const actuallyResolvedSettings = await settingsRetriever.resolve('Settings', legitSettings);
|
|
56
59
|
this.removeInvalidSettingsFromResolvedRules(actuallyResolvedSettings);
|
|
57
60
|
this.emit('entityresolve', {
|
|
58
|
-
total:
|
|
59
|
-
resolved: actuallyResolvedSettings.
|
|
61
|
+
total: legitSettings.length,
|
|
62
|
+
resolved: Object.keys(actuallyResolvedSettings).length,
|
|
60
63
|
});
|
|
61
64
|
return {
|
|
62
65
|
resolvedEntities: actuallyResolvedSettings,
|
|
@@ -77,6 +80,16 @@ export default class SettingsPolicy extends Policy {
|
|
|
77
80
|
});
|
|
78
81
|
}
|
|
79
82
|
}
|
|
83
|
+
function getSettingsFromEnabledRules(rules) {
|
|
84
|
+
const settings = [];
|
|
85
|
+
for (const [ruleName, ruleConfig] of Object.entries(rules)) {
|
|
86
|
+
const maybeSettingName = findSettingsName(ruleName);
|
|
87
|
+
if (maybeSettingName && ruleConfig.enabled) {
|
|
88
|
+
settings.push(maybeSettingName);
|
|
89
|
+
}
|
|
90
|
+
}
|
|
91
|
+
return settings;
|
|
92
|
+
}
|
|
80
93
|
function isEnforceSettingsRule(cls) {
|
|
81
94
|
return cls.ruleDisplayName !== undefined;
|
|
82
95
|
}
|
|
@@ -87,22 +100,16 @@ function findIgnoredEntities(settingsMap, rules) {
|
|
|
87
100
|
if (!maybeName) {
|
|
88
101
|
continue;
|
|
89
102
|
}
|
|
103
|
+
if (!rules[ruleName].enabled) {
|
|
104
|
+
result.push({ name: maybeName, message: messages.getMessage('skip-reason.rule-not-enabled') });
|
|
105
|
+
continue;
|
|
106
|
+
}
|
|
90
107
|
if (!settingsMap[maybeName]) {
|
|
91
108
|
result.push({ name: maybeName, message: messages.getMessage('resolve-error.failed-to-resolve-setting') });
|
|
92
109
|
}
|
|
93
110
|
}
|
|
94
111
|
return result;
|
|
95
112
|
}
|
|
96
|
-
function extractSettingNames(rules) {
|
|
97
|
-
const names = [];
|
|
98
|
-
for (const ruleName of Object.keys(rules)) {
|
|
99
|
-
const maybeName = findSettingsName(ruleName);
|
|
100
|
-
if (maybeName) {
|
|
101
|
-
names.push(maybeName);
|
|
102
|
-
}
|
|
103
|
-
}
|
|
104
|
-
return names;
|
|
105
|
-
}
|
|
106
113
|
function findSettingsName(ruleName) {
|
|
107
114
|
const match = /^Enforce(.+)Settings$/.exec(ruleName);
|
|
108
115
|
return match ? match[1] : null;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"settings.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/policies/settings.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,YAA2C,MAAM,oBAAoB,CAAC;AAC7E,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,EAAE,KAAK,EAAiB,MAAM,iCAAiC,CAAC;AACvE,OAAO,MAA+B,MAAM,cAAc,CAAC;AAM3D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAIjG,MAAM,OAAO,oBAAqB,SAAQ,YAAY;IACpD;QACE,KAAK,CAAC,EAAE,CAAC,CAAC;IACZ,CAAC;IAED,kDAAkD;IAClC,YAAY,CAC1B,QAA+B,EAC/B,YAA4B;QAE5B,MAAM,MAAM,GAA8B,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QACpG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE;YAC1D,MAAM,WAAW,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YAC/C,IAAI,WAAW,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;gBACtC,MAAM,CAAC,YAAY,CAAC,IAAI,CACtB,IAAI,eAAe,CAAC;oBAClB,WAAW,EAAE,YAAY;oBACzB,eAAe,EAAE,QAAQ;oBACzB,WAAW;oBACX,UAAU,EAAE,wBAAwB,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,IAAI,EAAE,CAAC;iBACrE,CAAC,CACH,CAAC;YACJ,CAAC;iBAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;gBAC/B,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YAChH,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC;oBACvB,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,sCAAsC,CAAC;iBACxE,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,MAAyB;IACzC;IAA6B;IAAvD,YAA0B,MAAoB,EAAS,WAA2B;QAChF,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,oBAAoB,EAAE,CAAC,CAAC;QAD/B,WAAM,GAAN,MAAM,CAAc;QAAS,gBAAW,GAAX,WAAW,CAAgB;IAElF,CAAC;IAES,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,MAAM,aAAa,GAAG,
|
|
1
|
+
{"version":3,"file":"settings.js","sourceRoot":"","sources":["../../../../../src/libs/audit-engine/registry/policies/settings.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,YAA2C,MAAM,oBAAoB,CAAC;AAC7E,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,EAAE,KAAK,EAAiB,MAAM,iCAAiC,CAAC;AACvE,OAAO,MAA+B,MAAM,cAAc,CAAC;AAM3D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAIjG,MAAM,OAAO,oBAAqB,SAAQ,YAAY;IACpD;QACE,KAAK,CAAC,EAAE,CAAC,CAAC;IACZ,CAAC;IAED,kDAAkD;IAClC,YAAY,CAC1B,QAA+B,EAC/B,YAA4B;QAE5B,MAAM,MAAM,GAA8B,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QACpG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE;YAC1D,MAAM,WAAW,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YAC/C,IAAI,WAAW,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;gBACtC,MAAM,CAAC,YAAY,CAAC,IAAI,CACtB,IAAI,eAAe,CAAC;oBAClB,WAAW,EAAE,YAAY;oBACzB,eAAe,EAAE,QAAQ;oBACzB,WAAW;oBACX,UAAU,EAAE,wBAAwB,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,IAAI,EAAE,CAAC;iBACrE,CAAC,CACH,CAAC;YACJ,CAAC;iBAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;gBAC/B,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YAChH,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC;oBACvB,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,sCAAsC,CAAC;iBACxE,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,CAAC,OAAO,OAAO,cAAe,SAAQ,MAAyB;IACzC;IAA6B;IAAvD,YAA0B,MAAoB,EAAS,WAA2B;QAChF,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,oBAAoB,EAAE,CAAC,CAAC;QAD/B,WAAM,GAAN,MAAM,CAAc;QAAS,gBAAW,GAAX,WAAW,CAAgB;IAElF,CAAC;IAES,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,MAAM,aAAa,GAAG,2BAA2B,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACrE,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,aAAa,CAAC,MAAM;YAC3B,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,iBAAiB,GAAG,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACpE,MAAM,wBAAwB,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QAC5F,IAAI,CAAC,sCAAsC,CAAC,wBAAwB,CAAC,CAAC;QACtE,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,aAAa,CAAC,MAAM;YAC3B,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,MAAM;SACvD,CAAC,CAAC;QACH,OAAO;YACL,gBAAgB,EAAE,wBAAwB;YAC1C,eAAe,EAAE,mBAAmB,CAAC,wBAAwB,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;SAClF,CAAC;IACJ,CAAC;IAEO,sCAAsC,CAAC,aAAgD;QAC7F,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YACtD,IAAI,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBACrC,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;oBACjD,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC;wBACnC,IAAI,EAAE,IAAI,CAAC,eAAe;wBAC1B,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,uCAAuC,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;qBAC7F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,2BAA2B,CAAC,KAA4B;IAC/D,MAAM,QAAQ,GAAG,EAAE,CAAC;IACpB,KAAK,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3D,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QACpD,IAAI,gBAAgB,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAY;IACzC,OAAQ,GAAuB,CAAC,eAAe,KAAK,SAAS,CAAC;AAChE,CAAC;AAED,SAAS,mBAAmB,CAC1B,WAA8C,EAC9C,KAA4B;IAE5B,MAAM,MAAM,GAAG,IAAI,KAAK,EAAsB,CAAC;IAC/C,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,SAAS;QACX,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YAC/F,SAAS;QACX,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5B,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,yCAAyC,CAAC,EAAE,CAAC,CAAC;QAC5G,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,KAAK,GAAG,uBAAuB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACjC,CAAC;AAED,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC"}
|
package/oclif.manifest.json
CHANGED
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@j-schreiber/sf-cli-security-audit",
|
|
3
3
|
"description": "Salesforce CLI plugin to automate highly configurable security audits",
|
|
4
|
-
"version": "0.12.
|
|
4
|
+
"version": "0.12.4",
|
|
5
5
|
"repository": {
|
|
6
6
|
"type": "git",
|
|
7
7
|
"url": "git+https://github.com/j-schreiber/js-sf-cli-security-audit"
|
|
@@ -90,7 +90,7 @@
|
|
|
90
90
|
"prepack": "sf-prepack",
|
|
91
91
|
"test": "wireit",
|
|
92
92
|
"test:nuts": "nyc mocha \"**/*.nut.ts\" --slow 4500 --timeout 600000 --parallel",
|
|
93
|
-
"debug:nuts": "yarn build && nyc mocha \"**/*.nut.ts\" --slow 4500 --timeout 600000 --inspect",
|
|
93
|
+
"debug:nuts": "yarn build && nyc mocha \"**/*.nut.ts\" --slow 4500 --timeout 600000 --inspect-brk",
|
|
94
94
|
"test:only": "wireit",
|
|
95
95
|
"readme": "wireit",
|
|
96
96
|
"prepare": "husky",
|