@mitre/hdf-converters 2.5.1

package/lib/data/owasp-nist-mapping.csv

@@ -0,0 +1,11 @@
+OWASP-ID,OWASP Name,NIST-ID,Rev,NIST Name
+A1,Injection,SI-10,4,Information Input Validation
+A2,Broken Authentication,SC-23,4,Session Authenticity
+A3,Sensitive Data Exposure,SI-11,4,Error Handling
+A4,XML External Entities (XXE),SI-10,4,Information Input Validation
+A5,Broken Access Control,AC-3,4,Access Enforcement
+A6,Security Misconfiguration,CM-6,4,Configuration Settings
+A7,Cross-Site Scripting (XSS),SI-10,4,Information Input Validation
+A8,Insecure Deserialization,SC-23,4,Session Authenticity
+A9,Using Components with Known Vulnerabilities,SI-2,4,Flaw Remediation
+A10,Insufficient Logging&Monitoring,AU-12,4,Audit Generation

package/lib/data/scoutsuite-nist-mapping.csv

@@ -0,0 +1,140 @@
+rule,nistid
+acm-certificate-with-close-expiration-date,SC-12
+acm-certificate-with-transparency-logging-disabled,SC-12
+cloudformation-stack-with-role,AC-6
+cloudtrail-duplicated-global-services-logging,AU-6
+cloudtrail-no-cloudwatch-integration,AU-12|SI-4(2)
+cloudtrail-no-data-logging,AU-12
+cloudtrail-no-encryption-with-kms,AU-6
+cloudtrail-no-global-services-logging,AU-12
+cloudtrail-no-log-file-validation,AU-6
+cloudtrail-no-logging,AU-12
+cloudtrail-not-configured,AU-12
+cloudwatch-alarm-without-actions,AU-12
+config-recorder-not-configured,CM-8|CM-8(2)|CM-8(6)
+ec2-ami-public,AC-3
+ec2-default-security-group-in-use,AC-3(3)
+ec2-default-security-group-with-rules,AC-3(3)
+ec2-ebs-snapshot-not-encrypted,SC-28
+ec2-ebs-snapshot-public,AC-3
+ec2-ebs-volume-not-encrypted,SC-28
+ec2-instance-in-security-group,CM-7(1)
+ec2-instance-type,CM-2
+ec2-instance-types,CM-2
+ec2-instance-with-public-ip,AC-3
+ec2-instance-with-user-data-secrets,AC-3
+ec2-security-group-opens-all-ports,CM-7(1)
+ec2-security-group-opens-all-ports-to-all,CM-7(1)
+ec2-security-group-opens-all-ports-to-self,CM-7(1)
+ec2-security-group-opens-icmp-to-all,CM-7(1)
+ec2-security-group-opens-known-port-to-all,CM-7(1)
+ec2-security-group-opens-plaintext-port,CM-7(1)
+ec2-security-group-opens-port-range,CM-7(1)
+ec2-security-group-opens-port-to-all,CM-7(1)
+ec2-security-group-whitelists-aws,CM-7(1)
+ec2-security-group-whitelists-aws-ip-from-banned-region,CM-7(1)
+ec2-security-group-whitelists-non-elastic-ips,CM-7(1)
+ec2-security-group-whitelists-unknown-aws,CM-7(1)
+ec2-security-group-whitelists-unknown-cidrs,CM-7(1)
+ec2-unused-security-group,CM-7(1)
+elb-listener-allowing-cleartext,SC-8
+elb-no-access-logs,AU-12
+elb-older-ssl-policy,SC-8
+elbv2-http-request-smuggling,SC-8
+elbv2-listener-allowing-cleartext,SC-8
+elbv2-no-access-logs,AU-12
+elbv2-no-deletion-protection,SI-7
+elbv2-older-ssl-policy,SC-8
+iam-assume-role-lacks-external-id-and-mfa,AC-17
+iam-assume-role-no-mfa,AC-6
+iam-assume-role-policy-allows-all,AC-6
+iam-ec2-role-without-instances,AC-6
+iam-group-with-inline-policies,AC-6
+iam-group-with-no-users,AC-6
+iam-human-user-with-policies,AC-6
+iam-inline-policy-allows-non-sts-action,AC-6
+iam-inline-policy-allows-NotActions,AC-6
+iam-inline-policy-for-role,AC-6
+iam-managed-policy-allows-full-privileges,AC-6
+iam-managed-policy-allows-non-sts-action,AC-6
+iam-managed-policy-allows-NotActions,AC-6
+iam-managed-policy-for-role,AC-6
+iam-managed-policy-no-attachments,AC-6
+iam-no-support-role,IR-7
+iam-password-policy-expiration-threshold,AC-2
+iam-password-policy-minimum-length,AC-2
+iam-password-policy-no-expiration,AC-2
+iam-password-policy-no-lowercase-required,AC-2
+iam-password-policy-no-number-required,AC-2
+iam-password-policy-no-symbol-required,AC-2
+iam-password-policy-no-uppercase-required,AC-2
+iam-password-policy-reuse-enabled,IA-5(1)
+iam-role-with-inline-policies,AC-6
+iam-root-account-no-hardware-mfa,IA-2(1)
+iam-root-account-no-mfa,IA-2(1)
+iam-root-account-used-recently,AC-6(9)
+iam-root-account-with-active-certs,AC-6(9)
+iam-root-account-with-active-keys,AC-6(9)
+iam-service-user-with-password,AC-2
+iam-unused-credentials-not-disabled,AC-2
+iam-user-no-key-rotation,AC-2
+iam-user-not-in-category-group,AC-2
+iam-user-not-in-common-group,AC-2
+iam-user-unused-access-key-initial-setup,AC-2
+iam-user-with-multiple-access-keys,IA-2
+iam-user-without-mfa,IA-2(1)
+iam-user-with-password-and-key,IA-2
+iam-user-with-policies,AC-2
+kms-cmk-rotation-disabled,SC-12
+logs-no-alarm-aws-configuration-changes,CM-8|CM-8(2)|CM-8(6)
+logs-no-alarm-cloudtrail-configuration-changes,AU-6
+logs-no-alarm-cmk-deletion,AC-2
+logs-no-alarm-console-authentication-failures,AC-2
+logs-no-alarm-iam-policy-changes,AC-2
+logs-no-alarm-nacl-changes,CM-6(2)
+logs-no-alarm-network-gateways-changes,AU-12|CM-6(2)
+logs-no-alarm-root-usage,AU-2
+logs-no-alarm-route-table-changes,AU-12|CM-6(2)
+logs-no-alarm-s3-policy-changes,AC-6|AU-12
+logs-no-alarm-security-group-changes,AC-2(4)
+logs-no-alarm-signin-without-mfa,AC-2
+logs-no-alarm-unauthorized-api-calls,AU-6|SI-4(2)
+logs-no-alarm-vpc-changes,CM-6(1)
+rds-instance-backup-disabled,CP-9
+rds-instance-ca-certificate-deprecated,SC-12
+rds-instance-no-minor-upgrade,SI-2
+rds-instance-short-backup-retention-period,CP-9
+rds-instance-single-az,CP-7
+rds-instance-storage-not-encrypted,SC-28
+rds-postgres-instance-with-invalid-certificate,SC-12
+rds-security-group-allows-all,CM-7(1)
+rds-snapshot-public,SC-28
+redshift-cluster-database-not-encrypted,SC-28
+redshift-cluster-no-version-upgrade,SI-2
+redshift-cluster-publicly-accessible,AC-3
+redshift-parameter-group-logging-disabled,AU-12
+redshift-parameter-group-ssl-not-required,SC-8
+redshift-security-group-whitelists-all,CM-7(1)
+route53-domain-no-autorenew,SC-2
+route53-domain-no-transferlock,SC-2
+route53-domain-transferlock-not-authorized,SC-2
+s3-bucket-allowing-cleartext,SC-28
+s3-bucket-no-default-encryption,SC-28
+s3-bucket-no-logging,AU-2|AU-12
+s3-bucket-no-mfa-delete,SI-7
+s3-bucket-no-versioning,SI-7
+s3-bucket-world-acl,AC-3(3)
+s3-bucket-world-policy-arg,AC-3(3)
+s3-bucket-world-policy-star,AC-3(3)
+ses-identity-dkim-not-enabled,SC-23
+ses-identity-dkim-not-verified,SC-23
+ses-identity-world-policy,AC-6
+sns-topic-world-policy,AC-6
+sqs-queue-world-policy,AC-6
+vpc-custom-network-acls-allow-all,SC-7
+vpc-default-network-acls-allow-all,SC-7
+vpc-network-acl-not-used,SC-7
+vpc-routing-tables-with-peering,AC-3(3)
+vpc-subnet-with-bad-acls,SC-7
+vpc-subnet-with-default-acls,SC-7
+vpc-subnet-without-flow-log,AU-12

package/lib/index.d.ts

@@ -0,0 +1,12 @@
+export * from './src/burpsuite-mapper';
+export * from './src/dbprotect-mapper';
+export * from './src/fortify-mapper';
+export * from './src/jfrog-xray-mapper';
+export * from './src/nessus-mapper';
+export * from './src/netsparker-mapper';
+export * from './src/nikto-mapper';
+export * from './src/sarif-mapper';
+export * from './src/scoutsuite-mapper';
+export * from './src/snyk-mapper';
+export * from './src/xccdf-results-mapper';
+export * from './src/zap-mapper';

package/lib/index.js

@@ -0,0 +1,25 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./src/burpsuite-mapper"), exports);
+__exportStar(require("./src/dbprotect-mapper"), exports);
+__exportStar(require("./src/fortify-mapper"), exports);
+__exportStar(require("./src/jfrog-xray-mapper"), exports);
+__exportStar(require("./src/nessus-mapper"), exports);
+__exportStar(require("./src/netsparker-mapper"), exports);
+__exportStar(require("./src/nikto-mapper"), exports);
+__exportStar(require("./src/sarif-mapper"), exports);
+__exportStar(require("./src/scoutsuite-mapper"), exports);
+__exportStar(require("./src/snyk-mapper"), exports);
+__exportStar(require("./src/xccdf-results-mapper"), exports);
+__exportStar(require("./src/zap-mapper"), exports);
+//# sourceMappingURL=index.js.map

package/lib/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,yDAAuC;AACvC,yDAAuC;AACvC,uDAAqC;AACrC,0DAAwC;AACxC,sDAAoC;AACpC,0DAAwC;AACxC,qDAAmC;AACnC,qDAAmC;AACnC,0DAAwC;AACxC,oDAAkC;AAClC,6DAA2C;AAC3C,mDAAiC"}

package/lib/package.json

@@ -0,0 +1,45 @@
+{
+    "name": "@mitre/hdf-converters",
+    "version": "2.5.1",
+    "license": "Apache-2.0",
+    "description": "Converter util library used to transform various scan results into HDF format",
+    "files": [
+        "lib"
+    ],
+    "main": "src/index.ts",
+    "publishConfig": {
+        "main": "lib/index.js"
+    },
+    "scripts": {
+        "prepack": "yarn build && cp package.json package.json.orig && cat package.json.orig | jq '.main = (.publishConfig.main)' > package.json",
+        "postpack": "mv package.json.orig package.json",
+        "build": "tsc -p ./tsconfig.build.json && cp -R ./data ./lib",
+        "lint": "eslint \"**/*.ts\" --fix",
+        "lint:ci": "eslint \"**/*.ts\" --max-warnings 0",
+        "test": "jest --silent"
+    },
+    "dependencies": {
+        "csv-parse": "^4.16.0",
+        "fast-xml-parser": "^3.19.0",
+        "htmlparser2": "^6.1.0",
+        "inspecjs": "^2.5.1",
+        "lodash": "^4.17.21"
+    },
+    "devDependencies": {
+        "@types/jest": "^27.0.0",
+        "@types/lodash": "^4.14.161",
+        "@types/node": "^15.0.1",
+        "htmlparser2": "^6.1.0",
+        "jest": "^27.0.6",
+        "quicktype": "^15.0.260",
+        "ts-jest": "^27.0.3",
+        "ts-node": "^10.0.0",
+        "typedoc": "^0.22.1"
+    },
+    "jest": {
+        "rootDir": ".",
+        "transform": {
+            "^.+\\.ts$": "ts-jest"
+        }
+    }
+}

package/lib/src/base-converter.d.ts

@@ -0,0 +1,39 @@
+import { ExecJSON } from 'inspecjs';
+export interface ILookupPath {
+    path?: string;
+    transformer?: (value: unknown) => unknown;
+    arrayTransformer?: (value: unknown[], file: unknown) => unknown[];
+    key?: string;
+}
+export declare type ObjectEntries<T> = {
+    [K in keyof T]: readonly [K, T[K]];
+}[keyof T];
+export declare type MappedTransform<T, U extends ILookupPath> = {
+    [K in keyof T]: Exclude<T[K], undefined | null> extends Array<any> ? MappedTransform<T[K], U> : T[K] extends Function ? T[K] : T[K] extends object ? MappedTransform<T[K] & (U & {
+        arrayTransformer?: (value: unknown[], file: Record<string, unknown>) => T[K][];
+    }), U> : T[K] | (U & {
+        transformer?: (value: unknown) => T[K];
+    });
+};
+export declare type MappedReform<T, U> = {
+    [K in keyof T]: Exclude<T[K], undefined | null> extends Array<any> ? MappedReform<T[K], U> : T[K] extends object ? MappedReform<T[K] & U, U> : Exclude<T[K], U>;
+};
+export declare function generateHash(data: string, algorithm?: string): string;
+export declare function parseHtml(input: unknown): string;
+export declare function impactMapping(mapping: Map<string, number>): (severity: unknown) => number;
+export declare class BaseConverter {
+    data: Record<string, unknown>;
+    mappings?: MappedTransform<ExecJSON.Execution, ILookupPath>;
+    collapseResults: boolean;
+    constructor(data: Record<string, unknown>, collapseResults?: boolean);
+    setMappings(mappings: MappedTransform<ExecJSON.Execution, ILookupPath>): void;
+    toHdf(): ExecJSON.Execution;
+    objectMap<T, V>(obj: T, fn: (v: ObjectEntries<T>) => V): {
+        [K in keyof T]: V;
+    };
+    convertInternal<T>(file: Record<string, unknown>, fields: T): MappedReform<T, ILookupPath>;
+    evaluate<T extends object>(file: Record<string, unknown>, v: Array<T> | T): T | Array<T> | MappedReform<T, ILookupPath>;
+    handleArray<T extends object>(file: Record<string, unknown>, v: Array<T & ILookupPath>): Array<T>;
+    handlePath(file: Record<string, unknown>, path: string): unknown;
+    hasPath(file: Record<string, unknown>, path: string): boolean;
+}

package/lib/src/base-converter.js

@@ -0,0 +1,216 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BaseConverter = exports.impactMapping = exports.parseHtml = exports.generateHash = void 0;
+const crypto_1 = require("crypto");
+const htmlparser = __importStar(require("htmlparser2"));
+const lodash_1 = __importDefault(require("lodash"));
+function generateHash(data, algorithm = 'sha256') {
+    const hash = (0, crypto_1.createHash)(algorithm);
+    return hash.update(data).digest('hex');
+}
+exports.generateHash = generateHash;
+function parseHtml(input) {
+    const textData = [];
+    const myParser = new htmlparser.Parser({
+        ontext(text) {
+            textData.push(text);
+        }
+    });
+    if (typeof input === 'string') {
+        myParser.write(input);
+    }
+    return textData.join('');
+}
+exports.parseHtml = parseHtml;
+function impactMapping(mapping) {
+    return (severity) => {
+        if (typeof severity === 'string' || typeof severity === 'number') {
+            return mapping.get(severity.toString().toLowerCase()) || 0;
+        }
+        else {
+            return 0;
+        }
+    };
+}
+exports.impactMapping = impactMapping;
+function collapseDuplicates(array, key, collapseResults) {
+    const seen = new Map();
+    const newArray = [];
+    let counter = 0;
+    array.forEach((item) => {
+        const propertyValue = lodash_1.default.get(item, key);
+        if (typeof propertyValue === 'string') {
+            const index = seen.get(propertyValue) || 0;
+            if (!seen.has(propertyValue)) {
+                newArray.push(item);
+                seen.set(propertyValue, counter);
+                counter++;
+            }
+            else {
+                const oldResult = lodash_1.default.get(newArray[index], 'results');
+                const descriptions = oldResult.map((element) => lodash_1.default.get(element, 'code_desc'));
+                if (collapseResults) {
+                    if (descriptions.indexOf(lodash_1.default.get(item, 'results[0].code_desc')) === -1) {
+                        lodash_1.default.set(newArray[index], 'results', oldResult.concat(lodash_1.default.get(item, 'results')));
+                    }
+                }
+                else {
+                    lodash_1.default.set(newArray[index], 'results', oldResult.concat(lodash_1.default.get(item, 'results')));
+                }
+            }
+        }
+    });
+    return newArray;
+}
+class BaseConverter {
+    constructor(data, collapseResults = false) {
+        this.data = data;
+        this.collapseResults = collapseResults;
+    }
+    setMappings(mappings) {
+        this.mappings = mappings;
+    }
+    toHdf() {
+        if (this.mappings === undefined) {
+            throw new Error('Mappings must be provided');
+        }
+        else {
+            const v = this.convertInternal(this.data, this.mappings);
+            v.profiles.forEach((element) => {
+                element.sha256 = generateHash(JSON.stringify(element));
+            });
+            return v;
+        }
+    }
+    objectMap(obj, fn) {
+        return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k, fn(v)]));
+    }
+    convertInternal(file, fields) {
+        const result = this.objectMap(fields, (v) => this.evaluate(file, v));
+        return result;
+    }
+    evaluate(file, v) {
+        const transformer = lodash_1.default.get(v, 'transformer');
+        if (Array.isArray(v)) {
+            return this.handleArray(file, v);
+        }
+        else if (typeof v === 'string' ||
+            typeof v === 'number' ||
+            typeof v === 'boolean' ||
+            v === null) {
+            return v;
+        }
+        else if (lodash_1.default.has(v, 'path')) {
+            if (typeof transformer === 'function') {
+                return transformer(this.handlePath(file, lodash_1.default.get(v, 'path')));
+            }
+            const pathVal = this.handlePath(file, lodash_1.default.get(v, 'path'));
+            if (Array.isArray(pathVal)) {
+                return pathVal;
+            }
+            return pathVal;
+        }
+        if (typeof transformer === 'function') {
+            return transformer(file);
+        }
+        else {
+            return this.convertInternal(file, v);
+        }
+    }
+    handleArray(file, v) {
+        if (v.length === 0) {
+            return [];
+        }
+        if (v[0].path === undefined) {
+            const arrayTransformer = v[0].arrayTransformer;
+            v = v.map((element) => {
+                return lodash_1.default.omit(element, ['arrayTransformer']);
+            });
+            let output = [];
+            v.forEach((element) => {
+                output.push(this.evaluate(file, element));
+            });
+            if (arrayTransformer !== undefined) {
+                output = arrayTransformer(output, this.data);
+            }
+            return output;
+        }
+        else {
+            const path = v[0].path;
+            const key = v[0].key;
+            const arrayTransformer = v[0].arrayTransformer;
+            const transformer = v[0].transformer;
+            if (this.hasPath(file, path)) {
+                const pathVal = this.handlePath(file, path);
+                if (Array.isArray(pathVal)) {
+                    v = pathVal.map((element) => {
+                        return lodash_1.default.omit(this.convertInternal(element, v[0]), [
+                            'path',
+                            'transformer',
+                            'arrayTransformer',
+                            'key'
+                        ]);
+                    });
+                    if (key !== undefined) {
+                        v = collapseDuplicates(v, key, this.collapseResults);
+                    }
+                    if (arrayTransformer !== undefined) {
+                        v = arrayTransformer(v, this.data);
+                    }
+                    return v;
+                }
+                else {
+                    if (transformer !== undefined) {
+                        return [transformer(this.handlePath(file, path))];
+                    }
+                    else {
+                        return [this.handlePath(file, path)];
+                    }
+                }
+            }
+            else {
+                return [];
+            }
+        }
+    }
+    handlePath(file, path) {
+        if (path.startsWith('$.')) {
+            return lodash_1.default.get(this.data, path.slice(2)) || '';
+        }
+        else {
+            return lodash_1.default.get(file, path) || '';
+        }
+    }
+    hasPath(file, path) {
+        if (path.startsWith('$.')) {
+            return lodash_1.default.has(this.data, path.slice(2));
+        }
+        else {
+            return lodash_1.default.has(file, path);
+        }
+    }
+}
+exports.BaseConverter = BaseConverter;
+//# sourceMappingURL=base-converter.js.map

package/lib/src/base-converter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base-converter.js","sourceRoot":"","sources":["../../src/base-converter.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,mCAAkC;AAClC,wDAA0C;AAE1C,oDAAuB;AAuCvB,SAAgB,YAAY,CAAC,IAAY,EAAE,SAAS,GAAG,QAAQ;IAC7D,MAAM,IAAI,GAAG,IAAA,mBAAU,EAAC,SAAS,CAAC,CAAC;IACnC,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAHD,oCAGC;AAED,SAAgB,SAAS,CAAC,KAAc;IACtC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC;QACrC,MAAM,CAAC,IAAY;YACjB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;KACF,CAAC,CAAC;IACH,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;QAC7B,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;KACvB;IACD,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC3B,CAAC;AAXD,8BAWC;AACD,SAAgB,aAAa,CAC3B,OAA4B;IAE5B,OAAO,CAAC,QAAiB,EAAU,EAAE;QACnC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE;YAChE,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC;SAC5D;aAAM;YACL,OAAO,CAAC,CAAC;SACV;IACH,CAAC,CAAC;AACJ,CAAC;AAVD,sCAUC;AAGD,SAAS,kBAAkB,CACzB,KAAe,EACf,GAAW,EACX,eAAwB;IAExB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,MAAM,QAAQ,GAAQ,EAAE,CAAC;IACzB,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,CAAC,OAAO,CAAC,CAAC,IAAO,EAAE,EAAE;QACxB,MAAM,aAAa,GAAG,gBAAC,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACvC,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE;YACrC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;YAC3C,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE;gBAC5B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACpB,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;gBACjC,OAAO,EAAE,CAAC;aACX;iBAAM;gBACL,MAAM,SAAS,GAAG,gBAAC,CAAC,GAAG,CACrB,QAAQ,CAAC,KAAK,CAAC,EACf,SAAS,CACkB,CAAC;gBAC9B,MAAM,YAAY,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAC7C,gBAAC,CAAC,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC,CAC5B,CAAC;gBACF,IAAI,eAAe,EAAE;oBACnB,IACE,YAAY,CAAC,OAAO,CAClB,gBAAC,CAAC,GAAG,CAAC,IAAI,EAAE,sBAAsB,CAAW,CAC9C,KAAK,CAAC,CAAC,EACR;wBACA,gBAAC,CAAC,GAAG,CACH,QAAQ,CAAC,KAAK,CAAC,EACf,SAAS,EACT,SAAS,CAAC,MAAM,CACd,gBAAC,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAA6B,CACnD,CACF,CAAC;qBACH;iBACF;qBAAM;oBACL,gBAAC,CAAC,GAAG,CACH,QAAQ,CAAC,KAAK,CAAC,EACf,SAAS,EACT,SAAS,CAAC,MAAM,CAAC,gBAAC,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAA6B,CAAC,CACrE,CAAC;iBACH;aACF;SACF;IACH,CAAC,CAAC,CAAC;IACH,OAAO,QAAQ,CAAC;AAClB,CAAC;AACD,MAAa,aAAa;IAKxB,YAAY,IAA6B,EAAE,eAAe,GAAG,KAAK;QAChE,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;IACzC,CAAC;IACD,WAAW,CACT,QAA0D;QAE1D,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IACD,KAAK;QACH,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE;YAC/B,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;SAC9C;aAAM;YACL,MAAM,CAAC,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzD,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;gBAC7B,OAAO,CAAC,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;YACzD,CAAC,CAAC,CAAC;YACH,OAAO,CAAC,CAAC;SACV;IACH,CAAC;IAED,SAAS,CAAO,GAAM,EAAE,EAA8B;QACpD,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAC1B,CAAC;IAC1B,CAAC;IACD,eAAe,CACb,IAA6B,EAC7B,MAAS;QAET,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAmB,EAAE,EAAE,CAC5D,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CACvB,CAAC;QACF,OAAO,MAAsC,CAAC;IAChD,CAAC;IAED,QAAQ,CACN,IAA6B,EAC7B,CAAe;QAEf,MAAM,WAAW,GAAG,gBAAC,CAAC,GAAG,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC;QAC5C,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;YACpB,OAAO,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;SAClC;aAAM,IACL,OAAO,CAAC,KAAK,QAAQ;YACrB,OAAO,CAAC,KAAK,QAAQ;YACrB,OAAO,CAAC,KAAK,SAAS;YACtB,CAAC,KAAK,IAAI,EACV;YACA,OAAO,CAAC,CAAC;SACV;aAAM,IAAI,gBAAC,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,EAAE;YAC3B,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE;gBACrC,OAAO,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,gBAAC,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAW,CAAC,CAAC,CAAC;aACvE;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,gBAAC,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAW,CAAC,CAAC;YAClE,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE;gBAC1B,OAAO,OAAc,CAAC;aACvB;YACD,OAAO,OAAY,CAAC;SACrB;QACD,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE;YACrC,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC;SAC1B;aAAM;YACL,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;SACtC;IACH,CAAC;IAED,WAAW,CACT,IAA6B,EAC7B,CAAyB;QAEzB,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE;YAClB,OAAO,EAAE,CAAC;SACX;QACD,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,EAAE;YAC3B,MAAM,gBAAgB,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC;YAC/C,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;gBACpB,OAAO,gBAAC,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,kBAAkB,CAAC,CAAoB,CAAC;YAClE,CAAC,CAAC,CAAC;YACH,IAAI,MAAM,GAAa,EAAE,CAAC;YAC1B,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;gBACpB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAM,CAAC,CAAC;YACjD,CAAC,CAAC,CAAC;YACH,IAAI,gBAAgB,KAAK,SAAS,EAAE;gBAClC,MAAM,GAAG,gBAAgB,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAQ,CAAC;aACrD;YACD,OAAO,MAAM,CAAC;SACf;aAAM;YACL,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACvB,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YACrB,MAAM,gBAAgB,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC;YAC/C,MAAM,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;YACrC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE;gBAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;gBAC5C,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE;oBAC1B,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,OAAgC,EAAE,EAAE;wBACnD,OAAO,gBAAC,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE;4BACjD,MAAM;4BACN,aAAa;4BACb,kBAAkB;4BAClB,KAAK;yBACN,CAAM,CAAC;oBACV,CAAC,CAAC,CAAC;oBACH,IAAI,GAAG,KAAK,SAAS,EAAE;wBACrB,CAAC,GAAG,kBAAkB,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;qBACtD;oBACD,IAAI,gBAAgB,KAAK,SAAS,EAAE;wBAClC,CAAC,GAAG,gBAAgB,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAQ,CAAC;qBAC3C;oBACD,OAAO,CAAC,CAAC;iBACV;qBAAM;oBACL,IAAI,WAAW,KAAK,SAAS,EAAE;wBAC7B,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,CAAM,CAAC,CAAC;qBACxD;yBAAM;wBACL,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,IAAI,CAAM,CAAC,CAAC;qBAC3C;iBACF;aACF;iBAAM;gBACL,OAAO,EAAE,CAAC;aACX;SACF;IACH,CAAC;IACD,UAAU,CAAC,IAA6B,EAAE,IAAY;QACpD,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE;YACzB,OAAO,gBAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SAC9C;aAAM;YACL,OAAO,gBAAC,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;SAChC;IACH,CAAC;IACD,OAAO,CAAC,IAA6B,EAAE,IAAY;QACjD,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE;YACzB,OAAO,gBAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;SACxC;aAAM;YACL,OAAO,gBAAC,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;SAC1B;IACH,CAAC;CACF;AA7ID,sCA6IC"}

package/lib/src/burpsuite-mapper.d.ts

@@ -0,0 +1,7 @@
+import { ExecJSON } from 'inspecjs';
+import { BaseConverter, ILookupPath, MappedTransform } from './base-converter';
+export declare class BurpSuiteMapper extends BaseConverter {
+    mappings: MappedTransform<ExecJSON.Execution, ILookupPath>;
+    constructor(burpsXml: string);
+    setMappings(customMappings: MappedTransform<ExecJSON.Execution, ILookupPath>): void;
+}

package/lib/src/burpsuite-mapper.js

@@ -0,0 +1,157 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BurpSuiteMapper = void 0;
+const fast_xml_parser_1 = __importDefault(require("fast-xml-parser"));
+const inspecjs_1 = require("inspecjs");
+const lodash_1 = __importDefault(require("lodash"));
+const path_1 = __importDefault(require("path"));
+const package_json_1 = require("../package.json");
+const base_converter_1 = require("./base-converter");
+const CweNistMapping_1 = require("./mappings/CweNistMapping");
+const IMPACT_MAPPING = new Map([
+    ['high', 0.7],
+    ['medium', 0.5],
+    ['low', 0.3],
+    ['information', 0.3]
+]);
+const NAME = 'BurpSuite Pro Scan';
+const CWE_NIST_MAPPING_FILE = path_1.default.resolve(__dirname, '../data/cwe-nist-mapping.csv');
+const CWE_NIST_MAPPING = new CweNistMapping_1.CweNistMapping(CWE_NIST_MAPPING_FILE);
+const DEFAULT_NIST_TAG = ['SA-11', 'RA-5'];
+function formatCodeDesc(issue) {
+    const text = [];
+    if (lodash_1.default.has(issue, 'host.ip') && lodash_1.default.has(issue, 'host.text')) {
+        text.push(`Host: ip: ${lodash_1.default.get(issue, 'host.ip')}, url: ${lodash_1.default.get(issue, 'host.text')}`);
+    }
+    else {
+        text.push('Host: ip: , url: ');
+    }
+    if (lodash_1.default.has(issue, 'location')) {
+        text.push(`Location: ${(0, base_converter_1.parseHtml)(lodash_1.default.get(issue, 'location'))}`);
+    }
+    else {
+        text.push('Location: ');
+    }
+    if (lodash_1.default.has(issue, 'issueDetail')) {
+        text.push(`issueDetail: ${(0, base_converter_1.parseHtml)(lodash_1.default.get(issue, 'issueDetail'))}`);
+    }
+    if (lodash_1.default.has(issue, 'confidence')) {
+        text.push(`confidence: ${(0, base_converter_1.parseHtml)(lodash_1.default.get(issue, 'confidence'))}`);
+    }
+    else {
+        text.push('confidence: ');
+    }
+    return text.join('\n') + '\n';
+}
+function idToString(id) {
+    if (typeof id === 'string' || typeof id === 'number') {
+        return id.toString();
+    }
+    else {
+        return '';
+    }
+}
+function formatCweId(input) {
+    return (0, base_converter_1.parseHtml)(input).slice(1, -1).trimLeft();
+}
+function nistTag(input) {
+    let cwe = formatCweId(input).split('CWE-');
+    cwe.shift();
+    cwe = cwe.map((x) => x.split(':')[0]);
+    return CWE_NIST_MAPPING.nistFilter(cwe, DEFAULT_NIST_TAG).concat(['Rev_4']);
+}
+function parseXml(xml) {
+    const options = {
+        attributeNamePrefix: '',
+        textNodeName: 'text',
+        ignoreAttributes: false
+    };
+    return fast_xml_parser_1.default.parse(xml, options);
+}
+class BurpSuiteMapper extends base_converter_1.BaseConverter {
+    constructor(burpsXml) {
+        super(parseXml(burpsXml));
+        this.mappings = {
+            platform: {
+                name: 'Heimdall Tools',
+                release: package_json_1.version,
+                target_id: ''
+            },
+            version: package_json_1.version,
+            statistics: {
+                duration: null
+            },
+            profiles: [
+                {
+                    name: NAME,
+                    version: { path: 'issues.burpVersion' },
+                    title: NAME,
+                    maintainer: null,
+                    summary: NAME,
+                    license: null,
+                    copyright: null,
+                    copyright_email: null,
+                    supports: [],
+                    attributes: [],
+                    depends: [],
+                    groups: [],
+                    status: 'loaded',
+                    controls: [
+                        {
+                            path: 'issues.issue',
+                            key: 'id',
+                            id: { path: 'type', transformer: idToString },
+                            title: { path: 'name' },
+                            desc: { path: 'issueBackground', transformer: base_converter_1.parseHtml },
+                            impact: {
+                                path: 'severity',
+                                transformer: (0, base_converter_1.impactMapping)(IMPACT_MAPPING)
+                            },
+                            tags: {
+                                nist: {
+                                    path: 'vulnerabilityClassifications',
+                                    transformer: nistTag
+                                },
+                                cweid: {
+                                    path: 'vulnerabilityClassifications',
+                                    transformer: formatCweId
+                                },
+                                confidence: { path: 'confidence' }
+                            },
+                            descriptions: [
+                                {
+                                    data: { path: 'issueBackground', transformer: base_converter_1.parseHtml },
+                                    label: 'check'
+                                },
+                                {
+                                    data: { path: 'remediationBackground', transformer: base_converter_1.parseHtml },
+                                    label: 'fix'
+                                }
+                            ],
+                            refs: [],
+                            source_location: {},
+                            code: '',
+                            results: [
+                                {
+                                    status: inspecjs_1.ExecJSON.ControlResultStatus.Failed,
+                                    code_desc: { transformer: formatCodeDesc },
+                                    run_time: 0,
+                                    start_time: { path: '$.issues.exportTime' }
+                                }
+                            ]
+                        }
+                    ],
+                    sha256: ''
+                }
+            ]
+        };
+    }
+    setMappings(customMappings) {
+        super.setMappings(customMappings);
+    }
+}
+exports.BurpSuiteMapper = BurpSuiteMapper;
+//# sourceMappingURL=burpsuite-mapper.js.map