@mitre/inspec-objects 2.0.5 → 2.1.0

package/.github/workflows/auto-approve-and-merge.yml

@@ -2,6 +2,7 @@ name: Auto approve and Merge Dependabot PRs
 on:
   pull_request_target:
     types: [labeled]
+
 permissions:
   pull-requests: write
   contents: write

package/.github/workflows/build.yml

@@ -1,19 +1,23 @@
 name: Build and Pack TS-InSpec-Objects
+
 on:
   push:
     branches: [ main ]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build and Pack TS-InSpec-Objects
     runs-on: ubuntu-24.04
 
     steps:
-     - uses: actions/checkout@v4
+     - uses: actions/checkout@v5
 
      - name: Setup Node.js
-       uses: actions/setup-node@v4
+       uses: actions/setup-node@v6
        with:
         node-version: 22
         cache: 'npm'

package/.github/workflows/draft-release.yml

@@ -2,10 +2,13 @@ name: Draft Release
 
 on:
   push:
-    # branches to consider in the event; optional, defaults to all
     branches:
       - main
 
+permissions:
+  contents: write
+  pull-requests: read
+
 jobs:
   update_draft_release:
     runs-on: ubuntu-24.04

package/.github/workflows/e2e-test.yml

@@ -1,19 +1,23 @@
 name: Run TS-InSpec-Objects E2E Tests
+
 on:
   push:
     branches: [ main ]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Run TS-InSpec-Objects E2E Tests
     runs-on: ubuntu-24.04
 
     steps:
-     - uses: actions/checkout@v4
+     - uses: actions/checkout@v5
 
      - name: Setup Node.js
-       uses: actions/setup-node@v4
+       uses: actions/setup-node@v6
        with:
         node-version: 22
         cache: 'npm'
@@ -22,4 +26,4 @@ jobs:
        run: npm ci
 
      - name: Run e2e tests
-       run: npm test
+       run: npm run test:ci

package/.github/workflows/linter.yml

@@ -1,9 +1,13 @@
 name: Lint TS-InSpec-Objects
+
 on:
   push:
     branches: [ main ]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Lint TS-InSpec-Objects
@@ -11,10 +15,10 @@ jobs:
 
     steps:
      - name: Checkout code
-       uses: actions/checkout@v4
+       uses: actions/checkout@v5
 
      - name: Setup Node.js
-       uses: actions/setup-node@v4
+       uses: actions/setup-node@v6
        with:
         node-version: 22
         cache: 'npm'

package/.github/workflows/push-to-gpr.yml

@@ -1,17 +1,22 @@
 name: Build and Release NPM to GPR (GitHub Package Registry)
+
 on:
   release:
     types: [published]
   workflow_dispatch:
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build-deploy:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Setup node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: 22
           registry-url: 'https://npm.pkg.github.com'

package/.github/workflows/push-to-npm.yml

@@ -1,21 +1,29 @@
 name: Push @mitre/inspec-objects to NPM
+
 on:
   release:
     types: [published]
   workflow_dispatch:
 
+permissions:
+  id-token: write # required for trusted publishing's use of OIDC
+  contents: read
+
 jobs:
   build-deploy:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: setup node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: 22
           registry-url: 'https://registry.npmjs.org'
 
+      - name: Manually update npm to 11.5.1 or later which is the required version for trusted publishing to work # this step can be removed after the ubuntu runner has the correct minimum version of npm installed
+        run: npm install -g npm@latest
+
       - name: Install project dependencies
         run: npm ci
 
@@ -30,5 +38,3 @@ jobs:
 
       - name: Publish inspec-objects to NPM
         run: npm publish --access public mitre-inspec-objects-*.tgz
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/eslint.config.js

@@ -0,0 +1,41 @@
+import { defineConfig } from 'eslint/config';
+import js from '@eslint/js';
+import stylistic from '@stylistic/eslint-plugin';
+import tseslint from 'typescript-eslint';
+import unicorn from 'eslint-plugin-unicorn';
+import n from 'eslint-plugin-n';
+
+export default defineConfig([
+  {
+    ignores: ['node_modules/**', 'lib/**'],
+  },
+  js.configs.recommended,
+  ...tseslint.configs.recommended,
+  unicorn.configs.recommended,
+  stylistic.configs.customize({
+    braceStyle: '1tbs',
+    indent: [2, { SwitchCase: 1 }],
+    semi: true,
+    quoteProps: 'as-needed',
+    quotes: 'single',
+  }),
+  {
+    languageOptions: {
+      parser: tseslint.parser,
+      ecmaVersion: 'latest',
+      sourceType: 'module',
+    },
+    plugins: {
+      '@typescript-eslint': tseslint.plugin,
+      unicorn,
+      n,
+    },
+    rules: {
+      '@stylistic/quotes': ['error', 'single', { avoidEscape: true }],
+      '@typescript-eslint/no-explicit-any': 'off',
+      'unicorn/no-null': 'off',
+      'unicorn/prefer-node-protocol': 'off',
+      'unicorn/prevent-abbreviations': 'off',
+    },
+  },
+]);

package/lib/index.d.ts

@@ -3,7 +3,5 @@ export * from './parsers/oval';
 export * from './parsers/xccdf';
 export * from './utilities/diff';
 export * from './utilities/update';
-import Control from './objects/control';
-import Profile from './objects/profile';
-export { Control };
-export { Profile };
+export { default as Control } from './objects/control';
+export { default as Profile } from './objects/profile';

package/lib/index.js

@@ -7,7 +7,7 @@ tslib_1.__exportStar(require("./parsers/oval"), exports);
 tslib_1.__exportStar(require("./parsers/xccdf"), exports);
 tslib_1.__exportStar(require("./utilities/diff"), exports);
 tslib_1.__exportStar(require("./utilities/update"), exports);
-const control_1 = tslib_1.__importDefault(require("./objects/control"));
-exports.Control = control_1.default;
-const profile_1 = tslib_1.__importDefault(require("./objects/profile"));
-exports.Profile = profile_1.default;
+var control_1 = require("./objects/control");
+Object.defineProperty(exports, "Control", { enumerable: true, get: function () { return tslib_1.__importDefault(control_1).default; } });
+var profile_1 = require("./objects/profile");
+Object.defineProperty(exports, "Profile", { enumerable: true, get: function () { return tslib_1.__importDefault(profile_1).default; } });

package/lib/mappings/{CciNistMappingData.js → cci-nist-mapping-data.js}

@@ -5099,5 +5099,5 @@ exports.data = {
     'CCI-005144': 'SR-12',
     'CCI-005145': 'SR-12',
     'CCI-005146': 'SR-12',
-    'CCI-005147': 'AT-2 a 1'
+    'CCI-005147': 'AT-2 a 1',
 };

package/lib/objects/control.js

@@ -17,9 +17,9 @@ const logging_1 = require("../utilities/logging");
 function objectifyDescriptions(descs) {
     if (Array.isArray(descs)) {
         const descriptions = {};
-        descs.forEach((description) => {
+        for (const description of descs) {
             descriptions[description.label] = description.data;
-        });
+        }
         return descriptions;
     }
     return descs || {};
@@ -54,13 +54,12 @@ class Control {
      *               If provided, the properties of the data object will be assigned to the instance.
      */
     constructor(data) {
-        this.tags = {};
         this.refs = [];
         this.tags = {};
         if (data) {
-            Object.entries(lodash_1.default.cloneDeep(data)).forEach(([key, value]) => {
+            for (const [key, value] of Object.entries(structuredClone(data))) {
                 lodash_1.default.set(this, key, value);
-            });
+            }
         }
     }
     /**
@@ -100,11 +99,11 @@ class Control {
             result += `  desc "${this.desc}"\n`;
         }
         if (this.descs) {
-            Object.entries(this.descs).forEach(([key, subDesc]) => {
+            for (const [key, subDesc] of Object.entries(this.descs)) {
                 if (subDesc) {
                     result += `  desc '${key}', "${subDesc}"\n`;
                 }
-            });
+            }
         }
         if (this.impact) {
             result += `  impact ${this.impact}\n`;
@@ -113,34 +112,18 @@ class Control {
             result += `  impact ${this.impact.toFixed(1)}\n`;
         }
         if (this.refs) {
-            this.refs.forEach((ref) => {
-                var _a;
-                if (typeof ref === 'string') {
-                    result += `  ref "${ref}"\n`;
-                }
-                else {
-                    result += `  ref ${((_a = ref.ref) === null || _a === void 0 ? void 0 : _a.toString()) || ''}, url: ${ref.url || ''}`;
-                }
-            });
+            for (const ref of this.refs) {
+                result += typeof ref === 'string' ? `  ref "${ref}"\n` : `  ref ${ref.ref?.toString() || ''}, url: ${ref.url || ''}`;
+            }
         }
-        Object.entries(this.tags).forEach(([tag, value]) => {
+        for (const [tag, value] of Object.entries(this.tags)) {
             if (typeof value === 'object') {
-                if (Array.isArray(value) && typeof value[0] === 'string') {
-                    result += `  tag ${tag}: ${JSON.stringify(value)}\n`;
-                }
-                else {
-                    result += `  tag '${tag}': ${(value == null ? 'nil' : value)}\n`;
-                }
+                result += Array.isArray(value) && typeof value[0] === 'string' ? `  tag ${tag}: ${JSON.stringify(value)}\n` : `  tag '${tag}': ${(value == undefined ? 'nil' : value)}\n`;
             }
             else if (typeof value === 'string') {
-                if (value.includes('"')) {
-                    result += `  tag "${tag}": "${value}"\n`;
-                }
-                else {
-                    result += `  tag '${tag}': '${value}'\n`;
-                }
+                result += value.includes('"') ? `  tag "${tag}": "${value}"\n` : `  tag '${tag}': '${value}'\n`;
             }
-        });
+        }
         if (this.describe) {
             result += '\n';
             result += this.describe;
@@ -176,57 +159,47 @@ class Control {
         if (this.title) {
             result += `  title ${(0, global_1.escapeQuotes)(this.title)}\n`;
         }
-        else {
-            if (verbose) {
-                logger.error(`${this.id} does not have a title`);
-            }
+        else if (verbose) {
+            logger.error(`${this.id} does not have a title`);
         }
         // This is the known 'default' description - on previous version this content was repeated on descriptions processed by "descs"
         if (this.desc) {
             result += `  desc ${(0, global_1.escapeQuotes)(this.desc)}\n`;
         }
-        else {
-            if (verbose) {
-                logger.error(`${this.id} does not have a desc`);
-            }
+        else if (verbose) {
+            logger.error(`${this.id} does not have a desc`);
         }
         if (this.descs) {
-            Object.entries(this.descs).forEach(([key, subDesc]) => {
+            for (const [key, subDesc] of Object.entries(this.descs)) {
                 if (subDesc) {
                     if (key.match('default') && this.desc) {
-                        if (subDesc != this.desc) {
-                            // The "default" keyword may have the same content as the desc content for backward compatibility with different historical InSpec versions.
-                            // In that case, we can ignore writing the "default" subdescription field.
-                            // If they are different, however, someone may be trying to use the keyword "default" for a unique subdescription, which should not be done.
-                            if (verbose) {
-                                logger.error(`${this.id} has a subdescription called "default" with contents that do not match the main description. "Default" should not be used as a keyword for unique sub-descriptions.`);
-                            }
+                        // The "default" keyword may have the same content as the desc content for backward compatibility with different historical InSpec versions.
+                        // In that case, we can ignore writing the "default" subdescription field.
+                        // If they are different, however, someone may be trying to use the keyword "default" for a unique subdescription, which should not be done.
+                        if (subDesc != this.desc && verbose) {
+                            logger.error(`${this.id} has a subdescription called "default" with contents that do not match the main description. "Default" should not be used as a keyword for unique sub-descriptions.`);
                         }
                     }
                     else {
                         result += `  desc '${key}', ${(0, global_1.escapeQuotes)(subDesc)}\n`;
                     }
                 }
-                else {
-                    if (verbose) {
-                        logger.warn(`${this.id} does not have a desc for the value ${key}`);
-                    }
+                else if (verbose) {
+                    logger.warn(`${this.id} does not have a desc for the value ${key}`);
                 }
-            });
+            }
         }
         if (this.impact !== undefined) {
             result += `  impact ${(this.impact <= 0 ? this.impact.toFixed(1) : this.impact)}\n`;
         }
-        else {
-            if (verbose) {
-                logger.error(`${this.id} does not have an impact`);
-            }
+        else if (verbose) {
+            logger.error(`${this.id} does not have an impact`);
         }
-        //-------------------------------------------------------------------------
+        // -------------------------------------------------------------------------
         // This may not be necessary, leaving commented code for posterity. Once we
         // have implemented the process and determined that there isn't any side
         // effects we can remove the commented code
-        //-------------------------------------------------------------------------
+        // -------------------------------------------------------------------------
         // if (this.refs) {
         //   this.refs.forEach((ref) => {
         //     if (typeof ref === 'string') {
@@ -236,25 +209,25 @@ class Control {
         //     }
         //   });
         // }
-        Object.entries(this.tags).forEach(([tag, value]) => {
+        for (const [tag, value] of Object.entries(this.tags)) {
             if (value) {
                 if (typeof value === 'object') {
                     if (Array.isArray(value) && typeof value[0] === 'string') {
                         // The goal is to keep the style similar to cookstyle formatting
                         result += `  tag ${tag}: ${JSON.stringify(value)
-                            .replace(/"/g, "'") // replace the double quotes with single quotes, ex: ["V-72029","SV-86653"] -> ['V-72029','SV-86653']
+                            .replaceAll('"', "'") // replace the double quotes with single quotes, ex: ["V-72029","SV-86653"] -> ['V-72029','SV-86653']
                             .split("','") // split the items in the string
                             .join("', '")}\n`; // join them together using single quote and a space, ex: ['V-72029','SV-86653'] -> ['V-72029', 'SV-86653']
                     }
                     else {
                         // Convert JSON Object to Ruby Hash
                         const stringifiedObject = JSON.stringify(value, null, 2)
-                            .replace(/\n/g, '\n  ')
-                            .replace(/\{\n {6}/g, '{')
-                            .replace(/\[\n {8}/g, '[')
-                            .replace(/\n {6}\]/g, ']')
-                            .replace(/\n {4}\}/g, '}')
-                            .replace(/": \[/g, '" => [');
+                            .replaceAll('\n', '\n  ')
+                            .replaceAll(/\{\n {6}/g, '{')
+                            .replaceAll(/\[\n {8}/g, '[')
+                            .replaceAll(/\n {6}\]/g, ']')
+                            .replaceAll(/\n {4}\}/g, '}')
+                            .replaceAll('": [', '" => [');
                         result += `  tag ${tag}: ${stringifiedObject}\n`;
                     }
                 }
@@ -264,17 +237,12 @@ class Control {
             }
             else {
                 const nilTagList = ['severity', 'satisfies'];
-                if (nilTagList.includes(tag)) {
-                    result += `  tag ${tag}: nil\n`;
-                }
-                else {
-                    result += `  tag '${tag}'\n`;
-                }
+                result += nilTagList.includes(tag) ? `  tag ${tag}: nil\n` : `  tag '${tag}'\n`;
                 if (verbose) {
                     logger.info(`${this.id} does not have a value for tag: ${tag}`);
                 }
             }
-        });
+        }
         if (this.describe) {
             result += '\n';
             result += this.describe;

package/lib/objects/profile.js

@@ -53,9 +53,9 @@ class Profile {
         this.files = [];
         this.controls = [];
         if (data) {
-            Object.entries(data).forEach(([key, value]) => {
+            for (const [key, value] of Object.entries(data)) {
                 lodash_1.default.set(this, key, value);
-            });
+            }
         }
     }
     /**
@@ -79,7 +79,7 @@ class Profile {
             version: this.version,
             supports: this.supports,
             depends: this.depends,
-            //inspec_version: this.inspec_version,
+            // inspec_version: this.inspec_version,
             inspec_version: yaml_1.default.stringify(`${this.inspec_version}`, { defaultStringType: 'QUOTE_DOUBLE' }),
         });
     }
@@ -95,12 +95,12 @@ class Profile {
      */
     toUnformattedObject() {
         const unformattedProfile = new Profile(this);
-        Object.entries(this).forEach(([key, value]) => {
+        for (const [key, value] of Object.entries(this)) {
             if (typeof value === 'string') {
                 lodash_1.default.set(unformattedProfile, key, (0, global_1.unformatText)(value));
             }
-        });
-        unformattedProfile.controls = this.controls.map((control) => control.toUnformattedObject());
+        }
+        unformattedProfile.controls = this.controls.map(control => control.toUnformattedObject());
         return unformattedProfile;
     }
 }

package/lib/parsers/json.js

@@ -29,7 +29,7 @@ function processEvaluation(evaluationInput) {
         description: lodash_1.default.get(topLevelProfile.data, 'description'),
         version: topLevelProfile.data.version,
     });
-    topLevelProfile.contains.forEach((control) => {
+    for (const control of topLevelProfile.contains) {
         profile.controls.push(new control_1.default({
             id: control.data.id,
             title: control.data.title,
@@ -38,7 +38,7 @@ function processEvaluation(evaluationInput) {
             descs: (0, control_1.objectifyDescriptions)(control.hdf.wraps.descriptions),
             tags: control.hdf.wraps.tags,
         }));
-    });
+    }
     return profile;
 }
 /**
@@ -59,7 +59,7 @@ function processProfileJSON(profileInput) {
         description: lodash_1.default.get(profileInput.data, 'description'),
         version: profileInput.data.version,
     });
-    profileInput.data.controls.forEach((control) => {
+    for (const control of profileInput.data.controls) {
         const newControl = new control_1.default({
             id: control.id,
             title: control.title,
@@ -72,17 +72,15 @@ function processProfileJSON(profileInput) {
         newControl.describe = (0, update_1.getExistingDescribeFromControl)(newControl);
         // Migrate check and fix text from tags to descriptions
         if (newControl.tags.check && !newControl.descs.check) {
-            // eslint-disable-next-line  @typescript-eslint/no-non-null-assertion
             lodash_1.default.set(newControl.descs, 'check', control.tags.check);
             lodash_1.default.set(newControl.tags, 'check', undefined);
         }
         if (newControl.tags.fix && !newControl.descs.fix) {
-            // eslint-disable-next-line  @typescript-eslint/no-non-null-assertion
             lodash_1.default.set(newControl.descs, 'fix', control.tags.fix);
             lodash_1.default.set(newControl.tags, 'fix', undefined);
         }
         profile.controls.push(newControl);
-    });
+    }
     return profile;
 }
 /**
@@ -110,7 +108,7 @@ function processExecJSON(execJSON) {
  */
 function processInSpecProfile(json) {
     const convertedFile = (0, inspecjs_1.convertFile)(json, true);
-    let profile = new profile_1.default();
+    let profile;
     if (convertedFile['1_0_ExecJson']) {
         profile = processEvaluation((0, inspecjs_1.contextualizeEvaluation)(convertedFile['1_0_ExecJson'])).toUnformattedObject();
     }