Impact aggregation change

Signed-off-by: Charles Hu <[email protected]>

CHANGELOG

@@ -1,3 +1,114 @@
+v2.10.12
+
+- Hdf2ckl severity @kemley76 (#5866)
+- checklist metadata input validation on export @kemley76 (#5902)
+- gosec Mapper Rework @charleshu-8 (#5982)
+- Trufflehog mapper @andytang99 (#6013)
+- Format error message when validating checklist metadata @kemley76 (#6023)
+- gosec Mapper Rework @charleshu-8 (#5982)
+- GoSec Mapper `impact` Fix @charleshu-8 (#5952)
+
+## Dependency Updates
+
+- Bump cypress-wait-until from 1.7.2 to 3.0.2 @dependabot (#6046)
+- Bump @aws-sdk/client-config-service from 3.620.1 to 3.621.0 @dependabot (#6044)
+- Bump @types/lodash from 4.17.5 to 4.17.7 @dependabot (#6001)
+- Bump @types/node from 20.14.12 to 22.0.0 @dependabot (#6043)
+- Bump @aws-sdk/client-config-service from 3.620.0 to 3.620.1 @dependabot (#6042)
+- Bump csv-stringify from 6.5.0 to 6.5.1 @dependabot (#6041)
+- Bump @aws-sdk/client-s3 from 3.620.0 to 3.620.1 @dependabot (#6039)
+- Bump fast-xml-parser from 4.4.0 to 4.4.1 @dependabot (#6037)
+- Bump sass-loader from 15.0.0 to 16.0.0 @dependabot (#6036)
+- Bump html-loader from 5.0.0 to 5.1.0 @dependabot (#6034)
+- Bump @aws-sdk/client-config-service from 3.616.0 to 3.620.0 @dependabot (#6033)
+- Bump tailwindcss from 3.4.6 to 3.4.7 @dependabot (#6031)
+- Bump @aws-sdk/client-s3 from 3.617.0 to 3.620.0 @dependabot (#6029)
+- Bump chai and @types/chai @dependabot (#6032)
+- Bump @aws-sdk/client-sts from 3.616.0 to 3.620.0 @dependabot (#6030)
+- Bump eslint-plugin-cypress from 3.3.0 to 3.4.0 @dependabot (#6027)
+- Bump @smithy/node-http-handler from 3.1.3 to 3.1.4 @dependabot (#6025)
+- Bump yaml from 2.4.5 to 2.5.0 @dependabot (#6026)
+- Bump @nestjs/schematics from 10.1.2 to 10.1.3 @dependabot (#6024)
+- Bump @types/node from 20.14.11 to 20.14.12 @dependabot (#6020)
+- Bump @aws-sdk/client-s3 from 3.616.0 to 3.617.0 @dependabot (#6017)
+- Bump @e965/xlsx from 0.20.2 to 0.20.3 @dependabot (#6012)
+- Bump sass-loader from 14.2.1 to 15.0.0 @dependabot (#6022)
+- Bump apexcharts from 3.50.0 to 3.51.0 @dependabot (#6015)
+- Bump express-rate-limit from 7.3.1 to 7.4.0 @dependabot (#6021)
+- Bump typedoc from 0.26.4 to 0.26.5 @dependabot (#6014)
+- Bump lerna from 8.1.6 to 8.1.7 @dependabot (#6016)
+- Bump @aws-sdk/client-s3 from 3.614.0 to 3.616.0 @dependabot (#6010)
+- Bump @aws-sdk/client-config-service from 3.614.0 to 3.616.0 @dependabot (#6009)
+- Bump ts-jest from 29.2.2 to 29.2.3 @dependabot (#6008)
+- Bump @aws-sdk/client-sts from 3.614.0 to 3.616.0 @dependabot (#6011)
+- Bump eslint-plugin-prettier from 5.1.3 to 5.2.1 @dependabot (#6006)
+- Bump tailwindcss from 3.4.5 to 3.4.6 @dependabot (#6003)
+- Bump @types/node from 20.14.10 to 20.14.11 @dependabot (#6000)
+- Bump cypress from 13.13.0 to 13.13.1 @dependabot (#6002)
+- Bump semver from 7.6.2 to 7.6.3 @dependabot (#5999)
+- Bump compare-versions from 6.1.0 to 6.1.1 @dependabot (#5998)
+- Bump prettier from 3.3.2 to 3.3.3 @dependabot (#5997)
+- Bump @smithy/node-http-handler from 3.1.2 to 3.1.3 @dependabot (#5996)
+- Bump tailwindcss from 3.4.4 to 3.4.5 @dependabot (#5995)
+- Bump @aws-sdk/client-config-service from 3.609.0 to 3.614.0 @dependabot (#5991)
+- Bump winston from 3.13.0 to 3.13.1 @dependabot (#5989)
+- Bump ts-jest from 29.2.0 to 29.2.2 @dependabot (#5990)
+- Bump typedoc from 0.26.3 to 0.26.4 @dependabot (#5992)
+- Bump @aws-sdk/client-s3 from 3.613.0 to 3.614.0 @dependabot (#5993)
+- Bump @aws-sdk/client-sts from 3.613.0 to 3.614.0 @dependabot (#5988)
+- Bump @aws-sdk/client-s3 from 3.609.0 to 3.613.0 @dependabot (#5983)
+- Bump xml-formatter from 3.6.2 to 3.6.3 @dependabot (#5981)
+- Bump xml-parser-xo from 4.1.1 to 4.1.2 @dependabot (#5980)
+- Bump highlight.js from 11.9.0 to 11.10.0 @dependabot (#5978)
+- Bump @nestjs/testing from 10.3.9 to 10.3.10 @dependabot (#5956)
+- Bump @smithy/node-http-handler from 3.1.1 to 3.1.2 @dependabot (#5979)
+- Bump ts-jest from 29.1.5 to 29.2.0 @dependabot (#5977)
+- Bump tsx from 4.16.0 to 4.16.2 @dependabot (#5969)
+- Bump @nestjs/cli from 10.4.0 to 10.4.2 @dependabot (#5973)
+- Bump @types/node from 20.14.9 to 20.14.10 @dependabot (#5972)
+- Bump lerna from 8.1.5 to 8.1.6 @dependabot (#5974)
+- Bump apexcharts from 3.49.2 to 3.50.0 @dependabot (#5971)
+- Bump @aws-sdk/client-config-service from 3.606.0 to 3.609.0 @dependabot (#5966)
+- Bump eslint-plugin-vue from 9.26.0 to 9.27.0 @dependabot (#5967)
+- Bump @aws-sdk/client-s3 from 3.608.0 to 3.609.0 @dependabot (#5964)
+- Bump @nestjs/schematics from 10.1.1 to 10.1.2 @dependabot (#5968)
+- Bump @aws-sdk/client-sts from 3.606.0 to 3.609.0 @dependabot (#5963)
+- Bump @nestjs/cli from 10.3.2 to 10.4.0 @dependabot (#5965)
+- Bump @nestjs/core from 10.3.9 to 10.3.10 @dependabot (#5960)
+- Bump prettier-plugin-organize-imports from 3.2.4 to 4.0.0 @dependabot (#5958)
+- Bump tsx from 4.15.7 to 4.16.0 @dependabot (#5959)
+- Bump @nestjs/platform-express from 10.3.9 to 10.3.10 @dependabot (#5957)
+- Bump cypress from 13.12.0 to 13.13.0 @dependabot (#5954)
+- Bump @nestjs/common from 10.3.9 to 10.3.10 @dependabot (#5955)
+- Bump @aws-sdk/client-s3 from 3.606.0 to 3.608.0 @dependabot (#5953)
+- Bump typedoc from 0.26.2 to 0.26.3 @dependabot (#5947)
+- Bump lru-cache from 10.2.2 to 10.3.0 @dependabot (#5948)
+- Bump @aws-sdk/client-config-service from 3.600.0 to 3.606.0 @dependabot (#5950)
+- Bump @aws-sdk/client-s3 from 3.600.0 to 3.606.0 @dependabot (#5946)
+- Bump @smithy/node-http-handler from 3.1.0 to 3.1.1 @dependabot (#5945)
+- Bump @aws-sdk/client-sts from 3.600.0 to 3.606.0 @dependabot (#5943)
+- Bump apexcharts from 3.49.1 to 3.49.2 @dependabot (#5941)
+- Bump @types/node from 20.14.8 to 20.14.9 @dependabot (#5942)
+- Bump typedoc from 0.25.13 to 0.26.2 @dependabot (#5939)
+- Bump lerna from 8.1.3 to 8.1.5 @dependabot (#5940)
+- Bump tsx from 4.15.6 to 4.15.7 @dependabot (#5937)
+- Bump @types/node from 20.14.7 to 20.14.8 @dependabot (#5938)
+- Bump @types/node from 20.14.6 to 20.14.7 @dependabot (#5936)
+- Bump @types/uuid from 9.0.8 to 10.0.0 @dependabot (#5935)
+- Bump @types/node from 20.14.4 to 20.14.6 @dependabot (#5934)
+- Bump @aws-sdk/client-config-service from 3.598.0 to 3.600.0 @dependabot (#5931)
+- Bump cypress from 13.11.0 to 13.12.0 @dependabot (#5933)
+- Bump @aws-sdk/client-s3 from 3.596.0 to 3.600.0 @dependabot (#5929)
+- Bump @smithy/node-http-handler from 3.0.1 to 3.1.0 @dependabot (#5928)
+- Bump @types/node from 20.14.2 to 20.14.4 @dependabot (#5924)
+- Bump ts-jest from 29.1.4 to 29.1.5 @dependabot (#5925)
+- Bump tsx from 4.15.5 to 4.15.6 @dependabot (#5926)
+- Bump @aws-sdk/client-config-service from 3.596.0 to 3.598.0 @dependabot (#5922)
+- Bump ws from 7.5.9 to 7.5.10 @dependabot (#5927)
+- Bump @types/validator from 13.11.10 to 13.12.0 @dependabot (#5923)
+- Bump @aws-sdk/client-sts from 3.596.0 to 3.598.0 @dependabot (#5920)
+- Bump tsx from 4.15.2 to 4.15.5 @dependabot (#5919)
+
 v2.10.10
 
 - Revert "Bump tw-elements from 1.1.0 to 2.0.0" @charleshu-8 (#5894)

VERSION

@@ -1 +1 @@
-v2.10.10
+v2.10.12

apps/backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "heimdall-server",
-  "version": "2.10.10",
+  "version": "2.10.11",
   "description": "",
   "license": "Apache-2.0",
   "author": "",
@@ -64,7 +64,7 @@
     "@types/js-levenshtein": "^1.1.0",
     "@types/ms": "^0.7.31",
     "@types/multer": "^1.4.5",
-    "@types/node": "^20.1.0",
+    "@types/node": "^22.0.0",
     "@types/passport-github": "^1.1.5",
     "@types/passport-jwt": "^4.0.0",
     "@types/passport-local": "^1.0.33",

apps/frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mitre/heimdall-lite",
-  "version": "2.10.10",
+  "version": "2.10.12",
   "description": "Heimdall-Lite 2 is a JavaScript based security results viewer and review tool supporting multiple security results formats, such as: InSpec, SonarQube, OWASP-Zap and Fortify which you can load locally or from S3 and other data sources.",
   "repository": {
     "type": "git",
@@ -44,7 +44,7 @@
     "@types/lru-cache": "^7.10.10",
     "@types/luxon": "^3.3.1",
     "@types/mustache": "^4.1.1",
-    "@types/node": "^20.1.0",
+    "@types/node": "^22.0.0",
     "@types/prismjs": "^1.16.1",
     "@types/sanitize-html": "^2.3.1",
     "@types/triple-beam": "^1.3.2",
@@ -76,7 +76,7 @@
     "file-saver": "^2.0.2",
     "highlight.js": "^11.0.0",
     "html-loader": "^5.0.0",
-    "inspecjs": "^2.10.8",
+    "inspecjs": "^2.10.11",
     "lodash": "4.17.21",
     "lru-cache": "^10.1.0",
     "luxon": "^3.0.1",

apps/frontend/src/components/cards/EvaluationInfo.vue

@@ -102,7 +102,13 @@ export default class EvaluationInfo extends Vue {
   }
 
   get duration(): string | undefined {
-    return _.get(this.file_object, 'evaluation.data.statistics.duration');
+    const duration = _.get(
+      this.file_object,
+      'evaluation.data.statistics.duration'
+    );
+    return duration === null || duration === undefined
+      ? undefined
+      : duration.toString();
   }
 
   get evaluation(): IEvaluation | undefined {

apps/frontend/src/components/cards/controltable/ControlRowCol.vue

@@ -76,7 +76,12 @@ export default class ControlRowCol extends mixins(HtmlSanitizeMixin) {
   }
 
   get resultMessage(): string | undefined {
-    return this.result.message || this.result.skip_message;
+    // Check if either `skip_message` or `message` exist
+    // If one but not the other exists, display the individual message
+    // Otherwise display both messages in a joint string
+    return this.result.skip_message && this.result.message
+      ? `-Message-\n${this.result.message}\n\n-Skip Message-\n${this.result.skip_message}`
+      : this.result.message || this.result.skip_message;
   }
 }
 </script>

apps/frontend/src/components/global/upload_tabs/FileReader.vue

@@ -35,7 +35,7 @@
                   <li>Checklist</li>
                   <li>DBProtect</li>
                   <li>Fortify</li>
-                  <li>Golang Security Checker (GoSec)</li>
+                  <li>Golang Security Checker (gosec)</li>
                   <li>Ion Channel</li>
                   <li>JFrog Xray</li>
                   <li>Nessus</li>
@@ -47,6 +47,7 @@
                   <li>Scoutsuite</li>
                   <li>Snyk</li>
                   <li>Tenable (API)</li>
+                  <li>Trufflehog</li>
                   <li>Twistlock</li>
                   <li>Veracode</li>
                   <li>XCCDF Results (native OpenSCAP and SCC outputs)</li>

apps/frontend/src/store/report_intake.ts

@@ -5,7 +5,7 @@
 import {InspecDataModule} from '@/store/data_store';
 import Store from '@/store/store';
 import {Tag} from '@/types/models';
-import {read_file_async} from '@/utilities/async_util';
+import {readFileAsync} from '@/utilities/async_util';
 import {
   ASFFResults as ASFFResultsMapper,
   BurpSuiteMapper,
@@ -14,7 +14,7 @@ import {
   DBProtectMapper,
   fingerprint,
   FortifyMapper,
-  GoSecMapper,
+  GosecMapper,
   INPUT_TYPES,
   IonChannelMapper,
   JfrogXrayMapper,
@@ -26,6 +26,7 @@ import {
   SBOMResults,
   ScoutsuiteMapper,
   SnykResults,
+  TrufflehogResults,
   TwistlockResults,
   VeracodeMapper,
   XCCDFResultsMapper,
@@ -136,7 +137,7 @@ export class InspecIntake extends VuexModule {
     const filename =
       options.file?.name || options.filename || 'Missing Filename';
     if (options.file) {
-      read = await read_file_async(options.file);
+      read = await readFileAsync(options.file);
     } else if (options.data) {
       read = options.data;
     } else {
@@ -271,9 +272,11 @@ export class InspecIntake extends VuexModule {
       case INPUT_TYPES.CHECKLIST:
         return new ChecklistResults(convertOptions.data).toHdf();
       case INPUT_TYPES.GOSEC:
-        return new GoSecMapper(convertOptions.data).toHdf();
+        return new GosecMapper(convertOptions.data).toHdf();
       case INPUT_TYPES.SBOM:
         return new SBOMResults(convertOptions.data).toHdf();
+      case INPUT_TYPES.TRUFFLEHOG:
+        return new TrufflehogResults(convertOptions.data).toHdf();
       default:
         return SnackbarModule.failure(
           `Invalid file uploaded (${filename}), no fingerprints matched.`

apps/frontend/src/utilities/async_util.ts

@@ -1,7 +1,7 @@
 /* Provides async wrappers over various common functions/tasks */
 
 /** Provides the resulting text of reading a file as a promise */
-export async function read_file_async(file: File): Promise<string> {
+export async function readFileAsync(file: File): Promise<string> {
   const reader = new FileReader();
   return new Promise((resolve, reject) => {
     reader.onerror = () => {

lerna.json

@@ -1,5 +1,5 @@
 {
   "packages": ["apps/*", "libs/*", "test"],
-  "version": "2.10.10",
+  "version": "2.10.12",
   "npmClient": "yarn"
 }

libs/hdf-converters/README.md

@@ -13,22 +13,24 @@ OHDF Converters supplies several methods to convert various types of security to
 6.  [**conveyor-mapper**] - Conveyor JSON file
 7.  [**dbprotect-mapper**] - DBProtect report in "Check Results Details" XML format
 8.  [**fortify-mapper**] - Fortify results FVDL file
-9.  [**ionchannel-mapper**] - SBOM data from Ion Channel
-10. [**jfrog-xray-mapper**] - JFrog Xray results JSON file
-11. [**nessus-mapper**] - Nessus XML results file
-12. [**netsparker-mapper**] - Netsparker XML results file
-13. [**nikto-mapper**] - Nikto results JSON file
-14. [**prisma-mapper**] - Prisma Cloud Scan Report CSV file
-15. [**sarif-mapper**] - SARIF JSON file
-16. [**sbom-mapper**] - SBOM JSON file
-17. [**scoutsuite-mapper**] - ScoutSuite results from a Javascript object
-18. [**snyk-mapper**] - Snyk results JSON file
-19. [**sonarqube-mapper**] - SonarQube vulnerabilities for the specified project name and optional branch or pull/merge request ID name from an API
-20. [**splunk-mapper**] - Splunk instance
-21. [**twistlock-mapper**] - Twistlock CLI output file
-22. [**veracode-mapper**] - Veracode Scan Results XML file
-23. [**xccdf-results-mapper**] - SCAP client XCCDF-Results XML report
-24. [**zap-mapper**] - OWASP ZAP results JSON
+9.  [**gosec-mapper**] - gosec results JSON file
+10. [**ionchannel-mapper**] - SBOM data from Ion Channel
+11. [**jfrog-xray-mapper**] - JFrog Xray results JSON file
+12. [**nessus-mapper**] - Nessus XML results file
+13. [**netsparker-mapper**] - Netsparker XML results file
+14. [**nikto-mapper**] - Nikto results JSON file
+15. [**prisma-mapper**] - Prisma Cloud Scan Report CSV file
+16. [**sarif-mapper**] - SARIF JSON file
+17. [**sbom-mapper**] - SBOM JSON file
+18. [**scoutsuite-mapper**] - ScoutSuite results from a Javascript object
+19. [**snyk-mapper**] - Snyk results JSON file
+20. [**sonarqube-mapper**] - SonarQube vulnerabilities for the specified project name and optional branch or pull/merge request ID name from an API
+21. [**splunk-mapper**] - Splunk instance
+22. [**trufflehog-mapper**] - Trufflehog results json file 
+23. [**twistlock-mapper**] - Twistlock CLI output file
+24. [**veracode-mapper**] - Veracode Scan Results XML file
+25. [**xccdf-results-mapper**] - SCAP client XCCDF-Results XML report
+26. [**zap-mapper**] - OWASP ZAP results JSON
 
 ### NOTICE
 

libs/hdf-converters/index.ts

@@ -34,6 +34,7 @@ export * from './src/scoutsuite-mapper';
 export * from './src/snyk-mapper';
 export * from './src/sonarqube-mapper';
 export * from './src/splunk-mapper';
+export * from './src/trufflehog-mapper';
 export * from './src/twistlock-mapper';
 export * from './src/utils/attestations';
 export * from './src/utils/compliance';

libs/hdf-converters/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mitre/hdf-converters",
-  "version": "2.10.8",
+  "version": "2.10.12",
   "license": "Apache-2.0",
   "description": "Converter util library used to transform various scan results into HDF format",
   "files": [
@@ -44,7 +44,7 @@
     "fast-xml-parser": "^4.2.0",
     "html-entities": "^2.3.2",
     "htmlparser2": "^9.1.0",
-    "inspecjs": "^2.10.8",
+    "inspecjs": "^2.10.11",
     "lodash": "^4.17.21",
     "moment": "^2.29.1",
     "ms": "^2.1.3",
@@ -65,7 +65,7 @@
   "devDependencies": {
     "@types/jest": "^27.0.0",
     "@types/lodash": "^4.14.161",
-    "@types/node": "^20.1.0",
+    "@types/node": "^22.0.0",
     "jest": "^27.0.6",
     "quicktype": "^15.0.260",
     "ts-jest": "^29.1.0",