From 902f99d0c097f546230125b3b8b0706ea974eaf8 Mon Sep 17 00:00:00 2001
From: Kaden Emley
Date: Wed, 26 Jun 2024 16:47:59 -0400
Subject: [PATCH] updated ckl2hdf tests to consider third party tools
Signed-off-by: Kaden Emley
---
 .../checklist-RHEL9_overrides_hdf.json | 38 ++++++++++---------
 .../sample_input_report/RHEL9_overrides.ckl | 17 ++++++---
 .../src/ckl-mapper/checklist-mapper.ts | 4 +-
 3 files changed, 33 insertions(+), 26 deletions(-)
diff --git a/libs/hdf-converters/sample_jsons/checklist_mapper/checklist-RHEL9_overrides_hdf.json b/libs/hdf-converters/sample_jsons/checklist_mapper/checklist-RHEL9_overrides_hdf.json
index 42ef29e671..1bf9beaef6 100644
--- a/libs/hdf-converters/sample_jsons/checklist_mapper/checklist-RHEL9_overrides_hdf.json
+++ b/libs/hdf-converters/sample_jsons/checklist_mapper/checklist-RHEL9_overrides_hdf.json
@@ -32,8 +32,8 @@
 "severity": "high",
 "weight": "10.0",
 "STIGRef": "Red Hat Enterprise Linux 9 Security Technical Implementation Guide :: Version 1, Release: 3 Benchmark Date: 24 Apr 2024",
- "severityoverride": "medium",
- "severityjustification": "both N/A and overidden"
+ "severityjustification": "Testing both N/A and overidden",
+ "severityoverride": "medium"
 },
 "refs": [],
 "source_location": {},
@@ -51,7 +51,7 @@ } ], "impact": 0, - "code": "{\n \"status\": \"Not Applicable\",\n \"findingdetails\": \"\",\n \"comments\": \"\",\n \"severityoverride\": \"medium\",\n \"severityjustification\": \"both N/A and overidden\",\n \"vulnNum\": \"V-257777\",\n \"severity\": \"high\",\n \"groupTitle\": \"SRG-OS-000480-GPOS-00227\",\n \"ruleId\": \"SV-257777r925318_rule\",\n \"ruleVer\": \"RHEL-09-211010\",\n \"ruleTitle\": \"RHEL 9 must be a vendor-supported release.\",\n \"vulnDiscuss\": \"An operating system release is considered \\\"supported\\\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\\n\\nRed Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.\",\n \"iaControls\": \"\",\n \"checkContent\": \"Verify that the version or RHEL 9 is vendor supported with the following command:\\n\\n$ cat /etc/redhat-release \\n\\nRed Hat Enterprise Linux release 9.2 (Plow)\\n\\nIf the installed version of RHEL 9 is not supported, this is a finding.\",\n \"fixText\": \"Upgrade to a supported version of RHEL 9.\",\n \"falsePositives\": \"\",\n \"falseNegatives\": \"\",\n \"documentable\": \"false\",\n \"mitigations\": \"\",\n \"potentialImpact\": \"\",\n \"thirdPartyTools\": \"\",\n \"mitigationControl\": \"\",\n \"responsibility\": \"\",\n \"securityOverrideGuidance\": \"\",\n \"checkContentRef\": \"M\",\n \"weight\": \"10.0\",\n \"class\": \"Unclass\",\n \"stigRef\": \"Red Hat Enterprise Linux 9 Security Technical Implementation Guide :: Version 1, Release: 3 Benchmark Date: 24 Apr 2024\",\n \"targetKey\": \"5551\",\n \"stigUuid\": \"\",\n \"legacyId\": \"; \",\n \"cciRef\": \"CCI-000366\"\n}", + "code": "{\n \"status\": \"Not Applicable\",\n \"findingdetails\": \"\",\n \"comments\": \"\",\n 
\"severityoverride\": \"medium\",\n \"severityjustification\": \"Testing both N/A and overidden\",\n \"vulnNum\": \"V-257777\",\n \"severity\": \"high\",\n \"groupTitle\": \"SRG-OS-000480-GPOS-00227\",\n \"ruleId\": \"SV-257777r925318_rule\",\n \"ruleVer\": \"RHEL-09-211010\",\n \"ruleTitle\": \"RHEL 9 must be a vendor-supported release.\",\n \"vulnDiscuss\": \"An operating system release is considered \\\"supported\\\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\\n\\nRed Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.\",\n \"iaControls\": \"\",\n \"checkContent\": \"Verify that the version or RHEL 9 is vendor supported with the following command:\\n\\n$ cat /etc/redhat-release \\n\\nRed Hat Enterprise Linux release 9.2 (Plow)\\n\\nIf the installed version of RHEL 9 is not supported, this is a finding.\",\n \"fixText\": \"Upgrade to a supported version of RHEL 9.\",\n \"falsePositives\": \"\",\n \"falseNegatives\": \"\",\n \"documentable\": \"false\",\n \"mitigations\": \"\",\n \"potentialImpact\": \"\",\n \"thirdPartyTools\": \"\",\n \"mitigationControl\": \"\",\n \"responsibility\": \"\",\n \"securityOverrideGuidance\": \"\",\n \"checkContentRef\": \"M\",\n \"weight\": \"10.0\",\n \"class\": \"Unclass\",\n \"stigRef\": \"Red Hat Enterprise Linux 9 Security Technical Implementation Guide :: Version 1, Release: 3 Benchmark Date: 24 Apr 2024\",\n \"targetKey\": \"5551\",\n \"stigUuid\": \"\",\n \"legacyId\": \"; \",\n \"cciRef\": \"CCI-000366\"\n}", "results": [ { "status": "skipped", 
@@ -75,8 +75,8 @@
 "severity": "medium",
 "weight": "10.0",
 "STIGRef": "Red Hat Enterprise Linux 9 Security Technical Implementation Guide :: Version 1, Release: 3 Benchmark Date: 24 Apr 2024",
- "severityoverride": "low",
- "severityjustification": "Overidden"
+ "severityjustification": "Example of overridden severity",
+ "severityoverride": "low"
 },
 "refs": [],
 "source_location": {},
@@ -94,7 +94,7 @@ } ], "impact": 0.3, - "code": "{\n \"status\": \"Failed\",\n \"findingdetails\": \"\",\n \"comments\": \"\",\n \"severityoverride\": \"low\",\n \"severityjustification\": \"Overidden\",\n \"vulnNum\": \"V-257778\",\n \"severity\": \"medium\",\n \"groupTitle\": \"SRG-OS-000480-GPOS-00227\",\n \"ruleId\": \"SV-257778r925321_rule\",\n \"ruleVer\": \"RHEL-09-211015\",\n \"ruleTitle\": \"RHEL 9 vendor packaged system security patches and updates must be installed and up to date.\",\n \"vulnDiscuss\": \"Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.\",\n \"iaControls\": \"\",\n \"checkContent\": \"Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy.\\n\\nObtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. 
It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\\n\\nCheck that the available package security updates have been installed on the system with the following command:\\n\\n$ dnf history list | more\\n\\n ID | Command line | Date and time | Action(s) | Altered \\n------------------------------------------------------------------------------- \\n 70 | install aide | 2023-03-05 10:58 | Install | 1 \\n 69 | update -y | 2023-03-04 14:34 | Update | 18 EE \\n 68 | install vlc | 2023-02-21 17:12 | Install | 21 \\n 67 | update -y | 2023-02-21 17:04 | Update | 7 EE \\n\\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\\n\\nIf the system is in noncompliance with the organizational patching policy, this is a finding.\",\n \"fixText\": \"Install RHEL 9 security patches and updates at the organizationally defined frequency. If system updates are installed via a centralized repository that is configured on the system, all updates can be installed with the following command:\\n\\n$ sudo dnf update\",\n \"falsePositives\": \"\",\n \"falseNegatives\": \"\",\n \"documentable\": \"false\",\n \"mitigations\": \"\",\n \"potentialImpact\": \"\",\n \"thirdPartyTools\": \"\",\n \"mitigationControl\": \"\",\n \"responsibility\": \"\",\n \"securityOverrideGuidance\": \"\",\n \"checkContentRef\": \"M\",\n \"weight\": \"10.0\",\n \"class\": \"Unclass\",\n \"stigRef\": \"Red Hat Enterprise Linux 9 Security Technical Implementation Guide :: Version 1, Release: 3 Benchmark Date: 24 Apr 2024\",\n \"targetKey\": \"5551\",\n \"stigUuid\": \"\",\n \"legacyId\": \"; \",\n \"cciRef\": \"CCI-000366\"\n}", + "code": "{\n \"status\": \"Failed\",\n \"findingdetails\": \"\",\n \"comments\": \"\",\n \"severityoverride\": \"low\",\n \"severityjustification\": \"Example of overridden severity\",\n \"vulnNum\": \"V-257778\",\n \"severity\": 
\"medium\",\n \"groupTitle\": \"SRG-OS-000480-GPOS-00227\",\n \"ruleId\": \"SV-257778r925321_rule\",\n \"ruleVer\": \"RHEL-09-211015\",\n \"ruleTitle\": \"RHEL 9 vendor packaged system security patches and updates must be installed and up to date.\",\n \"vulnDiscuss\": \"Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.\",\n \"iaControls\": \"\",\n \"checkContent\": \"Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy.\\n\\nObtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\\n\\nCheck that the available package security updates have been installed on the system with the following command:\\n\\n$ dnf history list | more\\n\\n ID | Command line | Date and time | Action(s) | Altered \\n------------------------------------------------------------------------------- \\n 70 | install aide | 2023-03-05 10:58 | Install | 1 \\n 69 | update -y | 2023-03-04 14:34 | Update | 18 EE \\n 68 | install vlc | 2023-02-21 17:12 | Install | 21 \\n 67 | update -y | 2023-02-21 17:04 | Update | 7 EE \\n\\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\\n\\nIf the system is in noncompliance with the organizational patching policy, this is a finding.\",\n \"fixText\": \"Install RHEL 9 security patches and updates at the organizationally defined frequency. 
If system updates are installed via a centralized repository that is configured on the system, all updates can be installed with the following command:\\n\\n$ sudo dnf update\",\n \"falsePositives\": \"\",\n \"falseNegatives\": \"\",\n \"documentable\": \"false\",\n \"mitigations\": \"\",\n \"potentialImpact\": \"\",\n \"thirdPartyTools\": \"\",\n \"mitigationControl\": \"\",\n \"responsibility\": \"\",\n \"securityOverrideGuidance\": \"\",\n \"checkContentRef\": \"M\",\n \"weight\": \"10.0\",\n \"class\": \"Unclass\",\n \"stigRef\": \"Red Hat Enterprise Linux 9 Security Technical Implementation Guide :: Version 1, Release: 3 Benchmark Date: 24 Apr 2024\",\n \"targetKey\": \"5551\",\n \"stigUuid\": \"\",\n \"legacyId\": \"; \",\n \"cciRef\": \"CCI-000366\"\n}", "results": [ { "status": "failed", @@ -123,9 +123,11 @@ "AC-8 c 2", "AC-8 c 3" ], - "severity": "medium", + "severity": "critical", "weight": "10.0", - "STIGRef": "Red Hat Enterprise Linux 9 Security Technical Implementation Guide :: Version 1, Release: 3 Benchmark Date: 24 Apr 2024" + "STIGRef": "Red Hat Enterprise Linux 9 Security Technical Implementation Guide :: Version 1, Release: 3 Benchmark Date: 24 Apr 2024", + "severityjustification": "Example high justification", + "severityoverride": "high" }, "refs": [], "source_location": {}, 
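Review bot: In the `@@ -123,9 +123,11 @@` hunk the expected `severity` for this control flips from `medium` to `critical` while the same hunk adds `"severityoverride": "high"`, so the fixture now appears to rely on the `hdfSpecificData.severity` value (written into this control's `thirdPartyTools` later in the diff) taking precedence over the checklist's own severity override. If that precedence is intentional it is worth pinning on its own rather than only through this combined case, for example one control that carries `severityoverride` alone and one that carries `hdfSpecificData` alone, so a regression in either path is not masked by the other. JSON fixtures cannot carry a comment, so the precedence rule is best stated in the mapper's TSDoc or the test description.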
@@ -142,18 +144,18 @@ "label": "fix" } ], - "impact": 0, - "code": "{\n \"status\": \"Not Applicable\",\n \"findingdetails\": \"\",\n \"comments\": \"\",\n \"severityoverride\": \"\",\n \"severityjustification\": \"\",\n \"vulnNum\": \"V-257779\",\n \"severity\": \"medium\",\n \"groupTitle\": \"SRG-OS-000023-GPOS-00006\",\n \"ruleId\": \"SV-257779r925324_rule\",\n \"ruleVer\": \"RHEL-09-211020\",\n \"ruleTitle\": \"RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.\",\n \"vulnDiscuss\": \"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\\n\\nSystem use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.\\n\\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088\",\n \"iaControls\": \"\",\n \"checkContent\": \"Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon.\\n\\nCheck that a banner is displayed at the command line login screen with the following command:\\n\\n$ sudo cat /etc/issue\\n\\nIf the banner is set correctly it will return the following text:\\n\\n\\\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\\\"\\n\\nIf the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding.\",\n \"fixText\": \"Configure RHEL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via command line logon.\\n\\nEdit the \\\"/etc/issue\\\" file to replace the default text with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is:\\n\\n\\\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\\\"\",\n \"falsePositives\": \"\",\n \"falseNegatives\": \"\",\n \"documentable\": \"false\",\n \"mitigations\": \"\",\n \"potentialImpact\": \"\",\n \"thirdPartyTools\": \"\",\n \"mitigationControl\": \"\",\n \"responsibility\": \"\",\n \"securityOverrideGuidance\": \"\",\n \"checkContentRef\": \"M\",\n \"weight\": \"10.0\",\n \"class\": \"Unclass\",\n \"stigRef\": \"Red Hat Enterprise Linux 9 Security Technical Implementation Guide :: Version 1, Release: 3 Benchmark Date: 24 Apr 2024\",\n \"targetKey\": \"5551\",\n \"stigUuid\": \"\",\n \"legacyId\": \"; \",\n \"cciRef\": \"CCI-000048; CCI-001384; CCI-001385; CCI-001386; CCI-001387; CCI-001388\"\n}", + "impact": 1, + "code": "{\n \"status\": \"Failed\",\n \"findingdetails\": \"\",\n \"comments\": \"\",\n \"severityoverride\": \"high\",\n \"severityjustification\": \"Example high justification\",\n \"vulnNum\": \"V-257779\",\n \"severity\": \"medium\",\n \"groupTitle\": \"SRG-OS-000023-GPOS-00006\",\n \"ruleId\": \"SV-257779r925324_rule\",\n \"ruleVer\": \"RHEL-09-211020\",\n \"ruleTitle\": \"RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.\",\n \"vulnDiscuss\": \"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\\n\\nSystem use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.\\n\\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088\",\n \"iaControls\": \"\",\n \"checkContent\": \"Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon.\\n\\nCheck that 
a banner is displayed at the command line login screen with the following command:\\n\\n$ sudo cat /etc/issue\\n\\nIf the banner is set correctly it will return the following text:\\n\\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\\\"\\n\\nIf the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding.\",\n \"fixText\": \"Configure RHEL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via command line logon.\\n\\nEdit the \\\"/etc/issue\\\" file to replace the default text with the Standard Mandatory DOD Notice and Consent Banner. 
The DOD-required text is:\\n\\n\\\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\\\"\",\n \"falsePositives\": \"\",\n \"falseNegatives\": \"\",\n \"documentable\": \"false\",\n \"mitigations\": \"\",\n \"potentialImpact\": \"\",\n \"thirdPartyTools\": \"{\\n \\\"hdfSpecificData\\\": {\\n \\\"impact\\\": 1.0,\\n \\\"severity\\\": \\\"critical\\\"\\n }\\n}\",\n \"mitigationControl\": \"\",\n \"responsibility\": \"\",\n \"securityOverrideGuidance\": \"\",\n \"checkContentRef\": \"M\",\n \"weight\": \"10.0\",\n \"class\": \"Unclass\",\n \"stigRef\": \"Red Hat Enterprise Linux 9 Security Technical Implementation Guide :: Version 1, Release: 3 Benchmark Date: 24 Apr 2024\",\n \"targetKey\": \"5551\",\n \"stigUuid\": \"\",\n \"legacyId\": \"; \",\n \"cciRef\": \"CCI-000048; CCI-001384; CCI-001385; CCI-001386; CCI-001387; CCI-001388\"\n}", "results": [ { - "status": "skipped", + "status": "failed", "code_desc": "", "start_time": "" } ] } ], - "sha256": "00f87a504cf45ffd51818a8d9ff76bcaf1c5ac0902c2e62e32de0d6ef476f393" + "sha256": "d1031b0668c47e35a3840ba84bf9d89f1522c3dcd3a8ab27da031f1abbccb922" } ], "passthrough": { @@ -194,7 +196,7 @@ "findingdetails": "", "comments": "", "severityoverride": "medium", - "severityjustification": "both N/A and overidden", + "severityjustification": "Testing both N/A and overidden", "vulnNum": "V-257777", "severity": "high", "groupTitle": "SRG-OS-000480-GPOS-00227", @@ -228,7 +230,7 @@ "findingdetails": "", "comments": "", "severityoverride": "low", - "severityjustification": "Overidden", + "severityjustification": "Example of overridden severity", "vulnNum": "V-257778", "severity": "medium", "groupTitle": "SRG-OS-000480-GPOS-00227", 
@@ -258,11 +260,11 @@ "cciRef": "CCI-000366" }, { - "status": "Not Applicable", + "status": "Failed", "findingdetails": "", "comments": "", - "severityoverride": "", - "severityjustification": "", + "severityoverride": "high", + "severityjustification": "Example high justification", "vulnNum": "V-257779", "severity": "medium", "groupTitle": "SRG-OS-000023-GPOS-00006", @@ -278,7 +280,7 @@ "documentable": "false", "mitigations": "", "potentialImpact": "", - "thirdPartyTools": "", + "thirdPartyTools": "{\n \"hdfSpecificData\": {\n \"impact\": 1.0,\n \"severity\": \"critical\"\n }\n}", "mitigationControl": "", "responsibility": "", "securityOverrideGuidance": "", diff --git a/libs/hdf-converters/sample_jsons/checklist_mapper/sample_input_report/RHEL9_overrides.ckl b/libs/hdf-converters/sample_jsons/checklist_mapper/sample_input_report/RHEL9_overrides.ckl index 9514e2f09c..2eefd20e53 100644 --- a/libs/hdf-converters/sample_jsons/checklist_mapper/sample_input_report/RHEL9_overrides.ckl +++ b/libs/hdf-converters/sample_jsons/checklist_mapper/sample_input_report/RHEL9_overrides.ckl @@ -188,7 +188,7 @@ If the installed version of RHEL 9 is not supported, this is a finding. medium - both N/A and overidden + Testing both N/A and overidden @@ -326,7 +326,7 @@ $ sudo dnf update low - Overidden + Example of overridden severity @@ -433,7 +433,12 @@ By using this IS (which includes any device attached to this IS), you consent to Third_Party_Tools - + { + "hdfSpecificData": { + "impact": 1.0, + "severity": "critical" + } +} Mitigation_Control @@ -503,11 +508,11 @@ By using this IS (which includes any device attached to this IS), you consent to CCI_REF CCI-001388 - Not_Applicable + Open - - + high + Example high justification diff --git a/libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts b/libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts index 816bc29049..dcb77360f5 100644 --- a/libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts 
+++ b/libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts
@@ -509,8 +509,8 @@ export class ChecklistMapper extends BaseConverter {
 code: {
 transformer: (vulnerability: ChecklistVuln): string => {
 const data = parseJson(vulnerability.thirdPartyTools);
- if (data.ok) {
- return data.value.hdfSpecificData?.code;
+ if (data.ok && data.value.hdfSpecificData.code) {
+ return data.value.hdfSpecificData.code;
 }
 return JSON.stringify(vulnerability, null, 2);
 }
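Review bot: Dropping the optional chain in the new condition `data.ok && data.value.hdfSpecificData.code` makes the transformer throw a TypeError whenever `Third_Party_Tools` holds valid JSON that is not HDF-shaped — `{}`, a bare string or number, or `null` — which is exactly the third-party-tool content this commit sets out to tolerate; the removed `?.` returned `undefined` in that case, the new code crashes the whole conversion. Because the field is free text read from the checklist file, guard every step and pin the declared `string` return type at the same time: `if (data.ok && typeof data.value?.hdfSpecificData?.code === 'string') {` followed by `return data.value.hdfSpecificData.code;`. Whether `data.value` is typed loosely enough for `?.` to pass lint depends on `parseJson`'s return type, which is outside the hunk; the enclosing mapping object continues outside the hunk on both sides.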