Hdf2ckl severity #5866
Signed-off-by: kemley76 <kemley@mitre.org>
georgedias
left a comment
Please see my inline comments
Amndeep7
left a comment
Currently the behavior is severity if it's there, otherwise fall back to impact.
What happens if there is a security override coming from a ckl? What should the behavior be then? I think the behavior should be the override if it's there, then the severity, then fall back to impact.
What should we do about the severity override justification? Should that be shown in the details tab?
Questions for @ejaronne
a08b5de to 62cedce
One last behavioral change was made here:
…verity Signed-off-by: kemley76 <kemley@mitre.org>
5577f51 to 65237ef
This pull request has a conflict. Could you fix it @kemley76?
* use severity tag in hdf2ckl mapping
* use default values in severity check
* update hdf2ckl test
* fix inconsistencies with how severity is computed and displayed
* linting
* add clarifying comments for severity computation
* update ckl2hdf tests
* remove unnecessary lowercase conversion
* show severityoverride and severity justification in details panel
* severity override info displayed in results table
* format results view impact column to show severity as well
* linting
* added severity and severity overrides to hdf2ckl and ckl2hdf
* ensure severity low and critical get mapped properly in hdf2ckl
* fix fallbacks in ControlRowHeader for showing severity override
* linting
* split impact and severity into two columns
* linting
* add information labels on severity and impact table headers
* linting
* add visual spacing between delta and severity level for overridden severity
* update impact ranges for results table header tooltip
* removed transparency from v-tooltip backgrounds
* refactor checklist mapper to use result type when parsing JSON
* use severity from Third_Party_Tools section if present upon ckl2hdf
* ensure that impact is computed using computed severity upon ckl2hdf
* add data to ckl thirdPartyTools to ensure hdf's severity and impact are preserved
* add severityoverride tag to control when impact and severity differ
* recombine severity into impact column and indicate if they differ
* linting
* add ability to filter controls by the presence of specific tags
* create InfoCardRow component to alert user to any severity overrides
* bring back severity column
* linting
* remove impact column, only showing severity
* revert changes to include severityoverride when severity and impact differ
* ensure hdf to ckl to hdf doesn't add extra metadata
* update hdf2ckl test
* linting
* remove extra code leftover from removed impact column
* removed ts specific code tested in frontend test that caused error
* linting
* updated ckl2hdf tests to consider third party tools
* add checklist with overrides file to sample files
* expanded checklist override test to include non-overridden vuln severities
* added frontend test to ensure severity overrides can be filtered properly
* add cypress test to ensure severity override labels appear
* clean up vue logic for severity override display
* account for non-lowercase severity tags
* remove unneeded code bits
* fix sample loading in cypress test
* fix hdf2checklist third party tools computation
* update control search help menu with tag filter
* fixed issue with critical severity being lost in hdf to ckl to hdf
* fix logic and complexity of hdf2ckl addHdfSpecificData
* linting
* accounted for possibility of nil severity tag when doing hdf2ckl
* add severity name constants in inspecJs as utility
* added test util for version replacement for ckl and xccdf reverse testing
* add parseJson to util file with better return type
* relocate ckl2hdf helper function
* refactor hdf2ckl computeImpact to use standard util function
* remove redundant 'active-class' in results table's chips
* fix weird autoformatting instances in vue
* fix comment typo
* fix messed up test in checklist reverse mapper
* fix typo (Co-authored-by: Amndeep Singh Mann <amann@mitre.org>)
* refactored to remove unnecessary type casting
* use more representative type for JSON parse output
* simplify ckl mapper helper function
* linting
* remove unused imports
* export inspecJS function for converting impact into severity
* restart CI

---------
Signed-off-by: kemley76 <kemley@mitre.org>
Signed-off-by: Kaden Emley <kemley@mitre.org>
Co-authored-by: Amndeep Singh Mann <amann@mitre.org>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
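The precedence @Amndeep7 asks about in the review (override if present, then the severity tag, then impact) and the edge cases the commit list touches (non-lowercase tags, a missing severity tag, the low and critical bands, and flagging controls whose severity disagrees with their impact) can be shown in one small resolver. The TypeScript below is an added example, not code from heimdall2 or from this PR. The tag names `severity`, `severityoverride` and `severityjustification`, the `ControlLike` shape and the function names are assumptions for the example; the impact bands follow InSpec's documented impact ranges and are assumed to match the tooltip the PR added.

```typescript
// Added example (not heimdall2's own code): resolve the severity a control
// should display using the precedence discussed in the PR:
//   severity override (e.g. carried in from a CKL) > explicit severity tag > impact band.
// Impact bands follow InSpec's documented ranges (assumed to match the PR's tooltip).

type Severity = 'none' | 'low' | 'medium' | 'high' | 'critical';

const SEVERITIES: readonly Severity[] = ['none', 'low', 'medium', 'high', 'critical'];

// Minimal shape of an HDF control for this example (field names assumed).
interface ControlLike {
  impact?: number;
  tags?: {
    severity?: unknown;
    severityoverride?: unknown;
    severityjustification?: string;
  };
}

// Map a numeric impact onto a severity band; a missing or NaN impact is 'none'.
function impactToSeverity(impact: number | undefined): Severity {
  if (impact === undefined || Number.isNaN(impact)) return 'none';
  if (impact < 0.01) return 'none';
  if (impact < 0.4) return 'low';
  if (impact < 0.7) return 'medium';
  if (impact < 0.9) return 'high';
  return 'critical';
}

// Normalise a tag value: it may be absent, not a string, or mixed case.
// Anything that is not a known severity name is treated as missing so that
// a malformed tag falls through to the next source instead of being trusted.
function parseSeverityTag(value: unknown): Severity | undefined {
  if (typeof value !== 'string') return undefined;
  const lowered = value.trim().toLowerCase();
  return (SEVERITIES as readonly string[]).includes(lowered) ? (lowered as Severity) : undefined;
}

interface ResolvedSeverity {
  severity: Severity;
  source: 'override' | 'tag' | 'impact'; // which rule produced the value
  justification?: string;                 // only meaningful for an override
}

function resolveSeverity(control: ControlLike): ResolvedSeverity {
  const tags = control.tags ?? {};
  const override = parseSeverityTag(tags.severityoverride);
  if (override !== undefined) {
    return { severity: override, source: 'override', justification: tags.severityjustification };
  }
  const tag = parseSeverityTag(tags.severity);
  if (tag !== undefined) return { severity: tag, source: 'tag' };
  return { severity: impactToSeverity(control.impact), source: 'impact' };
}

// True when the displayed severity disagrees with the impact band, which is
// the situation the PR surfaces to the user in the results table.
function severityDiffersFromImpact(control: ControlLike): boolean {
  return resolveSeverity(control).severity !== impactToSeverity(control.impact);
}
```

Keeping the `source` in the result is what lets a UI show the "overridden" marker and the justification only when the override rule actually fired, rather than whenever the tag happens to be present.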
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
…6239)
* testing tsconfig changes with inspecjs
* make inspecjs's tsconfig match what we have in ts-inspec-objects and the saf cli aside from the bonus stuff coming from the top level tsconfig
* comments are fine actually
* reorder toplevel tsconfig changes to match the order i'm introducing in other places
* cleanup includes and excludes in tsconfig for hdfconverters and inspecjs
* improve types for reverse converters
* lint everything
* match new style tsconfig
* swap to my fork of retry-axios until the pr is merged
* needed to be a branch that included the compiled artifacts
* maybe this override keyword is what is causing the undefined issue
* ok maybe it's the initialization in the first place so let's try using declare
* let's make it consistent and use declare in both locations then
* types are also .ts so don't need to have separate include for them
* updated common libs
* simplified includes by getting rid of the duplicative ts entry
* eslint applies to everything
* i do not think that the cypress dependency needs to be in the include either but i guess we'll see
* get rid of those values but no replacements yet in tsconfig for cypress tests
* bring in the standard tsconfig
* we don't need the types attribute
* upgrade backend tsconfig
* forgot to update lib to esnext instead of es2020
* there's no dom in the backend
* removed unnecessary (ex. syntheticimports is enabled by default with esmoduleinterop), duplicative (ex. module resolution defined upstream), and unwanted (eg. tsx) things while cleaning stuff up
* i think these files are unnecessary
* frontend was directly importing winston logger stuff from hdf converters which is not something we should do - in the eslint pr should go through and actually replace it with a winston utility here
* we're still leaving that cjs life so can use __dirname - might change back in the future idk
* given up on .ts only and made the vitest file mts so that we could use the rootdir in that format and also not have to deal with async importing of the vitest config dep
* just reordered imports
* brought over as much as possible of the standard tsconfig. the big difference is the module and moduleresolution which i couldn't move to nodenext just cause of how old the stack is and how it was not playing nice with the type resolution
* transition code to re-enable useunknownincatchvariables
* transition code to re-enable useunknownincatchvariables
* transition code to re-enable useunknownincatchvariables
* transition code to re-enable useunknownincatchvariables
* have transitioned as much as possible to the top level tsconfig
* fix typo - unnecessary comma
* remove unused component - no longer necessary as of #5866
* remove unnecessary file - vitest apparently does not choke on this like jest did
* remove hdf converters direct dependency on ms since its use was removed in this pr: #5588
* Non-relative paths are not allowed when 'baseUrl' is not set.
* tailwindcss updated again
* does not seem like @types/triple-beam is necessary anymore in hdfconverters
* frontend tests sometimes flake due to timeout so let's increase the time
* idk why it didn't catch it before but there's a type mismatch that occurs there when we're trying to manually assign the type to the imported module so let's just not and it works :)
* updated yarn lock
* if there are foreign keys between the models then concurrent deletes could create a lock cycle so we can instead run truncate which just kills the entire db properly as opposed to doing it ourselves model by model
* updates from master
* cleaned up and made imports/excludes more consistent
* changing from our old targets to esnext enabled usedefineforclassfields (as opposed to the previous default of leaving it disabled) which mucks up vue2 dynamically injecting props since it expects nothing to be there but something *was* there (cause of the implicit define). an alternative solution would've been using declare on like every single prop but that sounds like a massive pain where the real solution is to move to vue3 + composition api.
* unnecessary dependency: supertest
* htmlparser2 moved to esm only so forced to go with the factory approach for making the function and then have to wrap all of the mapper classes with results classes that would have the ability to do async call on the factory func
* remove direct dependency on concat-streams from frontend; original use was moved from a component to a utility in #1449 and then its functionality was replaced by a different dependency in #4410
* when we changed it to throw an actual error instead of a string, didn't update the logic here properly esp since json.stringify of an instanceof error fails out as {}
* improve flow for checkSplunkCredential so that the timeout throw works properly
* we had an axios interceptor that would logout the app when it would see any 401; however, we could get 401s from other places like splunk login attempts. if a login failed there and returned a 401, it would logout the heimdall app entirely which doesn't make any sense. in order to determine if the 401 came from heimdall or from a different app, we have to have the externalurl var available so made that change.
* expected error string is slightly different
* does not appear like we use triple-beam
* sonarqube
* express-rate-limit got native types as of v6
* bcryptjs added builtin types as of v3
* we don't have a direct dependency on passport-oauth2 tho some of the other strategies we have do use it
* we don't have a direct dependency on pg though we do have an indirect one via connect-pg-simple
* linter
* backend doesn't interact with ts-loader anymore
* when we moved the html export to hdf converters, didn't get rid of this dependency within the frontend
* frontend directly uses lru-cache ^11 (as of now), and lru-cache added better types as of v8 so the @types is no longer necessary
* when we moved the html converter out, mustache was another forgotten dependency
* doesn't seem like we use these anymore
* connect was dropped in replacement for also using express for the 'npx heimdall-lite' command
* i dunno if we ever actually used this dependency
* turns out you still need reflect-metadata due to supporting the necessary polyfills required for the experimental decorator functionality
* cut down d3 dependency to only the subpackages we actually need
* turns out we still need class-transformer on the backend for nestjs's validationpipe
* not sure if html-loader was ever used, seemed to be introduced here when they were experimenting with adding svg support: mitre/heimdall-lite#153
* sonarqube
* no direct dependency on highlightjs
* don't seem to have ever used the vuetify loader
* no longer use sinon for testing
* forgot about the test dir in inspecjs
* wait nvm
* we don't use typedoc to generate documentation
* do not use quicktype in hdf-converters tho we do use it in inspecjs
* actually it does seem like we use it but implicitly
* lodash is used in the backend so it should be imported
* merge
* sonarqube

---------
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
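The axios-interceptor commit in the list above describes a real pitfall: treating every 401 as "our session expired" lets a failed login to a third-party integration (the Splunk example) log the user out of the app itself. The fix described there is to know the app's own external URL and only act on 401s that came from it. The TypeScript below is an added example of that decision, not code from heimdall2 or from the merged commit; the names `shouldLogoutOn401`, `classifyResponse`, `ResponseLike` and the `appExternalUrl` parameter are assumptions, and only Node's global `URL` is used.

```typescript
// Added example (not heimdall2's own code): decide whether a 401 response
// should end the app session. Only a 401 from the app's own backend (the
// configured external URL) means the session is invalid; a 401 from a
// third-party integration such as a Splunk login attempt is that
// integration's failure and must not log the user out of the app.

interface ResponseLike {
  status: number;
  requestUrl: string; // the URL the request was actually sent to (absolute or relative)
}

// Compare by origin (scheme + host + port), not by string prefix, so that a
// host like "heimdall.example.com.attacker.test" is not mistaken for our backend.
// Relative request URLs are resolved against the app URL, as a browser would.
function sameOrigin(requestUrl: string, appExternalUrl: string): boolean {
  try {
    const request = new URL(requestUrl, appExternalUrl);
    const app = new URL(appExternalUrl);
    return request.origin === app.origin;
  } catch {
    return false; // unparsable URL: treat as foreign, never as our own backend
  }
}

function shouldLogoutOn401(response: ResponseLike, appExternalUrl: string): boolean {
  return response.status === 401 && sameOrigin(response.requestUrl, appExternalUrl);
}

// What an interceptor should do with a response: end the session, surface the
// integration's error to the user, or nothing.
type Action = 'logout' | 'surface-error' | 'none';

function classifyResponse(response: ResponseLike, appExternalUrl: string): Action {
  if (response.status !== 401) return 'none';
  return shouldLogoutOn401(response, appExternalUrl) ? 'logout' : 'surface-error';
}
```

Origin comparison is deliberately used instead of `startsWith`: a prefix check on the app URL passes for a hostname that merely begins with the app's hostname, and it also breaks when the app is served on its scheme's default port and the request URL spells the port out.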
Fix to #5842.