Checklist metadata validation and checklist mapper severities

pack-inspecjs.bat

@@ -0,0 +1,56 @@
+ECHO OFF
+
+SET CYPRESS_INSTALL_BINARY=0
+SET PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
+
+SET original_dir=%cd%
+ECHO %original_dir%
+
+IF DEFINED npm_config_heimdall (
+  CD %npm_config_heimdall%/libs/inspecjs/
+) ELSE (
+  CD ../heimdall2/libs/inspecjs/
+)
+
+IF DEFINED npm_config_branch (
+  CALL git switch %npm_config_branch% || EXIT /B %ERRORLEVEL%
+) ELSE (
+  CALL git switch master || EXIT /B %ERRORLEVEL%
+)
+
+ECHO Executing - git fetch ...
+CALL git fetch || EXIT /B %ERRORLEVEL%
+
+ECHO Executing - git pull ...
+CALL git pull || EXIT /B %ERRORLEVEL%
+
+ECHO Executing - yarn install ...
+CALL yarn install || EXIT /B %ERRORLEVEL%
+
+ECHO Executing - yarn pack ...
+CALL yarn pack || EXIT /B %ERRORLEVEL%
+
+ECHO Finished generating the tarball
+
+CD %original_dir%
+
+ECHO Executing - npm install remote ...
+CALL npm i || EXIT /B %ERRORLEVEL%
+
+ECHO Executing - npm install local ...
+
+IF DEFINED npm_config_heimdall (
+  FOR /f "tokens=*" %%a IN ('dir /b %npm_config_heimdall%\libs\inspecjs\inspecjs-v*.tgz') DO (
+    SET THIS_TAR_ZIP=%npm_config_heimdall%\libs\inspecjs\%%a
+  )
+) ELSE (
+  FOR /f "tokens=*" %%a IN ('dir /b ..\heimdall2\libs\inspecjs\inspecjs-v*.tgz') DO (
+    SET THIS_TAR_ZIP=..\heimdall2\libs\inspecjs\%%a
+  )
+)
+CALL npm i %THIS_TAR_ZIP% || EXIT /B %ERRORLEVEL%
+
+ECHO Executing - npm run prepack ...
+CALL npm run prepack || EXIT /B %ERRORLEVEL%
+
+ECHO Install of local inspecjs complete.

pack-inspecjs.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+set -o errexit   # abort on nonzero exitstatus
+set -o nounset   # abort on unbound variable
+set -o pipefail  # don't hide errors within pipes
+
+ORIGINAL=$PWD
+echo $ORIGINAL
+
+cd "${npm_config_heimdall:-../heimdall2}"
+cd libs/inspecjs
+
+git switch "${npm_config_branch:-master}"
+
+echo "Executing - git fetch ..."
+git fetch
+
+echo "Executing - git pull ..."
+git pull
+
+echo "Executing - yarn install ..."
+CYPRESS_INSTALL_BINARY=0 PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true yarn install
+
+echo "Executing - yarn pack ..."
+yarn pack
+
+echo "Finished generating the tarball"
+
+cd "$ORIGINAL"
+
+echo "Executing - npm install remote ..."
+npm i
+
+echo "Executing - npm install local ..."
+npm i "${npm_config_heimdall:-../heimdall2}/libs/inspecjs/inspecjs-v"*".tgz"
+
+echo "Executing - npm run prepack ..."
+npm run prepack
+
+echo "Install of local inspecjs complete."

package.json

@@ -197,7 +197,10 @@
     "prepack:darwin:linux": "rm -rf lib && tsc",
     "pack-hdf-converters": "run-script-os",
     "pack-hdf-converters:win32": "pack-hdf-converters.bat",
-    "pack-hdf-converters:darwin:linux": "./pack-hdf-converters.sh"
+    "pack-hdf-converters:darwin:linux": "./pack-hdf-converters.sh",
+    "pack-inspecjs": "run-script-os",
+    "pack-inspecjs:win32": "pack-inspecjs.bat",
+    "pack-inspecjs:darwin:linux": "./pack-inspecjs.sh"
   },
   "types": "lib/index.d.ts",
   "jest": {

src/commands/convert/ckl2hdf.ts

@@ -23,7 +23,11 @@ export default class CKL2HDF extends Command {
     const data = fs.readFileSync(flags.input, 'utf8')
     checkInput({data, filename: flags.input}, 'checklist', 'DISA Checklist')
 
-    const converter = new Mapper(data, flags['with-raw'])
-    fs.writeFileSync(checkSuffix(flags.output), JSON.stringify(converter.toHdf()))
+    try {
+      const converter = new Mapper(data, flags['with-raw'])
+      fs.writeFileSync(checkSuffix(flags.output), JSON.stringify(converter.toHdf()))
+    } catch (error) {
+      console.error(`Error converting to hdf:\n${error}`)
+    }
   }
 }

src/commands/convert/hdf2ckl.ts

@@ -1,13 +1,7 @@
 import {Command, Flags} from '@oclif/core'
-import {contextualizeEvaluation} from 'inspecjs'
 import _ from 'lodash'
 import fs from 'fs'
-import {v4} from 'uuid'
-import {default as files} from '../../resources/files.json'
-import Mustache from 'mustache'
-import {CKLMetadata} from '../../types/checklist'
-import {convertFullPathToFilename, getProfileInfo} from '../../utils/global'
-import {getDetails} from '../../utils/checklist'
+import {Assettype, ChecklistMetadata, ChecklistResults as Mapper, Role, Techarea, validateChecklistMetadata} from '@mitre/hdf-converters'
 
 export default class HDF2CKL extends Command {
   static usage = 'convert hdf2ckl -i <hdf-scan-results-json> -o <output-ckl> [-h] [-m <metadata>] [-H <hostname>] [-F <fqdn>] [-M <mac-address>] [-I <ip-address>]'
@@ -25,54 +19,77 @@
     ip: Flags.string({char: 'I', required: false, description: 'IP address for CKL metadata'}),
   }
 
-  static examples = ['saf convert hdf2ckl -i rhel7-results.json -o rhel7.ckl --fqdn reverseproxy.example.org --hostname reverseproxy --ip 10.0.0.3 --mac 12:34:56:78:90']
+  static readonly examples = ['saf convert hdf2ckl -i rhel7-results.json -o rhel7.ckl --fqdn reverseproxy.example.org --hostname reverseproxy --ip 10.0.0.3 --mac 12:34:56:78:90:AB']
+
+  static readonly oldMetadataFormatMapping = {
+    'profiles[0].name': 'benchmark.title',
+    'profiles[0].title': 'benchmark.title',
+    stigguid: 'stigid',
+    role: 'role',
+    assettype: 'type',
+    hostname: 'hostname',
+    hostip: 'ip',
+    hostmac: 'mac',
+    techarea: 'tech_area',
+    targetkey: 'target_key',
+    webdbsite: 'web_db_site',
+    webdbinstance: 'web_db_site',
+  }
 
   async run() {
     const {flags} = await this.parse(HDF2CKL)
-    const contextualizedEvaluation = contextualizeEvaluation(JSON.parse(fs.readFileSync(flags.input, 'utf8')))
-    const profileName = contextualizedEvaluation.data.profiles[0].name
-    const controls = contextualizedEvaluation.contains.flatMap(profile => profile.contains) || []
-    const rootControls = _.uniqBy(controls, control =>
-      _.get(control, 'root.hdf.wraps.id'),
-    ).map(({root}) => root)
-    let cklData = {}
-    const cklMetadata: CKLMetadata = {
-      fileName: convertFullPathToFilename(flags.input),
-      benchmark: {
-        title: profileName || null,
-        version: '1',
-        plaintext: null,
-      },
-      stigid: profileName || null,
-      role: 'None',
-      type: 'Computing',
-      hostname: flags.hostname || _.get(contextualizedEvaluation, 'evaluation.data.passthrough.hostname') || null,
-      ip: flags.ip || _.get(contextualizedEvaluation, 'evaluation.data.passthrough.ip') || null,
-      mac: flags.mac || _.get(contextualizedEvaluation, 'evaluation.data.passthrough.mac') || null,
-      fqdn: flags.fqdn || _.get(contextualizedEvaluation, 'evaluation.data.passthrough.fqdn') || null,
-      tech_area: null,
-      target_key: '0',
-      web_or_database: 'false',
-      web_db_site: null,
-      web_db_instance: null,
+
+    /* Order of precedence for checklist metadata:
+      command flags (hostname, ip, etc.)
+      metadata flag
+      input hdf file passthrough.metadata
+      input hdf file passthrough.checklist.asset */
+
+    const defaultMetadata: ChecklistMetadata = {
+      role: Role.None, assettype: Assettype.Computing, webordatabase: 'false', profiles: [],
+      hostfqdn: '', hostip: '', hostmac: '', marking: '', techarea: Techarea.Empty, vulidmapping: 'id',
+      hostname: '', targetcomment: '', webdbinstance: '', webdbsite: '',
     }
+    const inputHDF = JSON.parse(fs.readFileSync(flags.input, 'utf8'))
+    const flagMetadata = {hostname: flags.hostname, hostip: flags.ip, hostmac: flags.mac, hostfqdn: flags.fqdn}
+    let fileMetadata = flags.metadata ? JSON.parse(fs.readFileSync(flags.metadata, 'utf8')) : {}
+
+    // to preserve backwards compatibility with old metadata format
+    if (flags.metadata && _.has(fileMetadata, 'benchmark')) {
+      let profile
+      if (_.has(fileMetadata, 'benchmark.version')) {
+        const version: string = _.get(fileMetadata, 'benchmark.version')
 
-    if (flags.metadata) {
-      const cklMetadataInput: CKLMetadata = JSON.parse(fs.readFileSync(flags.metadata, 'utf8'))
-      for (const field in cklMetadataInput) {
-        if (typeof cklMetadata[field] === 'string' || typeof cklMetadata[field] === 'object') {
-          cklMetadata[field] = cklMetadataInput[field]
+        // get sections of numbers in version string
+        const parsedVersion = version.split(/\D+/)
+          .filter(Boolean)
+          .map(s => Number.parseInt(s, 10))
+        profile = {version: parsedVersion[0], releasenumber: parsedVersion[1]}
+      } else {
+        profile = {}
+      }
+
+      const newFileMetadata = {profiles: [profile]}
+
+      for (const [newKey, oldKey] of Object.entries(HDF2CKL.oldMetadataFormatMapping)) {
+        const oldValue = _.get(fileMetadata, oldKey)
+        if (oldValue) {
+          _.set(newFileMetadata, newKey, oldValue)
         }
       }
+
+      fileMetadata = newFileMetadata
     }
 
-    cklData = {
-      releaseInfo: cklMetadata.benchmark.plaintext,
-      ...cklMetadata,
-      profileInfo: getProfileInfo(contextualizedEvaluation, cklMetadata.fileName),
-      uuid: v4(),
-      controls: rootControls.map(control => getDetails(control, profileName)),
+    const hdfMetadata = _.get(inputHDF, 'passthrough.metadata', _.get(inputHDF, 'passthrough.checklist.asset', {}))
+    const metadata = _.merge(defaultMetadata, hdfMetadata, fileMetadata, flagMetadata)
+    _.set(inputHDF, 'passthrough.metadata', metadata)
+
+    const validationResults = validateChecklistMetadata(metadata)
+    if (validationResults.ok) {
+      fs.writeFileSync(flags.output, new Mapper(inputHDF).toCkl())
+    } else {
+      console.error(`Error creating checklist:\n${validationResults.error.message}`)
     }
-    fs.writeFileSync(flags.output, Mustache.render(files['cklExport.ckl'].data, cklData).replaceAll(/[^\x00-\x7F]/g, ''))
   }
 }

src/commands/generate/ckl_metadata.ts

@@ -1,10 +1,51 @@
 import {Command, Flags} from '@oclif/core'
 import fs from 'fs'
 import promptSync from 'prompt-sync'
-import _ from 'lodash'
+import {Assettype, ChecklistMetadata, Role, Techarea, validateChecklistMetadata} from '@mitre/hdf-converters'
+import path from 'path'
 
 const prompt = promptSync()
 
+// Ensures that no empty strings are passed into the metadata
+// by returning undefined instead
+function enforceNonEmptyString(ask: string) : string | undefined {
+  const response = prompt({ask})
+  if (response)
+    return response
+  return undefined
+}
+
+function enforceInteger(ask: string): number {
+  let response = prompt({ask})
+  let intRep: number
+  while (true) {
+    intRep = Number.parseInt(response, 10)
+    const floatRep = Number.parseFloat(response)
+    if (intRep === floatRep && intRep >= 0 && !Number.isNaN(intRep))
+      break
+    console.log(`${response} is not a valid non-negative integer. Please try again`)
+    response = prompt({ask})
+  }
+
+  return intRep
+}
+
+function enforceEnum(ask: string, options: string[]): string | undefined {
+  // format prompt to show valid options (removes empty string options)
+  ask = `${ask} (${options.filter(Boolean).join('/')}) `
+  let response = prompt({ask})
+  while (true) {
+    if (options.includes(response))
+      break
+    if (!response)
+      return
+    console.log(`${response} is not a valid option. Please try again.`)
+    response = prompt({ask})
+  }
+
+  return response
+}
+
 export default class GenerateCKLMetadata extends Command {
   static usage = 'generate ckl_metadata -o <json-file> [-h]'
 
@@ -21,23 +62,39 @@
     const {flags} = await this.parse(GenerateCKLMetadata)
     console.log('Please fill in the following fields to the best of your ability, if you do not have a value, please leave the field empty.')
     const cklMetadata = {
-      benchmark: {
-        title: prompt({ask: 'What is the benchmark title? '}) || null,
-        version: prompt({ask: 'What is the benchmark version? '}) || null,
-        plaintext: prompt({ask: 'What is the notes for release info? '}) || null,
-      },
-      stigid: prompt({ask: 'What is the STIG ID? '}) || null,
-      role: prompt({ask: 'What is the computing role? (None/Workstation/Member Server/Domain Controller) '}) || null,
-      type: _.capitalize(prompt({ask: 'What is the asset type? (Computing/Non-Computing) '})) || null,
-      hostname: prompt({ask: 'What is the asset hostname? '}) || null,
-      ip: prompt({ask: 'What is the asset IP address? '}) || null,
-      mac: prompt({ask: 'What is the asset MAC address? '}) || null,
-      tech_area: prompt({ask: 'What is the tech area? (Application Review/Boundary Security/CDS Admin Review/CDS Technical Review/Database Review/Domain Name System (DNS)/Exchange Server/Host Based System Security (HBSS)/Internal Network/Mobility/Releasable Networks (REL)/Releaseable Networks (REL)/Traditional Security/UNIX OS/VVOIP Review/Web Review/Windows OS/Other Review) '}) || null, // Yes, these typos really are how the enumerations are defined in STIG viewer's source code
-      target_key: prompt({ask: 'What is the target key? '}) || null,
-      web_or_database: prompt({ask: 'Is the target a web or database? (y/n) '}).toLowerCase() === 'y',
-      web_db_site: prompt({ask: 'What is the Web or DB site? '}) || null,
-      web_db_instance: prompt({ask: 'What is the Web or DB instance? '}) || null,
+      profiles: [
+        {
+          name: enforceNonEmptyString('What is the benchmark name? (Must match with profile name listed in HDF) '),
+          title: enforceNonEmptyString('What is the benchmark title? '),
+          version: enforceInteger('What is the benchmark version? '),
+          releasenumber: enforceInteger('What is the benchmark release number? '),
+          releasedate: enforceNonEmptyString('What is the benchmark release date (YYYY/MM/DD)? '),
+          showCalendar: true,
+        },
+      ],
+      marking: enforceNonEmptyString('What is the marking? '),
+      hostname: enforceNonEmptyString('What is the asset hostname? '),
+      hostip: enforceNonEmptyString('What is the asset IP address? '),
+      hostmac: enforceNonEmptyString('What is the asset MAC address? '),
+      hostfqdn: enforceNonEmptyString('What is the asset FQDN? '),
+      targetcomment: enforceNonEmptyString('What are the target comments? '),
+      role: enforceEnum('What is the computing role?', Object.values(Role)),
+      assettype: enforceEnum('What is the asset type?', Object.values(Assettype)),
+      // Resulting techarea options have typos. Yes, these typos really are how the enumerations are defined in STIG viewer's source code
+      techarea: enforceEnum('What is the tech area? ', Object.values(Techarea)),
+      stigguid: enforceNonEmptyString('What is the STIG ID? '),
+      targetkey: enforceNonEmptyString('What is the target key? '),
+      webordatabase: String(enforceEnum('Is the target a web or database?', ['y', 'n']) === 'y'),
+      webdbsite: enforceNonEmptyString('What is the Web or DB site? '),
+      webdbinstance: enforceNonEmptyString('What is the Web or DB instance? '),
+      vulidmapping: enforceEnum('Use gid or id for vuln number?', ['gid', 'id']),
+    }
+    const validationResults = validateChecklistMetadata(cklMetadata as ChecklistMetadata)
+    if (validationResults.ok) {
+      fs.writeFileSync(flags.output, JSON.stringify(cklMetadata))
+      console.log(`Checklist metadata file written at: ${path.resolve(flags.output)}`)
+    } else {
+      console.error(`Unable to generate checklist metadata:\n${validationResults.error.message}`)
     }
-    fs.writeFileSync(flags.output, JSON.stringify(cklMetadata))
   }
 }