Add convert CCI list workflow #6336
why did just this sample file for this mapper get changed and not any of the other samples for this mapper or any other mapper at all?
In the HDF Converters tests GitHub Action, heimdall2/libs/hdf-converters/test/mappers/forward/xccdf_mapper.spec.ts was purely failing for the SCAP ubuntu 1804 test, but none of the others. The failed test comprised a bunch of key/value pairs like "ident": undefined and the like, and upon me looking into where those values come from, those key/value pairs don't show up in the resulting JSON since JSON.stringify removes pairs with undefined values. Anyhow, that was the diff I saw on GitHub Actions.

Upon locally running the same test file, I saw some other test files (for different mappers) fail due to async file loading, even though those respective tests didn't seem to fail on GitHub Actions. The XCCDF test file strangely didn't have the same failing error as the GitHub Actions one. But upon regenerating the relevant "expected" HDF of that particular ubuntu 1804 test, I did a git diff and saw that some of the NIST tags changed for existing CCIs. Just as a shot in the dark, I reckoned to commit that, and it looked like this particular test finally turned green. (Perhaps that is not "the" solution though.)

TLDR: Local HDF Converters tests didn't seem to have consistent results with the GitHub Actions' ones. Maybe witchcraft?
libs/hdf-converters/src/mappings/NistCciMappingData.ts
Current state: Defines some default CCI values for a select set of NIST tags.
Desired state: Eugene is ideally working on doing a refresh of this data.

libs/hdf-converters/src/utils/global.ts
Current state: Amongst other things, it defines some constants related to NIST/CCIs and the getCCIsForNISTTags function.
Desired state: Relevant constants and that function are moved over to libs/hdf-converters/src/mappings/CciNistMapping.ts.

libs/hdf-converters/src/mappings/CciNistMappingData.ts
Current state: Currently exposes an object called 'data' that contains the CCI/Nist mapping.
Desired state: As already described in the peer review, I want you to turn this into two separate files that each contain a raw json blob (i.e. no 'export const data = {' stuff necessary). The first file contains the object mapping CCI to latest NIST rev. The second file contains CCI to its description.

libs/hdf-converters/src/utils/CCI_List.ts
Current state: It is used in CciNistMapping.ts to help define the two way nist/cci mapper.
Desired state: Deleted

libs/hdf-converters/src/mappings/CciNistMappingItem.ts
Current state: Used to define a cci/nist mapping for use in the array form of the data which imo is pretty dumb.
Desired state: Deleted

libs/hdf-converters/src/mappings/CciNistMapping.ts
Current state: Defines several types that define the JSON object generated by the xml parser run against CCI_LIST.
Desired state: Those constants defined in global are now moved here, and we've defined more constants here that expose the raw json blobs.

You'll then need to update the mappers and other locations as appropriate.

Future work
- Update libs/inspecjs/src/raw_nist.ts to ensure that our NIST tags are all up to date. Maybe find out a way to automate this process.
- Review the rest of what's going on in this mappings directory to see if we can simplify implementations / reduce redundancies like we're doing now with the nist/cci stuff.
```typescript
export const NIST_TO_CCI: Record<string, string[]> = nistToCciData;

export const HANDCRAFTED_DEFAULT_NIST_TO_CCI = {
```
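Review bot: HANDCRAFTED_DEFAULT_NIST_TO_CCI sits next to NIST_TO_CCI as a second NIST->CCI table, but nothing in this hunk states or enforces how the two relate. The author's comment on this hunk says entries already present in NIST_TO_CCI were removed from the handcrafted map, so that invariant (handcrafted keys never overlap NIST_TO_CCI keys) and the lookup order between the two tables deserve a doc comment on the constant, and ideally a spec test asserting the non-overlap so it survives the next data refresh.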
The difference between this HANDCRAFTED_DEFAULT_NIST_TO_CCI and old data is that I removed NIST->CCI mappings in data that were otherwise already existing in NIST_TO_CCI.
Copilot reviewed 164 out of 178 changed files in this pull request and generated no suggestions.
Files not reviewed (14)
- libs/hdf-converters/package.json: Language not supported
- libs/hdf-converters/sample_jsons/anchore_grype_mapper/amazon-grype-hdf.json: Language not supported
- libs/hdf-converters/sample_jsons/anchore_grype_mapper/amazon-grype-withraw.json: Language not supported
- libs/hdf-converters/sample_jsons/anchore_grype_mapper/anchore-grype-hdf.json: Language not supported
- libs/hdf-converters/sample_jsons/anchore_grype_mapper/anchore-grype-withraw.json: Language not supported
- libs/hdf-converters/sample_jsons/anchore_grype_mapper/tensorflow-grype-hdf.json: Language not supported
- libs/hdf-converters/sample_jsons/anchore_grype_mapper/tensorflow-grype-withraw.json: Language not supported
- libs/hdf-converters/sample_jsons/asff_mapper/asff-aws_foundational_security_best_practices_v1.0.0-hdf.json: Language not supported
- libs/hdf-converters/sample_jsons/asff_mapper/asff-cis_aws-foundations_benchmark_v1.2.0-hdf.json: Language not supported
- libs/hdf-converters/sample_jsons/asff_mapper/prowler-hdf.json: Language not supported
- libs/hdf-converters/sample_jsons/asff_mapper/trivy-image_golang-1.12-alpine-hdf.json: Language not supported
- libs/hdf-converters/sample_jsons/burpsuite_mapper/burpsuite-hdf-withraw.json: Language not supported
- libs/hdf-converters/sample_jsons/burpsuite_mapper/burpsuite-hdf.json: Language not supported
- libs/hdf-converters/sample_jsons/checklist_mapper/converted-RHEL8V1R3.ckl: Language not supported
Comments skipped due to low confidence (1)
libs/hdf-converters/data/converters/cciListXml2json.ts:64
- The error message is unclear. It should specify the names of the output files.
console.error('You must provide the path to the input and three output files.');
Signed-off-by: Joyce Quach <[email protected]>
…cci_util.ts, and add NIST_DESCRIPTIONS array produced from cciListXml2json Signed-off-by: Joyce Quach <[email protected]>
… it every month Signed-off-by: Joyce Quach <[email protected]>
…rsion from Signed-off-by: Joyce Quach <[email protected]>
…s/CciNistMapping.ts Signed-off-by: Joyce Quach <[email protected]>
…SON file and check in that file Signed-off-by: Joyce Quach <[email protected]>
…te obsolete files Signed-off-by: Joyce Quach <[email protected]>
…nction Signed-off-by: Joyce Quach <[email protected]>
… static analysis tags if there are already existing found NIST tags and/or mapped CCI->NIST tags Signed-off-by: Joyce Quach <[email protected]>
…lt NIST and CCI tags discussion Signed-off-by: Joyce Quach <[email protected]>
…ONIX is an empty string representing the serialized CCI tags Signed-off-by: Joyce Quach <[email protected]>
This PR adds on improvements and code cleanup to the NIST to CCI and CCI to NIST mappings that are to be used in #3315, so NIST and CCI tags are displayed at the highest Revision. All of the X->HDF mappers are updated to reflect the NIST<->CCI mapping changes. This PR should also resolve this issue: #6359, where the reported behavior on master has it so when CCI tags are mapped to NIST tags, if a CCI tag has no NIST tag mapping, the libs/hdf-converters/src/mappings/CciNistMapping.ts's CciNistTwoWayMapper.findMatchingCciIdsByNistControl method tries to find that NIST tag's parent and sibling NIST tags, which is incorrect. That private method is used by the public CciNistTwoWayMapper.cciFilter method, which is used in libs/hdf-converters/src/ckl-mapper/checklist-jsonix-converter.ts (CKL->jsonix, where jsonix is used for jsonix->HDF).

List of changes/improvements:
- U_CCI_List.cci.json (NIST tags->CCI tags), U_CCI_List.defs.json (NIST tag->NIST definitions), U_CCI_List.nist.json (CCI tags->NIST tags) using a script called cciListXml2json (more details below)
- argparse library and updated documentation to reflect the script's usage.
- apps/frontend/src/utilities/cci_util.ts, libs/hdf-converters/src/mappings/CciNistMappingItem.ts, libs/hdf-converters/src/utils/CCI_List.ts since they are redundant with the below files
- libs/hdf-converters/src/mappings/NistCciMappingData.ts, libs/hdf-converters/src/mappings/CciNistMappingData.ts, libs/hdf-converters/src/mappings/CciNistMapping.ts since they originally had redundant functionality with the xml2json/cciListXml2json script and mapped CCI tags to any/all NIST tags regardless of their Revision. The referenced PR would refer to the "third" NIST tag in an array of NIST tags that a CCI tag maps to, and without indication of what Revision that NIST tag comes from, but that third NIST tag may not always exist.
- libs/hdf-converters/src/utils/global.ts to libs/hdf-converters/src/mappings/CciNistMappingData.ts
- libs/inspecjs/src/nist.ts and libs/inspecjs/src/raw_nist.ts, otherwise the parse_nist function will not recognize the more recent NIST tags (since 2022) in the automatically-pulled NIST tags from U_CCI_List.xml
- *.spec.ts tests
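The mapping work the description talks about, as an added TypeScript example that is not heimdall2 code: from a constructed, simplified CCI list (a subset of the fields in U_CCI_List.xml; the `CciItem` shape, the sample CCIs and every function name here are assumptions for the example) it derives the three tables the PR generates (CCI->NIST at the latest revision, NIST->CCI, CCI->definition), picks the NIST control by highest revision number rather than by array position, and looks up a NIST control with exact matching only, so an unmapped control returns an empty list instead of a parent or sibling control's CCIs.

```typescript
// Added example (not heimdall2 code). Builds the CCI/NIST lookup tables from
// a constructed CCI list and shows revision-aware selection plus exact lookup.

// Simplified shape of a parsed cci_item (constructed for this example; the
// real U_CCI_List.xml carries more fields).
interface CciReference {
  title: string;   // e.g. "NIST SP 800-53 Revision 5"
  version: string; // revision number as a string, as in the XML attribute
  index: string;   // NIST control identifier, e.g. "AC-1 a 1"
}

interface CciItem {
  id: string;
  definition: string;
  references: CciReference[];
}

// Constructed sample data. References are deliberately not sorted by
// revision, and CCI-000003 has only two references, so reading
// references[2] (the "third" NIST tag) would yield undefined.
export const SAMPLE_CCI_LIST: CciItem[] = [
  {
    id: 'CCI-000001',
    definition: 'The organization develops an access control policy.',
    references: [
      {title: 'NIST SP 800-53', version: '3', index: 'AC-1 a'},
      {title: 'NIST SP 800-53 Revision 4', version: '4', index: 'AC-1 a 1'},
      {title: 'NIST SP 800-53 Revision 5', version: '5', index: 'AC-1 a 1'}
    ]
  },
  {
    id: 'CCI-000002',
    definition: 'The organization disseminates the access control policy.',
    references: [
      {title: 'NIST SP 800-53 Revision 5', version: '5', index: 'AC-1 a 1'},
      {title: 'NIST SP 800-53', version: '3', index: 'AC-1 a'}
    ]
  },
  {
    id: 'CCI-000003',
    definition: 'The organization reviews the access control policy.',
    references: [
      {title: 'NIST SP 800-53', version: '3', index: 'AC-1 b'},
      {title: 'NIST SP 800-53 Revision 4', version: '4', index: 'AC-1 b 1'}
    ]
  }
];

// Pick the reference with the highest revision number, regardless of where
// it sits in the array.
export function latestReference(item: CciItem): CciReference | undefined {
  let best: CciReference | undefined;
  for (const ref of item.references) {
    if (best === undefined || Number(ref.version) > Number(best.version)) {
      best = ref;
    }
  }
  return best;
}

// CCI -> NIST control at the latest revision (the U_CCI_List.nist.json role).
export function buildCciToNist(items: CciItem[]): Record<string, string> {
  const out: Record<string, string> = {};
  for (const item of items) {
    const ref = latestReference(item);
    if (ref !== undefined) {
      out[item.id] = ref.index;
    }
  }
  return out;
}

// CCI -> definition text (the U_CCI_List.defs.json role).
export function buildCciDefinitions(items: CciItem[]): Record<string, string> {
  const out: Record<string, string> = {};
  for (const item of items) {
    out[item.id] = item.definition;
  }
  return out;
}

// NIST control -> sorted CCIs, inverted from the CCI -> NIST table
// (the U_CCI_List.cci.json role).
export function buildNistToCci(cciToNist: Record<string, string>): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const [cci, nist] of Object.entries(cciToNist)) {
    if (!Object.prototype.hasOwnProperty.call(out, nist)) {
      out[nist] = [];
    }
    out[nist].push(cci);
  }
  for (const list of Object.values(out)) {
    list.sort();
  }
  return out;
}

// Exact-match lookup: an unknown control yields [] rather than the CCIs of a
// parent or sibling control, which is the fallback #6359 reports as wrong.
export function findCcisForNistControl(nistToCci: Record<string, string[]>, control: string): string[] {
  return Object.prototype.hasOwnProperty.call(nistToCci, control) ? nistToCci[control] : [];
}

// Usage: emit the inverted table as the kind of raw JSON blob the PR checks in.
console.log(JSON.stringify(buildNistToCci(buildCciToNist(SAMPLE_CCI_LIST)), null, 2));
```

Selecting by revision number makes the tables independent of how many references a CCI carries, which is exactly the case where a fixed `[2]` index breaks; the exact-match lookup is what `cciFilter` needs so a CCI with no mapping for the requested control stays filtered out.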