xccdf to hdf results in empty code_desc #1163
Comments
So you are trying to convert an oscap xccdf-results file to HDF-Results JSON. I would guess this is likely a bug with the nesting of the XML given the results may be pulling that code_desc from a key that may be missed by the mapper. We would be happy to chat with you about this to see if we can dig into what is causing the mapping issue and get a PR started.
Sounds great! Is there more information I can provide?
So I think what we are looking for here is that the XCCDF-Results file actually has the rendered SCAP - vs just a reference to an SCAP XML File - in the final object that we are looping over to create the HDF-Results JSON. If we are - for some reason - missing the step that populates the 'SCAP code' that would be the expected 'code of the test' we expect to be put there. I think we just have to dig in a bit with the debugger. Does this describe what you are expecting so we are clear on the expected path?
I admit that I don't understand all of those details. Basically, I'm looking for the steps I provided in this issue's description to produce an HDF file that has
@aaronlippold is there anything I can do to help this effort?
It appears this bug is in
* Support XCCDF generated using ComplianceAsCode: https://github.com/ComplianceAsCode/content/
* Support nested XCCDF groups
* Set `code_desc` to an appropriate value (not empty string)
* Refactor to remove global variables

Bug: mitre/saf#1163
Fixes: mitre#4194
…ults (#4255)

* Improve xccdf_results_mapper when converting XCCDF->HDF
* Support XCCDF generated using ComplianceAsCode: https://github.com/ComplianceAsCode/content/
* Support nested XCCDF groups
* Set `code_desc` to an appropriate value (not empty string)
* Refactor to remove global variables
  Bug: mitre/saf#1163
  Fixes: #4194
* Minor changes requested by code review
* Use the "RegExp.exec()" method instead
  Address sonar finding typescript:S6594
* Set impact to 0 for 'notapplicable' and 'informational' results
* Don't handle every array item within each array item
  In handleArray, the array v is looped over. For each item, the entire array is looped over again, resulting in an array v of length n resulting in an output array of length n^2, making handleArray's complexity O(n^2). However, that n^2 looping is unnecessary. Removing it brings the complexity of handleArray down to O(n), drastically reducing execution time.
* "version" should use "version.text" (not just "version")
* For version, prefer version over id
* For version, remove unnecessary comment
* Remove unnecessary String conversion
* Add tsdoc to getRulesInGroup
* removed 'id' as a potential path for 'version'. the complianceascode sample doesn't contain that attribute at all -> we should not have a tag for it. also updated samples but these samples updates also include changes from the baseconverter updates so warrant inspection esp for the complianceascode sample output
  Signed-off-by: Amndeep Singh Mann <[email protected]>
* linting
  Signed-off-by: Amndeep Singh Mann <[email protected]>
* Use triple equals for string comparison
* Various fixes
* Correct "refs" to comply with schema
* Only include description if it has a label
* make the nist family part of the regexes only match against valid nist control families
  Signed-off-by: Amndeep Singh Mann <[email protected]>
* Use `as unknown as ControlDescription` instead of `as any`
* Run lint on src/nist.ts
  Fixes linting issues introduced in 587282d
* Regenerate samples
  Updates samples after 587282d
* Use concise character class syntax '\d' instead of '[0-9]'.
  Addresses sonar finding typescript:S6353
* the treemap expects a canonized form of the nist controls that are not zero-padded. also changed default behaviors so there's no need to supply a parameter to the canonize function at all.
  Signed-off-by: Amndeep Singh Mann <[email protected]>
* get rid of dupe nist tags - even if there were dupes in the original file, it makes no sense to have that replicated here anymore really - there are some particularly egregious cases too where a control is replicated at least 3 times in the array
  Signed-off-by: Amndeep Singh Mann <[email protected]>
* could simplify the default_partial_config implementation and also ran the linter
  Signed-off-by: Amndeep Singh Mann <[email protected]>
* sonarqube
  Signed-off-by: Amndeep Singh Mann <[email protected]>

---------

Signed-off-by: Amndeep Singh Mann <[email protected]>
Co-authored-by: Aaron Lippold <[email protected]>
Co-authored-by: Amndeep Singh Mann <[email protected]>
Since mitre/heimdall2#4255 has now been merged, the remaining task is to upgrade to
A release has gone out so I'm going to close this issue @candrews. Ping me if you want it to remain open for some reason.
```
oscap-podman ubuntu:18.04 xccdf eval --fetch-remote-resources --profile MAC-3_Public --report report.html --results results.xml U_CAN_Ubuntu_18-04_V2R8_STIG_SCAP_1-2_Benchmark.xml
```

For convenience, here's the resulting results.xml

```
npx @mitre/saf convert xccdf_results2hdf -i results.xml -o results.hdf
```

For convenience, here's the resulting results.hdf.json

Actual:

Every instance of `code_desc` has a value of empty string, for example:

Expected:

`code_desc` should have a value. Per the hdf documentation at https://github.com/mitre/saf/wiki/HDF-Mapper-and-Converter-Creation-Guide-(for-SAF-CLI-&-Heimdall2)#hdf-schema-breakdown- it should contain "Test expectations as defined by control"
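
A check for the symptom reported in this issue, as an added example (not code from the SAF CLI or heimdall2): it walks an HDF results object and lists every result whose `code_desc` is empty, whitespace-only or missing. The `profiles[].controls[].results[]` layout follows the HDF schema; the function name, the sample object and its identifiers are constructed for illustration.

```javascript
// Added example: flag HDF results whose code_desc carries no test description.
// Assumes the HDF results layout profiles[] -> controls[] -> results[].
function findEmptyCodeDesc(hdf) {
  const findings = [];
  for (const profile of hdf.profiles ?? []) {
    for (const control of profile.controls ?? []) {
      (control.results ?? []).forEach((result, index) => {
        const desc = result.code_desc;
        // Empty string, whitespace-only, missing, or non-string all count as empty.
        if (typeof desc !== 'string' || desc.trim() === '') {
          findings.push({
            profile: profile.name,
            control: control.id,
            resultIndex: index,
            status: result.status,
          });
        }
      });
    }
  }
  return findings;
}

// Constructed sample input, not output from the converter.
const sampleHdf = {
  profiles: [{
    name: 'constructed-sample-profile',
    controls: [
      { id: 'SAMPLE-RULE-1', results: [{ status: 'passed', code_desc: '' }] },
      { id: 'SAMPLE-RULE-2', results: [
        { status: 'failed', code_desc: 'Constructed description of the check' },
        { status: 'failed', code_desc: '   ' },
      ] },
      { id: 'SAMPLE-RULE-3', results: [{ status: 'skipped' }] },
      { id: 'SAMPLE-RULE-4', results: [] },
    ],
  }],
};

const emptyFindings = findEmptyCodeDesc(sampleHdf);
for (const f of emptyFindings) {
  console.log(`${f.profile} ${f.control} result[${f.resultIndex}] (${f.status}): empty code_desc`);
}
```

To run it against real converter output, pass the parsed contents of the `results.hdf` file to `findEmptyCodeDesc`; a non-empty return value after an upgrade means the conversion still drops the test description.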