Cingulara / openrmf-docs

Documentation on the OpenRMF application, including scripts to run the whole stack as well as just infrastructure with documentation on using the tool.
https://www.openrmf.io/
GNU General Public License v3.0

[BUG] Checklist from RADIX custom application has missing top level version and release info on the checklist type. #270

Closed DaleBinghamSoteriaSoft closed 2 years ago

DaleBinghamSoteriaSoft commented 2 years ago

Describe the bug

When importing a Radix REL 8 checklist, the checklist does not load properly even though it says it parses correctly.

To Reproduce

Steps to reproduce the behavior:

  1. Go to upload a radix mgmt exported REL ckl
  2. see it load correctly
  3. go to list the checklist
  4. notice it fails showing properly

Expected behavior

The CKL loads, score is generated, and it loads properly. Worst case, it does not choke and at least shows the data, even if no release or version information is present.

Additional context

Missing the top level STIG_INFO fields, so we need to use the VULN section below: parse the STIGRef from the first VULN area, remove the title from that, remove the :: and then parse the rest.

            <STIG_DATA>
               <VULN_ATTRIBUTE>STIGRef</VULN_ATTRIBUTE>
               <ATTRIBUTE_DATA>Windows 10 Security Technical Implementation Guide :: Version 1, Release: 3 Benchmark Date: 01 Nov 2021</ATTRIBUTE_DATA>
            </STIG_DATA>
DaleBinghamSoteriaSoft commented 2 years ago

In the upload controller we need this. We may need to adjust the web UI to check against the proper stigRelease as well for upgrades possibly if the CKL is missing the top metadata. https://github.com/Cingulara/openrmf-api-upload/blob/master/src/Controllers/UploadController.cs

Need to get the VULN tags into a listing and then parse where applicable.

        // if the release info or version are odd, we need to parse the first VULN area
        if ( (newArtifact.stigVersion == "version" || string.IsNullOrEmpty(newArtifact.stigVersion) || newArtifact.stigRelease == "releaseinfo" || string.IsNullOrEmpty(newArtifact.stigRelease) )
            && vulnList.Count > 0) {
            // go get it in the first VULN
            newArtifact.stigVersion = "1";  
            string stigReference = "";
            foreach (XmlElement child in vulnList.Item(0).ChildNodes) {
                if (child.Name == "STIG_DATA") {
                    // each STIG_DATA is a VULN_ATTRIBUTE / ATTRIBUTE_DATA pair; we only want the STIGRef pair
                    if (child.ChildNodes.Count > 1
                        && child.ChildNodes.Item(0).Name == "VULN_ATTRIBUTE"
                        && child.ChildNodes.Item(0).InnerText == "STIGRef") {
                        stigReference = child.ChildNodes.Item(1).InnerText;
                        break; // found it, no need to walk the remaining STIG_DATA nodes
                    }
                }
            }
            // only parse when the reference has the "Version N, Release: ..." shape; Substring/IndexOf would throw on a reference without a comma
            if (!string.IsNullOrEmpty(stigReference) && stigReference.Contains(",")) { // parse it
                // remove the title and :: area
                stigReference = stigReference.Replace(newArtifact.stigType + " :: ","").Trim().Replace("Version ","");
                // Version 1, 
                newArtifact.stigVersion = stigReference.Substring(0, stigReference.IndexOf(",")).Trim();
                // Release: 4 Benchmark Date: 27 Oct 2021
                newArtifact.stigRelease = stigReference.Replace(newArtifact.stigVersion + ",", "").Trim();
            }
        }
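The fallback described in this thread (prefer STIG_INFO, otherwise take version and release from the first VULN's STIGRef, and never choke when neither is usable), written out as a stand-alone Python reference parser. This is an added example, not code from the issue or from the OpenRMF upload controller; it assumes the usual CKL layout (`STIGS/iSTIG/STIG_INFO/SI_DATA` with `SID_NAME`/`SID_DATA`, and `VULN/STIG_DATA` with `VULN_ATTRIBUTE`/`ATTRIBUTE_DATA`), the three checklists are constructed test data, and unlike the C# above it leaves version blank rather than defaulting it to "1" when nothing can be parsed.

```python
import re
import xml.etree.ElementTree as ET

TITLE = "Windows 10 Security Technical Implementation Guide"
STIGREF = TITLE + " :: Version 1, Release: 3 Benchmark Date: 01 Nov 2021"
# SID_DATA values seen when a generator copies the field name instead of the value
PLACEHOLDERS = {"version", "releaseinfo"}


def build_ckl(si_rows, stigref):
    """Build a minimal CKL (constructed test data, not a real export):
    one iSTIG with the given STIG_INFO rows and a single VULN carrying STIGRef."""
    si = "".join(f"<SI_DATA><SID_NAME>{n}</SID_NAME><SID_DATA>{d}</SID_DATA></SI_DATA>"
                 for n, d in si_rows)
    return ("<CHECKLIST><STIGS><iSTIG>"
            f"<STIG_INFO>{si}</STIG_INFO>"
            "<VULN>"
            "<STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>"
            "<ATTRIBUTE_DATA>V-000001</ATTRIBUTE_DATA></STIG_DATA>"
            "<STIG_DATA><VULN_ATTRIBUTE>STIGRef</VULN_ATTRIBUTE>"
            f"<ATTRIBUTE_DATA>{stigref}</ATTRIBUTE_DATA></STIG_DATA>"
            "</VULN></iSTIG></STIGS></CHECKLIST>")


# A normal export: version and releaseinfo are present in STIG_INFO.
GOOD_CKL = build_ckl([("version", "1"),
                      ("releaseinfo", "Release: 3 Benchmark Date: 01 Nov 2021"),
                      ("title", TITLE)], STIGREF)
# The custom-generator case from the issue: STIG_INFO holds the field names as
# data, so only the VULN STIGRef carries the real version and release.
BROKEN_CKL = build_ckl([("version", "version"), ("releaseinfo", "releaseinfo"),
                        ("title", TITLE)], STIGREF)
# Worst case: no version/release in STIG_INFO and a STIGRef that does not
# follow the "Title :: Version N, Release: ..." shape.
NOREF_CKL = build_ckl([("title", TITLE)], "custom reference without version data")


def stig_info(istig):
    """Map SID_NAME -> SID_DATA from STIG_INFO; empty dict when the block is absent."""
    info = {}
    for si in istig.iterfind("./STIG_INFO/SI_DATA"):
        name = (si.findtext("SID_NAME") or "").strip()
        if name:
            info[name] = (si.findtext("SID_DATA") or "").strip()
    return info


def first_vuln_stigref(istig):
    """STIGRef ATTRIBUTE_DATA from the first VULN, or '' when there is none."""
    vuln = istig.find("./VULN")
    if vuln is None:
        return ""
    for sd in vuln.iterfind("./STIG_DATA"):
        if (sd.findtext("VULN_ATTRIBUTE") or "").strip() == "STIGRef":
            return (sd.findtext("ATTRIBUTE_DATA") or "").strip()
    return ""


def parse_stigref(stigref, title=""):
    """Split 'Title :: Version N, Release: ...' into (version, release).
    Returns ('', '') when the text does not have that shape, so an odd
    reference degrades to blank metadata instead of raising."""
    ref = stigref.split("::", 1)[1] if "::" in stigref else stigref
    ref = ref.strip()
    if title and ref.startswith(title):  # title present but no '::' separator
        ref = ref[len(title):].strip()
    m = re.match(r"Version\s+([^,\s]+)\s*,\s*(.+)$", ref)
    if not m:
        return "", ""
    return m.group(1), m.group(2).strip()


def checklist_metadata(ckl_xml):
    """Return title/version/release for the first iSTIG plus where they came from.
    Prefers STIG_INFO; falls back to the first VULN's STIGRef when version or
    releaseinfo is missing or a placeholder; never raises on missing fields."""
    root = ET.fromstring(ckl_xml)  # stdlib parser; an untrusted upload path warrants a hardened one
    istig = root.find("./STIGS/iSTIG")
    if istig is None:
        return {"title": "", "version": "", "release": "", "source": "none"}
    info = stig_info(istig)
    title = info.get("title", "")
    version = info.get("version", "")
    release = info.get("releaseinfo", "")
    source = "STIG_INFO"
    if (not version or not release
            or version.lower() in PLACEHOLDERS or release.lower() in PLACEHOLDERS):
        version, release = parse_stigref(first_vuln_stigref(istig), title)
        source = "VULN/STIGRef" if version else "none"
    return {"title": title, "version": version, "release": release, "source": source}


if __name__ == "__main__":
    for name, ckl in (("good", GOOD_CKL), ("broken", BROKEN_CKL), ("noref", NOREF_CKL)):
        print(name, checklist_metadata(ckl))
```

The `source` field is what a UI or upgrade check can key on: a checklist whose metadata came from `VULN/STIGRef` rather than `STIG_INFO` is the custom-generator case, and one marked `none` is exactly the "show the data anyway" outcome the issue asks for.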
DaleBinghamSoteriaSoft commented 2 years ago

Only for custom CKL generators leaving off the top information for the checklist that we use for type, release and version in essence. This is not from normal CKL creation, SCAP or anything else.

Cingulara commented 2 years ago

This was only on a specific customer generating CKLs themselves in improper format.