Closed candrews closed 1 year ago
Hi - I'm a member of the MITRE SAF team, which is the team that manages the Heimdall Data Format (HDF). Thanks @candrews for spotting this regression in behavior.
@aaronlippold @ejaronne - wanted to bring this to your awareness as well, and would appreciate your input on corrections to this mapping.
I think what Craig has proposed above is good but for two areas:
skipped
should be mapped to review
not notApplicable
since tests can be skipped for a variety of reasons such as needing manual review due to the automation failing or not being possible.impact
field should be looked at as well to determine kind
/level
values. Specifically, if the impact is set to 0 (within some epsilon value, usually .1), then we mark that as having a none
severity, i.e. it is a notApplicable
test.
skipped
should be mapped toreview
notnotApplicable
since tests can be skipped for a variety of reasons such as needing manual review due to the automation failing or not being possible.
The HDF in this issue's description, openscap-report.hdf.json.gz, was generated by running oscap --rule xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
- all others rules were skipped. And they are all marked as skipped
as expected in the HDF. If this converter does as suggested and translates hdf skipped
to SARIF review
, then someone will be expected to review all of those results that were intentionally skipped. That drastically reduces the utility of these tools. I believe that hdf skipped
should be translated to SARIF notApplicable
.
The question is more about what action was taken - If no test was run then it is a Not Reviewed
- if the test was marked as Not Applicable
- therefore outside the bounds of the validation that is a different condition. Aka NA means that it was an active choice to not need to test the requirement.
We would have to look at the SARIF specification to determine which state is being communicated.
We would have to look at the SARIF specification to determine which state is being communicated.
The SARIF specification regarding level
seems very clear:
· "pass": The rule specified by ruleId (§3.27.5), ruleIndex (§3.27.6), and/or rule (§3.27.7) was evaluated, and no problem was found.
· "open": The specified rule was evaluated, and the tool concluded that there was insufficient information to decide whether a problem exists.
NOTE 1: This value is used by proof-based tools. Sometimes such a tool can prove that there is no violation (kind = "pass"), sometimes it can prove that there is a violation (kind = "fail"), and sometimes it does not detect a violation but is unable to prove that there is none (kind = "open"). In such a tool, a kind value of "open" might be an indication that the user should add additional assertions to enabe the tool to determine if there is a violation.
· "informational": The specified rule was evaluated and produced a purely informational result that does not indicate the presence of a problem. (See the example below.)
· "notApplicable": The rule specified by ruleId was not evaluated, because it does not apply to the analysis target.
· "review": The result requires review by a human user to decide if it represents a problem.
NOTE 2: This value is used by tools that are unable to check for certain conditions, but that wish to bring to the user’s attention the possibility that there might be a problem. For example, an accessibility checker might produce a result with the message "Do not use color alone to highlight important information," with kind = "review". A user might address this issue by visually inspecting the UI.
· "fail": The result represents a problem whose severity is specified by the level property (§3.27.10).
The problem is that the HDF specification (for lack thereof) is not clear regarding what the values of status
mean - what does a status
of skipped
mean in HDF? I'm assuming, based on the behavior of https://github.com/mitre/saf when it converted XCCDF to HDF, that HDF's status
of skipped
has the same meaning as the SARIF level
of notApplicable
.
skipped
in HDF is the same as review
from the above definition and notApplicable is the same in both. We don't really have an informational
status in HDF at the moment but I would map that to NA
at the moment given its statement of because it does not apply to the analysis target.
In OHDF:
skipped
- no tests were run - aka we have no results data so human review is required.not applicable
- the test results do not apply to the analysis target regardless of pass
, fail
or skipped
resultspass
- means the test met the expectationfailed
- means the test failed the expectationerror
- means the test threw a error, stack-trace and or did not execute as expected.These should be defined in the schema files
In OHDF:
skipped
- no tests were run - aka we have no results data so human review is required.not applicable
- the test results do not apply to the analysis target regardless ofpass
,fail
orskipped
resultspass
- means the test met the expectationfailed
- means the test failed the expectationerror
- means the test threw a error, stack-trace and or did not execute as expected.
This project only knows about these HDF status
values:
error
failed
passed
skipped
https://github.com/microsoft/sarif-sdk/blob/5b729309f4a5c006e331ebe9db3ed96f35ae5d40/src/Sarif.Converters/HdfModel/ControlResultStatus.cs#L6
The mitre/heimdall2 library similarly only knows about that same list of statuses, too: https://github.com/mitre/heimdall2/blob/351f4cf6db8fcb265810da5f3d21607064aaebd0/libs/inspecjs/src/generated_parsers/v_1_0/exec-json.ts#L299
As far as I can tell, nothing is aware of or uses the "OHDF" not_applicable
status.
Not applicable is calculated via the impact as part of the consolidated results.
When the impact of the result is set to zero the status is set to not applicable
they might need to leverage inspecjs and the contextualizedexecution files in order to extract out all the necessary information. see the reverse converters in hdf-converters: https://github.com/mitre/heimdall2/blob/master/libs/hdf-converters/src/converters-from-hdf/asff/reverse-asff-mapper.ts#L150
Not applicable is calculated via the impact as part of the consolidated results.
When the impact of the result is set to zero the status is set to not applicable
That's a simple and clear bit of logic - I can implement that :)
they might need to leverage inspecjs and the contextualizedexecution files
That is not clear to me... what benefit would that provide and what exactly is suggested? Is the aforementioned logic insufficient?
what benefit
the logic is already implemented (https://github.com/mitre/heimdall2/blob/master/libs/inspecjs/src/compat_impl/compat_inspec_1_0.ts#L234) and is available for you to just access (https://github.com/mitre/heimdall2/blob/master/libs/inspecjs/src/compat_impl/compat_inspec_1_0.ts#L212)
@aaronlippold @Amndeep7 heimdall doesn't currently map XCCDF rule result of notselected
to HDF impact
of 0
. Here's a PR that fixes that: https://github.com/mitre/heimdall2/pull/4758
And here's a PR to this project that maps HDF impact
of 0
to SARIF kind
of NotApplicable
: https://github.com/microsoft/sarif-sdk/pull/2701
This issue has been resolved as of version 4.2.1.
The SARIF generated by this tool from HDF does not have HDF's
status
mapped to SARIF'skind
andlevel
correctly.HDF's
status
can have the following values and these are thekind
/level
values I believe they should map to:passed
should map topass
andlevel
either unset ornone
failed
should map tofail
andlevel
eitherwarning
,error
, ornote
which is already implemented bySarifLevelFromHdfImpact
error
should map toreview
andlevel
either unset ornone
skipped
should map tonotApplicable
andlevel
either unset ornone
Also, if
kind
is set tofail
, thenrank
can be set. Ifkind
is any value other thanfail
, thenrank
must not be set.To reproduce:
npx @microsoft/sarif-multitool@4.2.2 convert -t Hdf -o "openscap-report.sarif" "openscap-report.hdf.json"
Here's the resulting sarif (I pretty formatted it for readability): openscap-report.sarif.gzopenscap-report.sarif
Expected: A variety of
kind
andlevel
values should be present. The SARIF is basically useless at the moment as every result shows as a finding, whether it passed or not. For some example:xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
has an HDFstatus
ofpassed
but in the SARIF has alevel
oferror
(level
should benone
or absent, andkind
should be set topassed
)xccdf_org.ssgproject.content_rule_no_netrc_files
has an HDFstatus
ofskipped
but in the SARIF has alevel
oferror
(level
should benone
or absent, andkind
should be set tonotApplicable
)rank
is present only whenkind
isfail
or absent.Actual:
kind
is never presentlevel
is always eithernote
,error
, orwarning
; thenone
value are never used.