mitre / inspec_tools

A command-line and ruby API of utilities, converters and tools for creating, converting and processing security baseline formats, results and data
https://inspec-tools.mitre.org/

csv2inspec impact doesn't correct format "CAT I II III" severities #88

Closed rlakey closed 4 years ago

rlakey commented 4 years ago

Looks like the csv2inspec tool only correctly accounts for severities of high, medium, low to convert them to decimals; otherwise it just puts the severity text in impact, which causes an error similar to the one below.

For example, a severity in the csv of "CAT I" turns into an "impact CAT I":

[FAIL] Control Source Code Error ./vcsa/controls/VCUI-67-000004.rb:1 uninitialized constant #<Class:#<#:0x000000000b8c1d00>>::II

Aaron suggested a case statement with multiple values like

```
0.0 => { none, na, N/A, nil, /not\s+applicable/i, /cat\s+0/i }
0.3 => { low, /cat\s+[1|I]/i, LOW, ... }
0.5 => ...
0.7 => ...
1.0 => all others { critical, severe, .... }
```

Bialogs commented 4 years ago

@aaronlippold on the snippet you sent me you had the impact defaulting to 0.5 if the input was:

Why do we default to 0.5? Is raising an exception also valid?

Bialogs commented 4 years ago

This is what the update will produce:

  impact 0.5
  tag severity: "CAT 2"
  tag gtitle: nil
  tag gid: nil
  tag rid: "SV-33881r1_rule"
  tag stig_id: "SRG-APP-000014"
  tag fix_id: nil
  tag cci: "CCI-000068"
  tag nist: ["AC-17 (2)", "Rev_4"]

Notice impact of 0.5 for CAT 2 severity.

aaronlippold commented 4 years ago

Hi,

I would like the severity tag to standardize on the CVSS terms 'none', 'low', 'medium', 'high' and 'critical'

CAT 4 or IV = none
CAT 3 or III = low
CAT 2 or II = medium
CAT 1 or I = high

Thanks,

Aaron

Aaron Lippold

lippold@gmail.com

260-255-4779

twitter/aim/yahoo,etc. 'aaronlippold'


Bialogs commented 4 years ago

@aaronlippold Should the severity tag be standardized for all types of conversions or just CSV?

aaronlippold commented 4 years ago

Hi

So if I have an input source: XCCDF, CSV, PDF, XLS all have severity and impact in different forms. In the end our 'inspec stubs' will always have the CVSS 3.0 standard of:

severity: 'none|low|medium|high|critical'
impact: '0.0 | 0.3 | 0.5 | 0.7 | 1.0'



aaronlippold commented 4 years ago

```ruby
def self.get_impact(severity)
  # Numeric severities are bucketed into the five CVSS impact values:
  #   0.0 to 0.01   controls with no impact, they only provide information
  #   0.01 to <0.4  controls with low impact
  #   0.4 to <0.7   controls with medium impact
  #   0.7 to <0.9   controls with high impact
  #   0.9 to 1.0    critical controls
  # Text severities (CVSS keywords, DISA CAT I/II/III) map to the same values.
  # Range#=== and Regexp#=== each return false for the other type, so a
  # String never hits a numeric branch and a Float never hits a regex branch.
  case severity
  when 0.0..0.01 then 0.0
  when 0.01...0.4 then 0.3
  when 0.4...0.7 then 0.5
  when 0.7...0.9 then 0.7
  when 0.9..1.0 then 1.0
  when /none|na|n\/a|Not[_\s]*Applicable/i then 0.0
  # CAT III / II are tested before CAT I so "CAT II" cannot match the I branch.
  when /low|cat(egory)?\s*(III|3)/i then 0.3
  when /medium|cat(egory)?\s*(II|2)/i then 0.5
  when /high|cat(egory)?\s*(I|1)/i then 0.7
  when /critical/i then 1.0
  else
    puts "#{severity} is not a supported value. It should be a Float between " \
         "0.0 - 1.0 or the approved keywords found in the inspec_tools README, " \
         "defaulting to 0.5"
    0.5
  end
end
```


aaronlippold commented 4 years ago

This was my attempt to capture the logic

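The following is an added example, not inspec_tools code or anything the thread's participants posted. It carries the get_impact sketch one step further in the direction Aaron asks for: whatever form the severity arrives in (a 0.0..1.0 float, a numeric string, a CVSS keyword, a DISA "CAT I"/"CAT 2"/"cat iii"/"CAT IV" label, or a none/N/A marker), it returns both the normalized CVSS severity keyword and the matching impact, so a stub can carry `severity` and `impact` that agree with each other. Unknown values raise instead of defaulting to 0.5, which is one answer to the question raised earlier in the thread about whether raising is acceptable. The module and method names (`SeverityNormalizer`, `normalize`, `from_float`, `stub_lines`, `supported?`), the CAT IV = none mapping taken from Aaron's comment, and the acceptance of numeric strings are all assumptions of this example, not project behaviour.

```ruby
# Added example (not inspec_tools code). Turns any severity/impact value an
# input source carries (XCCDF, CSV, PDF, XLS) into the CVSS 3.0 pair the issue
# asks the generated InSpec stubs to use:
#   severity: none | low | medium | high | critical
#   impact:   0.0  | 0.3 | 0.5    | 0.7  | 1.0
# Unknown values raise so that a bad row is caught at conversion time instead
# of becoming a wrong impact in a profile. Names below are this example's own.
module SeverityNormalizer
  CVSS_LEVELS = {
    'none'     => 0.0,
    'low'      => 0.3,
    'medium'   => 0.5,
    'high'     => 0.7,
    'critical' => 1.0
  }.freeze

  # DISA CAT levels (Roman or Arabic) as stated in the thread:
  # CAT IV = none, CAT III = low, CAT II = medium, CAT I = high.
  CAT_LEVELS = {
    'IV'  => 'none',   '4' => 'none',
    'III' => 'low',    '3' => 'low',
    'II'  => 'medium', '2' => 'medium',
    'I'   => 'high',   '1' => 'high'
  }.freeze

  # Anchored patterns: "CAT II" must not fall through to the CAT I branch, and
  # "Not Applicable" must not be mistaken for a keyword it happens to contain.
  CAT_RE = /\A\s*cat(?:egory)?\s*(IV|III|II|I|[1-4])\s*\z/i
  NA_RE  = /\A\s*(?:none|na|n\/a|not[_\s]*applicable)\s*\z/i
  NUM_RE = /\A\d*\.?\d+\z/

  class UnknownSeverity < ArgumentError; end

  # Returns [severity_keyword, impact_float] or raises UnknownSeverity.
  def self.normalize(value)
    return ['none', 0.0] if value.nil?                  # nil => 0.0 (thread sketch)
    return from_float(Float(value)) if value.is_a?(Numeric)

    text = value.to_s.strip
    return from_float(Float(text)) if NUM_RE.match?(text) # "0.7" in a CSV cell
    return ['none', 0.0] if NA_RE.match?(text)

    if (m = CAT_RE.match(text))
      word = CAT_LEVELS.fetch(m[1].upcase)
      return [word, CVSS_LEVELS[word]]
    end

    word = text.downcase
    return [word, CVSS_LEVELS[word]] if CVSS_LEVELS.key?(word)

    raise UnknownSeverity, "#{value.inspect} is not a supported severity"
  end

  # Bucket a 0.0..1.0 impact into the five CVSS levels, using the thresholds
  # from the get_impact sketch in the thread.
  def self.from_float(f)
    raise UnknownSeverity, "impact #{f} is outside 0.0..1.0" unless (0.0..1.0).cover?(f)

    word = if f <= 0.01 then 'none'
           elsif f < 0.4 then 'low'
           elsif f < 0.7 then 'medium'
           elsif f < 0.9 then 'high'
           else 'critical'
           end
    [word, CVSS_LEVELS[word]]
  end

  # True when the value can be normalized; lets a converter validate a whole
  # input file before emitting any stubs.
  def self.supported?(value)
    normalize(value)
    true
  rescue UnknownSeverity
    false
  end

  # The two tag lines a generated stub would carry for this value.
  def self.stub_lines(value)
    word, impact = normalize(value)
    ["  impact #{impact}", "  tag severity: #{word.inspect}"]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, one per source form discussed in the thread.
  ['CAT I', 'CAT 2', 'cat iii', 'CAT IV', 'N/A', 'High', '0.5', 0.95, nil].each do |v|
    puts "#{v.inspect.ljust(10)} => #{SeverityNormalizer.normalize(v).inspect}"
  end
  puts SeverityNormalizer.stub_lines('CAT 2')
end
```

Because every pattern is anchored and the CAT alternation lists the longer Roman numerals first, "CAT II" and "CAT III" can never be read as "CAT I", which is the ordering pitfall the unanchored regexes in the sketch rely on being listed carefully to avoid.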