SBOM Mapper (#5986)

* Initial dump Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Change in license handling Signed-off-by: Charles Hu <[email protected]> * Passthrough implementation Signed-off-by: Charles Hu <[email protected]> * Finished intermediary object generation Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Logical density change Signed-off-by: Charles Hu <[email protected]> * Mapping progress; component flattening Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Quick typing fix Signed-off-by: Charles Hu <[email protected]> * Mapping progress Signed-off-by: Charles Hu <[email protected]> * Formatting overhaul; additional tags; results section Signed-off-by: Charles Hu <[email protected]> * VEX ingestion; various mapping adjustments Signed-off-by: Charles Hu <[email protected]> * Test fix Signed-off-by: Charles Hu <[email protected]> * VEX ingestion fix Signed-off-by: Charles Hu <[email protected]> * Clean up Signed-off-by: Charles Hu <[email protected]> * Test fix Signed-off-by: Charles Hu <[email protected]> * VEX support Signed-off-by: Charles Hu <[email protected]> * Refactoring Signed-off-by: Charles Hu <[email protected]> * Component field filtering and vulnerability ID appending Signed-off-by: Charles Hu <[email protected]> * VEX alignment changes Signed-off-by: Charles Hu <[email protected]> * SBOM support visibility; auto cleaning control Description Signed-off-by: Charles Hu <[email protected]> * Various styling changes Signed-off-by: Charles Hu <[email protected]> * Testing update Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Move porfile desc to summary Signed-off-by: Charles Hu <[email protected]> * Added conditional to control title genreation Signed-off-by: Charles Hu <[email protected]> * Review changes Signed-off-by: Charles Hu <[email protected]> * Adding CycloneDX types Signed-off-by: Charles Hu <[email protected]> * CWE tag fix Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Typing Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Fixing typing errors Signed-off-by: Charles Hu <[email protected]> * Review changes Signed-off-by: Charles Hu <[email protected]> * Tag changes Signed-off-by: Charles Hu <[email protected]> * Ref refactor Signed-off-by: Charles Hu <[email protected]> * Typing refactor, component hierarchy refactor Signed-off-by: Charles Hu <[email protected]> * Typing fixes Signed-off-by: Charles Hu <[email protected]> * Continued typing edits Signed-off-by: Charles Hu <[email protected]> * Message refactor Signed-off-by: Charles Hu <[email protected]> * Tags & description field changes Signed-off-by: Charles Hu <[email protected]> * Generic testing Signed-off-by: Charles Hu <[email protected]> * Refactoring Signed-off-by: Charles Hu <[email protected]> * Typing refactor Signed-off-by: Charles Hu <[email protected]> * Eugene changes Signed-off-by: Charles Hu <[email protected]> * Descriptions field fix Signed-off-by: Charles Hu <[email protected]> * Quick review change Signed-off-by: Charles Hu <[email protected]> * Add string headers Signed-off-by: Charles Hu <[email protected]> * Added additional tests Signed-off-by: Charles Hu <[email protected]> * Lint ignore Signed-off-by: Charles Hu <[email protected]> * Linting Signed-off-by: Charles Hu <[email protected]> * Linting :( Signed-off-by: Charles Hu <[email protected]> * Linting rules change Signed-off-by: Charles Hu <[email protected]> * Linting rules exception for unused vars prefixed with _ Signed-off-by: Charles Hu <[email protected]> --------- Signed-off-by: Charles Hu <[email protected]>
mitre · Nov 20, 2024 · e1e9d5d · e1e9d5d
1 parent 432207a
commit e1e9d5d
Show file tree

Hide file tree

Showing 34 changed files with 472,556 additions and 73 deletions.
diff --git a/apps/frontend/src/components/global/upload_tabs/FileReader.vue b/apps/frontend/src/components/global/upload_tabs/FileReader.vue
@@ -33,6 +33,7 @@
                   <li>AWS Security Finding Format (ASFF)</li>
                   <li>Burp Suite</li>
                   <li>Checklist</li>
+                  <li>CycloneDX Software Bill of Materials (SBOM)</li>
                   <li>DBProtect</li>
                   <li>Fortify</li>
                   <li>Golang Security Checker (gosec)</li>

diff --git a/apps/frontend/src/store/report_intake.ts b/apps/frontend/src/store/report_intake.ts
@@ -11,6 +11,7 @@ import {
   BurpSuiteMapper,
   ChecklistResults,
   ConveyorResults as ConveyorResultsMapper,
+  CycloneDXSBOMResults,
   DBProtectMapper,
   fingerprint,
   FortifyMapper,
@@ -275,6 +276,8 @@ export class InspecIntake extends VuexModule {
         return new ChecklistResults(convertOptions.data).toHdf();
       case INPUT_TYPES.GOSEC:
         return new GosecMapper(convertOptions.data).toHdf();
+      case INPUT_TYPES.CYCLONEDX_SBOM:
+        return new CycloneDXSBOMResults(convertOptions.data).toHdf();
       case INPUT_TYPES.TRUFFLEHOG:
         return new TrufflehogResults(convertOptions.data).toHdf();
       default:

diff --git a/libs/hdf-converters/.eslintrc.js b/libs/hdf-converters/.eslintrc.js
@@ -1,33 +1,39 @@
 module.exports = {
-    parser: '@typescript-eslint/parser',
-    parserOptions: {
-        project: 'tsconfig.json',
-        sourceType: 'module',
-    },
-    plugins: ['@typescript-eslint/eslint-plugin'],
-    extends: [
-        'plugin:@typescript-eslint/eslint-recommended',
-        'plugin:@typescript-eslint/recommended',
-        'prettier',
-        'plugin:prettier/recommended',
+  parser: '@typescript-eslint/parser',
+  parserOptions: {
+    project: 'tsconfig.json',
+    sourceType: 'module'
+  },
+  plugins: ['@typescript-eslint/eslint-plugin'],
+  extends: [
+    'plugin:@typescript-eslint/eslint-recommended',
+    'plugin:@typescript-eslint/recommended',
+    'prettier',
+    'plugin:prettier/recommended'
+  ],
+  root: true,
+  env: {
+    node: true
+  },
+  rules: {
+    '@typescript-eslint/naming-convention': [
+      'warn',
+      {
+        selector: 'interface',
+        format: ['PascalCase'],
+        custom: {
+          regex: '^I[A-Z]',
+          match: true
+        }
+      }
     ],
-    root: true,
-    env: {
-        node: true,
-    },
-    rules: {
-        "@typescript-eslint/naming-convention": [
-            "warn",
-            {
-                "selector": "interface",
-                "format": ["PascalCase"],
-                "custom": {
-                    "regex": "^I[A-Z]",
-                    "match": true
-                }
-            }
-        ],
-        'object-curly-spacing': 'warn',
-        '@typescript-eslint/no-explicit-any': 'off',
-    },
+    'object-curly-spacing': 'warn',
+    '@typescript-eslint/no-explicit-any': 'off',
+    '@typescript-eslint/no-unused-vars': [
+      'warn',
+      {
+        argsIgnorePattern: '^_'
+      }
+    ]
+  }
 };
diff --git a/libs/hdf-converters/README.md b/libs/hdf-converters/README.md
@@ -5,32 +5,34 @@
 OHDF Converters supplies several methods to convert various types of security tool data to and from the OHDF standard. OHDF Converters can be used in a variety of tools, and is currently well integrated with Heimdall itself, and the [SAF CLI](https://github.com/mitre/saf).
 
 ## Supported Formats
+
 1.  [**asff-mapper**] - AWS Security Finding Format JSON file, Prowler-derived AWS Security Finding Format results from concatenated JSON blobs, and Trivy-derived AWS Security Finding Format results from concatenated JSON blobs
 2.  [**aws-config-mapper**] - AWS Config
 3.  [**burpsuite-mapper**] - BurpSuite Pro XML file
 4.  [**caat-mapper**] - Compliance Assessment and Audit Tracking (CAAT) file
 5.  [**checklist-mapper**] - Checlist Mapper format
 6.  [**conveyor-mapper**] - Conveyor JSON file
-7.  [**dbprotect-mapper**] - DBProtect report in "Check Results Details" XML format
-8.  [**fortify-mapper**] - Fortify results FVDL file
-9.  [**gosec-mapper**] - gosec results JSON file
-10. [**ionchannel-mapper**] - SBOM data from Ion Channel
-11. [**jfrog-xray-mapper**] - JFrog Xray results JSON file
-12. [**msft-secure-mapper**] - Microsoft Secure Score results file
-13. [**nessus-mapper**] - Nessus XML results file
-14. [**netsparker-mapper**] - Netsparker XML results file
-15. [**nikto-mapper**] - Nikto results JSON file
-16. [**prisma-mapper**] - Prisma Cloud Scan Report CSV file
-17. [**sarif-mapper**] - SARIF JSON file
-18. [**scoutsuite-mapper**] - ScoutSuite results from a Javascript object
-19. [**snyk-mapper**] - Snyk results JSON file
-20. [**sonarqube-mapper**] - SonarQube vulnerabilities for the specified project name and optional branch or pull/merge request ID name from an API
-21. [**splunk-mapper**] - Splunk instance
-22. [**trufflehog-mapper**] - Trufflehog results json file 
-23. [**twistlock-mapper**] - Twistlock CLI output file
-24. [**veracode-mapper**] - Veracode Scan Results XML file
-25. [**xccdf-results-mapper**] - SCAP client XCCDF-Results XML report
-26. [**zap-mapper**] - OWASP ZAP results JSON
+7.  [**cyclonedx-sbom-mapper**] - CycloneDX SBOM JSON file
+8.  [**dbprotect-mapper**] - DBProtect report in "Check Results Details" XML format
+9.  [**fortify-mapper**] - Fortify results FVDL file
+10. [**gosec-mapper**] - gosec results JSON file
+11. [**ionchannel-mapper**] - SBOM data from Ion Channel
+12. [**jfrog-xray-mapper**] - JFrog Xray results JSON file
+13. [**msft-secure-mapper**] - Microsoft Secure Score results file
+14. [**nessus-mapper**] - Nessus XML results file
+15. [**netsparker-mapper**] - Netsparker XML results file
+16. [**nikto-mapper**] - Nikto results JSON file
+17. [**prisma-mapper**] - Prisma Cloud Scan Report CSV file
+18. [**sarif-mapper**] - SARIF JSON file
+19. [**scoutsuite-mapper**] - ScoutSuite results from a Javascript object
+20. [**snyk-mapper**] - Snyk results JSON file
+21. [**sonarqube-mapper**] - SonarQube vulnerabilities for the specified project name and optional branch or pull/merge request ID name from an API
+22. [**splunk-mapper**] - Splunk instance
+23. [**trufflehog-mapper**] - Trufflehog results json file
+24. [**twistlock-mapper**] - Twistlock CLI output file
+25. [**veracode-mapper**] - Veracode Scan Results XML file
+26. [**xccdf-results-mapper**] - SCAP client XCCDF-Results XML report
+27. [**zap-mapper**] - OWASP ZAP results JSON
 
 ### NOTICE
 
@@ -48,4 +50,4 @@ This software was produced for the U. S. Government under Contract Number HHSM-5
 
 No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.
 
-For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA  22102-7539, (703) 983-6000.
+For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.
diff --git a/libs/hdf-converters/index.ts b/libs/hdf-converters/index.ts
@@ -30,6 +30,7 @@ export * from './src/netsparker-mapper';
 export * from './src/nikto-mapper';
 export * from './src/prisma-mapper';
 export * from './src/sarif-mapper';
+export * from './src/cyclonedx-sbom-mapper';
 export * from './src/scoutsuite-mapper';
 export * from './src/snyk-mapper';
 export * from './src/sonarqube-mapper';

diff --git a/libs/hdf-converters/package.json b/libs/hdf-converters/package.json
@@ -26,6 +26,7 @@
   },
   "dependencies": {
     "@aws-sdk/client-config-service": "^3.95.0",
+    "@cyclonedx/cyclonedx-library": "^6.11.0",
     "@e965/xlsx": "^0.20.0",
     "@mdi/js": "^7.0.96",
     "@microsoft/microsoft-graph-types": "^2.40.0",