Skip to content

Commit

Permalink
SBOM Mapper (#5986)
Browse files Browse the repository at this point in the history
* Initial dump

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Change in license handling

Signed-off-by: Charles Hu <[email protected]>

* Passthrough implementation

Signed-off-by: Charles Hu <[email protected]>

* Finished intermediary object generation

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Logical density change

Signed-off-by: Charles Hu <[email protected]>

* Mapping progress; component flattening

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Quick typing fix

Signed-off-by: Charles Hu <[email protected]>

* Mapping progress

Signed-off-by: Charles Hu <[email protected]>

* Formatting overhaul; additional tags; results section

Signed-off-by: Charles Hu <[email protected]>

* VEX ingestion; various mapping adjustments

Signed-off-by: Charles Hu <[email protected]>

* Test fix

Signed-off-by: Charles Hu <[email protected]>

* VEX ingestion fix

Signed-off-by: Charles Hu <[email protected]>

* Clean up

Signed-off-by: Charles Hu <[email protected]>

* Test fix

Signed-off-by: Charles Hu <[email protected]>

* VEX support

Signed-off-by: Charles Hu <[email protected]>

* Refactoring

Signed-off-by: Charles Hu <[email protected]>

* Component field filtering and vulnerability ID appending

Signed-off-by: Charles Hu <[email protected]>

* VEX alignment changes

Signed-off-by: Charles Hu <[email protected]>

* SBOM support visibility; auto cleaning control Description

Signed-off-by: Charles Hu <[email protected]>

* Various styling changes

Signed-off-by: Charles Hu <[email protected]>

* Testing update

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Move porfile desc to summary

Signed-off-by: Charles Hu <[email protected]>

* Added conditional to control title genreation

Signed-off-by: Charles Hu <[email protected]>

* Review changes

Signed-off-by: Charles Hu <[email protected]>

* Adding CycloneDX types

Signed-off-by: Charles Hu <[email protected]>

* CWE tag fix

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Typing

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Fixing typing errors

Signed-off-by: Charles Hu <[email protected]>

* Review changes

Signed-off-by: Charles Hu <[email protected]>

* Tag changes

Signed-off-by: Charles Hu <[email protected]>

* Ref refactor

Signed-off-by: Charles Hu <[email protected]>

* Typing refactor, component hierarchy refactor

Signed-off-by: Charles Hu <[email protected]>

* Typing fixes

Signed-off-by: Charles Hu <[email protected]>

* Continued typing edits

Signed-off-by: Charles Hu <[email protected]>

* Message refactor

Signed-off-by: Charles Hu <[email protected]>

* Tags & description field changes

Signed-off-by: Charles Hu <[email protected]>

* Generic testing

Signed-off-by: Charles Hu <[email protected]>

* Refactoring

Signed-off-by: Charles Hu <[email protected]>

* Typing refactor

Signed-off-by: Charles Hu <[email protected]>

* Eugene changes

Signed-off-by: Charles Hu <[email protected]>

* Descriptions field fix

Signed-off-by: Charles Hu <[email protected]>

* Quick review change

Signed-off-by: Charles Hu <[email protected]>

* Add string headers

Signed-off-by: Charles Hu <[email protected]>

* Added additional tests

Signed-off-by: Charles Hu <[email protected]>

* Lint ignore

Signed-off-by: Charles Hu <[email protected]>

* Linting

Signed-off-by: Charles Hu <[email protected]>

* Linting :(

Signed-off-by: Charles Hu <[email protected]>

* Linting rules change

Signed-off-by: Charles Hu <[email protected]>

* Linting rules exception for unused vars prefixed with _

Signed-off-by: Charles Hu <[email protected]>

---------

Signed-off-by: Charles Hu <[email protected]>
  • Loading branch information
charleshu-8 authored Aug 19, 2024
1 parent 7a97eee commit e89ec11
Show file tree
Hide file tree
Showing 34 changed files with 472,556 additions and 73 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@
<li>AWS Security Finding Format (ASFF)</li>
<li>Burp Suite</li>
<li>Checklist</li>
<li>CycloneDX Software Bill of Materials (SBOM)</li>
<li>DBProtect</li>
<li>Fortify</li>
<li>Golang Security Checker (gosec)</li>
Expand Down
3 changes: 3 additions & 0 deletions apps/frontend/src/store/report_intake.ts
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import {
BurpSuiteMapper,
ChecklistResults,
ConveyorResults as ConveyorResultsMapper,
CycloneDXSBOMResults,
DBProtectMapper,
fingerprint,
FortifyMapper,
Expand Down Expand Up @@ -275,6 +276,8 @@ export class InspecIntake extends VuexModule {
return new ChecklistResults(convertOptions.data).toHdf();
case INPUT_TYPES.GOSEC:
return new GosecMapper(convertOptions.data).toHdf();
case INPUT_TYPES.CYCLONEDX_SBOM:
return new CycloneDXSBOMResults(convertOptions.data).toHdf();
case INPUT_TYPES.TRUFFLEHOG:
return new TrufflehogResults(convertOptions.data).toHdf();
default:
Expand Down
66 changes: 36 additions & 30 deletions libs/hdf-converters/.eslintrc.js
Original file line number Diff line number Diff line change
@@ -1,33 +1,39 @@
module.exports = {
parser: '@typescript-eslint/parser',
parserOptions: {
project: 'tsconfig.json',
sourceType: 'module',
},
plugins: ['@typescript-eslint/eslint-plugin'],
extends: [
'plugin:@typescript-eslint/eslint-recommended',
'plugin:@typescript-eslint/recommended',
'prettier',
'plugin:prettier/recommended',
parser: '@typescript-eslint/parser',
parserOptions: {
project: 'tsconfig.json',
sourceType: 'module'
},
plugins: ['@typescript-eslint/eslint-plugin'],
extends: [
'plugin:@typescript-eslint/eslint-recommended',
'plugin:@typescript-eslint/recommended',
'prettier',
'plugin:prettier/recommended'
],
root: true,
env: {
node: true
},
rules: {
'@typescript-eslint/naming-convention': [
'warn',
{
selector: 'interface',
format: ['PascalCase'],
custom: {
regex: '^I[A-Z]',
match: true
}
}
],
root: true,
env: {
node: true,
},
rules: {
"@typescript-eslint/naming-convention": [
"warn",
{
"selector": "interface",
"format": ["PascalCase"],
"custom": {
"regex": "^I[A-Z]",
"match": true
}
}
],
'object-curly-spacing': 'warn',
'@typescript-eslint/no-explicit-any': 'off',
},
'object-curly-spacing': 'warn',
'@typescript-eslint/no-explicit-any': 'off',
'@typescript-eslint/no-unused-vars': [
'warn',
{
argsIgnorePattern: '^_'
}
]
}
};
44 changes: 23 additions & 21 deletions libs/hdf-converters/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,32 +5,34 @@
OHDF Converters supplies several methods to convert various types of security tool data to and from the OHDF standard. OHDF Converters can be used in a variety of tools, and is currently well integrated with Heimdall itself, and the [SAF CLI](https://github.com/mitre/saf).

## Supported Formats

1. [**asff-mapper**] - AWS Security Finding Format JSON file, Prowler-derived AWS Security Finding Format results from concatenated JSON blobs, and Trivy-derived AWS Security Finding Format results from concatenated JSON blobs
2. [**aws-config-mapper**] - AWS Config
3. [**burpsuite-mapper**] - BurpSuite Pro XML file
4. [**caat-mapper**] - Compliance Assessment and Audit Tracking (CAAT) file
5. [**checklist-mapper**] - Checlist Mapper format
6. [**conveyor-mapper**] - Conveyor JSON file
7. [**dbprotect-mapper**] - DBProtect report in "Check Results Details" XML format
8. [**fortify-mapper**] - Fortify results FVDL file
9. [**gosec-mapper**] - gosec results JSON file
10. [**ionchannel-mapper**] - SBOM data from Ion Channel
11. [**jfrog-xray-mapper**] - JFrog Xray results JSON file
12. [**msft-secure-mapper**] - Microsoft Secure Score results file
13. [**nessus-mapper**] - Nessus XML results file
14. [**netsparker-mapper**] - Netsparker XML results file
15. [**nikto-mapper**] - Nikto results JSON file
16. [**prisma-mapper**] - Prisma Cloud Scan Report CSV file
17. [**sarif-mapper**] - SARIF JSON file
18. [**scoutsuite-mapper**] - ScoutSuite results from a Javascript object
19. [**snyk-mapper**] - Snyk results JSON file
20. [**sonarqube-mapper**] - SonarQube vulnerabilities for the specified project name and optional branch or pull/merge request ID name from an API
21. [**splunk-mapper**] - Splunk instance
22. [**trufflehog-mapper**] - Trufflehog results json file
23. [**twistlock-mapper**] - Twistlock CLI output file
24. [**veracode-mapper**] - Veracode Scan Results XML file
25. [**xccdf-results-mapper**] - SCAP client XCCDF-Results XML report
26. [**zap-mapper**] - OWASP ZAP results JSON
7. [**cyclonedx-sbom-mapper**] - CycloneDX SBOM JSON file
8. [**dbprotect-mapper**] - DBProtect report in "Check Results Details" XML format
9. [**fortify-mapper**] - Fortify results FVDL file
10. [**gosec-mapper**] - gosec results JSON file
11. [**ionchannel-mapper**] - SBOM data from Ion Channel
12. [**jfrog-xray-mapper**] - JFrog Xray results JSON file
13. [**msft-secure-mapper**] - Microsoft Secure Score results file
14. [**nessus-mapper**] - Nessus XML results file
15. [**netsparker-mapper**] - Netsparker XML results file
16. [**nikto-mapper**] - Nikto results JSON file
17. [**prisma-mapper**] - Prisma Cloud Scan Report CSV file
18. [**sarif-mapper**] - SARIF JSON file
19. [**scoutsuite-mapper**] - ScoutSuite results from a Javascript object
20. [**snyk-mapper**] - Snyk results JSON file
21. [**sonarqube-mapper**] - SonarQube vulnerabilities for the specified project name and optional branch or pull/merge request ID name from an API
22. [**splunk-mapper**] - Splunk instance
23. [**trufflehog-mapper**] - Trufflehog results json file
24. [**twistlock-mapper**] - Twistlock CLI output file
25. [**veracode-mapper**] - Veracode Scan Results XML file
26. [**xccdf-results-mapper**] - SCAP client XCCDF-Results XML report
27. [**zap-mapper**] - OWASP ZAP results JSON

### NOTICE

Expand All @@ -48,4 +50,4 @@ This software was produced for the U. S. Government under Contract Number HHSM-5

No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.

For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.
For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.
1 change: 1 addition & 0 deletions libs/hdf-converters/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ export * from './src/netsparker-mapper';
export * from './src/nikto-mapper';
export * from './src/prisma-mapper';
export * from './src/sarif-mapper';
export * from './src/cyclonedx-sbom-mapper';
export * from './src/scoutsuite-mapper';
export * from './src/snyk-mapper';
export * from './src/sonarqube-mapper';
Expand Down
1 change: 1 addition & 0 deletions libs/hdf-converters/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
},
"dependencies": {
"@aws-sdk/client-config-service": "^3.95.0",
"@cyclonedx/cyclonedx-library": "^6.11.0",
"@e965/xlsx": "^0.20.0",
"@mdi/js": "^7.0.96",
"@microsoft/microsoft-graph-types": "^2.40.0",
Expand Down
Loading

0 comments on commit e89ec11

Please sign in to comment.