From 155f468ab38a503679a16f284869b934bee249ee Mon Sep 17 00:00:00 2001
From: degenaro
Date: Tue, 8 Nov 2022 18:00:12 -0500
Subject: [PATCH] fix: Issue #24 (#25) * Issue #24 - Remove Kubernetes transformer demo - Add link to Kubernetes WG transformer demo * Issue #22 * Update precommit
Signed-off-by: Ekaterina Nikonova
Signed-off-by: Ekaterina Nikonova
Co-authored-by: Ekaterina Nikonova
---
.pre-commit-config.yaml | 2 +-
Makefile | 7 +-
README.md | 2 +-
.../Kubernetes-Yaml-to-OSCAL-Mapping.xlsx | Bin 10318 -> 0 bytes
trestle_k8s/Makefile | 32 --
trestle_k8s/README.md | 65 -----
trestle_k8s/images/k8s-to-oscal.drawio | 1 -
trestle_k8s/images/k8s-to-oscal.drawio.png | Bin 25810 -> 0 bytes
trestle_k8s/k8s-to-oscal.py | 274 ------------------
trestle_k8s/oscal-samples/sample-cis-k8s.json | 179 ------------
trestle_k8s/oscal-samples/sample-co.json | 147 ----------
.../oscal-samples/sample-falco-policy.json | 190 ------------
.../oscal-samples/sample-rhacm-policy.json | 137 ---------
13 files changed, 7 insertions(+), 1029 deletions(-)
delete mode 100644 trestle_k8s/Kubernetes-Yaml-to-OSCAL-Mapping.xlsx
delete mode 100644 trestle_k8s/Makefile
delete mode 100644 trestle_k8s/README.md
delete mode 100644 trestle_k8s/images/k8s-to-oscal.drawio
delete mode 100644 trestle_k8s/images/k8s-to-oscal.drawio.png
delete mode 100644 trestle_k8s/k8s-to-oscal.py
delete mode 100644 trestle_k8s/oscal-samples/sample-cis-k8s.json
delete mode 100644 trestle_k8s/oscal-samples/sample-co.json
delete mode 100644 trestle_k8s/oscal-samples/sample-falco-policy.json
delete mode 100644 trestle_k8s/oscal-samples/sample-rhacm-policy.json
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bda3fc6..c74da9f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -33,7 +33,7 @@ repos: exclude: "(oscal|third_party)" stages: [commit] - repo: https://github.com/executablebooks/mdformat - rev: 0.7.14 # Do not change version. 0.6.0 introduces breaking changes. + rev: 0.7.16 hooks: - id: mdformat exclude: "CHANGELOG.md|docs/mkdocs_code_of_conduct.md|docs/api_reference|tests/data/md" diff --git a/Makefile b/Makefile index ae71a97..a4d59c2 100644 --- a/Makefile +++ b/Makefile @@ -22,8 +22,11 @@ install: pre-commit: pre-commit install -code-format: +pre-commit-update: + pre-commit autoupdate + +code-format: pre-commit-update pre-commit run yapf --all-files -code-lint: +code-lint: pre-commit-update pre-commit run flake8 --all-files \ No newline at end of file diff --git a/README.md b/README.md index 58f52f1..1877686 100644 --- a/README.md +++ b/README.md @@ -74,7 +74,7 @@ This [demonstration](./trestle_task_osco_result_to_oscal_ar) shows how to use th *Convert Kubernetes results into partial OSCAL `assessment-results`* -This [demonstration](./trestle_k8s) shows how to use `trestle` functionality to create a Kubernetes results (YAML) to OSCAL (JSON) transformer. +Visit external site [Kubernetes WG Policy: OSCAL transformer](https://github.com/kubernetes-sigs/wg-policy-prototypes/tree/master/policy-report/oscal-transformer) for a demo of using `trestle` functionality to create a Kubernetes results (YAML) to OSCAL (JSON) transformer. ## License & Authors 
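Review bot: In the Makefile hunk, making `pre-commit-update` a prerequisite of `code-format` and `code-lint` means every format or lint run first executes `pre-commit autoupdate`, which rewrites the `rev:` pins in `.pre-commit-config.yaml` to whatever each hook repository currently publishes as its latest tag. Hook code executes on the developer or CI machine, so this brings unreviewed upstream releases into that path as a side effect of linting, and it can silently move the `rev: 0.7.16` pin that the first hunk of this same patch sets. I would keep `pre-commit-update` as a standalone target that a maintainer runs deliberately and commits, and restore the bare `code-format:` and `code-lint:` rules. If the pins are meant to be immutable, `pre-commit autoupdate --freeze` records commit hashes instead of tag names. A `.PHONY: pre-commit-update code-format code-lint` line would also stop a file of the same name from masking these targets.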
diff --git a/trestle_k8s/Kubernetes-Yaml-to-OSCAL-Mapping.xlsx b/trestle_k8s/Kubernetes-Yaml-to-OSCAL-Mapping.xlsx deleted file mode 100644 index 21810c8516ea6179fba5658d5f9c68f2403db0d3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10318 zcmaKS1yEdVlQphGaCdjt5Hz^EyE_DTcemgcoZt{VxVr`q?v_D=!w-4C-DI=>zJ05v zW~y55bGqlTKJrrF5NIGUFfbsn#%jtSe+c}`cRdFaYezY6$Dcx`tjc~9w z3M230-jOGJcSeq}JfD7KE-^(rAsUBRImye>4Z-08Pp3FZxcv(msVUGsqhn(bUV%^t z9TiuWC*!c)AdTZF6nit(yaiu~)*u-hD|TB6LOc&X)=f2%L}HggN$GsAVy;#c1d|Xr z_f-?`=8-kv$2ZsjCUF_$6yn_Ij{n2>^i-f*N2^*h}Cu!5@Q)Vz>Ofm$A{rFF8(m!WlUhL+WAh=-aR@l9`C z%octc%h(5{*17UFS6M3hCF)u<0*97QwJRm!<+;eCTqhG*$!d38kJ;})kl71JP_++- zK$)$nWX?fU3uu-Z-X+GW>L=UFJ+fKA%IS_{;7u1*zJsHLC>BWC03-A59YcPGSJ8cX zNLdYa9OM~?s_ue;7~glsh zya`VtK&PwYOEx4>P>FEXEIs`X=h$rwPJt&J9P;6I*WVpIeyA0HF^U(1u9i*W78&yU z1XD*_R8B;kh4f8`leRS*n~`>)O7BIRKqknq@#aHn4)CWI6(d%sk8M`5#Qljw!RlPO zu*q)nuJqwuF9dtEso{6zpll`I)v6I@9R{nYAe0)AB0N&w*qpUmi$*6^s*!`3%s7%t ztFIFnqXE>lDvfkQW97=;4pZeyNQ*Mds2ca~ry}3+^>wVyhuCN@m76jW^`c}}58r&~ zNq&fj;o9@~iU>a;FmPl-dZ2Vg?fBz?1kXEPfG;y(AXT$#vc5rL7j5#^)P|jpZ~CB*QANH#RNs&t8Mazy2z)i@l|mFNym8 zuagSGOQPJY86BP6txX(XlXRk~V3*H@b;8Ya0M%R+sHPMbB^fiM^`)H&_VF<;s6ZX9wyBH;ME9K5Z1bSrT z?5J8W2WDg1VjAoK3vxk7mm&~1Sx`qqG2%tE$N)9f_nblSI9WrA#r#SJm!=Jc-F>Jw{99(gbl8G?x1R5z_y*h;0yXW>C})})VJM=qm(Sf=i*ch zo#9j|6>?=^V8#LM%5TOw#P6~-GJ_0<=^8Z0Px>}-n$~wIw?Q}6>9V|CC((aeCS2l*Nk7(06!>Z%0j_uA}*9`)%(1W?F4zE z*M^uza!D&=xqTRSNx$4Sw!1o(4ef&88jY&v1QkgQE7ruq#@kBVfY)2rA?n^COI&767fWzL)s7U87{Rkq60_t=P$p_gH6jn+Is zA!2MjTVu%wqks~0CI)-+ZkZMwBHqTOsWHKWhyYY^YBxXP8$e%Ub0uJy=xR3?&@rzB zRfL;aCGIbZy2d)J(0wE(V-xd!LAGx0;|{;Dx%)_YdW8;Onp?JbqGqd&eccWrRVYow z`ejzvxh&SZ4abDJ@Zc)VFPUC#`H`)T@M*&_A;A{s=!Nt{&e?G0c12&tL?!*(WD}K~ zE!|>*4>Rs1>kBU&2BjH|0micJjSR;B^~e&lI!+u&yv@i&&sfx`Ny|pfSm&qMy3|{n z9q|J4@^M|U`()s=059Chu2O!=^2gb@WLnF)cInkwwi#ydeYOngAjlD7OFG=MaJkY> z`WeCQ*)DT}9=V(4nQO0^oun_Ox+qe;Dl~Hf&*5IJFXrufgJU~vB^3P#BzH`2{J!cs 
zzk*w3c3qx)+&g;GVJwAot*mA1FzT2mI!;VfBm%m8n^*?g$qrUNu`UID4n-sfzr++G zUVFqe4?cR#H%gSk->Gx-0f;Qs%f3(41(J6s;K`iNv|<{lYenPCZ@z@Ld}V*gbnZIK zw$-blI)G7V&x#hmX`k`to0`S3Lg=bd_h53)&`blkv%54v8p~qd(`(BE zei~CdGI)#W;=-2>uNEE;X`(lelGoANS$TIn_SVy57a*rR-fXCx;gfrd*Yt#y^|zK8 zwA)YIOgc07G`)3-j^vUuu``+;mn}o2Fqh8y!}(r!JVi?id|3m|ymGPjI!af=4@K`5 zj$y$P#pd$bMS0~WJl2}|TKODA?yeyGS4o*Ypen7-A-cQ?P{D_~w(XC^a#@!;vRw3B ze?EhtJ%Yck4|t@0_dF0FAR=V{wmu;KGwrzAIanFm*;&0#Jkd%+w#!UNZP&CAt2Xqy zmbl5_YB6yjD@esdX$hhjRuO1}XUTcbtH>sW)JsB$9B<**TGQM$S2L{+@VnG=RYtoF zI(g)q8G@Gjj+c$NQ<*17)F4wd1xFe57sn1)&I`u)W;}pXo+d`B#2oNzjqZ@_jY2Da zdE%dC#^R;FT-X@-VK#tuYThXzNk68;_i+aW-x30Jl1W0N#}V17js*bXF}o6NU zSl86P0_FwMG(zKZXJqTfz5`k_#H$vhx^?dv8k?sS`vGGcn$cl-gU{%T4S^opX(w5G zX1Q?Q5!e;`=es@*^JWVABJi0prdzA7(1vOTqox}?h6Lxwx%kSX6rjAc!8Q94Txhac zc>ag=80^~}2ZJZ&{Jc9*hq@v3D%?Q$(qpFpG;TOr7Kx~__wt?JG2?}f4N6urcNviY zJCt{y!rm`9u*myNLkgC|p5XZEjL)w63Cog&3L*v3Gi09Si@53*lCiHmCnTb!`O6B( zN{zn5LjFPsES_RZlgSsXdm|Re)S3n0i|S7l^vEb;Yc@_CoyjSn4Q=_PH+|Md79eud4+UXFyh`ez>oTrD`0R8VrWraqn~rh9qS_ z&kwZ(o+vPmoJ-7Pf{vjpRcL|N+0x2?b?knwHkwCxqnGcQ!!(EhJLW(T&pM?TYq(C! z$O3(7bGyU4!%u?0KssC%n4`$y3OlQ3N&xhLw}V}-koP%$AiFqkOcSZ7T3zu1dqqa> z^wwkgW!&Wdx{9OyXB9U$a4<1ea&oY+HT$)gS7>NC;x?lD0INDriMO1mG1krr@0QwshVGbsIp#bkntUx;ic?D>qlGH^fr ztc*7wi$>SXl0GNPAgU}eeXl~9n6uW}djVS;LnT_E`e0nU;c|X*pchl&3?rVzoAzzI zK9a4zZWo~@+_pKuPSOTvb3OmF;xdkGYQ0-V;3nl&zl4&+uMaQpBZ_kj@7A8^`Qbh9539?k3DBUorv zuX8yU4}9J`r_3BTE{y)*9OyP9*|uSgESy5QZ#IHVStr^eT)8`lvJQeHArrm@nEn1? 
zd&Q`WAAN9N6?Rs}f?d7+K^s=J zMim|x3aG|NH0pN>!4}NGAG&*MzV~uc+K=~k&sPr*iSdh2$jiP24|k`^@gboSX%zdV zj)doE!&VhsP1aNQ5{CU!xj}&t4^W^slvyH6eiqpXXA}7+@5Cq5Am>Zz>*)jNM3qsj zIt25C<4D$(YZLtEv@Q2|Me*+XI^=s`PrbIQ@M(zMu~VCp043o3N{0EtUORgENE7c= zSBNb;?kt-EZlI>TkhZuYR;vWbaP=x}N+gxlz1}sN%NP$#vHHw=UX3tmwxMcBY{z^o zqNrO8Ki`t94wtujQ*X$j&b7MG>&YFKREU%iRJVEJcPJ>_0nr+O<<51`RSE=89UceA zvJE3ax9iLk-gn9Z|1ON>NQ(xaQ+OVpXDX?D4DzT4UY9T!-%?G-K-sjAB-s@fc0WCPo^vkN>AI_gs`k>h zH+vZ5&6UWA3c0d6PrKW^#dWvbTRx(m;w)vX+--Z^2xW+eeS^WdJf|GWbaVlAh*>1Q zQWfgb@yni3+b%%Jv-mnRK7YgoH)U;w1ahf94_C*Jfd%;|!cIZ7Ja*g%0aW^Es??Uj z$w(tVb9bNUhUCN!4<^g7=6Ym}i-a%pW|(UG?^$z-y`UN7mNptu)Ll4oJu-E&@{iO3 z-u12A0#Y_NWk+ov=|%MQ&h#y4%PlcO^rl$;6PpKnRU=|#SSZ; z2QVKNM+*rTZ+tF>|_k?DuBEOndJ{XG$5`j{?HlJa>W0%tHx_{fL7nw=bQy}d^u8A>b> zycf;X$~&%(z75#cIH^A|?j51^;GyJ?s!&U2`D!5JNlCZ&p!0D-zj^_Zua}MaAxREp z_5jQahyz9=l(qP`BoWfLPtxm&1dj%9VQq1*sd*j{pbJiO5V3EvvC!iqd*q}@j3K7l z=&KR22{`fq-?I)#;0voN)Csi)1;H0_ay7sUr`X@!=pXqt%p>`^B*CGN0N;!3O2k7< zly-iRT0K<((5u43Bp5`xG~@ z--I4yK^X47R#gC(p|?;d92*3ltE+eL2*@3i&7dy=H6$Vr=qM-lW*kJ-G-S=#NR?{S z2`Wuz+{a^7Pc!8Z5f?9J>xdRJO&8f1zxduo0!bb0=rgy@tTLwJ-26H6Ucj>|q zcG?mH_^0zsij38s!MQ zpX<`CEQA%VG*9Wpmv6x#hLAC(cXaMnPITf|r5kTO;FAFMny?4#mme&y=cr1r0z?%% zVnIqZm9O4_r~Cjwu52Q5ZR|O9&^R7?r?wsqLKU!J9o|1n#F*s_UH}_5?L&z$axa?2 zenuiMu8G6ZGe|wOAH0IyRV=&G+R`Dz!QI=XngcSs|-}TZ)Va27pOmikN z1sFIm)aG?QsXN{j4Pt7vr(#GXo9LM>l8o>XR4Q4m96W=*F5`qn!*0RQARv^)|F$b8 z{kS-mRukY1v+Lfssnq>#aFh*U2IeST%SY74rjD7iuk^(6+dU$^UKa9sVZr3&j)(!X{q@eN>3kdXv4;(^%iT z&R|nWB7)XU6a=Fw9Jj7TULFjwP=pijOQJhma*{J{Im&@Ed9rTVx3)$ z+QeNaejL~wW~+t9}ivadQcNI1BRFQ4B?m`L2Q9ofn| zB->Ju4?De(N!`6)ZLg@i(=zFb#5&~5PDI+9jTiF80DrXUF-hJYYT0K@w86*0+i_#^ zVI4nFq^!1y<2{*1%-d21{2-3%-mH(RadlL2d7@^WGf+M~ZZsx$(|}eO@2g>R+rDnS zNlzY#WE`S2SRf?$u8nZm`>Um!niYwYE{l94cU+334i1d){L8~Q-b?{2r9v28;9 z{=0}^JFte$L!;>qt6y6^(pn9dpOWzl*|`Wq?>0B@DIr5b1E=xEmMFw+d{v}Sipc4Q z3DS1Do5Q-5mCCT7#QXUZAryRW^)u({NI2|(4=Ki;_g}(pS};eVMDs?-k{C>RB6`Iu z3?|eiPpi7S;;y2A618o5Q1Rj)MMe`RI#Nzl%A^kl*4Y=6+>ym(?3J^T5GBsZWNP)4 
zP*mOs6>%YK4=IICv4RC3oy-}y|8=VfvRoN{B6Ao~WD z8IqEGxoa>|j9dtnhSl|A_`)DIi)nW4+BLAM$Qq~o`Drl6o$S;^pqOLh6VCd2^m7Jn z{A}xk+Ab&Dw6>zUYs>c?k=hFIGV!ILGW1x5#=;4kQyF1u-JT||u}HO{_)(Wx1njFt zaf*F!orERwF71S;4-Zca7AFaY3>s@ZJyaSe2?h)Uk7wB0OZ8H?d((VEhN1N%#Jh^$ zftlB?2j3X*z3!rh?!V&AGKhsq(a55x>WY-kd}(Qe6#3woM9wIxI({*1?@U4Hh0lm0 ziG+T~Scy~U%f!QMd0*=rO0X~!ucB+U}Z^>WxafOrufa4@F|u8QCQJB@T&O|NfxEpy){ zQPR3ZNrn_01jo!HIN2D6EnM9g_Evbo4w*q1uttJ`w9zUO_Wcd6!_mXoUfRru?C2J* z37X<@iA_?|yAG88Y8P?%&aqeEVULl}L&!0bYD zej>pt9oK{CS%0um)KmTXzzxmI0a#K!@W&F5Mc5bgfJ(uH*ebac0JOH&8F?W@6%uSjFc8(f^y6V2(ow#J$5pnq8>mzy>togHI&|VCF02msF-d22{2HB=J{hkJ+>&L= zFEMgdYMn%L6<~WSG&@F$uDk5u$Gk%1eua0V?&bXI>kNG z>(~y2rBF*KiFuKX$_it^cg5vAX)$}`lL#R4S3Qvc1;zNJ2NsIs1v+nY0trfA^0IK) z77F70E8yv7$mNR`+ua#EQ$jYyiY)ik2}G%e_>0o|D!9{E(HBo39!tyw0sfbDMlVBa z$#OcYKloVUasR*5CNrE?M`OlvIOF=9o=g;gBCQ`*)3t(a7;=c|j`P^0&TmN#*HcnR z1;|g%V*;R&7Dz}ZsxtEuTn_*zQo-|8Bk{3JOISkm@setO`e*~d8Q#N)()$u&iP8J& zW2rw8$sA@o<^6#D)*8nYX5R@1-zA?^{i>LM=nXI`3#xz3Gg-L=Fj4lB&z}Yh1&a9% zSC8N7{4ea6%3hEKG<|M-9fe1ZOWrlLa+e>$OOZ6v!Ckh$47AISoH+oSI)z0ppHL5+ zbU*jM)#3=kur+9S1%Os{4$M(^R7e4!J6H%&RsQjpYzN*;;j6{+kU}0rrUi59)RXr( z6)&&!3wbdi;IDf4uW+w^K6~VVwNH`xSTQ7Ys?2A@#! zWM-k3hORHskiYxA#4M8x3jiMc<8LPBrNAsL1oH_c5uq*rl=J3sKBz5trQBTpJi6;2R0S%KAR(R zoMaqS|4iqNxxfeK&U85F^2Bb?87e#?tP$lDXn^t?r}Snl7^VUR?#Wl3(`L^(<#+m7 z-`=E(o`7_z7qz_C|K#>*X0%Vhk2v}e^iW!d^b^qy6Pi^iVYTcbv~<3YpFW+EN(lfB z>6a(@Z!u@`X6tm_0;jUQ>6S3%i8x?0CB#HnQjZ4PQT`+WvaFckpb;-se>kd0-7Ns2 z_)S?%KZ^%A!FC7()34~O$Zhl~?w^1p(UM??(%ux9kX?)i>Pqzf&Wcj{IQ0-O^AtZ? z2D7~Mq{XfwkwCmCJ7|~R9^aJTdThJ8(%Tm`S^cm<)llEafNu_X;E<5z*f(jkaEgQ! 
zQ=snLM0(I<8kVIr)jvzS-*Sw|mw`5R{yi62PG6NL7K5gi4%qpdK+!qs+xwe<(h*eO zbdsQcD=0s4G4T$8SS%%KhfKz<9`)~oOops>>)ZsFs>jYq_|!GD$~!`)8|>g%LsW{Q z9CWtjvsO)APr*PQA~hB+CnKcYN3n^=T;#-toFK4p(3>xGwwO7(LyIdX4CsGfcR|hW zHQZZ98uJc}lciUs3kkD1T&;bWPqd#NTh@z(10yIxZ8=r5JCq&6g*$CzLf8vqz>ace)1}c4L*^MPIpAdE+BL}O)ke>)mESKn*6~L zQ@A)Jv;Zk6#ZD=k-d+16@C%U-%^KQ6M)hUXY~z)WSc7xD@5)%!wd=)gY!2}0=BzlU z63VlzsWT~eh*RA~E8zzUNBo4kWpteGE)4svQ3@A#E)}Iid>;GzdlWG$=lZ$*kd(LF zMV#DwEMmp(CfGW=`)m_m&qQLzr!&(Wz|-LI2$ zBv_-si7i&q+C!@cyW>DQFnMoTjUy1yaf;S*L?CdU>t~4aaON3fqj{NFyY(Y9>v-^C z0|TOv6NmbZ~umkT-PWvGuLg{Bc`j zO$_sp-7A7L27zy=JRswnQ@BRX!&K7X_)I@YAhf|n!zsaeKR#GW-g`Z4Nrte-{JH?-GfKzplWS>Qj|=Y5l<_VvU3yTTEjiFt!$Ob7nUHP>b6 z#qWnI%i};!qAGrZ20Tnu#ZSQ6>1!JI@D6J?FG`k4R^b3)u;Ge_D$j&MIv9B7AS!h} znXOsEjB2i9W4rR&b>op6^4L6$+N5Vn0R~s^*kGHKi(s5A$vz&0oeBO?QfRRe773vt zi)JZ{qzaKVQfA+It1cz&kB@{xOBp~_+Ur~O)RtyR)iO)chYZ5r)_Zr=r~96quLU=^ zQcdVHr>;+iUa}2>4-*p)3Ym5q&egpd1zu^o2r(;z1ZDb9jRYpLQRk1vwaYDx%tvzl z)O-X_DWMt9ziyp5%ak?QUs}V|hW~c-dZk%t3E9~?nbn)oA0E&#+czOZTnrjlQYZIJn zA&!Dn-{Nc#OA0WL1=BcQa(GJGO&RkHnp%M~z?vnEDD1Q~llIoYkvXg5%I7MY(|$&j z(n1kh%uE)j4DG?~t~>wab(jy0V}>X{DRPoHpt4}wEEtn;|5ICdCk#gkUeuc^QJp-C z8@_&-RGX%KMyKTf0Bz#fuhQLA_6#eU^bUl0%h&)Vl)-+ncE_tsFWT>%Zg>MlH z9ud$UCBQSgII@>LL(>Kiw%^V72R@e$T7clG`XEsk(!g$~5-MGn2k1b}Vz)c}M1La( zWlw$Z%oM+%*j0S5icF^7{Q5Y-H*ENiU*S4Oa2kuC2lbZ5`RlT;$71B@KFdSjoJ6nw z*hFc3C#tIe|1i6J3VXzRYXcVL`~w5z`j|D@WyQjdNMh zt&`uP@Y2cnZ|mRWoWC9XNndznll+#MmnP9~2mj%g{B8bc8}gOo@LRkf|6)A+ZTe?3 z>a|b#TP|RKnf}>&`rG)=e$8vY>bFn_T@{&x8L4(4w!f7a^%ER3d?xBUN1C-PE| UFJ%n^0{`+%z0{5w`RlL$2Q|4X;s5{u diff --git a/trestle_k8s/Makefile b/trestle_k8s/Makefile deleted file mode 100644 index b34714f..0000000 --- a/trestle_k8s/Makefile +++ /dev/null 
@@ -1,32 +0,0 @@ -# -*- mode:makefile; coding:utf-8 -*- - -# Copyright (c) 2022 IBM Corp. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -all: run - -.SILENT: clone -clone: - if [ ! -d ./wg-policy-prototypes ]; then \ - git clone https://github.com/kubernetes-sigs/wg-policy-prototypes.git; \ - fi - -.SILENT: clean -clean: - rm -fr ./wg-policy-prototypes - rm -fr ./oscal - -.SILENT: run -run: clone - python k8s-to-oscal.py diff --git a/trestle_k8s/README.md b/trestle_k8s/README.md deleted file mode 100644 index e1763ab..0000000 --- a/trestle_k8s/README.md +++ /dev/null 
@@ -1,65 +0,0 @@ -# k8s-to-oscal - -*k8s-to-oscal.py* is a [trestle](https://github.com/IBM/compliance-trestle) based transformer from [Kubernetes YAML](https://github.com/kubernetes-sigs/wg-policy-prototypes) to [OSCAL JSON](https://pages.nist.gov/OSCAL/reference/latest/assessment-results/json-outline/). - -This demo showcases using *k8s-to-oscal.py* (built utilizing trestle functionality) to consume YAML results files and produce (partial) OSCAL assessment results. - -This demo is based on OSCAL 1.0.2 and requires trestle 1.0.x for support of AssessmentResults. - -A [spreadsheet](https://github.com/IBM/compliance-trestle-demos/blob/fixk8s-to-oscal-links/trestle_k8s/Kubernetes-Yaml-to-OSCAL-Mapping.xlsx) shows the mapping from YAML to OSCAL. - -Sample inputs can be found [here](https://github.com/kubernetes-sigs/wg-policy-prototypes/tree/master/policy-report/samples). Sample outputs can be found [here](https://github.com/IBM/compliance-trestle-demos/tree/fixk8s-to-oscal-links/trestle_k8s/oscal-samples). - -Policy Report CRD - OSCAL by the Kubernetes Policy Working Group is [here](https://docs.google.com/document/d/1RdxSz5kEdOPWPVCRNXWBM3AmeU2iBxRAKe89hN3JrtE/edit#). - -#### Prerequisites - -Python 3.7, 3.8, or 3.9. - -``` -> python -V -Python 3.9.9 -``` - -#### Demo - -![image](images/k8s-to-oscal.drawio.png) - -Download this repo. - -``` -> cd -> mkdir git -> cd git -> git clone https://github.com/IBM/compliance-trestle-demos -``` - -Install the demo dependencies, ideally in a python virtual environment. - -``` -> cd -> python -m venv venv.compliance-trestle-demos -> source venv.compliance-trestle-demos/bin/activate -> cd git/compliance-trestle-demos -> make install -``` - -Run the k8s-to-oscal demo, including fetching the sample YAMLs and invoking the trestle-based transformer to create the corresponding JSONs in OSCAL format. 
- -``` -> cd -> cd git/compliance-trestle-demos/trestle_k8s -> make - -2022/02/19 08:19:28 I created: sample-cis-k8s.json -2022/02/19 08:19:28 I created: sample-co.json -2022/02/19 08:19:28 I created: sample-falco-policy.json -2022/02/19 08:19:28 I created: sample-rhacm-policy.json -``` - -List the output files. - -``` -> ls oscal -sample-cis-k8s.json sample-co.json sample-falco-policy.json sample-rhacm-policy.json -``` diff --git a/trestle_k8s/images/k8s-to-oscal.drawio b/trestle_k8s/images/k8s-to-oscal.drawio deleted file mode 100644 index 9c8c4a0..0000000 --- a/trestle_k8s/images/k8s-to-oscal.drawio +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file 
diff --git a/trestle_k8s/images/k8s-to-oscal.drawio.png b/trestle_k8s/images/k8s-to-oscal.drawio.png deleted file mode 100644 index e33b0aa518128a404cb388e1b0147aa485079b92..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 25810 zcmeFZWmp{Dwk}G5K#)La5+qn~m&Tpo+PHgns$Mtd+xb+-)Eoa*?+pLt7grrIi`*G9q;HUbyfL?*iW%hP*5H!D#&P} zprC?LQ0}omzyQviCxN4YuY2yA@=_?}gX9}1C>XsSvics52rF9$OB8w@=|7L?xw&kd z-96}eWazoMWgRTx9&XM~z#(wn(b>Y*%GT22&uiRV+}!M3-0WZ>Z7?4_k0ck@-3K=Z zScuQ?&+<@fOQ*k8#K*w}RKTPU2GjFM0Y@sfPM!$h8zIPV#?Q+P97(#kI9Tdg!jx@2 z=(*+icmz0j`0s8}R?vp1&~r-z#}2mkmcW<1CEVWm?iLF-s5ghLGf*7N&%wt522M%a zxH&rlh2(_zIk-4@`T2P{z~H+_|9eaB3UhG?0Oz!zR!}$Fe|XwmBP~6k)_*q8P0CYQ zUP|6h00PxhRkF}`_Y!dXvteGAZtk{#RsOKi-=BSVvxkq1<)3FQEWK>uz>9Fx^T-0W zwXlU+yFnd+BDQ}sp8&#H-$74Gz{XHf%|+1G-NgkV^k?l(P@n~WRILtJkR52&T_rra zZZMcD#9LOK8>%j2psZ>m#ml3rY_CkuEyeBW;h^jQ^K#emgv-k5S;OskeYI@#1q28wPWcv=rjDQieKfX$xxbfFYKSGS(_QUf! zT-Jb5JoWUn<(%ccrJda+4Lk&)TJEYILb5PjX8|oWXCXl+IRm&FR8Llu%Sl&FSr=ia zY$<49uLj}L(bp9)aMa>=;L?^;ll1Tg-j7SiUXRDkOVG~AKu-?rCM)Lx)X(c^rzoe% zqiPNHG315nxch3^D_W_z7`Q`ZHGO%UAv!L6aBW?frHh?CzqA9~*3AZ?0n{bLZ(!}K z0NgLbC1v5Q0hm+{FoB$hx4a~96&SQqyp{sGz!@oSL3KGxCq+RWAwdJ+w6~%pH&hE^ zYYVt*sAwuX0oIq&QF2#umR5uK^4a-lbL(jOYC8k3Ap^0! 
z8&a}9yk2k^7-*0jpN;}p#lw|f5ALa{s|Z$8byQJzw{la})Ra`vRe`ALx#_sUW%OX0 zG79Pt7X?|Enzw_KmZycgt(~5vvIeiMoTId-pdrNFS5N`&si*+)mCIQCtKF*$o@^{1BUfzIDz}DRs&g1AL=VK|Pr7G*LXkq7U$Yo>i zV$UxFby3tefNLXQ21x+N)Y6sH&~Uca0xPRQ`GmZ!xm>uNA$HaHmAld9p`vCXdhFU6WEAeT|1EW&P3u@;e1GjRK<<{}`=CyZM(N}b|lUC92MCe!uLZQGT z_zijOZPYDv>>M2RRjr^F(v!b$~@v>TZb23*OB<1cFz=Qw?IF2^=fA z`T(Dbc6M6aj%vIv+D>Y4h^w5XBtM^yzP5#+g$>xwTg}$e&eu~)Qx-1GrRt_a41*f{R2J-qUwGupjZ_8BI;aK%?JjRu-YT^~s>S_gp{|&!rPJ%Ez~m zQFKi$=B{E@u7~jt9tD$QJ!a94{92TS((htthdZ-8lCdUb_83($*04r-i3U~XnE<7#TdGG_cNPL4o$Iu8g!55IVi8)9e5s^BIAEo_n&FI-}K;` zQ0t|E6(0T7DmF6iwEGa8-mQ_n{n1qes4QK==3epP!#cAtWTsR#tIob1-gk!Jw?E znY$!Xac|%KW_#KaPNeH{a1!y_;V=$H$hN3P&jE z*uAX`4yM6P*_F|U5tSQ6zKBF|IG&DPKeMS+!c9tl-!1zCYJqv=Fiv<&@rty{@SJ8F zqWtjp+N;uNCvLE!u(&F$=_^n9TGo}O{hsU$S0@op6#c!vi!#7IiWqvK*xek&`4A1bRvvk z``wn>Y4qwh?|tSWO|GDAe~+_jG^+8}TJmRmiF@>&rLm;Kyn8R$BWmY8I&1|`-Mim% zgjOTZIT%rOV6$OFJIX-cixcc0ABV-n;Fvc1c1hGwP*Bu-jV-6Mf_#^fLC0+4^k7|t z=e4tdRba6(kGsCkQhYDBSMwjAro<_1gx;RSaq)78d^C_%$s&IF(-Igks@>!rzZ6vw zzt0HfyuVKL8o#8J@JAWSykEvH(`kx1gF)+fJE+u_bew#$$ z_XS1D@`$-0hKNK1GD57GnMp(}#akSP@4cb7T5@J}WnVxo)~<;9wiOtVhy0)ii+;j+ z&@FgVXD1|;_Dy<0Domq$B(_KIIBClK=jmD$9C5;X|8#F=B}BkSl52p)|HA|`10DF- zenfuagv;Ug%**QhzTa^hi zmqN?XPLNZcZEHbf2344$j-4e^*nf3jKuKl0LEnRXl0Z+uWCiYMI|tfDo6-2_Pam7b z2hwQKV1gN=OOl0DB6eWpc%lRJ;Zf!eHf&0dS%WuCiaTpRv-^_=yqcYhV;4|>Jr>#d zNDIud5t+Bf4Q}=BYj{+NRaLG;Z1;%o zD^;w~D1O!HH9uw+wLUiq%7mA9wtau4EHi_#TKQ?vchB!^p3=c+q$9Sg^_|8rk$<0^ zx*jXKlVI!w9Mi>ojbXqT6u&l<+io8#7U=dS+DO3J{OAS8gGslnnEt*np0hm%KN0iP z9)+`Tnf8hL2Nj=6ADRwa_Sp*Ct`)eH;+vf4MhVsXxyQS5HT)(ypw)E}?UQ9;p+WCo zRqb~6TWpx9gjdY^fMlbII+uT-K@D4I!sC=L-Z8d)y#R7COgppCKqQN>-;`JVhYE|Ltqh_-m9u}>@8tUEt~EvhRE~Q z4g~JSh}Yw^Xmz_$E6!!@G`7F*(z6*WW+!(rI_L{;NO?Hr@kuu2>E}w=4KJN(bMn$f z)(2#XU~Ld)xmiQx#CmAGw*V zByNw~O{32JF6Ww94)b~vu1GdOoduRw2^rZCSh{wV9p<#YD1E8Yvzt1^O9#9K5d8Er zMFpKn%$L-AXBE>y?|udKSsG+z8PSLH;m&}fD;=Rl2Kfx)Oo#WfE`^uosW1<&>-WyJ z^+GcqwtaArYC}hsMJ<6k$EMNi?^`I~8u4C1Vw@i*k?@-u2rwYHdl*>-qGKMcC%zCj 
zNh>HQP*7D}74$HPf>!_BD|Aig3q-Hrs#F@-H{JPO+mFBQkme-;A5CJ0W6;9PfIi$s zYRFJc^p-q!$oSYHp91a$JI+O?6q{d_=IEsheI0ZEVl3IrD(a{u6Dnu^u znC_`i_V{DG2cfsP-dS-mVQTZfE#h6)9ZaH4K?$7O*^9gnSZVOz*;Fm+6Rt;e`qjdA z`$|t+Fi&rT%XAzNIiBHRi-W!{s|@!@=Y*BcEp&cLwjb zR7zP0A#9-~XP{T9|B7CZ@z&}1%OuB_tdq-6zYEuwCNW)!7ZFCf3xX$WVDak?qDO0= zLBm}iam->m3*415le>Q&C~Gv@?XV5=Is}&u8#9_RLvgx(VSG8TEf|>I0(CBbP(2k! zRPNnVBI4}zwj`hMn65Bw{hj+}xzd)?OB1|NRaM#k(^I)2va0KccGT-S%@6C@!NRnt zzEaQ4=nCHEsKTD$iDV9)UEpP^&Tv^T+K|sSrc_9O)M+IMiftGP>T_wItOAqMD`mJa zyJSnZ`<{IK!`p_VxvhBV?z;QIEAtjHccm-;+sn6>IP#)vBc`DcBu;Lp_`82q>ebB_y zw_!^}?fb`Wor)t?bc(_wMshynIj;{h~!-VEQfV zdF1hQe11WznJ8h;_(i(W=l13E_MdnV9uTb~#;mkCaKk-rijW6Iu>h*;0~P;V08k-s z)td;}zv0Cf9q53|fT1+A@e(MZTG=mdbPX4GHVOs117 z_gCkYc}@jD*mdbtCOH6{W}yMErNI60^#djqpd9q=NVe+TW%Lr`>_p_(6#VG$2kU46 zj1Bk->QVq&`zL(8L$hI6z-Ee@{ACymxSVaCQlgbe((qgI$D?}z&j6r{Z}6T30LU(Q z0A7C9%PT|kmJ28s7Od$lObuKnEOql#0@3P;Gd-nwiw{`uh+6qEEzsJ*KQQwhgnrBb zl;cw0RAmG%dxYqet17~l`!Hpt(T{=wyNFvv!RVrXvKxpDhx*-!T9eikUMv zDRJ&N4c6=R^-j%;#~Lr5(g8JLB$XFRGerFuMt-DsxTw@tX0Rpy???RS8%h~quQn-Z z;yCzpW*_(8KzkSS;vPJv3l6Cdv~1-#%)tK=c&MZlbh-pedP=(oQ4RXhN8t006Z_pW zar8rB-$@BJ1Ap*Gunz^^jy(Ef`h8j8+VVxp^_Kxw3jj3#yk@UxI&y5~6lXyP=4$_x zNVhWRFuu)n8X%uysXi0YJ_pfuCjiH}+hvL{i=kJj2d|Nll5|l7OY&u1z>JSPpaqT@ z{p=G-CV4(Q_ooBH9x1|*XBzfkU?G8BDFDa4vl(=9C%DXys1##KWD-fhfg^@@D6oCh!z7_y#D*K|G7p^5|N>zq7oDoY(paHdMFfOj|H(l#`pvKM6ZDG z?5n@@^)g=7U%4V+$NGmmfG+g#{Q-0^=TAB!Iz^S;EB}Cig~i1Xy$aKVpwB|W!d9jd5D&t zj)^G__(_{Q!=#B~ezd)J`j!sdaA;)@Gd3|fUoZe;N1jyNB_qJ+45H$*q)yhbU(*U^aPau<b*u3bZsdcukjnf1xj*TZ;qUsTcuObuo8#CkTw5p~ z0fuINzZd1>T*yViM0Mvy)CUr39ZHJ(CC$H>toL8Q6}7T%J!MZ{4VlRt-VJ!jUOK}mc93?3r*FGz9BbwLa%$Ck);ZvVz zd%i6*reP0_GN`wr)(?Y~%<0PX$cO5{(vgq(IHK`rMc!IB=2YGeQaa(xw9!TMLS%=d zA7qfA5C1Hf3_mWo?(hx|)p?QAiikJzc81!VzH_0Nk4`@$5mfPfo^9vpaySV2<%htJ zZzgX)QBzQP;UnhG=4#e)x+PFWwW(VY1MJQ%d!mItHkyT4-2LrQHH`D?OOcleyY6{b zJ?l=x6loyNgWHzsv*?~I7utId18rXT`RyHC{}k}!^y3iHih!)NVn<<1BFi6?W;Wwd z#)wv~>=S(ug-G_*JRYDDp`vKnZtL+}9wE4CT=whbVugp}eG@V7f5$GE?ecW+ItyIX 
z|CY_QrT_dn=#b-6^`7$G!u`jT>&-UHX<1Xm1l2IuP}78<%@cola!~cdJcWb-+$|do zv)IG48UM`KvgMc%Hat@qbSX#jl(c=Ml!jptM{1*baxZ`pjtAYPV-)qdirf>i*tX!1 zN}v*du{IRox-?}OSYc~EOFn37%Y$k!O#~n1HX|V+dB2Uh0`B#u7iYSqCi-^NwjgG- ze`JfDlmEedJNf*q8iM&jdBCM^W1@~7w9~qka_@AyKnLt@i@xbUONX<6q@+@{NIy%` zbF0fPzh3RbWL(76m!5HORvf5FR_b>A9}tjqUK$p5?EgYRI{E!CQjjmBBvt=`fqXhD zUK-vnz_FB6o;!cjav9nBIKk>VliEv%O~SMl>-tQ4{9T*0|GU+mZ1L_J%S+eWg#dlL z%H_+^5>tG?pt+cKEsUjKQ|{?sU@W<+8A5Ih;x(7Juia_S#p`Yx;tH-aXzT(X+v$8v zAz;1K{6xtiRv*jmqAK#{XWfK*)w*CcZMoBzzMiR{E%d)IzvOA2E0GA<)4li4Q%BZ6 z2;oPE9!zx!k|WZUaS7WezUwD5>7tG{YDYNQ8=VPWJZo+xGjamlY_F+SBY6OYbjO_N zrlKegO#8GP`{g`N{f}tKdXh@!4^KaDbxJs3I$ftk-ej{^39Sm_;y!GU8F4hnQ{Dow zbp-xyd#x<{fc_QPQ$EM`!cq*+&rhsH#mk?iF zXNi;2O?Uj-ts)=V>0ImS-}vm~Tg9f|Ypk_(4`YiLrwpk7aJ_lVTEW)b!bdfcrKe`6 zTOQ?1(b{$Hxz-?Q2Kf?A(c?A0cpM{0;`d6=L^UjX5k#2#DB(#CD?(3YqWg%nvw{0{ z@kkX&6EFXPVl0TUzwzW<@!p%aoQ;0tN5ePR1g}hBM~grwC#S#a60djPVz6R2!r3|j z!c6;SM9{Tv7jZGTjRS54I8>wQC050YiRs$q(I@?5JJ8Vr+NVZVt*5e7zwXa5!y8_G za2`CFG5@j1%4Af`Gqy6juv!r}GsPTM6VUn8R0GC+bdkydR?89X1INEG$np1&C-mpesQsvi*FRp^ zJDy(?1nclMf1@a8 zPn*H6tdUDBVyeYRCP?yyA2DjRaxCunxl!wyqU8SuNf}ip@@6@`*11bbhbwSQ^USA_ z265Orhb!(?$)2HaxD+8td+vctn7xkH_~;1%ZbjHTLHFN+X8j#g)p1eCvJW!9AT438 zcyoDap|o~mj%|f`sQwJ*-^%ORK%GQKzVX|kcMRobhk7y>bIOwK8=t=smtB`6D{s7p zER8b1SXK$b@Z+~s zc9cg*oWe?0(e}3TUPTtyq{39{OMAuf-)vyWrNGLt0MRkqBNEa`q1M5LlvhW5;MvaR z2J&yNS)sEOzV20L?}vz+AYpD#z887Zim!|;ZBZI5T5WlhUwPi=V;P-?9d4iV%q9c} z-+LbvwQ3*4!13m5VS}!k(KoftceB#x$zvP)!*pP!tX|>mP&&B?mycU@Ai$%h(74-r zC8HFBgnR8v#VEz<@%LVEoejD4OxEk4p_i|1Y56n6c645zo^{MJtAFp7-a0`S{0ONyoje-XO_UovP+|eAt|IP6%-jR`iX6KDl2T|B~He z$7=Xt-dgNxNXJ+JZ}DiPM6GdwHYtbTf=CBcv*Trq$_smxP2Gyjo$UeJRyEe3Xz`qY zN8Z%&b(T-!;X#y3!<-KHTuoWQ+Z!~sL=lj+WPawj{H3(_UZYb61-28YMuiQkO`08J zE%gsQmWEZ>IQE`92VM9z+kRe_XGMKmY#V!fSCoP&^-5;5dOg87$Gb zwB_vQqLIPtivk+VUENZeNRrAC@7HMhfJLKM@qGQ~r+mWFFH1t!_j3wFgZp27^7|IE zHUx!QhI+nJu43oMa$t!SgUuA15MPbduqQAchBEV{zFYzp;UBfo`{Iz%#S&+3y6~OL z0>QCxHc9yf=w%$6ttp#^r#V?cxYNp{#YTIn4+r1uvw@NvpF%~ zF`;Bp3m_f=sLbRyhv@6O 
ze$p+aR&3CbV*aj8pG`wnvS_QF=8%j9kTiw+G_#kU{`Ll7*uWhOEBZ`w2gw4D;+oHw zybn~!&9>l9qZmnRm}?bDr{9%$K!=q2N`4Oj%r|lejsEoZk!JvJ@Q*Nw1RVK~wfz&o z0|*CPnmc~Lj$IC57h~^u1BpqaB;?l|>idfT;Sj3uZ{95cD1l?OlQBAQwY5U<82~II z(hCd8*2(;y2oipbxdMpNUi{BN)Bg(7RyX_@?!fH7mEr^1Wp^R)0K^9UKa(L%6pKc4ApmRQ75ORRjsuN^{t5X0&WPNn2UoYu@K-3r z#m0VbaJQC`k$J|D3nCO1AxRrD4)5VkaELIOuSRJc-&r-gocUf%ZG2^7Zjp6ew(b+B zM|{bCY8b!#!9ws-sI|)PhJ!2fT{;yXRkv)MCqXz(KsRM%*C*=XN(LuL`E`K7k+MU5 z)4dgzWUb};_t{)guYHoP9gpe2+__?lRX`8$B)3F_B$8~jTVU^(Ik)TR!%m!kCCDxj zQ?DyL!i~c{a4*b-j`m`E(Qbd}NF|Q)IbWpDc*@uHjxj=;8mu>DBAfp-MSbFJ<>Q7| z%^=$QAB;nu-LW^YJ6h;qI0op2hC*gFpyubWF*f7S$QKXJ9FL{_Jw)~C!xeE$Ok=mX zKs&y*o!%#N(09{PT)j{?xZ#h-grN-YKiO^w;C1xR;#hv`gH4P;{d0?6F>OargiUT) z!C&{#kk7i2sA=Ua8uanRW=jy6d7Xhur93vjGT$`%^`5GCm*Qr4+rZZMmpk4@_ zN~cMhydsWzBWlAx>%8vW&b#YPOo4|)I7SjYA z_{RfV?Y23DO35q-a+Iaj9kYT%-Q6tu4!3gbPodUls^TrgLuT{4WsU3NpF}X~@!A@7 zVbLi}7(*>N^{(d_6{&nSvnYc&KUp+yjcz1f4&ulzbc6|soLm-vF8RH53@|J%GkM0TjL+3`wF>CM&W!np#OOg7xfn={VYtf8>tB1fletfn+DTOha(>rp8RXE?LW&WNVNA1`F&<_q(l3CwXuK^HyDbRHEO%OT+%}qm zzrB2(T%k=_BR3f0oXi;;Ljsrnj!|mTL=+r>cK$6DOUK56Y2w=#;_(W5 z&i!%hK8fiADe1sI-(H)_Zgs^UigTYZLsB>N49ps2cpeAW2YcR6D}F=3b57C}fe1Yo znSi^*i)MVX3yG)lMt;&6Ha|$YuSzK#^@i5UjoG5-&~zsbza-%6{SRA=CRKYk;#ud{ z10oPcieLVZF!?Fk2KL_|ZnlNe*=~4`8D|T75-9b3Jm~vUIs5ZnCzmbH*lz?l_+t+? 
zlS(u`=o6?=3ciW4`C`7h=Em@UHO)7F`@z!LUY@<2AN(eg{@IJDw9)X;yn{IGFgke1 zmx|;mS%-ZkadhV6wGKVdI-`t~h6KVC4|Z9SWQ zH9p(`Dz1&p5jEWm!orY;7mIspE*l9;S~+ZYZ>m9n%meG&NBxnPRB( zXr8p~u=6EnfW21v!&EB$!ThzKxoKR~E~vMJO9K;)9Bu*jcypi76jfS&9EAVNs{8({ zz)5u`Nm5GS(gk!Z(%{N$y%faLG~@E=`W?G4{`x>DT#G^rLroI-=0RmxwX6Knqh_9r zTh?3%&!pefns6lhJEKZ=2eRUk(hzQ{WJ$BNmNOtsPjY%Kc;vPnmhsRoWabwd1Nweg z8C$tMad|s?8@n{@qVY&R#@XbeuTQ~V})mk*qgb4Gcw$j7Z@3I})*0@ztndH}RvIghk^$#3-4xS4U zD#CtC@67T4t9gq4h_x5cQqBaS?{PVwHC`?`Y#W$HL5CT|^ZfVsXQf*zz5CuW>$}?A zk0#=b<_olUL2N+>X1D~#B`Y`ZylVKlxY{^>wC?lqDl>2>Ho8{ibj!B+6$u2+U5a$5 zMX<7fOPz7ha5%^vYRYW;3&ZYwKDz1g_nZ})mCQ8)j{OB}OZJNTB7i5>buqt-#sL>P zFvp!lOinzla~LRmpUwusdJ}>bz-Ydd66f#uu%x5Xw$V{>+U59a)H^YK$G&!HJF13M z=gHdc;MuR=?&8gBlRbp3|r)Lw{9`0GrkKwM2B@k__avT z+=7;pLthxXzvY&D%kF_^`9Vz|2H`#aEYv(2 zIe(UNucawtE)Jy0{Ie~jULhYd-JH6+0A9f$4T#ojxv9>oqirlD z)<_U9m+z8o@1gAw8~VhN#^K_(s?%9h4pwdl-fX(m`*-fqKZP|kFruJZq-vDny{^w3 z+Sy7-JgCMfI-7n{*68~7@0>YcM~W>ZPp2Z735FveL$1WS3+BI%TWZC&PWKsWOy>ZV zUu;Z}sZ77K;qRXJmXko|a07DAf7&pR&-$K$VYF|@F75)dY<~YTcK`PsD&(`o|9wC1 zy&+wAGj3u4*m$@iGx}bywEamo-!^^JPM{5DU6<_~wu;dW;598L82PgPX}7^wB$H_Q zXUGSYoT7Q`LFgki;O%RL&~ALx%f3JpXLjY!%bf6m{I7Bc zg#FVt>$ODb1$C*i(P5fEwKri^t2fn83bF9h`8^nn6Kc^4kA2GP+;&MhKUjy6^`;o*WCpyggSDN$of&S8n;UHBS$yD3X;lF= z-wS~4Kx|l5vx;Ho;^WW^$SC}?S_1-4G92RA~iEEG?4y}%j35bYmaR%b~ zIg-(4UB=gwKKZ!P6> zf7{$!m7|*bqq+zXg0EUN{N~fpd~m6PF2HFYZoXZ>b+%b{V&K}gd{gdK9;p(E>?38ZiH&LgDLE$q1Qv&$bye5{@xU((D%Z-8 zJN5Au!^ZM5x`2Q{dV0D=l-|P>68^X2^sAaz^eQ(ibIt`~0av^g@y4wP3d}sb-=BE^ zU+ksDw_JPmDka&$uI?j|*4ut^99?PyH$SZ{jW+o>#UO>gn|9Fr~?=PYi9FNUN|+ z1ZlKu>|-Af%E6a4LkG6|N)soUb~kJk(=Ntv zQ2!QRLzMnweCoU=Y(9dYTahvzI%E$b76jn3EF3J27i>6;W`Iq$v8Ql_le%tEs ze7!|R9}Z#67IP&cL}lFXtUhH8a5@(X^tb@$#kp$0C&oVAH_GfNNJ{rV`n(>qf|+`# zq#8&UPO(*3D?u$NoURvG8|K&vIN6odP&6|}X;9v2AWORbK7Ed4^qV}e^_P{xa>5-@3c)6x z`h(hoB5uj(3v3SFUv(v66%w9J5ueb=53S@}?F_vs5nw#Yod>oQc4fdH2Y(NE25c&P zxnKGckd<{F&JU(g_$hVi;jZ;(jcHfy~dJ`MmaK+1(=_XZ8Uh zKOh0*KA)&p=#MnaITZ-xbyimCrjm+eHl~L$7`0lBabwt%BNfYzofQDd20VFdt{eRk 
zWJZKbo11;ar^P;y*c>1n@DNzFYCaYQuf0Z5RH2mo;j||Q2(aW>)fk(NPHdbFfCceu zB387tE-+`Rt>lK5eiBFh=sQKOpKpAa+y~?_nZ8dEl)&386FlBIaY8?mh0XG_d=`aW z*Sh|kTcHD@_SU9MEIxPjB;n}DN`dld}jm1MPDf_GAhAe||#&%3Gy%zQPK83W#NW{j)=C96w z{)MC1tGMre($A;b$``ngqdZ-xn_{Rh9LPM-m(g5TwZbiuFM^t)BnO*;Ln$+-(F_Royxct<^M2WfTSd*q=9t6HN*R7?d&blQ+k@Sv`3S zE%IQDRvPHOCIbilK#*ezqtZ&#dR#OR3LAKKJZL0P>M64c@_8K!$O8NYRzPQaYmCD{N27j=n>A%jOuz6qU zmY5%$n367_IB-KjR%O$TKz9^Hm6oQx`c+3*>LA?i^w#*a#UqN8uN{-(X%PC{Jfvu@ zi21}Z2HC_6ukyN`bf~QO_q3~tsM5T#4p5EDHz{-(bo2jD)DPGU#CTd1>V<|Bzna_$ zPbp_Z;hgf7*MuNKbJHPmqMi`!U&7lMm7 zd6&P6Cc$5(J=R>sRefRs_4y$Q288k@zQoz1VR@AyZVW*CV4D3#*n#CXKtcNfjhC$X z%(myg{&FyTMBTF$TWrmoeDj-$^Ywj8O!0Es!ub6;`Z?ur15zFjo7sCtc#iEGFNa-r z*J342Ff5}EO$Gs?-}_xkfY}|8_(Nm%&vK+82YLA(HtsyuCZupH2Lc zphmJpBMYwf#{9H3ML2g{+tab(G|?JBiyIefZl_B?xOV@Y$K>{DOA3Wx{yw~LpeM~y_?bIB!%8pwF}tp4Uhdb?V9}fLy8o&ALFM8`)D?Fqr(pi3 zxzTu^f%8GQL0AHkBU+^_jIJOs?&85TWjLfI6X6-+*!;_n+RY3|E`kAox)m*|4g{T? z1C0xqMZ629ZY9ke=aU!d_cFjpbfKm0xt>a|3m$#OT6$s{2jnw$u8^f2D2}VS1kD8? z&7$RNZoWNgWJ#r}n0p!MU%aJ0Pwliu<$XbNnYPn&9dQa3YD?VHtMC=uz7F8TP$P|X zw;zITMt}4dwq5=D=4@b>M`kc?`SRDz8h^%#eRR>ehW|yRqY6@P;Ayb+P%d=tXF!q0 zN4ZomGABm1=QV|^=dh0WSn3J;g7|lels>(VuLiUPD`a6b-Lj89Q9pokU? 
zKj;qcelJr6Dw@p~b}*Xm==p)UaXmBP21MbihHqwsX`*}tOh46C16#=KV9nohvgUqF zObEsdB(vyXgR#{ZM~if*rfEA7^m%{J$wJ76La0ZJOsH<4A}(7MGDmw3QQyGhP;;BF z^zWU}-1QBun@`33UGQt!?V#O@bKi?>al|e8ib|fK3XscfSD^`3x)WM)VD%iX4bAg) zQ%W?bbd_ZaaQQwbe(4}I*k!rWL3-s~+f2dL52y2&esAtzj7~O&4t3mz&FWc2LBVqk zo`kp8EqtH~;}GxXB!-{2e#`xr5JmjIPtdaM=%@{%yb2|ywQ4IbGf73Hm70W*vRcny zeK}+@u6Ido{U>R}%4H?l!sv&R30DV94%61i&?-!y(G~3pW)AQH)`9*)L&$08f0(Y- zWKT6VHa5}hcWRUg<}Vdy*y{c_^{hDHqSQLgJoP)-W>ydtqMZIW4dKi8Aj0a2h`B54 zzsM%eO7-!j;c!G8Y3w4s3gSL;wwAu4T))-{zl5LS#{~CfGv~!T$C)Z=e;8eWd+i=Z z43XJ8gOXa8O2;l%vQ=Gvo8ccsI(8!+(dWaj5XYMFTkeUVip7Z=iu%A68dx6w;_QsY z%N@}a2<&Hq=kAccphu0|ekzH-@o^HH=rHSF#S>GX|0m*!ZU5dnB$ol{xHEZ$QkHQ* zq8@DOp>qV))Xj@~*_it%_(;n6KhwD&n>N2Rwqs{|3-u>>wN|iGz~-7$Ejlc^?JEz{ z+XW-h{@bdAbt(yiPU%!T zKam<%2`KWGosv3Jx*jMtE}q`$H79Z0^xpZ_&Zig_y-xz`ggRQToThyx0P zB_S%qGbadnS~|`+$Fnx}7v7z8-TAFJEw%@7Fp$<9_vGhy(Si(!6i1wK|iYjZk4}G|f zxZHW{qP_M+$E>6l#=`e#X@3ZoU!V2XLfHhDw{$9)Tp~cU=Q=CUWAVM4<Z{ukZvbMB+kqJh`Og_=N#Eezd$^#W;mLhO8&h|G@8 zL+TpbZ}BS5vd)gt%?=lDGbM8IF5sh7{&52-t>yb4>AeeB5)a-wzj&OBmAAitBL)!j z(ZkP5BSn$pxusY~oq!|}>}@&bHy3(&+cs9rV8szPKdk5gr1ZrTHD$CfuQ>dQinR-` zk@ohVMS|ioKX;@Dn-EkVdnfbpNxz!&$PzjhDIPEFFU%`oS85zbG~#vbMV!+3?`_~l zkuHd%Ww)G>)aaGUFIlm>UM#zEz)Aq8q7+8oaua^s3sX%?-ys`YCc(_4JS3mQY;_Rs zE=;N|#p&|rw7!uc%v4P@h3U%%m(fCT3>qgrmeh8*B%xd4Pe<*LR7M-=!QSk77lPNg_e?l^IN@->i2O>h<@`4tEg^zRD@z)Qogk~NW9vM zMay)$9Np5p;YlKAklg+N`w53bL-V&%-3Z_@c^^Tvryd|hl|ZM~5jiXXtu|<}6%{7w zhjk9F^0c&c7HA0!yb*jFaq6_PrEWLsjHH5d9OrTyyLdU^%10$K7-Jh3V!Hf51cX{%<#Za);)DAuAw-u??a#xs4f1-kbj+q`I-UJ8+EZ6KbZb0bpPqj=g<^ZZ(o{zyRbb<5}kmSU{FE>QbFqHQ2C1GsgAqVS;g;5M|MfEfJh zc23wmhz{&5uLOu2L54y%tN0Eo9uCS=QKWe zzUc!rnO4CYJOfIy1%9(X8Nhw3?%| z22hRt4TrH%;Qedeqou@8o~ybXQfPsSm*Nl0oB$m6hVd^P&0UtuO|~iwRP&(+q|%yk zGFbU-m>=Hri-PG|V*~dq{!JjtcwV`&LLli8j@|Ug>Mh^y7zsT@xkUrE`Z+tIb?Ek+ zWu#+;X;X*>n6_TFF^XP&2ne@D(*HFB<1X8#mj&D&8p=bo=#){7B``Fz{3P{gXK+-6 z>Clz*X8kJE2>($lJ7r;AZg;NHE%K!np$q$oVfWKaAadWp?+*RZkNORhZ_Px^?+RCq zN<1v;O;&<7{MR%Fb+7 zA`0t(JrZXi9|jdbZHMxU=H7`!RZ1i2 
zz5mX)rN#s>V$}S9)|F`_wJ*G_4&RW&Zd0yn6mTzR-o2Hc*saOdGmVWQ%S#L5)OIo^ zjVc5YEItacR?B&(z98ifbxC73ISZLTy1C%k%dDzAT{%qC->ao$6v$b=)GN}t7m#}V zF0A=zm+l=-I-T5u+@m-}*ax-Oh!;TD;(q1;!;XqRGu;CSGJ?NyasNfLnNFw`$OxDe zP(ObBxOct3-Nbn(8&yvv$&czA1=Lc;=ie21@A5sBvO)KB?ovQKeRX&Q6G=ut{QibU z{kK06`ad$)6CRFygzZWA>O50m^f&b5E>EOfAs?z;1IGqg-DuD%ky6SzUSZ%(2Gu)5 zaW=kO1=P1JcZrQG*~OFqhgv+$dOHs!Hr|kHyquy15*tt4$}4Dr#K!S~k91BzVxuCB zElKfR?qu=LkDKiP-7nny8z0D>Tp1#eEfTxSo#b4*5QYIUt#4UMi$LyV3SDCOyZ?T~ zf4-pr`oDOS;OG3S3>N3;jm|_>b(&{X_x?wF=k?W8y2fGJAV`KLy(?XMlO7o9ARtPU zP(lesg0uky0zrC52$FyX6dk04B0YdYC<=%I4hTvN8Nfk83lN%eHpjC(b1`dXoi*oN zoVDg3*cada-hJ`=z0b3oUD0r%Csns;(3nZS=-{yBfrf+E-23J17TK#R6CCLY)l8KZ zUsYb!D76V__iiP-xz}XL`y)|afXO~}p--Gn=a@UDublj89ta7z%+7kGNvLctB%e7$ z_ZS!*V7rY=6bP8_-=F}+`d1^@-wgBLAo)K*@)0zCgtatB4Lt@e9()XEaN}u%zF&=i z@+SNS>Kp$z)Th_q9zPZX!l=_kMG;0PzF3mC>O(6;(GsRrpo<2^hPua9-Zx*x_RGy>aXx$-`uXTgyLpWeMHsi4hS-uBHPx z9I;IQNJe0ARwov%rA9U3q?~)a6$Lns+@2|mIBjffLc+s`rPS7pymr>6 z0o&AoxIc*lSdt(vbz`Bh3Fb)pg$`<$q6&~*LMz`pX^9@40K7M4_wlY>KeFDco;38N zrFv`&%JHwRAAa2M&gJx8gRwO|_Qe1RcJL`q?!iJh~*Y&`%a)5DC^nyuFe4X{bv4FzPwAz|(O6BwP~pw8#h&qC-@_ zbD-^g5&grJc?7yCLt@d*|8+MY7gDC%Kcn(>%ivj!Q^WO<+}zwNKBi9pBa9E+&A2#9 zTxm`yd+?uNd^klF6qfPcz36axtS&!bH(GMZkafi21xdSv>IEjZb8IOr+@}1O)kHkr z*j`O?s6S4xFBGj3I)}dt-b{pI9CpngWnD1$TAr%RYb1M4|I*0}v%0nL!*xU?fyi8;$;7}Cm>fDle)Og;34yH5#`!STK0TQ7%R2qED!GcyUmp~U`^~F$j2=X zE((#LVGAnrX0`9G7iQVp8#5J+VzUW5`0z)bgYI1viA*kq)aUn4^gcnDfCSMyc?iiC zgjKd}I$MKpEw-7*t*&#^nI}bQp8MuD_>(8xKl_<`lINv&$xcGkqld3ifK>IZh;W@w zxdX}Z?L2a0vtN)JyS__X&T33NY^J!nItIC=%<2YHu3E97McTNcGpL$#NIem7^iYjF zyoPWe?9thmoakU-lUzEabuHl2xRyxR9csTsh0}q1BfnRYi$fr6g))|eRQAS$6xES; zj*^@rFveXLUe0}s^tUO?7NajTHtI;NT0N_JJ(cxRZvDC5x*;3;CPLZzLp6#Idu>89 zGHlZaPmXaPw*8CYdrWd%c4n4MyObybD+4Gehp6GJoQYN@ae8AX0qmW_q8sa5um)khgcO%^>zw zb}Vv>wnp=BthDRLEG%)E-Um@1_HSjS=YZ2=qfi_z6#G;>B2bfN;(e;8#jc1VZ*)FJ z+E!$N&+MtZEf_q=4Ca5-`bV*}#J5=bxcEWU*lt>0=p>TYjb=ra?^0+)J^-#t+)Sv{ 
zJgBT!TOf){_kPr-EDsQ~wx5S}8x{rqSuU-}1;3gmEDngMo{X&6H8oj)P-h*KesUw0%#OX}qSpmG1RI&0HF-Un_*#|-|t8sVA9Jz6Yz zeATZuMin*!HD0mmr1oRAGC$JmM&C*VaK_zARVnQXGUU-E?(DK=uK2lnra2*0e(9s6 zpx5|u0Rxc0^M~G;kARvi1<-|FR{-@FqXt7YhEIkma`M;^RD!ME|>7BbXpRV1;GFA%i zml=B!t2jF|sgTvr5gX#OcFwgEL3?dtVm0W3m+Db1z8w>M47p`EXio3vE3YZH9dwHC zz~vk8jV}ge%Ipw1Cn3|i{x8IYTtb=pvv|@70tRq>9Jk=&wIS71(!;!^wz7#l8&~^! zIF2rmwcj;jEW*8*aj@lL>{k1n0>nL#U6~;-OBO)A{i!{B<_!Vwn11C~HjA z$I<@zEU?G=Irymc{!WZ!YTZQp<`nm2rG1iFqgHG({bmprwnKD8WB zvuB|{87osZt|J@|5I-4e#rtA(#)c?{=@LFCC#P=2hq(HT4S~QsGq%+}T`|xfX3ELs z{h8j@cSV7MH?v)?Y3@Me-O-5_M~!2oz0AfdE8rmV$%i)}DJ4IWjgP(B9pMfVMXJdE zT`l(jXeIMzUC;g6D*nX73erdw!LG~K4J@n?WH-|_FdHEgZ-C<^#@hNpPNCv^aloqi zW#d{~p70JloX{vWs5QNXSsDWG!X{L}*e5VInZ;Obigd~Jj|E$teP>U?g_$8kGouxP zrepl0-=)+Y_}kZTAmQy7s({3`H!8XBK{7LMG0hasWSzU_tOKVBIeY@i~Z1(Gq3KX4tzofmlw{m&Koz>bEKp z3)?=KtY{6;|U5Vu3F9#o7E~6C?VzUhFY97ivNq+ey^3q4E5GFeIgr~d=MSDoEFA&=8 zo!39lSVjwUYmOIg_|?x^@b?VWUKlRG#Bf)KkITOAyY_2DY?GJ50@Zxvk}~BqdxGJ4 zI)lB;h~9?QM)QU~^x~DW(H$FYvWL=2_+v None: - """Initialize instance.""" - self.list = glob.glob(ifolder + '*.yaml') - self.list.sort() - - def __iter__(self): - """Initialize iterator.""" - self.n = 0 - return self - - def __next__(self): - """Next.""" - if self.n < len(self.list): - self.n += 1 - return self.list[self.n - 1] - else: - raise StopIteration - - -class YamlToOscal: - """Manage YAML to OSCAL transformations.""" - - def _ns(self) -> str: - """Return namespace.""" - return 'https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc' - - def _uuid(self) -> str: - """Return uuid.""" - return str(uuid.uuid4()) - - def _title(self, yaml_data: Dict) -> str: - """Return title.""" - return self._get_value(yaml_data, ['metadata', 'name']) - - def _description(self, yaml_data: Dict) -> str: - """Return description.""" - for label in ['wgpolicyk8s.io/engine', 'policy.kubernetes.io/engine']: - try: - return self._get_value(yaml_data, ['metadata', 'labels', label]) - except KeyError: - continue - 
return None
-
- def _control_selections(self) -> List[ControlSelection]:
- """Return control-selection list."""
- rval = []
- rval.append(ControlSelection())
- return rval
-
- def _reviewed_controls(self) -> ReviewedControls:
- """Return reviewed controls."""
- rval = ReviewedControls(control_selections=self._control_selections())
- return rval
-
- def _whitespace(self, text: str) -> str:
- """Replace line ends with blanks."""
- return str(text).replace('\n', ' ')
-
- def _normalize(self, text: str) -> str:
- """Replace slashes with underscores."""
- return text.replace('/', '_')
-
- def _get_value(self, yaml_data: Dict, keys: List[str]) -> Any:
- """Descend yaml layers to get value for order list of keys."""
- try:
- value = yaml_data
- for key in keys:
- value = value[key]
- except KeyError:
- raise KeyError
- return value
-
- def _add_prop(self, props: List[Property], name: str, yaml_data: Dict, keys: List[str]) -> Property:
- """Add property to list."""
- try:
- value = self._get_value(yaml_data, keys)
- prop = Property(name=self._normalize(name), value=self._whitespace(value))
- props.append(prop)
- return prop
- except KeyError:
- return None
-
- def _add_prop_with_ns(self, props: List[Property], name: str, yaml_data: Dict, keys: List[str], ns, class_) -> None:
- """Add property with ns and class to list."""
- try:
- value = self._get_value(yaml_data, keys)
- prop = Property(name=self._normalize(name), value=self._whitespace(value), ns=ns, class_=class_)
- props.append(prop)
- return prop
- except KeyError:
- return None
-
- def _get_result_observations(self, yaml_data: Dict, subjects: List[SubjectReference]) -> List[Observation]:
- """Return result observations list."""
- observations = []
- results = yaml_data['results']
- for result in results:
- observation = Observation(
- uuid=self._uuid(),
- description=self._description(yaml_data),
- methods=['TEST-AUTOMATED'],
- props=[],
- subjects=subjects,
- collected=_timestamp
- )
- for key in result.keys():
- if key in ['properties']:
- props = result[key]
- for prop in props:
- self._add_prop(observation.props, 'results.' + key + '.' + prop, props, [prop])
- elif key in ['resources']:
- resources = result[key][0]
- for resource in resources:
- self._add_prop(observation.props, 'results.' + key + '.' + resource, resources, [resource])
- else:
- class_map = {'policy': 'scc_rule', 'result': 'scc_result', 'message': 'scc_description'}
- if key in class_map.keys():
- self._add_prop_with_ns(
- observation.props, 'results.' + key, result, [key], self._ns(), class_map[key]
- )
- else:
- self._add_prop(observation.props, 'results.' + key, result, [key])
- observations.append(observation)
- return observations
-
- def _get_result_properties(self, yaml_data: Dict) -> List[Property]:
- """Return result property list."""
- props = []
- for key in [
- 'apiVersion',
- 'kind',
- 'metadata.namespace',
- 'metadata.annotations.name',
- 'metadata.annotations.category',
- 'metadata.annotations.file',
- 'metadata.annotations.version',
- 'summary.pass',
- 'summary.fail',
- 'summary.warn',
- 'summary.error',
- 'summary.skip',
- ]:
- self._add_prop(props, key, yaml_data, key.split('.'))
- return props
-
- def _get_local_definitions(self, yaml_data: Dict) -> LocalDefinitions1:
- """Return local definitions."""
- try:
- props = []
- for key in yaml_data['scope']:
- compound_key = 'scope.' + key
- class_map = {'namespace': 'scc_scope'}
- if key in class_map.keys():
- self._add_prop_with_ns(
- props, compound_key, yaml_data, compound_key.split('.'), self._ns(), class_map[key]
- )
- else:
- self._add_prop(props, compound_key, yaml_data, compound_key.split('.'))
- inventory_item = InventoryItem(uuid=self._uuid(), description='inventory', props=props)
- rval = LocalDefinitions1()
- rval.inventory_items = [inventory_item]
- except KeyError:
- rval = None
- return rval
-
- def _get_subjects(self, local_definitions: List[LocalDefinitions1]) -> List[SubjectReference]:
- """Return subject list."""
- try:
- subjects = []
- for item in local_definitions.inventory_items:
- subject_reference = SubjectReference(subject_uuid=item.uuid, type='inventory-item')
- subjects.append(subject_reference)
- except AttributeError:
- subjects = None
- except TypeError:
- subjects = None
- return subjects
-
- def _get_result(self, yaml_data: Dict) -> Result:
- """Return result."""
- result = Result(
- uuid=self._uuid(),
- title=self._title(yaml_data),
- description=self._description(yaml_data),
- start=_timestamp,
- reviewed_controls=self._reviewed_controls(),
- )
- result.props = self._get_result_properties(yaml_data)
- result.local_definitions = self._get_local_definitions(yaml_data)
- subjects = self._get_subjects(result.local_definitions)
- result.observations = self._get_result_observations(yaml_data, subjects)
- return result
-
- def transform(self, yaml_data_list: List[Dict]) -> Results:
- """Transform yaml to OSCAL json."""
- results = Results()
- for yaml_data in yaml_data_list:
- result = self._get_result(yaml_data)
- results.__root__.append(result)
- return results
-
-
-def main():
- """Transform k8s results to OSCAL."""
- ytoo = YamlToOscal()
- # output
- ofolder = 'oscal'
- opath = pathlib.Path(ofolder)
- opath.mkdir(parents=True, exist_ok=True)
- # input
- ifolder = 'wg-policy-prototypes/policy-report/samples/'
- source_folder = SourceFolder(ifolder)
- # create output OSCAL json file for each input k8s yaml file
- try:
- for ifile in source_folder:
- ipath = pathlib.Path(ifile)
- ofile = opath / (ipath.stem + '.json')
- yaml_data = []
- with open(ipath, 'r', encoding='utf-8') as yaml_file:
- for yaml_section in yaml.safe_load_all(yaml_file):
- yaml_data.append(yaml_section)
- results = ytoo.transform(yaml_data)
- results.oscal_write(pathlib.Path(ofile))
- logger.info(f'created: {ofile.name}')
- except yaml.YAMLError as e:
- logger.error(e)
- raise Exception(f'Exception processing {ipath.name}')
-
-
-if __name__ == '__main__':
- main()
diff --git a/trestle_k8s/oscal-samples/sample-cis-k8s.json b/trestle_k8s/oscal-samples/sample-cis-k8s.json
deleted file mode 100644
index 1c8f179..0000000
--- a/trestle_k8s/oscal-samples/sample-cis-k8s.json
+++ /dev/null
@@ -1,179 +0,0 @@ -{ - "results": [ - { - "uuid": "92a3672f-7d10-4738-8cd1-5a080468c0f1", - "title": "sample-cis-bench-api-server", - "description": "kube-cis", - "start": "2022-02-23T12:32:46+00:00", - "prop": [ - { - "name": "apiVersion", - "value": "wgpolicyk8s.io/v1alpha2" - }, - { - "name": "kind", - "value": "PolicyReport" - }, - { - "name": "metadata.annotations.name", - "value": "CIS Kubernetes Benchmarks" - }, - { - "name": "metadata.annotations.category", - "value": "API Server" - }, - { - "name": "metadata.annotations.version", - "value": "v1.5.1 - 02-14-2020" - }, - { - "name": "summary.pass", - "value": "8" - }, - { - "name": "summary.fail", - "value": "2" - }, - { - "name": "summary.warn", - "value": "0" - }, - { - "name": "summary.error", - "value": "0" - }, - { - "name": "summary.skip", - "value": "0" - } - ], - "reviewed-controls": { - "control-selections": [ - {} - ] - }, - "observations": [ - { - "uuid": "a6412809-b357-4bd6-a260-354605f66b5e", - "description": "kube-cis", - "props": [ - { - "name": "results.policy", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "api-server:anonymous-auth", - "class": "scc_rule" - }, - { - "name": "results.message", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "ensure that --anonymous-auth argument is set to false", - "class": "scc_description" - }, - { - "name": "results.result", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "warn", - "class": "scc_result" - }, - { - "name": "results.scored", - "value": "True" - }, - { - "name": "results.properties.category", - "value": "API Server" - }, - { - "name": "results.properties.index", - "value": "1.2.2" - } - ], - "methods": [ - "TEST-AUTOMATED" - ], - "collected": "2022-02-23T12:32:46+00:00" - }, - { - "uuid": "cfbf4e94-3d89-4420-87cb-73cfd1f1c2d3", - "description": "kube-cis", - "props": [ - { - "name": "results.policy", - "ns": 
"https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "api-server:basic-auth-file", - "class": "scc_rule" - }, - { - "name": "results.message", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "ensure that --basic-auth-file argument is not set", - "class": "scc_description" - }, - { - "name": "results.result", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "fail", - "class": "scc_result" - }, - { - "name": "results.scored", - "value": "True" - }, - { - "name": "results.properties.category", - "value": "API Server" - }, - { - "name": "results.properties.index", - "value": "1.2.2" - } - ], - "methods": [ - "TEST-AUTOMATED" - ], - "collected": "2022-02-23T12:32:46+00:00" - }, - { - "uuid": "72bac34a-665d-42d5-845c-cfc59a2c25f3", - "description": "kube-cis", - "props": [ - { - "name": "results.policy", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "api-server:token-auth-file", - "class": "scc_rule" - }, - { - "name": "results.message", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "ensure that --token-auth-file argument is not set", - "class": "scc_description" - }, - { - "name": "results.result", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "warn", - "class": "scc_result" - }, - { - "name": "results.scored", - "value": "False" - }, - { - "name": "results.properties.category", - "value": "API Server" - }, - { - "name": "results.properties.index", - "value": "1.2.2" - } - ], - "methods": [ - "TEST-AUTOMATED" - ], - "collected": "2022-02-23T12:32:46+00:00" - } - ] - } - ] -} \ No newline at end of file diff --git a/trestle_k8s/oscal-samples/sample-co.json b/trestle_k8s/oscal-samples/sample-co.json deleted file mode 100644 index cceb16a..0000000 --- a/trestle_k8s/oscal-samples/sample-co.json +++ /dev/null 
@@ -1,147 +0,0 @@ -{ - "results": [ - { - "uuid": "bd7299a4-bcfa-4b8a-aaa7-154a9aee973a", - "title": "sample-fedramp-compliance-operator", - "description": "openshift-compliance-operator", - "start": "2022-02-23T12:32:46+00:00", - "prop": [ - { - "name": "apiVersion", - "value": "wgpolicyk8s.io/v1alpha2" - }, - { - "name": "kind", - "value": "PolicyReport" - }, - { - "name": "metadata.annotations.name", - "value": "FedRAMP Moderate Benchmarks" - }, - { - "name": "metadata.annotations.category", - "value": "OCP4 CoreOS" - }, - { - "name": "metadata.annotations.file", - "value": "ssg-ocp4-ds.xml" - }, - { - "name": "metadata.annotations.version", - "value": "v1.5.1 - 02-14-2020" - }, - { - "name": "summary.pass", - "value": "8" - }, - { - "name": "summary.fail", - "value": "1" - }, - { - "name": "summary.warn", - "value": "1" - }, - { - "name": "summary.error", - "value": "0" - }, - { - "name": "summary.skip", - "value": "0" - } - ], - "reviewed-controls": { - "control-selections": [ - {} - ] - }, - "observations": [ - { - "uuid": "c3ceb451-d0b9-4cf0-ae48-5537aa26e2f6", - "description": "openshift-compliance-operator", - "props": [ - { - "name": "results.policy", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open", - "class": "scc_rule" - }, - { - "name": "results.message", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "Record Events that Modify User/Group Information via open syscall - /etc/group Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. 
Auditing these events could serve as evidence of potential system compromise.", - "class": "scc_description" - }, - { - "name": "results.result", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "fail", - "class": "scc_result" - }, - { - "name": "results.scored", - "value": "True" - }, - { - "name": "results.severity", - "value": "medium" - }, - { - "name": "results.properties.suite", - "value": "fedramp-moderate" - }, - { - "name": "results.properties.scan", - "value": "workers-scan" - } - ], - "methods": [ - "TEST-AUTOMATED" - ], - "collected": "2022-02-23T12:32:46+00:00" - }, - { - "uuid": "8bf607b3-3323-4e60-8ac4-d0a8fadf6ea3", - "description": "openshift-compliance-operator", - "props": [ - { - "name": "results.policy", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "xccdf_org.ssgproject.content_rule_sshd_limit_user_access", - "class": "scc_rule" - }, - { - "name": "results.message", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "Limit Users' SSH Access Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system.", - "class": "scc_description" - }, - { - "name": "results.result", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "warn", - "class": "scc_result" - }, - { - "name": "results.scored", - "value": "False" - }, - { - "name": "results.properties.suite", - "value": "fedramp-moderate" - }, - { - "name": "results.properties.scan", - "value": "workers-scan" - } - ], - "methods": [ - "TEST-AUTOMATED" - ], - "collected": "2022-02-23T12:32:46+00:00" - } - ] - } - ] -} \ No newline at end of file diff --git a/trestle_k8s/oscal-samples/sample-falco-policy.json b/trestle_k8s/oscal-samples/sample-falco-policy.json deleted file mode 100644 index 9bbc344..0000000 
--- a/trestle_k8s/oscal-samples/sample-falco-policy.json
+++ /dev/null
@@ -1,190 +0,0 @@ -{ - "results": [ - { - "uuid": "6bd25f89-4a80-45c9-b0c5-138304e98c6e", - "title": "falco-alerts-policy", - "description": "falco-agent", - "start": "2022-02-23T12:32:46+00:00", - "prop": [ - { - "name": "apiVersion", - "value": "wgpolicyk8s.io/v1alpha2" - }, - { - "name": "kind", - "value": "PolicyReport" - }, - { - "name": "metadata.namespace", - "value": "my-namespace" - }, - { - "name": "summary.fail", - "value": "1" - } - ], - "reviewed-controls": { - "control-selections": [ - {} - ] - }, - "observations": [ - { - "uuid": "fe919a82-879e-4b0f-9851-b02ae369696f", - "description": "falco-agent", - "props": [ - { - "name": "results.policy", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "Change thread namespace", - "class": "scc_rule" - }, - { - "name": "results.message", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "Falco alert created due to the Change thread namespace rule", - "class": "scc_description" - }, - { - "name": "results.result", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "fail", - "class": "scc_result" - }, - { - "name": "results.scored", - "value": "False" - }, - { - "name": "results.resources.apiVersion", - "value": "v1" - }, - { - "name": "results.resources.kind", - "value": "Pod" - }, - { - "name": "results.resources.name", - "value": "a-pod" - }, - { - "name": "results.resources.namespace", - "value": "my-namespace" - }, - { - "name": "results.properties.details", - "value": "12:57:37.086240437: Notice Namespace change (setns) by unexpected program (user=root user_loginuid=-1 command=ovnkube --init-node ..." 
- }, - { - "name": "results.properties.container.id", - "value": "0f8d7e2a3296" - }, - { - "name": "results.properties.evt.arg.path", - "value": "/bin/directory-created-by-event-generator" - }, - { - "name": "results.properties.proc.cmdline", - "value": "event-generator run --loop ^syscall" - }, - { - "name": "results.properties.severity", - "value": "low" - } - ], - "methods": [ - "TEST-AUTOMATED" - ], - "collected": "2022-02-23T12:32:46+00:00" - } - ] - }, - { - "uuid": "75462c11-d166-4ce6-9a45-c3c677bc4c37", - "title": "falco-alerts-policy", - "description": "falco-agent", - "start": "2022-02-23T12:32:46+00:00", - "prop": [ - { - "name": "apiVersion", - "value": "wgpolicyk8s.io/v1alpha2" - }, - { - "name": "kind", - "value": "ClusterPolicyReport" - }, - { - "name": "summary.fail", - "value": "1" - } - ], - "reviewed-controls": { - "control-selections": [ - {} - ] - }, - "observations": [ - { - "uuid": "44d0d935-51e1-4343-8eb7-4460286bfade", - "description": "falco-agent", - "props": [ - { - "name": "results.policy", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "audit", - "class": "scc_rule" - }, - { - "name": "results.message", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "audit rule violation from the kubernetes api server", - "class": "scc_description" - }, - { - "name": "results.result", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "fail", - "class": "scc_result" - }, - { - "name": "results.scored", - "value": "False" - }, - { - "name": "results.properties.details", - "value": "Warning K8s Operation performed by user not in allowed list of users" - }, - { - "name": "results.properties.severity", - "value": "medium" - }, - { - "name": "results.properties.user", - "value": "username" - }, - { - "name": "results.properties.target", - "value": "kubernetes/endpoints" - }, - { - "name": "results.properties.verb", - "value": 
"create" - }, - { - "name": "results.properties.uri", - "value": "/api/v1/namespaces/default/endpoints/kubernetes" - }, - { - "name": "results.properties.resp", - "value": "200" - } - ], - "methods": [ - "TEST-AUTOMATED" - ], - "collected": "2022-02-23T12:32:46+00:00" - } - ] - } - ] -} \ No newline at end of file diff --git a/trestle_k8s/oscal-samples/sample-rhacm-policy.json b/trestle_k8s/oscal-samples/sample-rhacm-policy.json deleted file mode 100644 index 9cff8a5..0000000 --- a/trestle_k8s/oscal-samples/sample-rhacm-policy.json +++ /dev/null 
@@ -1,137 +0,0 @@ -{ - "results": [ - { - "uuid": "ff4b5418-d429-4254-8121-d8b4bba3232f", - "title": "sample-rhacm-policy", - "description": "rhacm-configuration-policy", - "start": "2022-02-23T12:32:46+00:00", - "prop": [ - { - "name": "apiVersion", - "value": "wgpolicyk8s.io/v1alpha2" - }, - { - "name": "kind", - "value": "PolicyReport" - }, - { - "name": "summary.pass", - "value": "1" - }, - { - "name": "summary.fail", - "value": "11" - } - ], - "local-definitions": { - "inventory-items": [ - { - "uuid": "62460372-5f80-4e69-91fe-c403db0f3b8b", - "description": "inventory", - "props": [ - { - "name": "scope.apiVersion", - "value": "policy.open-cluster-management.io/v1" - }, - { - "name": "scope.kind", - "value": "Policy" - }, - { - "name": "scope.name", - "value": "policy-imagemanifestvuln" - }, - { - "name": "scope.namespace", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "cluster1", - "class": "scc_scope" - } - ] - } - ] - }, - "reviewed-controls": { - "control-selections": [ - {} - ] - }, - "observations": [ - { - "uuid": "f6e2163e-903c-4413-b4e1-c30b60b1ca21", - "description": "rhacm-configuration-policy", - "props": [ - { - "name": "results.policy", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "mustnothaveimagevuln", - "class": "scc_rule" - }, - { - "name": "results.message", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "must not have imagemanifestvulns", - "class": "scc_description" - }, - { - "name": "results.result", - "ns": "https://kubernetes.github.io/compliance-trestle/schemas/oscal/ar/scc", - "value": "fail", - "class": "scc_result" - }, - { - "name": "results.scored", - "value": "False" - }, - { - "name": "results.resources.apiVersion", - "value": "secscan.quay.redhat.com/v1alpha1" - }, - { - "name": "results.resources.kind", - "value": "ImageManifestVuln" - }, - { - "name": "results.resources.name", - "value": 
"sha256.8d104847fc2371a983f7cb01c7c0a3ab35b7381d6bf7ce355d9b32a08c0031f0" - }, - { - "name": "results.resources.namespace", - "value": "openshift-cluster-version" - }, - { - "name": "results.properties.details", - "value": "NonCompliant; violation - imagemanifestvulns exist and should be deleted: [sha256.8d104847fc2371a983f7cb01c7c0a3ab35b7381d6bf7ce355d9b32a08c0031f0] in namespace openshift-cluster-version" - }, - { - "name": "results.properties.standards", - "value": "NIST-CSF" - }, - { - "name": "results.properties.categories", - "value": "DE.CM Security Continuous Monitoring" - }, - { - "name": "results.properties.controls", - "value": "DE.CM-8 Vulnerability scans" - }, - { - "name": "results.properties.severity", - "value": "high" - } - ], - "methods": [ - "TEST-AUTOMATED" - ], - "subjects": [ - { - "subject-uuid": "62460372-5f80-4e69-91fe-c403db0f3b8b", - "type": "inventory-item" - } - ], - "collected": "2022-02-23T12:32:46+00:00" - } - ] - } - ] -} \ No newline at end of file