From cf13c41b962bc04a7165a0c3dabc9e1b84a6312a Mon Sep 17 00:00:00 2001
From: Lou DeGenaro
Date: Mon, 2 Oct 2023 10:17:49 -0400
Subject: [PATCH 1/2] Fix: improve error message when invalid property value specified
Signed-off-by: Lou DeGenaro
---
 tests/data/csv/soc2.sample.v1.csv | 118 ++++++++++++++++++++
 tests/trestle/tasks/csv_to_oscal_cd_test.py | 14 +++
 trestle/tasks/csv_to_oscal_cd.py | 20 ++--
 3 files changed, 144 insertions(+), 8 deletions(-)
 create mode 100644 tests/data/csv/soc2.sample.v1.csv
diff --git a/tests/data/csv/soc2.sample.v1.csv b/tests/data/csv/soc2.sample.v1.csv
new file mode 100644
index 000000000..78a240465
--- /dev/null
+++ b/tests/data/csv/soc2.sample.v1.csv
@@ -0,0 +1,118 @@
+$$Component_Title,$$Component_Description,$$Component_Type,Sub_Capability,Rule_Group_Id,Rule_Group_Description,Rule_Group_Purpose,Inputs,Additional_Outputs,Scope,Operational_Boundaries_Tags,$$Rule_Id,Implementation_Description,$$Rule_Description,$Parameter_Id,$Parameter_Description,$Parameter_Value_Alternatives,$Parameter_Value_Default,Parameter_Type,Parameter_Constraint,$$Profile_Source,$$Profile_Description,$$Control_Id_List,Rule_Data_Model_Type_List,Rule_Actual_State_Due_Renewal,Requiring_Regulation_List,$Check_Id,$Check_Description,Warn_Param_Id,Warn_Param_Remarks,Warn_Param_Value_Alternatives,Warn_Param_Value_Default,Evidence_Fetcher_Id,Evidence_Fetcher_Description,Fix_Id,Fix_Description,Rule_Implementation_Status,Rule_POAM_Reference_URL,Method,Environment,$$Namespace
+A human readable name for the component.,A description of the component including information about its function.,A category describing the purpose of the component. ALLOWED VALUES interconnection:software:hardware:service:physical:process-procedure:plan:guidance:standard:validation:,Sub-Capability as defined in SGC.,A grouping of rules associated with the same objectives.,A Description of the rule group.,Purpose of the Rule Group.,Description of inputs to the rule group.,Additional outputs expected from the rule group.,"A grouping the rules belonging to the same part of the stack, e.g. IaaS or PaaS or other technology.","A grouping the rules belonging to the same geo location or environment type, e.g. Production vs. 
devTest.",A textual label that uniquely identifies a policy (desired state) that can be used to reference it elsewhere in this or other documents.,Psuedo code in words to list the criteria used to perform the validations,A description of the policy (desired state) including information about its purpose and scope.,A textual label that uniquely identifies the parameter associated with that policy (desired state) or controls implemented by the policy (desired state).,A description of the parameter including the purpose and use of the parameter.,ONLY for the policy (desired state) parameters: A value or set of values the parameter can take. The catalog parameters values are defined in the catalog. ,"A value recommended by Compliance Team in this profile for the parameter of the control or policy (desired state). If a CIS-benchmark exists, the default default could be the CIS-benchmark recommended value.",The parameter type.,"The parameter constraint with respect to its alternative values, e.g. one value or any combination of values or a regular expression etc.",A URL reference to the source catalog or profile for which this component is implementing controls for. A profile designates a selection and configuration of controls from one or more catalogs,A description of the profile.,A list of textual labels that uniquely identify the controls or statements that the component implements.,A list of URL references that contain the Actual State Data Model (e.g. schema or swagger API or procedure template or terraform schema). Needed by the fetcher developer. ,A Due Renewal value of the duration of time the actual state is valid before it becomes stale or obsolete or overridden. Needed by the fetcher developer. 
,A list of URLs of the catalogs or profiles requiring this type of evidence.,A textual label that uniquely identifies a check of the policy (desired state) that can be used to reference it elsewhere in this or other documents.,A description of the check of the policy (desired state) including the method (interview or examine or test) and procedure details.,A textual label that uniquely identifies the parameter associated with that test warning condition. ,A description of the parameter including the purpose and use of the parameter for that test warning condition. ,A value or set of values the parameter can take for that test warning condition. ,A value recommended by Compliance Team in this test warning condition. ,A textual label that uniquely identifies a collector of the actual state (evidence) associated with the policy (desired state) that can be used to reference it elsewhere in this or other documents.,A description of the collector of the raw evidence and or actual state associated with the rule policy (desired state) including the method (interview or examine or test) and questionnaire or API details. L2 owns the Actual State Data Model.,A textual label that uniquely identifies the fix of the failed policy.,A description of the fix to remediate the failed policy.,Indicates the degree to which the a given policy is implemented. ALLOWED VALUES: IMPLEMENTED: The control is fully implemented. PARTIAL: The control is partially implemented. PLANNED: There is a plan for implementing the control as explained in the remarks. ALTERNATIVE: There is an alternative implementation for this control as explained in the remarks. NOT-APPLICABLE: This control does not apply to this system as justified in the remarks.,A URL reference to the Plan of Action and Milestones this component may be subjected to for remediation or deviation or mitigation in case of the policy (desired state) non compliance or error or failure. ,"Identifies how the observation was made. 
The value may be locally defined, or one of the following: EXAMINE: INTERVIEW: TEST Manual or automated : UNKNOWN","The environment, e.g. ibm-cloud.","A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name. Used in conjunction with ""class"" as the ontology concept. "
+VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,"A defect is the presence of an unacceptable software vulnerability (CVE or equivalent) as listed in the reference defect list (i.e., National Vulnerability Database [NVD] or other vulnerability dataset accepted for use by the organization) post the vulnerability due date.","To reduce the presence of vulnerabilities (CVEs) and flaws listed in the reference defect list (e.g., National Vulnerability Database \[NVD\]).",1. The actual state is the list software/ firmware vulnerabilities and flaws that are identified from various scans and tests along with the date when it was first identified. 1. 
The desired state is remediation within the timelines as per remediation standard.,List of vulnerabilities that are overdue.,,prod nonprod,os_infrastructure_scan_vulnerability_due_date_rule,"``` +func_duedate(cve_id, cvss, severity, first_seen) + if cve_id == """": + severity == DesiredInpuCVSSSeverity[i].severity + fix_days = DesiredInpuCVSSSeverity[i].fix_days + due_date = first_seen + fix_days + elseif cve_id in DesiredInputCISAKEV.vulnerabilities[i].cveID: + due_date = DesiredInputCISAKEV.vulnerabilities[i].dueDate + elseif cve_id in VulnerabilityCISOCVEOverride.vulnerabilities[i].cveID: + due_date = VulnerabilityCISOCVEOverride.vulnerabilities[i].due_date + elseif cvss >= DesiredInpuCVSSSeverity[i].min: + severity = DesiredInpuCVSSSeverity[i].severity + fix_days = DesiredInpuCVSSSeverity[i].fix_days + due_date = first_seen + fix_days + else: + DesiredInpuCVSSSeverity[i].max = 10.0 + fix_days = DesiredInpuCVSSSeverity[i].fix_days + due_date = first_seen + fix_days + return due_date + +metadata.service == +metadata.environment == ""production"" +metatada.location == + +ResourceScanFinding.scan_uid == ResourceScan.uid +ResourceScanFinding.about_uid == ResourceScan.about_uid +ResourceScan.type == ""tenable-nessus"" + +cve_due_date = func_duedate(ResourceScanFinding.id, , ResourceScanFinding.severity, ResourceScanFinding.first_detected_on) + +if cve_due_date => today: + return ""PASS"" +else: + return ""FAIL"" +```",https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,a1,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 
173",,,,,,planned,A URL reference to the Plan of Action and Milestones this component may be subjected to for remediation or deviation or mitigation in case of the policy (desired state) non compliance or error or failure.,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod nonprod,os_infrastructure_scan_warning_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,a2,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod nonprod,container_image_scan_vulnerability_due_date_rule,"``` +metadata.service == +metadata.environment == ""production"" +metatada.location == + +ResourceScanFinding.scan_uid == ResourceScan.uid +ResourceScanFinding.about_uid == ResourceScan.about_uid +ResourceScan.type == ""container-image-scan"" + +cvss = XForce.$.[*].risk_level +cve_due_date = func_duedate(ResourceScanFinding.id, cvss, , ResourceScanFinding.first_detected_on) + +if cve_due_date => today: + return ""PASS"" +else: + return ""FAIL"" +```",https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 
180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,a3,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod nonprod,database_scan_vulnerability_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,b1,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod nonprod,database_scan_warning_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,b2,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md 
https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod nonprod,web_scan_vulnerability_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,b2,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,pci_prod,asv_scan_cvss_4_or_higher_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,30,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,c1,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,23,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability 
Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,pci_prod,asv_scan_cvss_below_4_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,90,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d1,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,83,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod,continuous_compliance_open_vulnerability_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d2,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod,customer_reported_psirt_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,"30, 90, 
180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d3,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,pci_prod,internal_network_scan_high_vulnerability_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,30,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d4,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,23,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,pci_prod,internal_network_scan_medium_low_vulnerability_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,"90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d5,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md 
https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod,penetration_test_vulnerability_due_date_rule,"``` +metadata.service == +metadata.environment == ""production"" + +ResourceScanFinding.scan_uid == ResourceScan.uid +ResourceScanFinding.about_uid == ResourceScan.about_uid +ResourceScan.type == ""pen-test"" + +finding_accepted_on = ResourceScanFinding.first_detected_on + 15 days + +cve_due_date = func_duedate(ResourceScanFinding.id, , ResourceScanFinding.severity, finding_accepted_on) + +if cve_due_date => today: + return ""PASS"" +else: + return ""FAIL"" +```",https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d6,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,nonprod,cicd_open_vulnerability_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control 
Set,d7,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_deviations_test,A defect is the presence of an unacceptable risk arising from the software/ firmware vulnerabilities and flaws past the vulnerability due date.,"To assess the risk due to the presence of software vulnerabilities (CVEs) listed in the reference defect list (e.g., National Vulnerability Database \[NVD\]).","1. The actual state is the list software/ firmware vulnerabilities and flaws that are identified from various scans and tests that are past the due date. 1. The desired state specification is to have minimal (i.e., acceptable) risk from CVEs or equivalent that are past the remediation timeline.",TBD,,prod nonprod,valid_deviation_exists_rule,"``` +metadata.service == VulnerabilityDeviations.service + +VulnerabilityDeviations.risk_status == ""open"" +VulnerabilityDeviations.risk_approval_status == ""approved"" +ResourceScanFinding.about_uid in VulnerabilityDeviations.risk_about_uid[*] +ResourceScanFinding.uid in VulnerabilityDeviations.risk_cve_id[*] +ResourceScanFinding.security_item_id in VulnerabilityDeviations.risk_security_item_id[*] + +if VulnerabilityDeviations.created_on <= {{ ResourceScanFinding.first_detected_on }} + {{ var_remediation_days }}: + if VulnerabilityDeviations.mitigation_status == ""complete"": + return ""PASS"" + elseif: + VulnerabilityDeviations.target_date > today(): + return ""PASS"" + else: + return ""FAIL"" +else: + return ""FAIL"" +```",https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not 
applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d8,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_device_level_reporting,device_test,A defect occurs when a device in the desired state has not been scanned as recently as expected in the actual state at the thresholds defined for each device or device type based on the same considerations listed in HWAM-Q01 and SWAM-.,Ensure that devices expected to report VULN information to the actual state inventory have reported to prevent CVEs and CWEs from going undetected.,"1. The actual state is the list of actual devices that were scanned. 1. 
The desired state is the list of actual devices detected in HWAM-F01 and SWAM-, whether authorized or not.",Additional output of this defect check is a report with the list of devices checked by this defect check along with a timestamp of when this defect check was performed.,,prod nonprod,inscope_inventory_scanned_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d9,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,privileged_access_test,A defect occurs when a device in the desired state has not been privileged scanned as recently as expected in the actual state at the thresholds defined for each device or device type based on the same considerations listed in HWAM-Q01 and SWAM-.,Ensure that scan was performed with appropriate privilege in the actual state inventory to prevent systematic inability to check any applicable defect on any device.,"1. The actual state is the authorized scan result of actual state devices. 1. 
The desired state is the list of actual devices detected in HWAM-F01 and SWAM-, whether authorized or not.",None,,prod nonprod,privilege_scan_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e1,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,privileged_access_test,,,,,,prod nonprod,privilege_scan_unsupported_devices_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e2,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,privileged_access_test,,,,,,pci_prod,internal_network_privilege_scan_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not 
applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e3,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,privileged_access_test,,,,,,pci_prod,internal_network_privilege_scan_unsupported_devices_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e4,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,definition_date_test,A defect is a collection of devices that have been scanned with an outdated scanner definition.,Ensure that data for as many tests as possible are correctly reported in the actual state inventory to prevent defects from going undetected.,"1. The actual state is the actual scanner definition e.g., version, patch number, etc. that was used for performing the scan. 1. The desired state is the desired scanner definition e.g., version, patch number, etc. 
that is made available by the vendor and approved to be used.",This defect check does not produce any additional output.,,prod nonprod,scanner_vulnerability_definition_last_update_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05.02_odp.01,,prior to a new scan,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e5,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,1,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,scanner_configuration_test,A defect is a collection of devices that have been scanned with an unapproved scanner configuration.,Ensure that data for all required tests are correctly reported in the actual state inventory to prevent defects from going undetected.,1. The actual state is the actual scanner configuration that was used for performing the scan. 1. 
The desired state is the desired scanner configuration that is approved to be used.,This defect check does not produce any additional output.,,prod nonprod,scanner_configuration_last_update_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e6,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,tester_test,A defect is test execution by a service-dependent role.,Ensure that tests are performed by an independent and approved team,1. The actual state is the role of the tester who performed the scan/ test. 1. 
The desired state is the approved role who is approved to perform the scan/ test.,This defect check does not produce any additional output.,,prod,tester_role_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e7,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,tester_test,,,,,,pci_prod,asv_scan_vendor_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e8,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability
+VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,cisa_kev_tagging_test,A defect is the existance of the CVE Id in the CISA KEV Catalogue.,Ensure identified vulnerabilities if listed in CISA KEV Catalogue are tagged for further threat analysis,1. The actual state is the CVE id of the vulnerabilities that are identified from various scans and tests. 1. 
The desired state CVE ids listed in the latest CISA KEV Catalogue. ,This defect check requires an update to the vulnerability ticket.,,fr_prod,cisa_kev_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e9,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_overall_defect_check_reporting_completeness,notification_test,A defect is found if a the notification list for a vulnerability contains none of the role members that should be notified of that vulnerability.,Ensure that the required personnel were notified to help eliminate similar vulnerabilities in other systems.,1. The actual state for this check is the list of notifications sent and their recipients for each vulnerability detected during the reporting period. 1. 
The desired state is {{ param.ra_05_odp_4 }}.,This defect check does not produce any additional output.,,prod nonprod,scan_notification_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.04,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e10,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_overall_reporting_timeliness,scan_timeliness_test,A defect is found if the frequency between the last two scans is more than the desired frequency.,Ensure scans are performed at the organization defined frequency.,1. The actual state is the elapsed days between last scan and previous scan. 1. 
The desired stated is {{ ra-05_odp.1 }}.,A scan timeliness metric is generated.,,prod nonprod,scan_frequency_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.02,,1,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e11,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,2,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_overall_reporting_timeliness,scan_timeliness_test,,,,,,pci_prod,internal_network_scan_frequency_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,90,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e12,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,80,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_overall_reporting_timeliness,scan_timeliness_test,,,,,,pci_prod,internal_network_rescan_frequency_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control 
Set,e13,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_overall_reporting_timeliness,scan_timeliness_test,,,,,,pci_prod,asv_scan_frequency_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,90,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e14,,,,,,,,80,,,,,,,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_overall_reporting_timeliness,scan_timeliness_test,,,,,,pci_prod,asv_rescan_frequency_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e15,,,,,,,,,,,,,,,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability diff --git a/tests/trestle/tasks/csv_to_oscal_cd_test.py b/tests/trestle/tasks/csv_to_oscal_cd_test.py index 639db26e8..44ba32652 100644 --- a/tests/trestle/tasks/csv_to_oscal_cd_test.py +++ b/tests/trestle/tasks/csv_to_oscal_cd_test.py 
@@ -577,6 +577,20 @@ def test_execute_delete_rule_with_params(tmp_path: pathlib.Path) -> None: assert prop.value != 'allowed_admins_per_account' +def test_execute_bad_rule(tmp_path: pathlib.Path) -> None: + """Test execute add rule.""" + _, section = _get_config_section_init(tmp_path, 'test-csv-to-oscal-cd-bp.config') + section['component-definition'] = 'tests/data/csv/component-definitions/bp/component-definition.json' + # add rule + rows = _get_rows('tests/data/csv/soc2.sample.v1.csv') + rows[3][2] = '```' + with mock.patch('trestle.tasks.csv_to_oscal_cd.csv.reader') as mock_csv_reader: + mock_csv_reader.return_value = rows + tgt = csv_to_oscal_cd.CsvToOscalComponentDefinition(section) + retval = tgt.execute() + assert retval == TaskOutcome.FAILURE + + def test_execute_add_rule(tmp_path: pathlib.Path) -> None: """Test execute add rule.""" _, section = _get_config_section_init(tmp_path, 'test-csv-to-oscal-cd-bp.config') diff --git a/trestle/tasks/csv_to_oscal_cd.py b/trestle/tasks/csv_to_oscal_cd.py index 0a9fb4053..9eeb6c662 100644 --- a/trestle/tasks/csv_to_oscal_cd.py +++ b/trestle/tasks/csv_to_oscal_cd.py @@ -903,14 +903,18 @@ def __init__(self, row_number: int, rule_set: str) -> None: def add_prop(self, name: str, value: str, ns: str, class_: str) -> None: """Add prop.""" if value is not None and len(value): - prop = Property( - name=name, - value=value, - ns=ns, - class_=class_, - remarks=self._rule_set, - ) - self._props[name] = prop + try: + prop = Property( + name=name, + value=value, + ns=ns, + class_=class_, + remarks=self._rule_set, + ) + self._props[name] = prop + except Exception: + text = f'Invalid property name: {name} value: {value} remarks: {self._rule_set}' + raise RuntimeError(text) def get_props(self) -> List[Property]: """Get props.""" From b248257834f783d21c1dbec78bfababfad334165 Mon Sep 17 00:00:00 2001 From: Lou DeGenaro Date: Mon, 2 Oct 2023 13:27:59 -0400 Subject: [PATCH 2/2] feat: support #column heading name ignored 
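Review bot: The fixture this test loads, tests/data/csv/soc2.sample.v1.csv, carries a `?token=...` query string on every profile-source URL, which looks like an access token committed to test data; the test only needs the column shape, so the value should be replaced with a placeholder such as `?token=REDACTED` (and the token revoked if it was ever live). The new function's docstring and the `# add rule` comment are copied from test_execute_add_rule and do not describe this test, which overwrites one cell to force a failure; suggest `"""Test execute with an invalid property value."""` and `# corrupt a cell so Property construction fails`. It would also be worth asserting on the failure reason rather than only `TaskOutcome.FAILURE`, so a regression that fails for an unrelated cause is not mistaken for this one; whether execute() logs the 'Invalid property' text is not visible here, so adapt that check to what the task actually emits.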
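Review bot: The `except Exception:` in add_prop's new try block re-raises a RuntimeError without chaining, so the original validation error — the only thing that says why the value was rejected — is discarded, which works against the stated goal of a better message; change it to `except Exception as err:` and `raise RuntimeError(text) from err`. Catching every Exception also relabels unrelated failures inside Property (a programming error, say) as an invalid property; if Property raises a specific validation exception it would be better to catch only that, though its type is not visible in this hunk. The value is interpolated verbatim into the message, and the fixtures in this series show cells that run to dozens of lines, so consider truncating or `repr()`-ing it so the error stays one readable line in logs. The class enclosing add_prop starts outside the hunk.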
Signed-off-by: Lou DeGenaro --- tests/data/csv/soc2.sample.v2.csv | 118 ++++++++++++++++++++ tests/trestle/tasks/csv_to_oscal_cd_test.py | 18 ++- trestle/tasks/csv_to_oscal_cd.py | 22 ++-- 3 files changed, 149 insertions(+), 9 deletions(-) create mode 100644 tests/data/csv/soc2.sample.v2.csv diff --git a/tests/data/csv/soc2.sample.v2.csv b/tests/data/csv/soc2.sample.v2.csv new file mode 100644 index 000000000..64ce4f8d3 --- /dev/null +++ b/tests/data/csv/soc2.sample.v2.csv 
@@ -0,0 +1,118 @@ +$$Component_Title,$$Component_Description,$$Component_Type,Sub_Capability,Rule_Group_Id,Rule_Group_Description,Rule_Group_Purpose,Inputs,Additional_Outputs,Scope,Operational_Boundaries_Tags,$$Rule_Id,#Implementation_Description,$$Rule_Description,$Parameter_Id,$Parameter_Description,$Parameter_Value_Alternatives,$Parameter_Value_Default,Parameter_Type,Parameter_Constraint,$$Profile_Source,$$Profile_Description,$$Control_Id_List,Rule_Data_Model_Type_List,Rule_Actual_State_Due_Renewal,Requiring_Regulation_List,$Check_Id,$Check_Description,Warn_Param_Id,Warn_Param_Remarks,Warn_Param_Value_Alternatives,Warn_Param_Value_Default,Evidence_Fetcher_Id,Evidence_Fetcher_Description,Fix_Id,Fix_Description,Rule_Implementation_Status,Rule_POAM_Reference_URL,Method,Environment,$$Namespace +A human readable name for the component.,A description of the component including information about its function.,A category describing the purpose of the component. ALLOWED VALUES interconnection:software:hardware:service:physical:process-procedure:plan:guidance:standard:validation:,Sub-Capability as defined in SGC.,A grouping of rules associated with the same objectives.,A Description of the rule group.,Purpose of the Rule Group.,Description of inputs to the rule group.,Additional outputs expected from the rule group.,"A grouping the rules belonging to the same part of the stack, e.g. IaaS or PaaS or other technology.","A grouping the rules belonging to the same geo location or environment type, e.g. Production vs. 
devTest.",A textual label that uniquely identifies a policy (desired state) that can be used to reference it elsewhere in this or other documents.,Psuedo code in words to list the criteria used to perform the validations,A description of the policy (desired state) including information about its purpose and scope.,A textual label that uniquely identifies the parameter associated with that policy (desired state) or controls implemented by the policy (desired state).,A description of the parameter including the purpose and use of the parameter.,ONLY for the policy (desired state) parameters: A value or set of values the parameter can take. The catalog parameters values are defined in the catalog. ,"A value recommended by Compliance Team in this profile for the parameter of the control or policy (desired state). If a CIS-benchmark exists, the default default could be the CIS-benchmark recommended value.",The parameter type.,"The parameter constraint with respect to its alternative values, e.g. one value or any combination of values or a regular expression etc.",A URL reference to the source catalog or profile for which this component is implementing controls for. A profile designates a selection and configuration of controls from one or more catalogs,A description of the profile.,A list of textual labels that uniquely identify the controls or statements that the component implements.,A list of URL references that contain the Actual State Data Model (e.g. schema or swagger API or procedure template or terraform schema). Needed by the fetcher developer. ,A Due Renewal value of the duration of time the actual state is valid before it becomes stale or obsolete or overridden. Needed by the fetcher developer. 
,A list of URLs of the catalogs or profiles requiring this type of evidence.,A textual label that uniquely identifies a check of the policy (desired state) that can be used to reference it elsewhere in this or other documents.,A description of the check of the policy (desired state) including the method (interview or examine or test) and procedure details.,A textual label that uniquely identifies the parameter associated with that test warning condition. ,A description of the parameter including the purpose and use of the parameter for that test warning condition. ,A value or set of values the parameter can take for that test warning condition. ,A value recommended by Compliance Team in this test warning condition. ,A textual label that uniquely identifies a collector of the actual state (evidence) associated with the policy (desired state) that can be used to reference it elsewhere in this or other documents.,A description of the collector of the raw evidence and or actual state associated with the rule policy (desired state) including the method (interview or examine or test) and questionnaire or API details. L2 owns the Actual State Data Model.,A textual label that uniquely identifies the fix of the failed policy.,A description of the fix to remediate the failed policy.,Indicates the degree to which the a given policy is implemented. ALLOWED VALUES: IMPLEMENTED: The control is fully implemented. PARTIAL: The control is partially implemented. PLANNED: There is a plan for implementing the control as explained in the remarks. ALTERNATIVE: There is an alternative implementation for this control as explained in the remarks. NOT-APPLICABLE: This control does not apply to this system as justified in the remarks.,A URL reference to the Plan of Action and Milestones this component may be subjected to for remediation or deviation or mitigation in case of the policy (desired state) non compliance or error or failure. ,"Identifies how the observation was made. 
The value may be locally defined, or one of the following: EXAMINE: INTERVIEW: TEST Manual or automated : UNKNOWN","The environment, e.g. ibm-cloud.","A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name. Used in conjunction with ""class"" as the ontology concept. " +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,"A defect is the presence of an unacceptable software vulnerability (CVE or equivalent) as listed in the reference defect list (i.e., National Vulnerability Database [NVD] or other vulnerability dataset accepted for use by the organization) post the vulnerability due date.","To reduce the presence of vulnerabilities (CVEs) and flaws listed in the reference defect list (e.g., National Vulnerability Database \[NVD\]).",1. The actual state is the list software/ firmware vulnerabilities and flaws that are identified from various scans and tests along with the date when it was first identified. 1. 
The desired state is remediation within the timelines as per remediation standard.,List of vulnerabilities that are overdue.,,prod nonprod,os_infrastructure_scan_vulnerability_due_date_rule,"``` +func_duedate(cve_id, cvss, severity, first_seen) + if cve_id == """": + severity == DesiredInpuCVSSSeverity[i].severity + fix_days = DesiredInpuCVSSSeverity[i].fix_days + due_date = first_seen + fix_days + elseif cve_id in DesiredInputCISAKEV.vulnerabilities[i].cveID: + due_date = DesiredInputCISAKEV.vulnerabilities[i].dueDate + elseif cve_id in VulnerabilityCISOCVEOverride.vulnerabilities[i].cveID: + due_date = VulnerabilityCISOCVEOverride.vulnerabilities[i].due_date + elseif cvss >= DesiredInpuCVSSSeverity[i].min: + severity = DesiredInpuCVSSSeverity[i].severity + fix_days = DesiredInpuCVSSSeverity[i].fix_days + due_date = first_seen + fix_days + else: + DesiredInpuCVSSSeverity[i].max = 10.0 + fix_days = DesiredInpuCVSSSeverity[i].fix_days + due_date = first_seen + fix_days + return due_date + +metadata.service == +metadata.environment == ""production"" +metatada.location == + +ResourceScanFinding.scan_uid == ResourceScan.uid +ResourceScanFinding.about_uid == ResourceScan.about_uid +ResourceScan.type == ""tenable-nessus"" + +cve_due_date = func_duedate(ResourceScanFinding.id, , ResourceScanFinding.severity, ResourceScanFinding.first_detected_on) + +if cve_due_date => today: + return ""PASS"" +else: + return ""FAIL"" +```",https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,a1,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 
173",,,,,,planned,A URL reference to the Plan of Action and Milestones this component may be subjected to for remediation or deviation or mitigation in case of the policy (desired state) non compliance or error or failure.,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod nonprod,os_infrastructure_scan_warning_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,a2,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod nonprod,container_image_scan_vulnerability_due_date_rule,"``` +metadata.service == +metadata.environment == ""production"" +metatada.location == + +ResourceScanFinding.scan_uid == ResourceScan.uid +ResourceScanFinding.about_uid == ResourceScan.about_uid +ResourceScan.type == ""container-image-scan"" + +cvss = XForce.$.[*].risk_level +cve_due_date = func_duedate(ResourceScanFinding.id, cvss, , ResourceScanFinding.first_detected_on) + +if cve_due_date => today: + return ""PASS"" +else: + return ""FAIL"" +```",https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 
180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,a3,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod nonprod,database_scan_vulnerability_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,b1,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod nonprod,database_scan_warning_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,b2,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md 
https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod nonprod,web_scan_vulnerability_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,b2,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,pci_prod,asv_scan_cvss_4_or_higher_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,30,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,c1,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,23,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability 
Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,pci_prod,asv_scan_cvss_below_4_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,90,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d1,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,83,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod,continuous_compliance_open_vulnerability_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d2,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod,customer_reported_psirt_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,"30, 90, 
180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d3,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,pci_prod,internal_network_scan_high_vulnerability_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,30,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d4,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,23,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,pci_prod,internal_network_scan_medium_low_vulnerability_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,"90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d5,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md 
https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,prod,penetration_test_vulnerability_due_date_rule,"``` +metadata.service == +metadata.environment == ""production"" + +ResourceScanFinding.scan_uid == ResourceScan.uid +ResourceScanFinding.about_uid == ResourceScan.about_uid +ResourceScan.type == ""pen-test"" + +finding_accepted_on = ResourceScanFinding.first_detected_on + 15 days + +cve_due_date = func_duedate(ResourceScanFinding.id, , ResourceScanFinding.severity, finding_accepted_on) + +if cve_due_date => today: + return ""PASS"" +else: + return ""FAIL"" +```",https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d6,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_within_due_date_test,,,,,,nonprod,cicd_open_vulnerability_due_date_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.03,,"30, 90, 180",,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control 
Set,d7,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,"23, 83, 173",,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,reduce_software_firmware_vulnerabilities,vulnerability_deviations_test,A defect is the presence of an unacceptable risk arising from the software/ firmware vulnerabilities and flaws past the vulnerability due date.,"To assess the risk due to the presence of software vulnerabilities (CVEs) listed in the reference defect list (e.g., National Vulnerability Database \[NVD\]).","1. The actual state is the list software/ firmware vulnerabilities and flaws that are identified from various scans and tests that are past the due date. 1. The desired state specification is to have minimal (i.e., acceptable) risk from CVEs or equivalent that are past the remediation timeline.",TBD,,prod nonprod,valid_deviation_exists_rule,"``` +metadata.service == VulnerabilityDeviations.service + +VulnerabilityDeviations.risk_status == ""open"" +VulnerabilityDeviations.risk_approval_status == ""approved"" +ResourceScanFinding.about_uid in VulnerabilityDeviations.risk_about_uid[*] +ResourceScanFinding.uid in VulnerabilityDeviations.risk_cve_id[*] +ResourceScanFinding.security_item_id in VulnerabilityDeviations.risk_security_item_id[*] + +if VulnerabilityDeviations.created_on <= {{ ResourceScanFinding.first_detected_on }} + {{ var_remediation_days }}: + if VulnerabilityDeviations.mitigation_status == ""complete"": + return ""PASS"" + elseif: + VulnerabilityDeviations.target_date > today(): + return ""PASS"" + else: + return ""FAIL"" +else: + return ""FAIL"" +```",https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not 
applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d8,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_device_level_reporting,device_test,A defect occurs when a device in the desired state has not been scanned as recently as expected in the actual state at the thresholds defined for each device or device type based on the same considerations listed in HWAM-Q01 and SWAM-.,Ensure that devices expected to report VULN information to the actual state inventory have reported to prevent CVEs and CWEs from going undetected.,"1. The actual state is the list of actual devices that were scanned. 1. 
The desired state is the list of actual devices detected in HWAM-F01 and SWAM-, whether authorized or not.",Additional output of this defect check is a report with the list of devices checked by this defect check along with a timestamp of when this defect check was performed.,,prod nonprod,inscope_inventory_scanned_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,d9,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,privileged_access_test,A defect occurs when a device in the desired state has not been privileged scanned as recently as expected in the actual state at the thresholds defined for each device or device type based on the same considerations listed in HWAM-Q01 and SWAM-.,Ensure that scan was performed with appropriate privilege in the actual state inventory to prevent systematic inability to check any applicable defect on any device.,"1. The actual state is the authorized scan result of actual state devices. 1. 
The desired state is the list of actual devices detected in HWAM-F01 and SWAM-, whether authorized or not.",None,,prod nonprod,privilege_scan_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e1,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,privileged_access_test,,,,,,prod nonprod,privilege_scan_unsupported_devices_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e2,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,privileged_access_test,,,,,,pci_prod,internal_network_privilege_scan_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not 
applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e3,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,privileged_access_test,,,,,,pci_prod,internal_network_privilege_scan_unsupported_devices_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e4,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,definition_date_test,A defect is a collection of devices that have been scanned with an outdated scanner definition.,Ensure that data for as many tests as possible are correctly reported in the actual state inventory to prevent defects from going undetected.,"1. The actual state is the actual scanner definition e.g., version, patch number, etc. that was used for performing the scan. 1. The desired state is the desired scanner definition e.g., version, patch number, etc. 
that is made available by the vendor and approved to be used.",This defect check does not produce any additional output.,,prod nonprod,scanner_vulnerability_definition_last_update_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05.02_odp.01,,prior to a new scan,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e5,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,1,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,scanner_configuration_test,A defect is a collection of devices that have been scanned with an unapproved scanner configuration.,Ensure that data for all required tests are correctly reported in the actual state inventory to prevent defects from going undetected.,1. The actual state is the actual scanner configuration that was used for performing the scan. 1. 
The desired state is the desired scanner configuration that is approved to be used.,This defect check does not produce any additional output.,,prod nonprod,scanner_configuration_last_update_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e6,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,tester_test,A defect is test execution by a service-dependent role.,Ensure that tests are performed by an independent and approved team,1. The actual state is the role of the tester who performed the scan/ test. 1. 
The desired state is the approved role who is approved to perform the scan/ test.,This defect check does not produce any additional output.,,prod,tester_role_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e7,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,tester_test,,,,,,pci_prod,asv_scan_vendor_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e8,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_completeness_of_defect_check_level_reporting,cisa_kev_tagging_test,A defect is the existance of the CVE Id in the CISA KEV Catalogue.,Ensure identified vulnerabilities if listed in CISA KEV Catalogue are tagged for further threat analysis,1. The actual state is the CVE id of the vulnerabilities that are identified from various scans and tests. 1. 
The desired state CVE ids listed in the latest CISA KEV Catalogue. ,This defect check requires an update to the vulnerability ticket.,,fr_prod,cisa_kev_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e9,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_overall_defect_check_reporting_completeness,notification_test,A defect is found if a the notification list for a vulnerability contains none of the role members that should be notified of that vulnerability.,Ensure that the required personnel were notified to help eliminate similar vulnerabilities in other systems.,1. The actual state for this check is the list of notifications sent and their recipients for each vulnerability detected during the reporting period. 1. 
The desired state is {{ param.ra_05_odp_4 }}.,This defect check does not produce any additional output.,,prod nonprod,scan_notification_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.04,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e10,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_overall_reporting_timeliness,scan_timeliness_test,A defect is found if the frequency between the last two scans is more than the desired frequency.,Ensure scans are performed at the organization defined frequency.,1. The actual state is the elapsed days between last scan and previous scan. 1. 
The desired stated is {{ ra-05_odp.1 }}.,A scan timeliness metric is generated.,,prod nonprod,scan_frequency_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,ra-05_odp.02,,1,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e11,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,2,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_overall_reporting_timeliness,scan_timeliness_test,,,,,,pci_prod,internal_network_scan_frequency_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,90,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e12,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,80,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_overall_reporting_timeliness,scan_timeliness_test,,,,,,pci_prod,internal_network_rescan_frequency_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control 
Set,e13,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/defect_checks/vuln/vuln.md https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/procedures/vuln/vuln.md,,,,,,,,,,,,,planned,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_overall_reporting_timeliness,scan_timeliness_test,,,,,,pci_prod,asv_scan_frequency_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,90,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e14,,,,,,,,80,,,,,,,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability +VULN,Vulnerability Management,Process-procedure,ensure_overall_reporting_timeliness,scan_timeliness_test,,,,,,pci_prod,asv_rescan_frequency_rule,,https://github.ibm.com/cloud-governance-framework/security-governed-content/blob/main/standards/vuln/vuln.md,not applicable,,,,,,https://raw.github.ibm.com/cloud-governance-framework/soc2-catalog/develop/catalogs/SOC2/catalog.json?token=AAANTID3ZZIHQZETE7S3JYTFD4LI2,IBM SOC a Standard Control Set,e15,,,,,,,,,,,,,,,,,,http://ibm.github.io/compliance-trestle/schemas/oscal/cd/sec_capability diff --git a/tests/trestle/tasks/csv_to_oscal_cd_test.py b/tests/trestle/tasks/csv_to_oscal_cd_test.py index 44ba32652..78a264a13 100644 --- a/tests/trestle/tasks/csv_to_oscal_cd_test.py +++ b/tests/trestle/tasks/csv_to_oscal_cd_test.py 
@@ -577,8 +577,8 @@ def test_execute_delete_rule_with_params(tmp_path: pathlib.Path) -> None: assert prop.value != 'allowed_admins_per_account' -def test_execute_bad_rule(tmp_path: pathlib.Path) -> None: - """Test execute add rule.""" +def test_execute_column_bad_data(tmp_path: pathlib.Path) -> None: + """Test execute column bad data.""" _, section = _get_config_section_init(tmp_path, 'test-csv-to-oscal-cd-bp.config') section['component-definition'] = 'tests/data/csv/component-definitions/bp/component-definition.json' # add rule @@ -591,6 +591,20 @@ def test_execute_bad_rule(tmp_path: pathlib.Path) -> None: assert retval == TaskOutcome.FAILURE +def test_execute_column_ignore(tmp_path: pathlib.Path) -> None: + """Test execute column ignore.""" + _, section = _get_config_section_init(tmp_path, 'test-csv-to-oscal-cd-bp.config') + section['component-definition'] = 'tests/data/csv/component-definitions/bp/component-definition.json' + # add rule + rows = _get_rows('tests/data/csv/soc2.sample.v2.csv') + rows[3][2] = '```' + with mock.patch('trestle.tasks.csv_to_oscal_cd.csv.reader') as mock_csv_reader: + mock_csv_reader.return_value = rows + tgt = csv_to_oscal_cd.CsvToOscalComponentDefinition(section) + retval = tgt.execute() + assert retval == TaskOutcome.SUCCESS + + def test_execute_add_rule(tmp_path: pathlib.Path) -> None: """Test execute add rule.""" _, section = _get_config_section_init(tmp_path, 'test-csv-to-oscal-cd-bp.config') diff --git a/trestle/tasks/csv_to_oscal_cd.py b/trestle/tasks/csv_to_oscal_cd.py index 9eeb6c662..39a07ca7d 100644 --- a/trestle/tasks/csv_to_oscal_cd.py +++ b/trestle/tasks/csv_to_oscal_cd.py 
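Review bot: `test_execute_column_ignore` does not appear to exercise the new `#` column-ignore path, because `rows[3][2] = '```'` overwrites a data cell in the fourth row rather than a header name, so the `startswith('#')` branch in `_create_rule_props` is presumably never reached; setting a user column's header instead, e.g. `rows[0][idx] = '#' + rows[0][idx]`, and asserting that the generated component definition carries no prop for that column would pin the behaviour. The test also reads `tests/data/csv/soc2.sample.v2.csv`, which does not appear to be the sample CSV added earlier in this patch; unless a v2 sample already exists in the tree or arrives separately, the test fails on a missing file rather than on the feature. The docstring `"""Test execute column ignore."""` could state what is being ignored and why `SUCCESS` is the expected outcome. Separately, the SOC2 sample rows above embed a `?token=...` query string on every raw catalog URL; if that is a live access token it should be revoked and replaced with a placeholder before the fixture is committed, since committed test data is widely copied.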
@@ -125,8 +125,8 @@ def print_info(self) -> None: text1 = ' required columns: ' for text2 in CsvColumn.get_required_column_names(): if text2 in ['Rule_Description', 'Profile_Source', 'Profile_Description', 'Control_Id_List']: - text2 += '*' - logger.info(text1 + text2) + text2 += ' (see note 1)' + logger.info(text1 + '$$' + text2) text1 = ' ' text1 = ' optional columns: ' for text2 in CsvColumn.get_optional_column_names(): @@ -134,11 +134,14 @@ def print_info(self) -> None: 'Parameter_Description', 'Parameter_Value_Alternatives', 'Parameter_Value_Default']: - text2 += '*' + text2 += ' (see note 1)' if text2 in ['Check_Id', 'Check_Description']: - text2 += '+' - logger.info(text1 + text2) + text2 += ' (see note 2)' + logger.info(text1 + '$' + text2) text1 = ' ' + text1 = ' comment columns: ' + text2 = 'Informational (see note 3)' + logger.info(text1 + '#' + text2) text1 = ' output-dir = ' text2 = '(required) the path of the output directory for synthesized OSCAL .json files.' logger.info(text1 + text2) @@ -159,10 +162,13 @@ def print_info(self) -> None: text2 = '' logger.info(text1 + text2) text1 = 'Notes: ' - text2 = '* column is ignored for validation component type' + text2 = '[1] column is ignored for validation component type' logger.info(text1 + text2) text1 = ' ' - text2 = '+ column is required for validation component type' + text2 = '[2] column is required for validation component type' + logger.info(text1 + text2) + text1 = ' ' + text2 = '[3] column name starting with # causes column to be ignored' logger.info(text1 + text2) def configure(self) -> bool: 
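Review bot: Note [3], `'[3] column name starting with # causes column to be ignored'`, overstates the behaviour this patch adds: the only `#` handling visible is the skip in `_create_rule_props` over `get_user_column_names()`, so a required or optional column whose header starts with `#` would presumably still be read and validated rather than ignored. Suggest `'[3] user-defined column whose name starts with # is ignored (not emitted as a rule property)'`, or, if whole-file ignore is really the intent, applying the filter where column names are first read. Printing `'#' + 'Informational (see note 3)'` under `comment columns:` also reads as if `#Informational` were a fixed column name; `'#<any name>'` would be clearer. `print_info` begins and ends outside these hunks.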
@@ -557,6 +563,8 @@ def _create_rule_props(self, rule_key: tuple) -> List[Property]: # user props column_names = self._csv_mgr.get_user_column_names() for column_name in column_names: + if column_name.startswith('#'): + continue prop_name = self._get_prop_name(column_name) prop_value = self._csv_mgr.get_value(rule_key, column_name).strip() rule_set_mgr.add_prop(prop_name, prop_value, namespace, self.get_class(prop_name))
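Review bot: The new `startswith('#')` check tests the header exactly as returned by `get_user_column_names()`; if header cells are not stripped before that call, a header such as ` #note` with leading whitespace slips through and becomes a rule property, so either guard with `if column_name.strip().startswith('#'):` or confirm that the CSV manager normalises names. The convention is also defined only on this loop, so any other code path that iterates user columns would not honour it, which argues for filtering inside `get_user_column_names()` so the rule lives in one place. A why-comment on the branch would help the next reader, e.g. `# '#'-prefixed headers are informational and must not become rule props (see print_info note 3)`. `_create_rule_props` starts outside the hunk.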