Added support for scout suite AWS scanning (#96)

mitre · May 20, 2021 · 9aed494 · 9aed494
1 parent d725af4
commit 9aed494
Show file tree

Hide file tree

Showing 12 changed files with 380 additions and 33 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -74,3 +74,9 @@ jobs:
           jq 'del(.version, .platform.release)' nessus.json-ip-10-10-23-102.json > nessus_jq.json
           jq 'del(.version, .platform.release)' ./sample_jsons/nessus_mapper/nessus_sample_hdf.json > nessus_sample_hdf.json
           diff nessus_sample_hdf.json nessus_jq.json
+      - name: Test scoutsuite mapper
+        run: |
+          heimdall_tools scoutsuite_mapper -i ./sample_jsons/scoutsuite_mapper/sample_input_jsons/scoutsuite_sample.js -o scoutsuite_output.json
+          jq 'del(.version, .platform.release)' scoutsuite_output.json > scoutsuite_output_jq.json
+          jq 'del(.version, .platform.release)' ./sample_jsons/scoutsuite_mapper/scoutsuite_hdf.json > scoutsuite_sample.json
+          diff scoutsuite_sample.json scoutsuite_output_jq.json
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2021-03-16 17:26:37 UTC using RuboCop version 1.11.0.
+# on 2021-05-18 15:11:52 UTC using RuboCop version 1.14.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -19,11 +19,10 @@ Lint/DuplicateBranch:
   Exclude:
     - 'lib/heimdall_tools/dbprotect_mapper.rb'
 
-# Offense count: 3
+# Offense count: 2
 # Configuration parameters: MaximumRangeSize.
 Lint/MissingCopEnableDirective:
   Exclude:
-    - 'lib/heimdall_tools/burpsuite_mapper.rb'
     - 'lib/heimdall_tools/nessus_mapper.rb'
     - 'lib/heimdall_tools/zap_mapper.rb'
 
@@ -39,16 +38,10 @@ Lint/UnusedMethodArgument:
   Exclude:
     - 'lib/heimdall_tools/hdf.rb'
 
-# Offense count: 2
-# Configuration parameters: CheckForMethodsWithNoSideEffects.
-Lint/Void:
-  Exclude:
-    - 'lib/heimdall_tools/aws_config_mapper.rb'
-
-# Offense count: 20
+# Offense count: 32
 # Configuration parameters: IgnoredMethods, CountRepeatedAttributes.
 Metrics/AbcSize:
-  Max: 56
+  Max: 73
 
 # Offense count: 4
 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
@@ -61,17 +54,17 @@ Metrics/BlockLength:
 Metrics/BlockNesting:
   Max: 5
 
-# Offense count: 6
+# Offense count: 8
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ClassLength:
   Max: 171
 
-# Offense count: 7
+# Offense count: 10
 # Configuration parameters: IgnoredMethods.
 Metrics/CyclomaticComplexity:
   Max: 17
 
-# Offense count: 32
+# Offense count: 38
 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
 Metrics/MethodLength:
   Max: 52
@@ -81,7 +74,7 @@ Metrics/MethodLength:
 Metrics/ParameterLists:
   Max: 18
 
-# Offense count: 6
+# Offense count: 8
 # Configuration parameters: IgnoredMethods.
 Metrics/PerceivedComplexity:
   Max: 17
@@ -106,29 +99,20 @@ Naming/VariableName:
   Exclude:
     - 'lib/heimdall_tools/burpsuite_mapper.rb'
 
-# Offense count: 8
+# Offense count: 12
 # Configuration parameters: AllowedVariables.
 Style/GlobalVars:
   Exclude:
     - 'lib/heimdall_tools/jfrog_xray_mapper.rb'
     - 'lib/heimdall_tools/nessus_mapper.rb'
     - 'lib/heimdall_tools/nikto_mapper.rb'
     - 'lib/heimdall_tools/sarif_mapper.rb'
+    - 'lib/heimdall_tools/scoutsuite_mapper.rb'
     - 'lib/heimdall_tools/snyk_mapper.rb'
 
-# Offense count: 10
+# Offense count: 1
 # Configuration parameters: AllowedMethods.
 # AllowedMethods: respond_to_missing?
 Style/OptionalBooleanParameter:
   Exclude:
-    - 'lib/heimdall_tools/aws_config_mapper.rb'
-    - 'lib/heimdall_tools/burpsuite_mapper.rb'
-    - 'lib/heimdall_tools/dbprotect_mapper.rb'
-    - 'lib/heimdall_tools/fortify_mapper.rb'
-    - 'lib/heimdall_tools/jfrog_xray_mapper.rb'
-    - 'lib/heimdall_tools/nessus_mapper.rb'
-    - 'lib/heimdall_tools/netsparker_mapper.rb'
-    - 'lib/heimdall_tools/nikto_mapper.rb'
     - 'lib/heimdall_tools/sarif_mapper.rb'
-    - 'lib/heimdall_tools/snyk_mapper.rb'
-    - 'lib/heimdall_tools/zap_mapper.rb'
diff --git a/README.md b/README.md
@@ -17,6 +17,7 @@ HeimdallTools supplies several methods to convert output from various tools to "
 - **aws_config_mapper** - assess, audit, and evaluate AWS resources
 - **netsparker_mapper** - web application security scanner
 - **sarif_mapper** - static analysis results interchange format
+- **scoutsuite_mapper** - multi-cloud security auditing tool
 
 ## Want to recommend a mapper for another tool? Please use these steps:
   1. Create an [issue](https://github.com/mitre/heimdall_tools/issues/new), and email [email protected] citing the issue link so we can help
@@ -202,6 +203,22 @@ FLAGS:
 example: heimdall_tools nikto_mapper -j nikto_results.json -o nikto_results.json
 ```
 
+## scoutsuite_mapper
+
+scoutsuite_mapper translates Scout Suite results from Javascript to HDF-formatted JSON so as to be viewable on Heimdall
+
+Note: Currently this mapper only supports AWS.
+
+```
+USAGE: heimdall_tools scoutsuite_mapper -i <scoutsuite-results-js> -o <hdf-scan-results-json>
+
+FLAGS:
+    -i --input -j --javascript <scoutsuite-results-js> : path to Scout Suite results Javascript file.
+    -o --output <hdf-scan-results-json>                : path to output scan-results json.
+
+example: heimdall_tools scoutsuite_mapper -i scoutsuite_results.js -o scoutsuite_hdf.json
+```
+
 ## jfrog_xray_mapper
 
 jfrog_xray_mapper translates an JFrog Xray results JSON file into HDF format JSON to be viewable in Heimdall

diff --git a/lib/data/scoutsuite-nist-mapping.csv b/lib/data/scoutsuite-nist-mapping.csv
@@ -0,0 +1,140 @@
+rule,nistid
+acm-certificate-with-close-expiration-date,SC-12
+acm-certificate-with-transparency-logging-disabled,SC-12
+cloudformation-stack-with-role,AC-6
+cloudtrail-duplicated-global-services-logging,AU-6
+cloudtrail-no-cloudwatch-integration,AU-12|SI-4(2)
+cloudtrail-no-data-logging,AU-12
+cloudtrail-no-encryption-with-kms,AU-6
+cloudtrail-no-global-services-logging,AU-12
+cloudtrail-no-log-file-validation,AU-6
+cloudtrail-no-logging,AU-12
+cloudtrail-not-configured,AU-12
+cloudwatch-alarm-without-actions,AU-12
+config-recorder-not-configured,CM-8|CM-8(2)|CM-8(6)
+ec2-ami-public,AC-3
+ec2-default-security-group-in-use,AC-3(3)
+ec2-default-security-group-with-rules,AC-3(3)
+ec2-ebs-snapshot-not-encrypted,SC-28
+ec2-ebs-snapshot-public,AC-3
+ec2-ebs-volume-not-encrypted,SC-28
+ec2-instance-in-security-group,CM-7(1)
+ec2-instance-type,CM-2
+ec2-instance-types,CM-2
+ec2-instance-with-public-ip,AC-3
+ec2-instance-with-user-data-secrets,AC-3
+ec2-security-group-opens-all-ports,CM-7(1)
+ec2-security-group-opens-all-ports-to-all,CM-7(1)
+ec2-security-group-opens-all-ports-to-self,CM-7(1)
+ec2-security-group-opens-icmp-to-all,CM-7(1)
+ec2-security-group-opens-known-port-to-all,CM-7(1)
+ec2-security-group-opens-plaintext-port,CM-7(1)
+ec2-security-group-opens-port-range,CM-7(1)
+ec2-security-group-opens-port-to-all,CM-7(1)
+ec2-security-group-whitelists-aws,CM-7(1)
+ec2-security-group-whitelists-aws-ip-from-banned-region,CM-7(1)
+ec2-security-group-whitelists-non-elastic-ips,CM-7(1)
+ec2-security-group-whitelists-unknown-aws,CM-7(1)
+ec2-security-group-whitelists-unknown-cidrs,CM-7(1)
+ec2-unused-security-group,CM-7(1)
+elb-listener-allowing-cleartext,SC-8
+elb-no-access-logs,AU-12
+elb-older-ssl-policy,SC-8
+elbv2-http-request-smuggling,SC-8
+elbv2-listener-allowing-cleartext,SC-8
+elbv2-no-access-logs,AU-12
+elbv2-no-deletion-protection,SI-7
+elbv2-older-ssl-policy,SC-8
+iam-assume-role-lacks-external-id-and-mfa,AC-17
+iam-assume-role-no-mfa,AC-6
+iam-assume-role-policy-allows-all,AC-6
+iam-ec2-role-without-instances,AC-6
+iam-group-with-inline-policies,AC-6
+iam-group-with-no-users,AC-6
+iam-human-user-with-policies,AC-6
+iam-inline-policy-allows-non-sts-action,AC-6
+iam-inline-policy-allows-NotActions,AC-6
+iam-inline-policy-for-role,AC-6
+iam-managed-policy-allows-full-privileges,AC-6
+iam-managed-policy-allows-non-sts-action,AC-6
+iam-managed-policy-allows-NotActions,AC-6
+iam-managed-policy-for-role,AC-6
+iam-managed-policy-no-attachments,AC-6
+iam-no-support-role,IR-7
+iam-password-policy-expiration-threshold,AC-2
+iam-password-policy-minimum-length,AC-2
+iam-password-policy-no-expiration,AC-2
+iam-password-policy-no-lowercase-required,AC-2
+iam-password-policy-no-number-required,AC-2
+iam-password-policy-no-symbol-required,AC-2
+iam-password-policy-no-uppercase-required,AC-2
+iam-password-policy-reuse-enabled,IA-5(1)
+iam-role-with-inline-policies,AC-6
+iam-root-account-no-hardware-mfa,IA-2(1)
+iam-root-account-no-mfa,IA-2(1)
+iam-root-account-used-recently,AC-6(9)
+iam-root-account-with-active-certs,AC-6(9)
+iam-root-account-with-active-keys,AC-6(9)
+iam-service-user-with-password,AC-2
+iam-unused-credentials-not-disabled,AC-2
+iam-user-no-key-rotation,AC-2
+iam-user-not-in-category-group,AC-2
+iam-user-not-in-common-group,AC-2
+iam-user-unused-access-key-initial-setup,AC-2
+iam-user-with-multiple-access-keys,IA-2
+iam-user-without-mfa,IA-2(1)
+iam-user-with-password-and-key,IA-2
+iam-user-with-policies,AC-2
+kms-cmk-rotation-disabled,SC-12
+logs-no-alarm-aws-configuration-changes,CM-8|CM-8(2)|CM-8(6)
+logs-no-alarm-cloudtrail-configuration-changes,AU-6
+logs-no-alarm-cmk-deletion,AC-2
+logs-no-alarm-console-authentication-failures,AC-2
+logs-no-alarm-iam-policy-changes,AC-2
+logs-no-alarm-nacl-changes,CM-6(2)
+logs-no-alarm-network-gateways-changes,AU-12|CM-6(2)
+logs-no-alarm-root-usage,AU-2
+logs-no-alarm-route-table-changes,AU-12|CM-6(2)
+logs-no-alarm-s3-policy-changes,AC-6|AU-12
+logs-no-alarm-security-group-changes,AC-2(4)
+logs-no-alarm-signin-without-mfa,AC-2
+logs-no-alarm-unauthorized-api-calls,AU-6|SI-4(2)
+logs-no-alarm-vpc-changes,CM-6(1)
+rds-instance-backup-disabled,CP-9
+rds-instance-ca-certificate-deprecated,SC-12
+rds-instance-no-minor-upgrade,SI-2
+rds-instance-short-backup-retention-period,CP-9
+rds-instance-single-az,CP-7
+rds-instance-storage-not-encrypted,SC-28
+rds-postgres-instance-with-invalid-certificate,SC-12
+rds-security-group-allows-all,CM-7(1)
+rds-snapshot-public,SC-28
+redshift-cluster-database-not-encrypted,SC-28
+redshift-cluster-no-version-upgrade,SI-2
+redshift-cluster-publicly-accessible,AC-3
+redshift-parameter-group-logging-disabled,AU-12
+redshift-parameter-group-ssl-not-required,SC-8
+redshift-security-group-whitelists-all,CM-7(1)
+route53-domain-no-autorenew,SC-2
+route53-domain-no-transferlock,SC-2
+route53-domain-transferlock-not-authorized,SC-2
+s3-bucket-allowing-cleartext,SC-28
+s3-bucket-no-default-encryption,SC-28
+s3-bucket-no-logging,AU-2|AU-12
+s3-bucket-no-mfa-delete,SI-7
+s3-bucket-no-versioning,SI-7
+s3-bucket-world-acl,AC-3(3)
+s3-bucket-world-policy-arg,AC-3(3)
+s3-bucket-world-policy-star,AC-3(3)
+ses-identity-dkim-not-enabled,SC-23
+ses-identity-dkim-not-verified,SC-23
+ses-identity-world-policy,AC-6
+sns-topic-world-policy,AC-6
+sqs-queue-world-policy,AC-6
+vpc-custom-network-acls-allow-all,SC-7
+vpc-default-network-acls-allow-all,SC-7
+vpc-network-acl-not-used,SC-7
+vpc-routing-tables-with-peering,AC-3(3)
+vpc-subnet-with-bad-acls,SC-7
+vpc-subnet-with-default-acls,SC-7
+vpc-subnet-without-flow-log,AU-12
diff --git a/lib/heimdall_tools.rb b/lib/heimdall_tools.rb
@@ -17,4 +17,5 @@ module HeimdallTools
   autoload :AwsConfigMapper, 'heimdall_tools/aws_config_mapper'
   autoload :NetsparkerMapper, 'heimdall_tools/netsparker_mapper'
   autoload :SarifMapper, 'heimdall_tools/sarif_mapper'
+  autoload :ScoutSuiteMapper, 'heimdall_tools/scoutsuite_mapper'
 end
diff --git a/lib/heimdall_tools/aws_config_mapper.rb b/lib/heimdall_tools/aws_config_mapper.rb
@@ -57,10 +57,10 @@ def to_hdf
 
       results = HeimdallDataFormat.new(
         profile_name: 'AWS Config',
-         title: 'AWS Config',
-         summary: 'AWS Config',
-         controls: controls,
-         statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
+        title: 'AWS Config',
+        summary: 'AWS Config',
+        controls: controls,
+        statistics: { aws_config_sdk_version: Aws::ConfigService::GEM_VERSION },
       )
       results.to_hdf
     end

diff --git a/lib/heimdall_tools/cli.rb b/lib/heimdall_tools/cli.rb
@@ -135,6 +135,17 @@ def sarif_mapper
       puts options[:output].to_s
     end
 
+    desc 'scoutsuite_mapper', 'scoutsuite_mapper translates Scout Suite results from Javascript to HDF-formatted JSON so as to be viewable on Heimdall'
+    long_desc Help.text(:scoutsuite_mapper)
+    option :javascript, required: true, banner: 'SCOUTSUITE-RESULTS-JS', aliases: ['-i', '--input', '-j']
+    option :output, required: true, banner: 'HDF-SCAN-RESULTS-JSON', aliases: '-o'
+    def scoutsuite_mapper
+      hdf = HeimdallTools::ScoutSuiteMapper.new(File.read(options[:javascript])).to_hdf
+      File.write(options[:output], hdf)
+      puts "\rHDF Generated:\n"
+      puts options[:output].to_s
+    end
+
     desc 'version', 'prints version'
     def version
       puts VERSION

diff --git a/lib/heimdall_tools/help/scoutsuite_mapper.md b/lib/heimdall_tools/help/scoutsuite_mapper.md
@@ -0,0 +1,7 @@
+  scoutsuite_mapper translates Scout Suite results from Javascript to HDF-formatted JSON so as to be viewable on Heimdall
+
+  Note: Currently this mapper only supports AWS.
+
+Examples:
+
+  heimdall_tools scoutsuite_mapper -i <scoutsuite-results-js> -o <hdf-scan-results-json>