Added default NIST_ID tags of SA-11 and RA-5 to sonarqube_mapper

[jsa5593]

Added default NIST_ID tags of SA-11 and RA-5 to sonarqube_mapper
closes #24

[aaronlippold]

@ejaronne please propose the text needed in the README / docs for this.

[aaronlippold]

sonarqube_mapper

sonarqube_mapper pulls SonarQube results, for the specified project, from the API and outputs in HDF format Json to be viewed on Heimdall

USAGE: heimdall_tools sonarqube_mapper [OPTIONS] -n -u -o <scan-results.json>

Default / Unmapped NIST 800-53 Controls

Sonarqube does not always map ... in these cases we know that the geneneral catigory of weakness aligns to SA-11 and RA-5 in the general case. ....

Usage and Flags

FLAGS:
-n --name : Project Key of the project in SonarQube
-u --api_url : url of the SonarQube Server API. Typically ends with /api.
--auth : username:password or token [optional].
-o --output : path to output scan-results json.
-V --verbose : verbose run [optional].

example:

heimdall_tools sonarqube_mapper -n sonar_project_key -u http://sonar:9000/api -o scan_results.json

heimdall_tools sonarqube_mapper -n sonar_project_key -u http://sonar:9000/api --auth admin:admin -o scan_results.json

[aaronlippold]

@rx294 and @ejaronne please review and approve

[aaronlippold]

I really wish this had been reviewed and merged at the same time as the other PR so we could have had only one release. Now we will have a new version. Please review the PR set PRIOR to doing a release to see if this can be consolidated in the release process. -------- Aaron Lippold [email protected] 260-255-4779 twitter/aim/yahoo,etc. 'aaronlippold'

…

On Tue, Jun 16, 2020 at 6:08 PM Aaron Lippold ***@***.***> wrote: @rx294 <https://github.com/rx294> and @ejaronne <https://github.com/ejaronne> please review and approve — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#50 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALK42BM56KQHTSPRDPP5GLRW7UODANCNFSM4NMEXRBQ> .

[aaronlippold]

I pulled out the 'Rev_4' from the tags array.

[rbclark]

I pulled out the 'Rev_4' from the tags array.

It is still there in the fortify mapper, was it your intent to leave it there?

[aaronlippold]

Not sure -------- Aaron Lippold [email protected] 260-255-4779 twitter/aim/yahoo,etc. 'aaronlippold'

…

On Tue, Jul 7, 2020 at 2:54 PM Robert Clark ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In lib/heimdall_tools/sonarqube_mapper.rb <#50 (comment)>: > @@ -237,7 +237,7 @@ def get_nist_tags return ***@***.***[tag_type][parsed_tag]].flatten.uniq @aaronlippold <https://github.com/aaronlippold> has this comment been addressed? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#50 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALK42E57HDZPP3NPQIT2N3R2NVNLANCNFSM4NMEXRBQ> .

[aaronlippold]

none of the conversation tools should put the rev version in the output

[aaronlippold]

@rbclark @Bialogs can we re-review this again, and fix and merge it to close it out.