Convert Microsoft Secure Score to OHDF

apps/frontend/src/store/report_intake.ts

@@ -18,6 +18,7 @@ import {
   INPUT_TYPES,
   IonChannelMapper,
   JfrogXrayMapper,
+  MsftSecureScoreMapper,
   NessusResults,
   NetsparkerMapper,
   NiktoMapper,
@@ -229,6 +230,8 @@ export class InspecIntake extends VuexModule {
     switch (typeGuess) {
       case INPUT_TYPES.JFROG:
         return new JfrogXrayMapper(convertOptions.data).toHdf();
+      case INPUT_TYPES.MSFT_SEC_SCORE:
+        return new MsftSecureScoreMapper(convertOptions.data).toHdf();
       case INPUT_TYPES.ASFF:
         return Object.values(
           new ASFFResultsMapper(convertOptions.data).toHdf()

libs/hdf-converters/index.ts

@@ -39,3 +39,4 @@ export * from './src/utils/fingerprinting';
 export * from './src/veracode-mapper';
 export * from './src/xccdf-results-mapper';
 export * from './src/zap-mapper';
+export * from './src/msft-secure-score-mapper';

libs/hdf-converters/package.json

@@ -25,6 +25,7 @@
     "xml2json": "tsx data/converters/xml2json.ts"
   },
   "dependencies": {
+    "@microsoft/microsoft-graph-types": "^2.40.0",
     "@aws-sdk/client-config-service": "^3.95.0",
     "@e965/xlsx": "^0.20.0",
     "@mdi/js": "^7.0.96",
@@ -34,7 +35,9 @@
     "@types/ms": "^0.7.31",
     "@types/mustache": "^4.1.2",
     "@types/papaparse": "^5.3.2",
+    "@types/revalidator": "^0.3.12",
     "@types/triple-beam": "^1.3.2",
+    "@types/validator": "^13.12.0",
     "@types/xml2js": "^0.4.9",
     "axios": "^1.3.5",
     "compare-versions": "^6.0.0",
@@ -48,10 +51,12 @@
     "ms": "^2.1.3",
     "mustache": "^4.2.0",
     "papaparse": "^5.3.1",
+    "revalidator": "^0.3.1",
     "run-script-os": "^1.1.6",
     "semver": "^7.6.0",
     "tailwindcss": "^3.3.3",
     "tw-elements": "^1.0.0-beta2",
+    "validator": "^13.12.0",
     "winston": "^3.6.0",
     "xml-formatter": "^3.6.2",
     "xml-parser-xo": "^4.1.1",

libs/hdf-converters/src/msft-secure-score-mapper.ts

@@ -0,0 +1,202 @@
+import {
+  SecureScore,
+  ControlScore,
+  SecureScoreControlProfile
+} from '@microsoft/microsoft-graph-types';
+import {ExecJSON} from 'inspecjs';
+import {version as HeimdallToolsVersion} from '../package.json';
+import {BaseConverter, ILookupPath, MappedTransform} from './base-converter';
+
+export class MsftSecureScoreMapper extends BaseConverter {
+  withRaw: boolean;
+  profiles: SecureScoreControlProfile[];
+
+  private getProfiles(controlName: string): SecureScoreControlProfile[] {
+    return this.profiles.filter((p) => p.id === controlName);
+  }
+
+  mappings: MappedTransform<
+    ExecJSON.Execution & {passthrough: unknown},
+    ILookupPath
+  > = {
+    platform: {
+      name: 'Heimdall Tools',
+      release: HeimdallToolsVersion
+    },
+    version: HeimdallToolsVersion,
+    statistics: {},
+    profiles: [
+      {
+        name: 'Microsoft Secure Score',
+        version: {path: 'v4'},
+        title: {
+          transformer: (d: SecureScore) =>
+            `Azure Secure Score report: TenantID: ${d.azureTenantId}`
+        },
+        summary: 'NAME',
+        supports: [],
+        attributes: [],
+        groups: [],
+        status: 'loaded',
+        controls: [
+          {
+            path: 'controlScores',
+            id: {
+              transformer: (d: ControlScore) =>
+                `${d.controlCategory}:${d.controlName}`
+            },
+            title: {
+              transformer: (d: ControlScore) => {
+                const titles = this.getProfiles(d.controlName || '')
+                  .filter((p) => p.title !== undefined)
+                  .map((p) => p.title);
+
+                if (titles.length > 0) {
+                  return titles.join('... ');
+                } else {
+                  return `${d.controlCategory || ''}:${d.controlName || ''}`;
+                }
+              }
+            },
+            desc: {
+              transformer: (d: ControlScore) => d.description || ''
+            },
+            impact: {
+              transformer: (d: ControlScore) => {
+                // return controlCategory from the profile document where its id matches the controlName
+                const knownMaxScores = this.getProfiles(
+                  d.controlName || ''
+                ).map((p) => p.maxScore || 0);
+
+                if (knownMaxScores.length === 0) {
+                  return 0.5;
+                }
+
+                const highMaxScore = Math.max(...knownMaxScores);
+                return highMaxScore / 10.0;
+              }
+            },
+            refs: [],
+            tags: {
+              group: {
+                transformer: (d: ControlScore) => {
+                  // return controlCategory from the profile document where its id matches the controlName
+                  return this.getProfiles(d.controlName || '').map(
+                    (p) => p.controlCategory
+                  );
+                }
+              },
+              tiers: {
+                transformer: (d: ControlScore) => {
+                  // return tiers from the profile document where its id matches the controlName
+                  return this.getProfiles(d.controlName || '').map(
+                    (p) => p.tier
+                  );
+                }
+              },
+              threats: {
+                transformer: (d: ControlScore) => {
+                  // return unique threats from the profile document where its id matches the controlName
+                  const uniqs: Set<string> = new Set();
+                  this.getProfiles(d.controlName || '').forEach((p) =>
+                    p.threats?.forEach((threat) => uniqs.add(threat))
+                  );
+                  return [...uniqs];
+                }
+              },
+              services: {
+                transformer: (d: ControlScore) => {
+                  // return thrserviceeats from the profile document where its id matches the controlName
+                  return this.getProfiles(d.controlName || '').map(
+                    (p) => p.service
+                  );
+                }
+              },
+              userImpacts: {
+                transformer: (d: ControlScore) => {
+                  // return userImpacts from the profile document where its id matches the controlName
+                  return this.getProfiles(d.controlName || '')
+                    .filter((p) => p.userImpact !== undefined)
+                    .map((p) => p.userImpact);
+                }
+              }
+            },
+            source_location: {},
+            code: {
+              transformer: (
+                d: ControlScore & {implementationStatus: string}
+              ) => {
+                const profiles = this.getProfiles(d.controlName || '');
+
+                if (profiles?.length === 0) {
+                  return d.implementationStatus;
+                }
+              }
+            },
+            results: [
+              {
+                status: {
+                  transformer: (
+                    d: ControlScore & {scoreInPercentage: number}
+                  ) => {
+                    if (d.scoreInPercentage === 100) {
+                      return ExecJSON.ControlResultStatus.Passed;
+                    }
+
+                    const knownMaxScores = this.getProfiles(
+                      d.controlName || ''
+                    ).map((p) => p.maxScore || 0);
+
+                    const highMaxScore = Math.max(...knownMaxScores);
+
+                    if (knownMaxScores.length === 0) {
+                      // no Profile found matching the controlName
+                      return ExecJSON.ControlResultStatus.Failed;
+                    } else if (d.score === undefined) {
+                      return ExecJSON.ControlResultStatus.Error;
+                    } else if (d.score === highMaxScore) {
+                      return ExecJSON.ControlResultStatus.Passed;
+                    } else {
+                      return ExecJSON.ControlResultStatus.Failed;
+                    }
+                  }
+                },
+                code_desc: {
+                  transformer: (
+                    d: ControlScore & {implementationStatus: string}
+                  ) => {
+                    const remediations = this.getProfiles(d.controlName || '')
+                      .filter((p) => p.remediation !== undefined)
+                      .map((p) => p.remediation);
+
+                    if (remediations.length > 0) {
+                      return remediations.join('\n\n');
+                    }
+                  }
+                },
+                start_time: {transformer: () => this.data.createdDateTime}
+              }
+            ]
+          }
+        ],
+        sha256: ''
+      }
+    ],
+    passthrough: {
+      transformer: (data: Record<string, any>): Record<string, unknown> => {
+        return {
+          auxiliary_data: [
+            {name: 'Microsoft Secure Score', data: this.profiles}
+          ],
+          ...(this.withRaw && {raw: data})
+        };
+      }
+    }
+  };
+  constructor(secureScore_and_profiles_combined: string, withRaw = false) {
+    const rawParams = JSON.parse(secureScore_and_profiles_combined);
+    super(rawParams.secureScore, true);
+    this.withRaw = withRaw;
+    this.profiles = rawParams.profiles.value as SecureScoreControlProfile[];
+  }
+}

libs/hdf-converters/src/utils/fingerprinting.ts

@@ -9,6 +9,7 @@ export enum INPUT_TYPES {
   GOSEC = 'gosec',
   IONCHANNEL = 'ionchannel',
   JFROG = 'jfrog',
+  MSFT_SEC_SCORE = 'msft_secure_score',
   NIKTO = 'nikto',
   SARIF = 'sarif',
   SNYK = 'snyk',
@@ -36,6 +37,7 @@ const fileTypeFingerprints: Record<INPUT_TYPES, string[]> = {
     'trigger_hash'
   ],
   [INPUT_TYPES.JFROG]: ['total_count', 'data'],
+  [INPUT_TYPES.MSFT_SEC_SCORE]: ['secureScore', 'profiles'],
   [INPUT_TYPES.NIKTO]: ['banner', 'host', 'ip', 'port', 'vulnerabilities'],
   [INPUT_TYPES.SARIF]: ['$schema', 'version', 'runs'],
   [INPUT_TYPES.SNYK]: [

libs/hdf-converters/test/mappers/forward/msft_secure_score_mapper.spec.ts

@@ -0,0 +1,90 @@
+import fs from 'fs';
+import {MsftSecureScoreMapper} from '../../../src/msft-secure-score-mapper';
+import {omitVersions} from '../../utils';
+
+describe('msft_secure_score_mapper', () => {
+  it('Successfully converts Microsoft Secure Score reports', () => {
+    const mapper = new MsftSecureScoreMapper(
+      JSON.stringify({
+        secureScore: JSON.parse(
+          fs.readFileSync(
+            'sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore.json',
+            {
+              encoding: 'utf-8'
+            }
+          )
+        ),
+        profiles: JSON.parse(
+          fs.readFileSync(
+            'sample_jsons/msft_secure_score_mapper/sample_input_report/profiles.json',
+            {
+              encoding: 'utf-8'
+            }
+          )
+        )
+      })
+    );
+
+    // fs.writeFileSync(
+    //   'sample_jsons/msft_secure_score_mapper/secure_score-hdf.json',
+    //   JSON.stringify(mapper.toHdf(), null, 2)
+    // );
+
+    expect(omitVersions(mapper.toHdf())).toEqual(
+      omitVersions(
+        JSON.parse(
+          fs.readFileSync(
+            'sample_jsons/msft_secure_score_mapper/secure_score-hdf.json',
+            {
+              encoding: 'utf-8'
+            }
+          )
+        )
+      )
+    );
+  });
+});
+
+describe('msft_secure_score_mapper_withraw', () => {
+  it('Successfully converts withRaw flagged Microsoft Secure Score reports', () => {
+    const mapper = new MsftSecureScoreMapper(
+      JSON.stringify({
+        secureScore: JSON.parse(
+          fs.readFileSync(
+            'sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore.json',
+            {
+              encoding: 'utf-8'
+            }
+          )
+        ),
+        profiles: JSON.parse(
+          fs.readFileSync(
+            'sample_jsons/msft_secure_score_mapper/sample_input_report/profiles.json',
+            {
+              encoding: 'utf-8'
+            }
+          )
+        )
+      }),
+      true
+    );
+
+    // fs.writeFileSync(
+    //   'sample_jsons/msft_secure_score_mapper/secure_score-hdf-withraw.json',
+    //   JSON.stringify(mapper.toHdf(), null, 2)
+    // );
+
+    expect(omitVersions(mapper.toHdf())).toEqual(
+      omitVersions(
+        JSON.parse(
+          fs.readFileSync(
+            'sample_jsons/msft_secure_score_mapper/secure_score-hdf-withraw.json',
+            {
+              encoding: 'utf-8'
+            }
+          )
+        )
+      )
+    );
+  });
+});