Keep Revision info when mapping from CCI to NIST

Signed-off-by: Joyce Quach <jquach@mitre.org>

Author: jtquach1

libs/hdf-converters/data/converters/cciListXml2json.ts

@@ -34,7 +34,12 @@ export interface ICCIList {
         $: Record<string, string>;
         references?: {
           reference: {
-            $: Record<string, string>;
+            $: {
+              creator: string;
+              title: string;
+              version: string;
+              index: string;
+            };
           }[];
         }[];
         definition: string[];
@@ -43,6 +48,13 @@ export interface ICCIList {
   };
 }
 
+export type NistReference = {
+  version: string;
+  creator: string;
+  title: string;
+  nist: string;
+};
+
 // Check that we're not doing `npm test`; it will look for the arguments to the input and output files.
 const scriptIsCalled = process.argv[1].includes('cciListXml2json');
 
@@ -98,11 +110,11 @@ if (scriptIsCalled) {
 }
 
 function produceConversions(cciList: ICCIList): {
-  nists: Record<string, string[]>;
+  nists: Record<string, NistReference[]>;
   definitions: Record<string, string>;
   ccis: Record<string, string[]>;
 } {
-  const nists: Record<string, string[]> = {};
+  const nists: Record<string, NistReference[]> = {};
   const definitions: Record<string, string> = {};
   const ccis: Record<string, string[]> = {};
 
@@ -117,13 +129,18 @@ function produceConversions(cciList: ICCIList): {
     if (newestReference) {
       /* There's 1 out of the 2000+ CCI controls where this index string is composed of at
       least 2 comma-and-space-separated controls found in the latest revision. */
-      const nistIds = newestReference.$.index
+      const {version, creator, index, title} = newestReference.$;
+      const nistIds = index
         .split(/,\s*/)
         .map(parse_nist)
         .filter(is_control)
         .map((n) => n.canonize());
 
-      _.set(nists, cciId, nistIds);
+      _.set(
+        nists,
+        cciId,
+        nistIds.map((nist) => ({version, creator, title, nist}))
+      );
       _.set(definitions, cciId, cciItem.definition[0]);
 
       for (const nistId of nistIds) {

libs/hdf-converters/src/ckl-mapper/checklist-mapper.ts

@@ -54,7 +54,9 @@ function cciRef(input: string): string[] {
  */
 function nistTag(input: string): string[] {
   const identifiers: string[] = cciRef(input);
-  return CCI2NIST(identifiers, DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS);
+  return CCI2NIST(identifiers, DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS).map(
+    ({nist}) => nist
+  );
 }
 
 /**

libs/hdf-converters/src/mappings/CciNistMapping.ts

@@ -4,15 +4,20 @@ import {
   NIST_TO_CCI
 } from '../mappings/NistCciMappingData';
 import {is_control, parse_nist} from 'inspecjs';
-import {CCI_TO_NIST} from './CciNistMappingData';
+import {CCI_TO_NIST, DEFAULT_NIST_REFERENCE} from './CciNistMappingData';
+import {NistReference} from '../../data/converters/cciListXml2json';
 
 export function CCI2NIST(
   identifiers: string[],
   defaultCci2Nist: string[]
-): string[] {
-  const DEFAULT_NIST_TAGS = defaultCci2Nist;
-  const nists: string[] = _.uniq(
-    identifiers.flatMap((cci) => _.get(CCI_TO_NIST, cci, []))
+): NistReference[] {
+  const DEFAULT_NIST_TAGS = defaultCci2Nist.map((nist) => ({
+    nist,
+    ...DEFAULT_NIST_REFERENCE
+  }));
+  const nists: NistReference[] = _.uniqBy(
+    identifiers.flatMap((cci) => _.get(CCI_TO_NIST, cci, [])),
+    (ref) => ref.nist
   );
   return nists.length > 0 ? nists : DEFAULT_NIST_TAGS;
 }

libs/hdf-converters/src/mappings/CciNistMappingData.ts

@@ -1,9 +1,15 @@
 import cciToNistData from './U_CCI_List.nist.json';
 import cciToDefinitionData from './U_CCI_List.defs.json';
 import {HANDCRAFTED_DEFAULT_NIST_TO_CCI} from '../mappings/NistCciMappingData';
+import {NistReference} from '../../data/converters/cciListXml2json';
 
-export const CCI_TO_NIST: Record<string, string[]> = cciToNistData;
+export const CCI_TO_NIST: Record<string, NistReference[]> = cciToNistData;
 export const CCI_TO_DEFINITION: Record<string, string> = cciToDefinitionData;
+export const DEFAULT_NIST_REFERENCE: Omit<NistReference, 'nist'> = {
+  version: '5',
+  creator: 'NIST',
+  title: 'NIST SP 800-53 Revision 5'
+};
 
 // DEFAULT_NIST_TAG is applicable to all automated configuration tests.
 // SA-11 (DEVELOPER SECURITY TESTING AND EVALUATION) - RA-5 (VULNERABILITY SCANNING)

libs/hdf-converters/src/mappings/U_CCI_List.nist.json

@@ -81,7 +81,7 @@ function pluginNistTag(item: unknown): string[] {
 }
 function cciNistTag(input: string): string[] {
   const identifiers: string[] = parseRef(input, 'CCI');
-  return CCI2NIST(identifiers, DEFAULT_NIST_TAG);
+  return CCI2NIST(identifiers, DEFAULT_NIST_TAG).map(({nist}) => nist);
 }
 
 function parseRef(input: string, key: string): string[] {

libs/hdf-converters/src/nessus-mapper.ts

@@ -26,7 +26,7 @@ const DEFAULT_CCI_TAGS = [
   'CCI-000366'
 ];
 
-const DEFAULT_NIST_TAGS = CCI2NIST(DEFAULT_CCI_TAGS, []);
+const DEFAULT_NIST_TAGS = CCI2NIST(DEFAULT_CCI_TAGS, []).map(({nist}) => nist);
 
 function asArray<T>(arg: T | T[]): T[] {
   if (Array.isArray(arg)) {
@@ -182,7 +182,9 @@ function cciAndNistTags(input: IIdent | IIdent[]): {
   const existingNists = extractNist(input);
 
   if (existingCcis.length > 0) {
-    const nistsFromMappedCcis = CCI2NIST(existingCcis, []);
+    const nistsFromMappedCcis = CCI2NIST(existingCcis, []).map(
+      ({nist}) => nist
+    );
     output.nist.push(...nistsFromMappedCcis);
     output.cci.push(...existingCcis);
     return output;