breaking: MySQL Service and OAS updates for STIG revision data, inclu…

…ding rules, checks and fixes (#936)
NUWCDIVNPT · Mar 9, 2023 · 475616a · 475616a
1 parent 25bd54f
commit 475616a
Show file tree

Hide file tree

Showing 20 changed files with 1,893 additions and 919 deletions.
diff --git a/api/source/controllers/STIG.js b/api/source/controllers/STIG.js
@@ -8,22 +8,22 @@ const STIG = require(`../service/${config.database.type}/STIGService`)
 module.exports.importBenchmark = async function importManualBenchmark (req, res, next) {
   try {
     const extension = req.file.originalname.substring(req.file.originalname.lastIndexOf(".")+1)
+    const clobber = req.query.clobber ?? false
     if (extension.toLowerCase() != 'xml') {
       throw new SmError.ClientError(`File extension .${extension} not supported`)
     }
     let benchmark
     try {
-      benchmark = await parsers.benchmarkFromXccdf(req.file.buffer)
+      benchmark = parsers.benchmarkFromXccdf(req.file.buffer)
     }
     catch(err){
       throw new SmError.ClientError(err.message)
     }
     if (benchmark.scap) {
       throw new SmError.UnprocessableError('SCAP Benchmarks are not imported.')
     }
-    const revision = await STIG.insertManualBenchmark(benchmark, res.svcStatus)
-    const response = await STIG.getRevisionByString(revision.benchmarkId, revision.revisionStr)
-    res.json(response)
+    const revision = await STIG.insertManualBenchmark(benchmark, clobber, res.svcStatus)
+    res.json(revision)
   }
   catch(err) {
     next(err)

diff --git a/api/source/service/mysql/AssetService.js b/api/source/service/mysql/AssetService.js
@@ -419,24 +419,21 @@ exports.queryChecklist = async function (inProjection, inPredicates, elevate, us
   try {
     const columns = [
       'CAST(:assetId as char) as "assetId"',
-      'r.ruleId',
-      'r.title as "ruleTitle"',
-      'r.version',
-      'g.groupId',
-      'g.title as "groupTitle"',
-      'r.severity',
+      'rgr.ruleId',
+      'rgr.title as "ruleTitle"',
+      'rgr.version',
+      'rgr.groupId',
+      'rgr.groupTitle',
+      'rgr.severity',
       `result.api as "result"`,
       `CASE WHEN review.resultEngine = 0 THEN NULL ELSE review.resultEngine END as resultEngine`,
       `review.autoResult`,
       `status.api as "status"`
     ]
     const joins = [
       'current_rev rev',
-      'left join rev_group_map rg on rev.revId = rg.revId',
-      'left join `group` g on rg.groupId=g.groupId',
-      'left join rev_group_rule_map rgr on rg.rgId=rgr.rgId',
-      'left join rule r on rgr.ruleId=r.ruleId',
-      'left join review on r.ruleId = review.ruleId and review.assetId = :assetId',
+      'left join rev_group_rule_map rgr using (revId)',
+      'left join review on rgr.ruleId = review.ruleId and review.assetId = :assetId',
       'left join result on review.resultId=result.resultId',
       'left join status on review.statusId=status.statusId'
     ]
@@ -459,11 +456,7 @@ exports.queryChecklist = async function (inProjection, inPredicates, elevate, us
       predicates.binds.revId = revId
     }
     const groupBy = [
-      'r.ruleId',
-      'r.title',
-      'g.groupId',
-      'g.title',
-      'r.severity',
+      'rgr.rgrId',
       'result.api',
       'review.autoResult',
       'status.api',
@@ -473,7 +466,7 @@ exports.queryChecklist = async function (inProjection, inPredicates, elevate, us
       'review.comment'
     ]
     const orderBy = [
-      'substring(g.groupId from 3) + 0'
+      'substring(rgr.groupId from 3) + 0'
     ]
 
     const sql = dbUtils.makeQueryString({columns, joins, predicates, groupBy, orderBy}) 
@@ -591,78 +584,54 @@ exports.cklFromAssetStigs = async function cklFromAssetStigs (assetId, stigs, el
 
     const sqlGetAsset = "select name, fqdn, ip, mac, noncomputing, metadata from asset where assetId = ?"
     const sqlGetChecklist =`SELECT 
-      g.groupId,
-      r.severity,
-      g.title as "groupTitle",
-      r.ruleId,
-      r.title as "ruleTitle",
-      r.weight,
-      r.version,
-      r.vulnDiscussion,
-      r.iaControls,
-      r.falsePositives,
-      r.falseNegatives,
-      r.documentable,
-      r.mitigations,
-      r.potentialImpacts,
-      r.thirdPartyTools,
-      r.mitigationControl,
-      r.responsibility,
-      r.severityOverrideGuidance,
+      rgr.groupId,
+      rgr.severity,
+      rgr.groupTitle,
+      rgr.ruleId,
+      rgr.title as "ruleTitle",
+      rgr.weight,
+      rgr.version,
+      rgr.vulnDiscussion,
+      rgr.iaControls,
+      rgr.falsePositives,
+      rgr.falseNegatives,
+      rgr.documentable,
+      rgr.mitigations,
+      rgr.potentialImpacts,
+      rgr.thirdPartyTools,
+      rgr.mitigationControl,
+      rgr.responsibility,
+      rgr.severityOverrideGuidance,
       result.ckl as "result",
       LEFT(review.detail,32767) as "detail",
       LEFT(review.comment,32767) as "comment",
-      MAX(cc.content) as "checkContent",
-      MAX(fix.text) as "fixText",
-      group_concat(rcc.cci ORDER BY rcc.cci) as "ccis"
+      cc.content as "checkContent",
+      ft.text as "fixText",
+      group_concat(rgrcc.cci ORDER BY rgrcc.cci) as "ccis"
     FROM
       revision rev 
-      left join rev_group_map rg on rev.revId = rg.revId 
-      left join \`group\` g on rg.groupId = g.groupId 
-
-      left join rev_group_rule_map rgr on rg.rgId = rgr.rgId 
-      left join rule r on rgr.ruleId = r.ruleId 
-      left join severity_cat_map sc on r.severity = sc.severity 
+      left join rev_group_rule_map rgr on rev.revId = rgr.revId 
+      left join severity_cat_map sc on rgr.severity = sc.severity 
       
-      left join rule_cci_map rcc on rgr.ruleId = rcc.ruleId 
+      left join rev_group_rule_cci_map rgrcc on rgr.rgrId = rgrcc.rgrId
 
-      left join rev_group_rule_check_map rgrc on rgr.rgrId = rgrc.rgrId
-      left join \`check\` c on rgrc.checkId = c.checkId
-      left join check_content cc on c.ccId = cc.ccId
+      left join check_content cc on rgr.checkDigest = cc.digest
 
-      left join rev_group_rule_fix_map rgrf on rgr.rgrId = rgrf.rgrId
-      left join fix on rgrf.fixId = fix.fixId
+      left join fix_text ft on rgr.fixDigest = ft.digest
 
-      left join review on r.ruleId = review.ruleId and review.assetId = ?
+      left join review on rgr.ruleId = review.ruleId and review.assetId = ?
       left join result on review.resultId = result.resultId 
       left join status on review.statusId = status.statusId 
 
     WHERE
       rev.revId = ?
     GROUP BY
-      g.groupId,
-      r.severity,
-      g.title,
-      r.ruleId,
-      r.title,
-      r.weight,
-      r.version,
-      r.vulnDiscussion,
-      r.iaControls,
-      r.falsePositives,
-      r.falseNegatives,
-      r.documentable,
-      r.mitigations,
-      r.potentialImpacts,
-      r.thirdPartyTools,
-      r.mitigationControl,
-      r.responsibility,
-      r.severityOverrideGuidance,
+      rgr.rgrId,
       result.ckl,
       review.detail,
       review.comment
     order by
-      substring(g.groupId from 3) + 0 asc
+      substring(rgr.groupId from 3) + 0 asc
     `
     connection = await dbUtils.pool.getConnection()
 
@@ -831,14 +800,14 @@ exports.xccdfFromAssetStig = async function (assetId, benchmarkId, revisionStr =
     // queries and query methods
   const sqlGetAsset = "select name, fqdn, ip, mac, noncomputing, metadata from asset where assetId = ?"
   const sqlGetChecklist =`SELECT 
-    g.groupId,
-    g.title as "groupTitle",
-    r.ruleId,
-    r.title as "ruleTitle",
-    r.severity,
-    r.weight,
-    r.version,
-    c.checkId,
+    rgr.groupId,
+    rgr.groupTitle,
+    rgr.ruleId,
+    rgr.title as "ruleTitle",
+    rgr.severity,
+    rgr.weight,
+    rgr.version,
+    rgr.checkSystem,
     cc.content as "checkContent",
     result.api as "result",
     review.ts,
@@ -847,20 +816,15 @@ exports.xccdfFromAssetStig = async function (assetId, benchmarkId, revisionStr =
     review.resultEngine
   FROM
     revision rev 
-    left join rev_group_map rg on rev.revId = rg.revId
-    left join \`group\` g on rg.groupId = g.groupId 
-    left join rev_group_rule_map rgr on rg.rgId = rgr.rgId 
-    left join rule r on rgr.ruleId = r.ruleId 
-    left join rev_group_rule_check_map rgrc on rgr.rgrId = rgrc.rgrId
-    left join \`check\` c on rgrc.checkId = c.checkId
-    left join check_content cc on c.ccId = cc.ccId
-    left join review on r.ruleId = review.ruleId and review.assetId = ?
+    left join rev_group_rule_map rgr on rev.revId = rgr.revId 
+    left join check_content cc on rgr.checkDigest = cc.digest
+    left join review on rgr.ruleId = review.ruleId and review.assetId = ?
     left join result on review.resultId = result.resultId 
     left join status on review.statusId = status.statusId 
   WHERE
     rev.revId = ?
   order by
-    substring(g.groupId from 3) + 0 asc
+    substring(rgr.groupId from 3) + 0 asc
   `
   async function getBenchmarkRevision(connection, benchmarkId, revisionStr) {
     let revisionStrResolved