transform_benchmark_to_pcidss.main() - Code Metrics - Inspection of "Remove SCAP-1.3 SCAPVAL workarounds" - ComplianceAsCode/content - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — master (#6005)

unknown

created 2020-08-17 09:06 UTC

transform_benchmark_to_pcidss.main() F

↳ Parent: transform_benchmark_to_pcidss

Complexity

Conditions

Size

Total Lines	146
Code Lines	101

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	26
eloc	101
nop	0
dl	0
loc	146
rs	0
c	0
b	0
f	0

How to fix Long Method Complexity

#!/usr/bin/env python2

# Copyright 2016 Red Hat Inc., Durham, North Carolina.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
# Authors:
#      Martin Preisler <[email protected]>

import logging
try:
    from xml.etree import cElementTree as ElementTree
except ImportError:
    from xml.etree import ElementTree as ElementTree
import json
import sys
import os
import copy

import ssg.constants

XCCDF_NAMESPACE = ssg.constants.XCCDF12_NS
FILENAME = "PCI_DSS_v3.pdf"
REMOTE_URL = "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf"


def construct_xccdf_group(id_, desc, children, rules, rule_usage_map):
    ret = ElementTree.Element("{%s}Group" % (XCCDF_NAMESPACE))
    ret.set("id", ssg.constants.OSCAP_GROUP_PCIDSS + "-%s" % (id_))
    ret.set("selected", "true")
    title = ElementTree.Element("{%s}title" % (XCCDF_NAMESPACE))
    title.text = id_
    ret.append(title)
    description = ElementTree.Element("{%s}description" % (XCCDF_NAMESPACE))
    description.text = desc
    ret.append(description)

    for rule in rules:
        pci_dss_req_related = False
        for ref in rule.findall("./{%s}reference" % (XCCDF_NAMESPACE)):
            if ref.get("href") == REMOTE_URL and \
                    ref.text == "Req-" + id_:
                pci_dss_req_related = True
                break

        if pci_dss_req_related:
            suffix = ""
            if rule.get("id") not in rule_usage_map:
                rule_usage_map[rule.get("id")] = 1
            else:
                rule_usage_map[rule.get("id")] += 1
                suffix = "_%i" % (rule_usage_map[rule.get("id")])

            copied_rule = copy.deepcopy(rule)
            copied_rule.set("id", rule.get("id") + suffix)
            ret.append(copied_rule)

    for child_id, child_desc, child_children in children:
        child_element = construct_xccdf_group(
            child_id, child_desc, child_children,
            rules, rule_usage_map
        )
        ret.append(child_element)

    return ret


def main():
    logging.basicConfig(format='%(levelname)s:%(message)s',
                        level=logging.DEBUG)

    if len(sys.argv) < 4:
        sys.stderr.write("transform_benchmark_to_pcidss.py PCI_DSS.json "
                         "SOURCE_XCCDF DESTINATION_XCCDF\n")
        sys.exit(1)

    id_tree = None
    with open(sys.argv[1], "r") as f:
        id_tree = json.load(f)

    benchmark = ElementTree.parse(sys.argv[2])

    rules = []
    for rule in \
            benchmark.findall(".//{%s}Rule" % (XCCDF_NAMESPACE)):
        rules.append(rule)
    rule_usage_map = {}

    # only PCI-DSS related rules in that list, to speed-up processing
    filtered_rules = []
    for rule in rules:
        for ref in rule.findall("./{%s}reference" % (XCCDF_NAMESPACE)):
            if ref.get("href") == REMOTE_URL:
                filtered_rules.append(rule)
                break

    values = []
    for value in \
            benchmark.findall(".//{%s}Value" % (XCCDF_NAMESPACE)):
        values.append(value)

    # decide on usage of .iter or .getiterator method of elementtree class.
    # getiterator is deprecated in Python 3.9, but iter is not available in
    # older versions
    if getattr(benchmark, "iter", None) == None:
        parent_map = dict((c, p) for p in benchmark.getiterator() for c in p)
    else:
        parent_map = dict((c, p) for p in benchmark.iter() for c in p)
    for rule in \
            benchmark.findall(".//{%s}Rule" % (XCCDF_NAMESPACE)):
        parent_map[rule].remove(rule)
    for value in \
            benchmark.findall(".//{%s}Value" % (XCCDF_NAMESPACE)):
        parent_map[value].remove(value)
    for group in \
            benchmark.findall(".//{%s}Group" % (XCCDF_NAMESPACE)):
        parent_map[group].remove(group)

    root_element = benchmark.getroot()
    for id_, desc, children in id_tree:
        element = \
            construct_xccdf_group(id_, desc, children,
                                  filtered_rules, rule_usage_map)
        root_element.append(element)

    if len(values) > 0:
        group = ElementTree.Element("{%s}Group" % (XCCDF_NAMESPACE))
        group.set("id", ssg.constants.OSCAP_GROUP_VAL)
        group.set("selected", "true")
        title = ElementTree.Element("{%s}title" % (XCCDF_NAMESPACE))
        title.text = "Values"
        group.append(title)
        description = ElementTree.Element("{%s}description" % (XCCDF_NAMESPACE))
        description.text = "Group of values used in PCI-DSS profile"
        group.append(description)

        for value in values:
            copied_value = copy.deepcopy(value)
            group.append(copied_value)

        root_element.append(group)

    unused_rules = []
    for rule in rules:
        if rule.get("id") not in rule_usage_map:
            # this rule wasn't added yet, it would be lost unless we added it
            # to a special non-PCI-DSS group
            unused_rules.append(rule)

            for ref in rule.findall("./{%s}reference" % (XCCDF_NAMESPACE)):
                if ref.get("href") == REMOTE_URL:
                    logging.error(
                        "Rule '%s' references PCI-DSS '%s' but doesn't match "
                        "any Group ID in our requirement tree. Perhaps it's "
                        "referencing something we don't consider applicable on "
                        "the Operating System level?",
                        rule.get("id"), ref.text
                    )
                    sys.exit(1)

    if len(unused_rules) > 0:
        logging.warning(
            "%i rules don't reference PCI-DSS!" % (len(unused_rules))
        )

        group = ElementTree.Element("{%s}Group" % (XCCDF_NAMESPACE))
        group.set("id", ssg.constants.OSCAP_GROUP_NON_PCI)
        group.set("selected", "true")
        title = ElementTree.Element("{%s}title" % (XCCDF_NAMESPACE))
        title.text = "Non PCI-DSS"
        group.append(title)
        description = ElementTree.Element("{%s}description" % (XCCDF_NAMESPACE))
        description.text = "Rules that are not part of PCI-DSS"
        group.append(description)

        for rule in unused_rules:
            copied_rule = copy.deepcopy(rule)
            group.append(copied_rule)

        root_element.append(group)

    # change the Benchmark ID to avoid validation issues
    root_element.set(
        "id",
        root_element.get("id").replace("_benchmark_", "_benchmark_PCIDSS-")
    )

    for title_element in \
            root_element.findall("./{%s}title" % (XCCDF_NAMESPACE)):
        title_element.text += " (PCI-DSS centric)"

    # filter out all profiles except PCI-DSS
    for profile in \
            benchmark.findall("./{%s}Profile" % (XCCDF_NAMESPACE)):
        if profile.get("id").endswith("pci-dss"):
            # change the profile ID to avoid validation issues
            profile.set(
                "id",
                profile.get("id").replace("pci-dss", "pci-dss_centric")
            )
        else:
            root_element.remove(profile)
            continue

        # filter out old group selectors from the PCI-DSS profile
        for select in profile.findall("./{%s}select" % (XCCDF_NAMESPACE)):
            if select.get("idref").startswith(ssg.constants.OSCAP_GROUP):
                # we will remove all group selectors, all PCI-DSS groups are
                # selected by default so we don't need any in the final
                # PCI-DSS Benchmark
                profile.remove(select)

    benchmark.write(sys.argv[3])

if __name__ == "__main__":
    main()


1			#!/usr/bin/env python2
2
3			# Copyright 2016 Red Hat Inc., Durham, North Carolina.
4			#
5			# This library is free software; you can redistribute it and/or
6			# modify it under the terms of the GNU Lesser General Public
7			# License as published by the Free Software Foundation; either
8			# version 2 of the License, or (at your option) any later version.
9			#
10			# This library is distributed in the hope that it will be useful,
11			# but WITHOUT ANY WARRANTY; without even the implied warranty of
12			# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13			# Lesser General Public License for more details.
14			#
15			# You should have received a copy of the GNU Lesser General Public
16			# License along with this library; if not, write to the Free Software
17			# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
18			#
19			# Authors:
20			# Martin Preisler <[email protected]>
21
22			import logging
23			try:
24			from xml.etree import cElementTree as ElementTree
25			except ImportError:
26			from xml.etree import ElementTree as ElementTree
27			import json
28			import sys
29			import os
30			import copy
31
32			import ssg.constants
33
34			XCCDF_NAMESPACE = ssg.constants.XCCDF12_NS
35			FILENAME = "PCI_DSS_v3.pdf"
36			REMOTE_URL = "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf"
37
38
39			def construct_xccdf_group(id_, desc, children, rules, rule_usage_map):
40			ret = ElementTree.Element("{%s}Group" % (XCCDF_NAMESPACE))
41			ret.set("id", ssg.constants.OSCAP_GROUP_PCIDSS + "-%s" % (id_))
42			ret.set("selected", "true")
43			title = ElementTree.Element("{%s}title" % (XCCDF_NAMESPACE))
44			title.text = id_
45			ret.append(title)
46			description = ElementTree.Element("{%s}description" % (XCCDF_NAMESPACE))
47			description.text = desc
48			ret.append(description)
49
50			for rule in rules:
51			pci_dss_req_related = False
52			for ref in rule.findall("./{%s}reference" % (XCCDF_NAMESPACE)):
53			if ref.get("href") == REMOTE_URL and \
54			ref.text == "Req-" + id_:
55			pci_dss_req_related = True
56			break
57
58			if pci_dss_req_related:
59			suffix = ""
60			if rule.get("id") not in rule_usage_map:
61			rule_usage_map[rule.get("id")] = 1
62			else:
63			rule_usage_map[rule.get("id")] += 1
64			suffix = "_%i" % (rule_usage_map[rule.get("id")])
65
66			copied_rule = copy.deepcopy(rule)
67			copied_rule.set("id", rule.get("id") + suffix)
68			ret.append(copied_rule)
69
70			for child_id, child_desc, child_children in children:
71			child_element = construct_xccdf_group(
72			child_id, child_desc, child_children,
73			rules, rule_usage_map
74			)
75			ret.append(child_element)
76
77			return ret
78
79
80			def main():
81			logging.basicConfig(format='%(levelname)s:%(message)s',
82			level=logging.DEBUG)
83
84			if len(sys.argv) < 4:
85			sys.stderr.write("transform_benchmark_to_pcidss.py PCI_DSS.json "
86			"SOURCE_XCCDF DESTINATION_XCCDF\n")
87			sys.exit(1)
88
89			id_tree = None
90			with open(sys.argv[1], "r") as f:
91			id_tree = json.load(f)
92
93			benchmark = ElementTree.parse(sys.argv[2])
94
95			rules = []
96			for rule in \
97			benchmark.findall(".//{%s}Rule" % (XCCDF_NAMESPACE)):
98			rules.append(rule)
99			rule_usage_map = {}
100
101			# only PCI-DSS related rules in that list, to speed-up processing
102			filtered_rules = []
103			for rule in rules:
104			for ref in rule.findall("./{%s}reference" % (XCCDF_NAMESPACE)):
105			if ref.get("href") == REMOTE_URL:
106			filtered_rules.append(rule)
107			break
108
109			values = []
110			for value in \
111			benchmark.findall(".//{%s}Value" % (XCCDF_NAMESPACE)):
112			values.append(value)
113
114			# decide on usage of .iter or .getiterator method of elementtree class.
115			# getiterator is deprecated in Python 3.9, but iter is not available in
116			# older versions
117			if getattr(benchmark, "iter", None) == None:
118			parent_map = dict((c, p) for p in benchmark.getiterator() for c in p)
119			else:
120			parent_map = dict((c, p) for p in benchmark.iter() for c in p)
121			for rule in \
122			benchmark.findall(".//{%s}Rule" % (XCCDF_NAMESPACE)):
123			parent_map[rule].remove(rule)
124			for value in \
125			benchmark.findall(".//{%s}Value" % (XCCDF_NAMESPACE)):
126			parent_map[value].remove(value)
127			for group in \
128			benchmark.findall(".//{%s}Group" % (XCCDF_NAMESPACE)):
129			parent_map[group].remove(group)
130
131			root_element = benchmark.getroot()
132			for id_, desc, children in id_tree:
133			element = \
134			construct_xccdf_group(id_, desc, children,
135			filtered_rules, rule_usage_map)
136			root_element.append(element)
137
138			if len(values) > 0:
139			group = ElementTree.Element("{%s}Group" % (XCCDF_NAMESPACE))
140			group.set("id", ssg.constants.OSCAP_GROUP_VAL)
141			group.set("selected", "true")
142			title = ElementTree.Element("{%s}title" % (XCCDF_NAMESPACE))
143			title.text = "Values"
144			group.append(title)
145			description = ElementTree.Element("{%s}description" % (XCCDF_NAMESPACE))
146			description.text = "Group of values used in PCI-DSS profile"
147			group.append(description)
148
149			for value in values:
150			copied_value = copy.deepcopy(value)
151			group.append(copied_value)
152
153			root_element.append(group)
154
155			unused_rules = []
156			for rule in rules:
157			if rule.get("id") not in rule_usage_map:
158			# this rule wasn't added yet, it would be lost unless we added it
159			# to a special non-PCI-DSS group
160			unused_rules.append(rule)
161
162			for ref in rule.findall("./{%s}reference" % (XCCDF_NAMESPACE)):
163			if ref.get("href") == REMOTE_URL:
164			logging.error(
165			"Rule '%s' references PCI-DSS '%s' but doesn't match "
166			"any Group ID in our requirement tree. Perhaps it's "
167			"referencing something we don't consider applicable on "
168			"the Operating System level?",
169			rule.get("id"), ref.text
170			)
171			sys.exit(1)
172
173			if len(unused_rules) > 0:
174			logging.warning(
175			"%i rules don't reference PCI-DSS!" % (len(unused_rules))
176			)
177
178			group = ElementTree.Element("{%s}Group" % (XCCDF_NAMESPACE))
179			group.set("id", ssg.constants.OSCAP_GROUP_NON_PCI)
180			group.set("selected", "true")
181			title = ElementTree.Element("{%s}title" % (XCCDF_NAMESPACE))
182			title.text = "Non PCI-DSS"
183			group.append(title)
184			description = ElementTree.Element("{%s}description" % (XCCDF_NAMESPACE))
185			description.text = "Rules that are not part of PCI-DSS"
186			group.append(description)
187
188			for rule in unused_rules:
189			copied_rule = copy.deepcopy(rule)
190			group.append(copied_rule)
191
192			root_element.append(group)
193
194			# change the Benchmark ID to avoid validation issues
195			root_element.set(
196			"id",
197			root_element.get("id").replace("_benchmark_", "_benchmark_PCIDSS-")
198			)
199
200			for title_element in \
201			root_element.findall("./{%s}title" % (XCCDF_NAMESPACE)):
202			title_element.text += " (PCI-DSS centric)"
203
204			# filter out all profiles except PCI-DSS
205			for profile in \
206			benchmark.findall("./{%s}Profile" % (XCCDF_NAMESPACE)):
207			if profile.get("id").endswith("pci-dss"):
208			# change the profile ID to avoid validation issues
209			profile.set(
210			"id",
211			profile.get("id").replace("pci-dss", "pci-dss_centric")
212			)
213			else:
214			root_element.remove(profile)
215			continue
216
217			# filter out old group selectors from the PCI-DSS profile
218			for select in profile.findall("./{%s}select" % (XCCDF_NAMESPACE)):
219			if select.get("idref").startswith(ssg.constants.OSCAP_GROUP):
220			# we will remove all group selectors, all PCI-DSS groups are
221			# selected by default so we don't need any in the final
222			# PCI-DSS Benchmark
223			profile.remove(select)
224
225			benchmark.write(sys.argv[3])
226
227			if __name__ == "__main__":
228			main()
229

ComplianceAsCode / content

Pull Request — master (#6005)

transform_benchmark_to_pcidss.main() F

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity

Long Method

Complexity

Duplication Side-by-Side

Filter issues like