
Merge pull request #570 from skapunker/NIST-fixes
NIST rating fixes
BuffaloWill authored Jan 31, 2020
2 parents 0faafb3 + 6f09261 commit 8745207
Showing 5 changed files with 74 additions and 55 deletions.
73 changes: 40 additions & 33 deletions helpers/helper.rb
Expand Up @@ -181,15 +181,15 @@ def add_findings_totals(udv, findings, config_options)
end
elsif(config_options["nist800"])
findings.each do |finding|
if finding.nist800_total >= 120
if finding.nist800_total >= 240
critical += 1
elsif finding.nist800_total >= 90 and finding.nist800_total <= 80
elsif finding.nist800_total >= 150
high += 1
elsif finding.nist800_total >= 60 and finding.nist800_total <= 30
elsif finding.nist800_total >= 90
moderate += 1
elsif finding.nist800_total >= 1 and finding.nist800_total <= 20
elsif finding.nist800_total >= 50
low += 1
elsif finding.nist800_total <= 0
elsif finding.nist800_total <= 40
informational += 1
end
end
Expand Down Expand Up @@ -408,50 +408,57 @@ def compare_text(new_text, orig_text)

# created NIST800 helper to cut down repetitive code
def nist800(data)
if data["nist_impact"] == "Informational"
if data["nist_impact"] == "Very Low"
impact_val = 0
elsif data["nist_impact"] == "Low"
impact_val = 1
impact_val = 16
elsif data["nist_impact"] == "Moderate"
impact_val = 20
elsif data["nist_impact"] == "High"
impact_val = 30
elsif data["nist_impact"] == "Critical"
elsif data["nist_impact"] == "High"
impact_val = 40
elsif data["nist_impact"] == "Very High"
impact_val = 60
end

if data["nist_likelihood"] == "Low"
if data["nist_likelihood"] == "Very Low"
likelihood_val = 1
elsif data["nist_likelihood"] == "Moderate"
elsif data["nist_likelihood"] == "Low"
likelihood_val = 2
elsif data["nist_likelihood"] == "High"
elsif data["nist_likelihood"] == "Moderate"
likelihood_val = 3
elsif data["nist_likelihood"] == "High"
likelihood_val = 4
elsif data["nist_likelihood"] == "Very High"
likelihood_val = 5

end

nist800_total = impact_val * likelihood_val

# Calulate nist total numeriacl score (Numbers used not NIST offical)
# I came up with the math to match this table:
# +------------+----------+---------------+-----+----------+----------+----------+
# | Impact |
# +------------+----------+---------------+-----+----------+----------+----------+
# | | | Informational | Low | Moderate | High | Critical |
# + +----------+---------------+-----+----------+----------+----------+
# | likeihood | High | Informational | Low | Moderate | High | Critical |
# | | Moderate | Informational | Low | Moderate | Moderate | High |
# | | Low | Informational | Low | Low | Moderate | Moderate |
# +------------+----------+---------------+-----+----------+----------+----------+

if nist800_total >= 120
nist_rating = "Critical"
elsif nist800_total <= 90 and nist800_total >= 80
nist_rating = "High"
elsif nist800_total <= 60 and nist800_total >= 30
nist_rating = "Moderate"
elsif nist800_total <= 20 and nist800_total >= 1
nist_rating = "Low"
elsif nist800_total == 0
nist_rating = "Informational"
# +------------+-----------+---------------+----------+----------+----------+-----------+
# | | Impact |
# +------------+-----------+---------------+----------+----------+----------+-----------+
# | | | Very Low | Low | Moderate | High | Very High |
# + +-----------+---------------+----------+----------+----------+-----------+
# | | Very High | Very Low | Low | Moderate | High | Very High |
# | likeihood | High | Very Low | Low | Moderate | High | Very High |
# | | Moderate | Very Low | Low | Moderate | Moderate | High |
# | | Low | Very Low | Low | Low | Low | Moderate |
# | | Very Low | Very Low | Very Low | Very Low | Low | Low |
# +------------+-----------+---------------+----------+----------+----------+-----------+

if nist800_total >= 240
nist_rating = "Very High"
elsif nist800_total >= 150
nist_rating = "High"
elsif nist800_total >= 90
nist_rating = "Moderate"
elsif nist800_total >= 32
nist_rating = "Low"
elsif nist800_total < 32
nist_rating = "Very Low"
end

data['impact_val'] = impact_val
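Review bot: The new bucket thresholds in add_findings_totals leave a gap between `>= 50` and `<= 40`, so a total of 48 (Low impact 16 × Moderate likelihood 3 with the new nist800 values) is counted in no bucket, and totals of 32 and 40 land in informational although nist800 rates anything `>= 32` as "Low". Aligning the last two branches with the rating function, `elsif finding.nist800_total >= 32` followed by a plain `else`, closes the gap and keeps the summary consistent with the per-finding rating; the same `>= 50` / `<= 40` pair appears in views/findings_list.haml. Separately, in nist800 the comment table gives High likelihood × Moderate impact as Moderate, but 4 × 20 = 80 falls below `>= 90` and rates Low, while Very High likelihood × Low impact is also 80 and the table wants Low there, so no threshold on the product can reproduce the table; either document the deviation, e.g. `# NOTE: High likelihood x Moderate impact (80) rates Low here, not Moderate as in the table`, or look the rating up by the (likelihood, impact) pair instead of the product. add_findings_totals starts before its hunk and nist800 continues past the end of its hunk.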
4 changes: 2 additions & 2 deletions server.rb
Expand Up @@ -101,8 +101,8 @@ class Server < Sinatra::Application
set :likelihood, %w[Low Medium High]

# NIST800
set :nist_likelihood, ['Low','Moderate','High']
set :nist_impact, ['Informational','Low','Moderate','High','Critical']
set :nist_likelihood, ['Very Low','Low','Moderate','High','Very High']
set :nist_impact, ['Very Low','Low','Moderate','High','Very High']

if config_options['cvssv2_scoring_override']
if config_options['cvssv2_scoring_override'] == 'true'
22 changes: 19 additions & 3 deletions views/create_finding.haml
Expand Up @@ -434,24 +434,40 @@
.col-lg-4
%textarea#likelihood_rationale.form-control.input-xxlarge.allowMarkupShortcut{ :rows => "3", :name => "likelihood_rationale" }

-#-------------------- End of add NIST800 findings in master database --------------------#-
-#-------------------- Start of add NIST800 findings in master database --------------------#-
- elsif @nist800
.form-group.row
%label.col-lg-2.col-form-label{ :for => "nist_impact" } Impact
.col-lg-4
%select#nist_impact.custom-select{ :name => "nist_impact" }
%option{ :value => "Informational" }= "Informational"
%option{ :value => "Very Low" }= "Very Low"
%option{ :value => "Low" }= "Low"
%option{ :value => "Moderate" }= "Moderate"
%option{ :value => "High" }= "High"
%option{ :value => "Critical" }= "Critical"
%option{ :value => "Very High" }= "Very High"
.form-group.row
%label.col-lg-2.col-form-label{ :for => "nist_likelihood" } Likelihood
.col-lg-4
%select#nist_likelihood.custom-select{ :name => "nist_likelihood" }
%option{ :value => "Very Low" }= "Very Low"
%option{ :value => "Low" }= "Low"
%option{ :value => "Moderate" }= "Moderate"
%option{ :value => "High" }= "High"
%option{ :value => "Very High" }= "Very High"
.form-group.row
%label.col-lg-2.col-form-label{ :for => "effort" } Remediation Effort
.col-lg-4
%select#effort.custom-select{ :name => "effort" }
- if @finding
- settings.effort.each do |effort|
- if effort == @finding.effort
%option{ :selected => "selected" } #{effort}
- else
%option #{effort}
- else
- settings.effort.each do |effort|
%option #{effort}

-#-------------------- End of add NIST800 findings in master database --------------------#-
- else
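Review bot: The impact and likelihood selects hardcode the five option strings that server.rb now also declares in `settings.nist_impact` and `settings.nist_likelihood`, while the remediation-effort select added just below iterates `settings.effort`; a future change to the vocabulary then has to be repeated in three places (server.rb, this view, and the string comparisons in nist800). Rendering these options the way effort is rendered, `- settings.nist_impact.each do |impact|` / `%option{ :value => impact }= impact` (and likewise for `settings.nist_likelihood`), keeps one source of truth for the accepted values. The `elsif @nist800` branch continues outside the hunk.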
4 changes: 0 additions & 4 deletions views/findings_edit.haml
Expand Up @@ -676,10 +676,6 @@
%option{ :value => "#{r_type}", :selected => "selected" } #{risk_types[r_type]}
- else
%option{ :value => "#{r_type}"} #{risk_types[r_type]}


<!-- do not show remediation effort for NIST800, however show it for all others -->
- if !@nist800
.form-group.row
%label.col-lg-2.col-form-label{ :for => "effort" } Remediation Effort
.col-lg-4
26 changes: 13 additions & 13 deletions views/findings_list.haml
Expand Up @@ -112,19 +112,19 @@
elsif @nist800
@findings.each do |finding|
next unless finding
if finding.nist800_total >= 120
vulns["critical"] += 1
elsif finding.nist800_total >= 80 and finding.nist800_total <= 90
vulns["severe"] += 1
elsif finding.nist800_total >= 30 and finding.nist800_total <= 60
vulns["moderate"] += 1
elsif finding.nist800_total >= 1 and finding.nist800_total <= 20
vulns["low"] += 1
else finding.nist800_total == 0
vulns["informational"] += 1
if finding.nist800_total >= 240
vulns["Very High"] += 1
elsif finding.nist800_total >= 150
vulns["High"] += 1
elsif finding.nist800_total >= 90
vulns["Moderate"] += 1
elsif finding.nist800_total >= 50
vulns["Low"] += 1
else finding.nist800_total <= 40
vulns["Very Low"] += 1
end
end
labels = {"label_1" => "Critical", "label_2" => "Severe", "label_3" => "Moderate", "label_4" => "Low", "label_5" => "Informational"}
labels = {"label_1" => "Very High", "label_2" => "High", "label_3" => "Moderate", "label_4" => "Low", "label_5" => "Very Low"}
elsif @cvss
if @cvssv2_scoring_override
@findings.each do |finding|
Expand Down Expand Up @@ -189,9 +189,9 @@
<script src= '/js/d3.js'></script>
<script type= "text/javascript">
if(#{@nist800}){
var data = [{"label":"#{labels["label_1"]}", "value": #{vulns["critical"]}},{"label":"#{labels["label_2"]}", "value": #{vulns["severe"]}}, {"label":"#{labels["label_3"]}", "value":#{vulns["moderate"]}}, {"label":"#{labels["label_4"]}", "value": #{vulns["low"]}},{"label":"#{labels["label_5"]}", "value": #{vulns["informational"]}}];
var data = [{"label":"#{labels["label_1"]}", "value": #{vulns["Very High"]}},{"label":"#{labels["label_2"]}", "value": #{vulns["High"]}}, {"label":"#{labels["label_3"]}", "value":#{vulns["Moderate"]}}, {"label":"#{labels["label_4"]}", "value": #{vulns["Low"]}},{"label":"#{labels["label_5"]}", "value": #{vulns["Very Low"]}}];
}else{
var data = [{"label":"#{labels["label_1"]}", "value": #{vulns["critical"]}},{"label":"#{labels["label_2"]}", "value": #{vulns["severe"]}}, {"label":"#{labels["label_3"]}", "value":#{vulns["moderate"]}}, {"label":"#{labels["label_4"]}", "value": #{vulns["low"]}}];
var data = [{"label":"#{labels["label_1"]}", "value": #{vulns["Very High"]}},{"label":"#{labels["label_2"]}", "value": #{vulns["High"]}}, {"label":"#{labels["label_3"]}", "value":#{vulns["Moderate"]}}, {"label":"#{labels["label_4"]}", "value": #{vulns["Low"]}}, {"label":"#{labels["label_5"]}", "value": #{vulns["Very Low"]}}];
}
var w = 250;
var h = 250;
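Review bot: The rewritten `}else{` branch in the second hunk now reads `vulns["Very High"]`, `vulns["High"]`, `vulns["Moderate"]`, `vulns["Low"]`, `vulns["Very Low"]` plus a fifth label, but that branch serves the non-NIST scoring modes, whose counting code is outside this hunk and previously fed the lowercase `critical`/`severe`/`moderate`/`low` keys the old line read; unless those branches were renamed as well (not visible here), the non-NIST chart will now read keys that are never populated. Keeping the old key set and four labels in the `else` branch and switching only the `if(#{@nist800})` branch is the safe version. In the first hunk, `else finding.nist800_total <= 40` is an `else` followed by a bare expression that is evaluated and discarded, so it should be a plain `else`; that branch also silently absorbs 48 (16 × 3), which falls between `>= 50` and `<= 40`, so `>= 32` would match the nist800 rating thresholds in helpers/helper.rb. The `elsif @nist800` block begins before the first hunk.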
