FEATURE: Nessus + CIS CAT Converters#2574

Open. ejohn20 wants to merge 6 commits into dev from 2531/converter-nessus-cis-cat

Conversation

@ejohn20
Collaborator

@ejohn20 ejohn20 commented Nov 8, 2022

Creates a new converter + unit tests for Nessus (XML format) and CIS CAT (JSON format) covered in #2531

* feat: cis cat pro json converter

* bug: exclude passing tests from results for match forward baseline status

* feat: nessus converter v0

* bug: fingerprint targetid + empty plugin output

* feat: cis cat unit tests

* feat: nessus unit tests

* bug: omit 0 severity results + cvss override

* bug: cis cat set unknown status to warning

* feat: set rank for critical capability

* chore: update test cases

* chore: codeql cleanup

* chore: dotnet format errors

* feat: gh property tags
getResultSeverity(rule.Result, out level, out kind, out rank);

//Create only if a valid is assigned
if (rank != RankConstants.None)

Code scanning / CodeQL warning: Equality check on floating point values. Equality checks on floating point values can yield unexpected results.
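Review bot: the flagged `if (rank != RankConstants.None)` compares floating-point values with `!=`, which is exactly what the CodeQL warning is about; since `rank` comes back from `getResultSeverity` as an out parameter, a clearer signal for "no rank assigned" would be a `bool` return value or a nullable rank rather than a float sentinel, which also removes the need for an equality test on a float. The comment `//Create only if a valid is assigned` is also missing a word (presumably `rank`).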
@ejohn20 ejohn20 changed the title from "2531/converter nessus cis cat" to "FEATURE: Nessus + CIS CAT Converters" Nov 9, 2022
@yongyan-gh
Contributor

yongyan-gh commented Jan 6, 2023

@ejohn20 thanks for sharing the sample CisCat/Nessus SARIF files generated by the converters for review. Have a couple of suggestions, pls review.

cc @michaelcfanning

@yongyan-gh
Contributor

yongyan-gh commented Jan 6, 2023

  1. Both converted CisCat and Nessus SARIF files' results don't contain a location object in the locations property.

GitHub Advanced Security code scanning will not display a result unless it provides a location that specifies the URI of the artifact that contains the result.

If they are planned to be ingested by GHAS, pls consider generating a location for the results.

@yongyan-gh
Contributor

yongyan-gh commented Jan 6, 2023

  1. Consider adding a help URI for each rule through the helpUri property of the rule object for both the CisCat and Nessus SARIF logs if possible.

Providing a URI where users can find detailed information about the rule helps users to understand the result and how they can best address it. The various SARIF viewers can render a hyperlink so users can easily navigate to the URI that contains detailed information.

E.g. the rule id RUSTSEC-2019-0001 has the help URI 'https://rustsec.org/advisories/RUSTSEC-2019-0001'

@yongyan-gh
Contributor

  1. Please provide version information through 'version', 'semanticVersion', 'dottedQuadFileVersion' properties of driver object for Nessus SARIF log.

Providing version information enables the log file consumer to determine whether the file was produced by an up to date version, and to avoid accidentally comparing log files produced by different tool versions.

run.Tool.Driver.Rules = new List<ReportingDescriptor>();
foreach (CisCatRule rule in log.Rules)
{
run.Tool.Driver.Rules.Add(CreateReportDescriptor(rule));
Contributor

run.Tool.Driver.Rules.Add(CreateReportDescriptor(rule));

Suggest to only log a rule if it's referenced by a result and avoid logging duplicated rules.

This can be done in the results loop below by checking if the rule already exists in the `log.Rules` list.

@michaelcfanning michaelcfanning changed the base branch from main to dev May 27, 2026 13:58
michaelcfanning and others added 2 commits May 27, 2026 08:28
After merging `dev` into this branch (3.5y stale), the converter test
expected outputs failed against current emitter output. The semantic
content is unchanged — the only differences are the `` URL
(`2.1.0-rtm.6` -> `2.1.0`) and string-array formatting (compact
`[a,b,c]` -> one-element-per-line) introduced by serializer changes
in the intervening releases.

Regenerated via the multitool `convert` verb and pretty-printed.
`Test.UnitTests.Sarif.Converters` filtered to `NessusConverter` and
`CisCatConverter` is 10/10 green.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@michaelcfanning
Member

Picking this up to see how close it is to landing.

Status now:

  • Merges dev cleanly; full solution builds with 0 warnings, 0 errors.
  • Pushed a baseline-refresh commit — the converter tests fail purely on stale `` URL and string-array formatting introduced by serializer changes since 2023. After regenerating the 5 expected SARIF files via the multitool, Test.UnitTests.Sarif.Converters filtered to the two converters is 10/10 green.

Still open (from @yongyan-gh's Jan-2023 review):

  1. Results have no locations[]. GHAS code scanning won't render results without an artifact location. Nessus has the host (targetId) and CIS CAT has the benchmarked system; either could synthesize a physicalLocation.artifactLocation.uri (e.g. host://<hostname>) so the results are renderable.
  2. Rules have no helpUri. Nessus has CVEs available — https://nvd.nist.gov/vuln/detail/<CVE> is a natural mapping. CIS CAT could point at the CIS Workbench rule URL.
  3. Nessus driver is missing version metadata. version is best-effort from sc_version; semanticVersion and dottedQuadFileVersion are unset. CIS CAT already sets both from BenchmarkVersion.

Each is a small, well-bounded change.

@ejohn20 — are you in a position to address these and update the PR, or would you like us to take it over?
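As an added illustration (not code from this PR or from the SARIF SDK, which is C#), the following Python builds a minimal SARIF 2.1.0 run from constructed Nessus-like findings and applies the three open review points (synthesized host:// locations, NVD helpUri, driver version) together with the earlier suggestion to log each rule once and only when a result references it. The input field names (host, plugin_id, name, severity, cve) and the sample values are assumptions, not real scan output.

```python
import json

# Constructed sample findings, loosely shaped like Nessus ReportItem data:
# plugin id, name, severity 0-4, optional CVE. Not real scan output.
FINDINGS = [
    {"host": "web01.example.test", "plugin_id": "12345", "name": "Example issue A",
     "severity": 3, "cve": "CVE-2000-0001"},
    {"host": "db01.example.test", "plugin_id": "12345", "name": "Example issue A",
     "severity": 3, "cve": "CVE-2000-0001"},
    {"host": "db01.example.test", "plugin_id": "67890", "name": "Example issue B",
     "severity": 0, "cve": None},  # severity 0 is informational; PR omits these
]

# Nessus severity 1-4 mapped onto SARIF result levels.
SEVERITY_TO_LEVEL = {1: "note", 2: "warning", 3: "error", 4: "error"}


def build_sarif(findings, tool_version):
    """Return a SARIF log dict; rules are emitted once, only when referenced."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        if f["severity"] == 0:  # mirrors the PR's "omit 0 severity results"
            continue
        rid = f["plugin_id"]
        if rid not in rule_index:  # dedupe: one ReportingDescriptor per plugin
            rule = {"id": rid, "name": f["name"]}
            if f["cve"]:  # helpUri: the NVD mapping suggested in review
                rule["helpUri"] = f"https://nvd.nist.gov/vuln/detail/{f['cve']}"
            rule_index[rid] = len(rules)
            rules.append(rule)
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": SEVERITY_TO_LEVEL[f["severity"]],
            "message": {"text": f["name"]},
            # GHAS will not render a result without an artifact location, so a
            # host:// URI is synthesized from the scanned host (assumed scheme).
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f"host://{f['host']}"}}}],
        })
    # version/semanticVersion let consumers detect logs from different tool
    # versions; dottedQuadFileVersion would need a four-part numeric string.
    driver = {"name": "Nessus", "version": tool_version,
              "semanticVersion": tool_version, "rules": rules}
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": driver}, "results": results}]}


if __name__ == "__main__":
    print(json.dumps(build_sarif(FINDINGS, "10.0.0"), indent=2))
```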

@ejohn20
Collaborator Author

ejohn20 commented May 27, 2026

@michaelcfanning Wow, it's been a minute since we opened this 😂 If you've got bandwidth, feel free to take it over.

I've got a deadline a couple weeks out before I'd have time to finish this one out. Let me know if you'd rather wait and I'll get it on my radar.
