Describe Block Code Generation Failing #22

@georgedias

The following anomalies are occurring when extracting the describe block via the getExistingDescribeFromControl method

  • The getExistingDescribeFromControl return value needs to check if the last entry on the array is a blank line; it currently assumes that one exists, which causes invalid syntax to be returned if there isn't a blank line at the end of the array.
    Example:
  • If we have the following logic (notice the empty entry in the array):
[
      '  describe security_policy do',
      "    its('ClearTextPassword') { should eq 0 }",
      '  end',
      'end',
      ''
]

It works as the current logic is return logic.slice(0, logic.length - 2).join('\n') // Drop trailing ['end', '\n'] from Control block.

  • However if we have this logic:
[
      '  describe security_policy do',
      "    its('ClearTextPassword') { should eq 0 }",
      '  end',
      'end',
]

The last 2 end are removed - NO Happy Feet

Replace the return with the following code

return logic.slice(0, logic.lastIndexOf('end')).join('\n') // Drop trailing ['end', '\n'] from Control block.

A solution is implemented in the Describe Block Update Fix PR
Happy Feet

  • If a control starts with a space control ... current logic fails to properly assemble the describe block due to skipRegExp format.
  • It uses: const skip = ['control\\W', ' title\\W', ' desc\\W', ' impact\\W', ' tag\\W', ' ref\\W']
  • Change To: const skip = ['control\\W', '[ ]+control\\W', '[ ]+title\\W', '[ ]+desc\\W', '[ ]+impact\\W', '[ ]+tag\\W', '[ ]+ref\\W']

A solution is implemented in the Describe Block Update Fix PR
Use V-92975 to test, included in the failed.zip

Need To Fix

  • Profiles with embedded inputs, i.e., \"#{input('LegalNoticeCaption').join("\", \"")}\", fail to properly generate the describe block as it adds the input into it.

A solution is implemented in the Describe Block Update Fix PR
Use V-93149 to test, included in the failed.zip

  • Profiles with tags that have arrays that span multiple lines are not being processed correctly.
    Example: if a tag contains the following:
tag 'satisfies': ["SRG-OS-000004-GPOS-00004", "SRG-OS-000239-GPOS-00089",
"SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091",
"SRG-OS-000303-GPOS-00120", "SRG-OS-000476-GPOS-00221"]

The last two lines are not associated with the tag and are added to the describe block.
The current workaround, when assembling the describe block (logic), is to check if the line begins with a space; if it does, include it in
the describe block, otherwise skip it. The orphan lines that belong to the tag (in this case) do not have any spaces at the
beginning of the line.
Use SV-205625 to test, included in the failed.zip

  • Profile controls with embedded %q() cookstyle formatting fail to properly generate the describe block; it adds extraneous content from desc blocks that are escaped with the %q.
    Example output:
text from other blocks ...

The describe block

expected_c_perm = input('c_perm')
  describe.one do
    describe registry_key('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa') do
      it { should have_property 'EveryoneIncludesAnonymous' }
      its('EveryoneIncludesAnonymous') { should eq 0 }
    end
    c_perm = json(command: "icacls 'C:\\' | ConvertTo-Json").params.map(&:strip)[0..-3].map { |e| e.gsub('C:\\ ', '') }
    describe 'C:\\ permissions are set correctly on folder structure' do
      subject { c_perm.eql? expected_c_perm }
      it { should eq true }
    end
  end

Use SV-205734 and V-93019 to test, included in the failed.zip

  • A profile with a pound sign (#) for a comment in the describe block duplicates the next line.
    Example:
  #Checked Code in 2016 and it is not a validate way of checking permissions, Until a command is put together that can get all GPO's in a Domain and then check all permissions, this is manually
  describe 'A manual review is required to ensure all Group Policies have the correct permisions' do
  describe 'A manual review is required to ensure all Group Policies have the correct permisions' do
    skip 'A manual review is required to ensure all Group Policies have the correct permissions'
  end

Use SV-205741 to test, included in the failed.zip

Attachment: failed.zip
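The first two anomalies reported above can be reproduced in isolation. The following is an added example, not code from the project: the helper names, the constructed sample lines, and the assumption that the skip patterns are anchored at the start of a line are all illustrative.

```javascript
// Added illustration, not the project's code. The helper names and the way the
// skip patterns are anchored at line start are assumptions.
const withBlank = [
  '  describe security_policy do',
  "    its('ClearTextPassword') { should eq 0 }",
  '  end',
  'end',
  '',
];
const withoutBlank = withBlank.slice(0, -1); // same control, no trailing ''

// Current return quoted in the issue: always drops the last two entries.
function dropTrailingEndOld(logic) {
  return logic.slice(0, logic.length - 2).join('\n');
}

// Replacement proposed in the issue: cut at the last entry that is exactly 'end'.
function dropTrailingEndNew(logic) {
  return logic.slice(0, logic.lastIndexOf('end')).join('\n');
}

const skipOld = ['control\\W', ' title\\W', ' desc\\W', ' impact\\W', ' tag\\W', ' ref\\W'];
const skipNew = ['control\\W', '[ ]+control\\W', '[ ]+title\\W', '[ ]+desc\\W',
  '[ ]+impact\\W', '[ ]+tag\\W', '[ ]+ref\\W'];

// True when a line is control metadata that must stay out of the describe block.
function isSkipped(line, skip) {
  return new RegExp(`^(?:${skip.join('|')})`).test(line);
}

// Constructed sample lines: indented control, deeply indented title, describe.
const samples = [" control 'V-92975' do", "    title 'x'", '  describe security_policy do'];
for (const line of samples) {
  console.log(JSON.stringify(line), isSkipped(line, skipOld), isSkipped(line, skipNew));
}
console.log(dropTrailingEndOld(withoutBlank)); // inner 'end' is lost
console.log(dropTrailingEndNew(withoutBlank)); // inner 'end' is kept
```

`lastIndexOf('end')` matches only an entry that is exactly `'end'`; if the closing line carries indentation or trailing whitespace it returns -1 and `slice(0, -1)` drops just the last entry. The trailing `\W` in each pattern is what keeps `describe` lines from matching the `desc` pattern.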
