VULCAN-559: Support for Multiple CCIs

app/constants/import_constants.rb

@@ -17,7 +17,8 @@ module ImportConstants
  OPTIONAL_MAPPING_CONSTANTS = {
  vendor_comments: 'Vendor Comments',
  mitigation: 'Mitigation',
- inspec_control_body: 'InSpec Control Body'
+ inspec_control_body: 'InSpec Control Body',
+ ident: 'CCI'
  }.freeze
 
  IMPORT_MAPPING = REQUIRED_MAPPING_CONSTANTS.merge(OPTIONAL_MAPPING_CONSTANTS)

app/models/base_rule.rb

@@ -76,7 +76,10 @@ def as_json(options = {})
  end
 
  def nist_control_family
- CCI_TO_NIST_CONSTANT[ident&.to_sym]
+ ccis = ident.to_s.split(/, */)
+ ia_controls = []
+ ccis.each { |cci| ia_controls << CCI_TO_NIST_CONSTANT[cci.to_sym] }
+ ia_controls.uniq.join(', ')
  end
 
  private

app/models/component.rb

@@ -150,6 +150,8 @@ def from_spreadsheet(spreadsheet)
  r.srg_rule_id = srg_rule.id
  # Get the inspec control body if provided
  r.inspec_control_body = row[IMPORT_MAPPING[:inspec_control_body]]
+ # It's possible to have multiple cci on the spreadsheet. Parse cci from the spreadsheet.
+ r.ident = row[IMPORT_MAPPING[:ident]]
 
  disa_rule_description = r.disa_rule_descriptions.first
  disa_rule_description.vuln_discussion = row[IMPORT_MAPPING[:vuln_discussion]]

app/models/rule.rb

@@ -39,7 +39,7 @@ class Rule < BaseRule
 
  before_validation :set_rule_id
  before_save :apply_audit_comment
- before_save :update_inspec_code
+ before_save :sort_ident, :update_inspec_code
  before_destroy :prevent_destroy_if_under_review_or_locked
  after_destroy :update_component_rules_count
  after_save :update_component_rules_count
@@ -218,9 +218,8 @@ def update_inspec_code
  control.add_tag(Inspec::Object::Tag.new('gid', "V-#{component[:prefix]}-#{rule_id}"))
  control.add_tag(Inspec::Object::Tag.new('rid', "SV-#{component[:prefix]}-#{rule_id}"))
  control.add_tag(Inspec::Object::Tag.new('stig_id', "#{component[:prefix]}-#{rule_id}"))
- control.add_tag(Inspec::Object::Tag.new('cci', ([ident] + satisfies.pluck(:ident)).uniq.sort)) if ident.present?
- control.add_tag(Inspec::Object::Tag.new('nist', ([nist_control_family] +
- satisfies.map(&:nist_control_family)).uniq.sort))
+ control.add_tag(Inspec::Object::Tag.new('cci', format_inspec_control_cci.uniq.sort)) if ident.present?
+ control.add_tag(Inspec::Object::Tag.new('nist', format_inspec_control_nist.uniq.sort))
  if desc.present?
  %i[false_negatives false_positives documentable mitigations severity_override_guidance potential_impacts
  third_party_tools mitigation_control responsibility ia_controls].each do |field|
@@ -251,6 +250,22 @@ def basic_fields
 
  private
 
+ def sort_ident
+ self.ident = ident.to_s.split(/, */).uniq.sort.join(', ')
+ end
+
+ def format_inspec_control_cci
+ rule_cci = ident.split(/, */)
+ satisfies_cci = satisfies.pluck(:ident).map { |cci| cci.split(/, */) }.flatten
+ rule_cci + satisfies_cci
+ end
+
+ def format_inspec_control_nist
+ rule_nist = nist_control_family.split(/, */)
+ statisfies_nist = satisfies.map(&:nist_control_family).map { |nist| nist.split(/, */) }.flatten
+ rule_nist + statisfies_nist
+ end
+
  def single_rule_clone?
  @single_rule_clone
  end

spec/models/rules_spec.rb

@@ -260,4 +260,12 @@
  @p1r1.reload
  end
  end
+
+ context 'rule with multiple ident' do
+ it 'should have a unique string list of cci sorted in ascending order' do
+ @p1r1.ident = 'CCI-000068, CCI-000054, CCI-000054'
+ @p1r1.save!
+ expect(@p1r1.ident).to eq('CCI-000054, CCI-000068')
+ end
+ end
 end