Convert Microsoft Secure Score to OHDF #6007

Merged
merged 79 commits into from
Aug 7, 2024

@meme112233 meme112233 commented Jul 18, 2024

This PR introduces the converter for Microsoft SecureScore to OHDF.

Mapping is performed using the output of two Microsoft Graph API endpoints:

The mapper takes the output of the two endpoints as a single JSON document. Each document is included as an object under the keys profiles and secureScore.

{
   "secureScore":  <The full text of the secureScore endpoint output as JSON object>,
   "profiles":  <The full text of the secureScoreControlProfiles endpoint output as JSON object>
}

This combined file can be built with jq:

jq -s '{"secureScore": .[0], "profiles": .[1]}' secureScore.json profiles.json

Sample combined secureScore/profiles document for testing:
combined_msft.json

Mapper design decisions of interest

  • impact: Derived from the maxScore of the Profile matching the controlName
    • When no matching Profile is found, a default impact of 0.5 is used
  • status:
    • success:
      • scoreInPercentage === 100
      • score === max value from maxScore field of any matching Profile
    • error:
      • score field is undefined (per API, should never happen)
    • fail:
      • any other condition
  • tags
    • groups
      • controlCategory field from any matching Profiles
    • threats
      • threat field from any matching Profiles

A matching PR for the SAF-CLI is expected early next week that will support:

  • CLI conversion of combined secureScore endpoints to OHDF.
    • Starting with pre-downloaded REST endpoint outputs
    • Starting from Graph API credentials
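
The status and group-tag rules from the description above, as an added TypeScript example (not the converter code from this PR). The value[].controlScores[] layout, matching a profile by its id, the order of the checks, and the names controlStatus, summarize and sample are assumptions.

```typescript
// Added example. Assumed layout: scores in secureScore.value[].controlScores[];
// a profile matches a control when profile.id equals controlName.
type ControlScore = { controlName: string; score?: number; scoreInPercentage?: number };
type Profile = { id: string; maxScore?: number; controlCategory?: string };
type Combined = {
  secureScore: { value: { controlScores: ControlScore[] }[] };
  profiles: { value: Profile[] };
};
type Status = 'success' | 'error' | 'fail';
type Row = { id: string; status: Status; groups: string[] };

function controlStatus(control: ControlScore, matches: Profile[]): Status {
  // Assumed ordering: an undefined score is an error before any comparison.
  if (control.score === undefined) return 'error';
  if (control.scoreInPercentage === 100) return 'success';
  const maxScores = matches
    .map((p) => p.maxScore)
    .filter((m): m is number => typeof m === 'number');
  // Without a matching profile there is no maximum to compare the score against.
  if (maxScores.length > 0 && control.score === Math.max(...maxScores)) return 'success';
  return 'fail';
}

function summarize(doc: Combined): Row[] {
  const rows: Row[] = [];
  for (const report of doc.secureScore.value) {
    for (const control of report.controlScores) {
      const matches = doc.profiles.value.filter((p) => p.id === control.controlName);
      const groups = matches
        .map((p) => p.controlCategory)
        .filter((c): c is string => typeof c === 'string')
        .filter((c, i, all) => all.indexOf(c) === i); // de-duplicate categories
      rows.push({ id: control.controlName, status: controlStatus(control, matches), groups });
    }
  }
  return rows;
}

// Constructed sample in the combined shape built by the jq command (not tenant data).
const sample: Combined = {
  secureScore: { value: [{ controlScores: [
    { controlName: 'ctl-a', score: 9, scoreInPercentage: 100 }, // success by percentage
    { controlName: 'ctl-b', score: 10 },                        // success: equals maxScore
    { controlName: 'ctl-c', score: 3, scoreInPercentage: 37.5 }, // fail
    { controlName: 'ctl-d', score: 5 },                         // fail: no matching profile
    { controlName: 'ctl-e' },                                   // error: score undefined
  ] }] },
  profiles: { value: [
    { id: 'ctl-a', maxScore: 9, controlCategory: 'Identity' },
    { id: 'ctl-b', maxScore: 10, controlCategory: 'Identity' },
    { id: 'ctl-c', maxScore: 8, controlCategory: 'Apps' },
  ] },
};
const sampleRows = summarize(sample);
```
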

@ejaronne

  1. Profiles.value.title: recommend for controls.title
  2. Perhaps the Impact should be based on Profiles.value.userImpact instead of Profiles.value.maxScore? I can't yet find the Microsoft documentation that explains the difference between these. Impact is intended to be the relative danger should this control be in a failed state.
  3. Remediation: seems like a perfect opportunity as descriptions:[data:"", label:"fix"]
  4. RemediationImpact: seems like a perfect opportunity as descriptions:[data:"", label:"rationale"]

@charleshu-8 charleshu-8 left a comment

Part 1 of review, will look at mapper proper later.

@Amndeep7 Amndeep7 added the ready-to-merge Used by mergify to identify if a PR is ready to merge into master. label Aug 7, 2024
@Amndeep7 Amndeep7 merged commit f5c9fe4 into master Aug 7, 2024
8 of 9 checks passed
@Amndeep7 Amndeep7 deleted the meme-working branch August 7, 2024 01:30

sonarcloud bot commented Aug 7, 2024

Quality Gate failed

Failed conditions
1 New Code Smells (required ≤ 0)

Labels: enhancement, hdf-converters, ready-to-merge