Harden findings parsing, fix 4 input-handling bugs, 4x tests + demos#6
Open
cognis-digital wants to merge 3 commits into
Open
Harden findings parsing, fix 4 input-handling bugs, 4x tests + demos#6cognis-digital wants to merge 3 commits into
cognis-digital wants to merge 3 commits into
Conversation
Error handling / real bug fixes (public API unchanged):
- parse_findings_file: malformed JSON now raises FindingsParseError with the
offending path instead of a bare `except` returning [] (which masked findings
and produced a false "all clear" on a compliance scan).
- Case-insensitive file suffixes: .JSON / .CSV / .TSV are now ingested (were
silently ignored by the case-sensitive .suffix comparison).
- Wrapper-object JSON: {"findings":[...]} / {"results":[...]} / single-object
shapes (the common SCAP/SCC exporter shapes) no longer crash scan() with an
AttributeError; _coerce_findings normalizes them.
- scan() on a missing target path now raises FileNotFoundError instead of
reporting items_scanned=1 with zero findings.
- scan(strict=True) re-raises parse errors for CI; lenient mode (default)
surfaces an unparseable file as a tracked MODERATE SS-PARSE-ERROR finding.
- emit_poam writes UTF-8 explicitly and creates parent dirs.
- normalize_control_id handles combined enhancements AC-6(2)(a) and "AC-6 (2)".
Tests: 34 -> 189 (test_parse_errors, test_crosswalk, test_resolver_edges,
test_output_formats, test_cli, test_cognis_mil). Edge cases + error paths:
malformed configs, missing/unknown STIG IDs, RMF mapping gaps, POA&M/OSCAL/SARIF
output, air-gap snapshot round-trip, audit-log tamper detection.
Demos: 5 -> 20 runnable scenarios (each exits 0, PYTHONUTF8=1), run_all.py and
docs/DEMOS.md updated.
The config used the v4 flat list form, which v5 rejects ('found unexpected type
for label docs'). Migrate to the v5 changed-files / any-glob-to-any-file shape so
the label workflow stops failing on every PR.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Deepens stigsentry across error handling, tests, and demos while keeping the
public API (
scan,emit_poam,parse_findings_file,STIG_CONTROLS) stable.Real bugs fixed
Each of these was reproduced before fixing:
parse_findings_fileused a bareexcept: return [], so a half-written/corrupt findings file scanned as zerofindings — a false "all clear" on a compliance scan. Now raises
FindingsParseErrornaming the offending path..JSON/.CSV/.TSV(any non-lowercasecase) were silently ignored. Now matched case-insensitively.
scan(). A{"findings": [...]}/{"results": [...]}/ single-object payload — the shape most OpenSCAP/SCCexporters emit — raised
AttributeError: 'str' object has no attribute 'get'.A new
_coerce_findingsnormalizes all these shapes.scan("/no/such/path")reporteditems_scanned=1with no findings instead of erroring. Now raisesFileNotFoundError.Also:
emit_poamnow writes UTF-8 explicitly and creates parent dirs;normalize_control_idhandles combined enhancements (AC-6(2)(a)) and a spacebefore the paren (
AC-6 (2)).New error-handling surface
scan(..., strict=True)re-raises parse errors (fail the build in CI).SS-PARSE-ERRORfinding and continues scanning the rest of the directory.Tests: 34 → 189
New suites:
test_parse_errors,test_crosswalk,test_resolver_edges,test_output_formats,test_cli,test_cognis_mil. Cover malformed configs,missing/unknown STIG IDs, RMF mapping gaps, POA&M/OSCAL/SARIF output edges, the
air-gap snapshot export/import round-trip, and audit-log tamper detection. The
whole suite stays fully offline (network hard-blocked in conftest).
Demos: 5 → 20
Fifteen new runnable scenarios (each exits 0 under
PYTHONUTF8=1), withdemos/run_all.pyanddocs/DEMOS.mdupdated. New scenarios cover malformedinput handling, exporter JSON shapes, the RMF mapping gap, control-ID
normalization, air-gap sneakernet, CI gate exit codes, the tamper-evident audit
trail, classification banners, severity rollup, CSV/TSV ingest, multi-format
export, POA&M→GRC mapping, OSCAL diffing, per-host triage, and a full end-to-end
pipeline.
Verification
python -m pytest -q→ 189 passed, fully offline.PYTHONUTF8=1 python demos/run_all.py→ exit 0; each demo also exits 0 standalone.