DefectDojo · mtesauro · May 21, 2023 · Apr 28, 2023 · Apr 28, 2023 · Apr 28, 2023
diff --git a/dojo/tools/aws_prowler_v3/__init__.py b/dojo/tools/aws_prowler_v3/__init__.py
@@ -0,0 +1 @@
+__author__ = 'Anderson dos Anjos Slompo - https://github.com/anderson-slompo'
diff --git a/dojo/tools/aws_prowler_v3/parser.py b/dojo/tools/aws_prowler_v3/parser.py
@@ -0,0 +1,104 @@
+
+import hashlib
+import json
+import textwrap
+from datetime import date
+
+from dojo.models import Finding
+
+
+class AWSProwlerJsonV3Parser(object):
+    SCAN_TYPE = ["AWS Prowler V3"]
+
+    def get_scan_types(self):
+        return AWSProwlerJsonV3Parser.SCAN_TYPE
+
+    def get_label_for_scan_types(self, scan_type):
+        return AWSProwlerJsonV3Parser.SCAN_TYPE[0]
+
+    def get_description_for_scan_types(self, scan_type):
+        return "Export of AWS Prowler JSON V3 format."
+
+    def get_findings(self, file, test):
+        if file.name.lower().endswith('.json'):
+            return self.process_json(file, test)
+        else:
+            raise ValueError('Unknown file format')
+
+    def process_json(self, file, test):
+        dupes = dict()
+
+        data = json.load(file)
+        for deserialized in data:
+
+            status = deserialized.get('Status')
+            if status.upper() != 'FAIL':
+                continue
+
+            account = deserialized.get('AccountId')
+            region = deserialized.get('Region')
+            provider = deserialized.get('Provider')
+            compliance = str(deserialized.get('Compliance'))
+            result_extended = deserialized.get('StatusExtended')
+            general_description = deserialized.get('Description')
+            asff_compliance_type = " / ".join(deserialized.get('CheckType'))
+            severity = deserialized.get('Severity').capitalize()
+            aws_service_name = deserialized.get('ServiceName')
+            impact = deserialized.get('Risk')
+            mitigation = deserialized.get('Remediation').get('Recommendation').get("Text")
+            mitigation = str(mitigation) + "\n" + str(deserialized.get('Remediation').get('Code'))
+            documentation = deserialized.get('Remediation').get('Recommendation').get("Url")
+            documentation = str(documentation) + "\n" + str(deserialized.get('RelatedUrl'))
+            security_domain = deserialized.get('ResourceType')
+            timestamp = deserialized.get('AssessmentStartTime')
+            resource_arn = deserialized.get('ResourceArn')
+            account_id = deserialized.get('AccountId')
+            resource_id = deserialized.get('ResourceId')
+            if not resource_arn or resource_arn == "":
+                component_name = str(provider) + "-" + str(account_id) + "-" + str(region) + "-" + str(resource_id)
+            else:
+                component_name = resource_arn
+            unique_id_from_tool = deserialized.get('FindingUniqueId')
+
+            description = "**Issue:** " + str(result_extended) + \
+                "\n**Description:** " + str(general_description) + \
+                "\n**AWS Account:** " + str(account) + " | **Region:** " + str(region) + \
+                "\n**Compliance:** " + str(compliance) + \
+                "\n**AWS Service:** " + str(aws_service_name) + \
+                "\n**ASFF Compliance Type:** " + str(asff_compliance_type) + \
+                "\n**Security Domain:** " + str(security_domain)
+
+            # improving key to get duplicates
+            dupe_key = hashlib.sha256(
+                (severity + '|' + region + '|' + result_extended).encode('utf-8')).hexdigest()
+            if dupe_key in dupes:
+                find = dupes[dupe_key]
+                if description is not None:
+                    find.description += description + "\n\n"
+                find.nb_occurences += 1
+            else:
+                find = Finding(
+                    title=textwrap.shorten(result_extended, 150),
+                    cwe=1032,  # Security Configuration Weaknesses, would like to fine tune
+                    test=test,
+                    description=description,
+                    component_name=component_name,
+                    unique_id_from_tool=unique_id_from_tool,
+                    severity=severity,
+                    references=documentation,
+                    date=date.fromisoformat(timestamp[:10]),
+                    static_finding=True,
+                    dynamic_finding=False,
+                    nb_occurences=1,
+                    mitigation=mitigation,
+                    impact=impact,
+                )
+                dupes[dupe_key] = find
+
+        return list(dupes.values())
+
+    def formatview(self, depth):
+        if depth > 1:
+            return "* "
+        else:
+            return ""
diff --git a/unittests/scans/aws_prowler_v3/many_vuln.json b/unittests/scans/aws_prowler_v3/many_vuln.json
@@ -0,0 +1,242 @@
+[
+{
+    "AssessmentStartTime": "2023-04-25T23:49:42.744599",
+    "FindingUniqueId": "prowler-aws-acm_certificates_expiration_check-999999999999-us-east-1-api.teste.teste.com",
+    "Provider": "aws",
+    "CheckID": "acm_certificates_expiration_check",
+    "CheckTitle": "Check if ACM Certificates are about to expire in specific days or less",
+    "CheckType": [
+        "Data Protection"
+    ],
+    "ServiceName": "acm",
+    "SubServiceName": "",
+    "Status": "FAIL",
+    "StatusExtended": "ACM Certificate for api.teste.teste.com is about to expire in 7 days.",
+    "Severity": "high",
+    "ResourceType": "AwsCertificateManagerCertificate",
+    "ResourceDetails": "",
+    "Description": "Check if ACM Certificates are about to expire in specific days or less",
+    "Risk": "Expired certificates can impact service availability.",
+    "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html",
+    "Remediation": {
+        "Code": {
+            "NativeIaC": "",
+            "Terraform": "",
+            "CLI": "",
+            "Other": ""
+        },
+        "Recommendation": {
+            "Text": "Monitor certificate expiration and take automated action to renew; replace or remove. Having shorter TTL for any security artifact is a general recommendation; but requires additional automation in place. If not longer required delete certificate. Use AWS config using the managed rule: acm-certificate-expiration-check.",
+            "Url": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html"
+        }
+    },
+    "Compliance": {
+        "FedRAMP-Low-Revision-4": [
+            "ac-17",
+            "sc-12"
+        ],
+        "NIST-800-53-Revision-4": [
+            "ac_4",
+            "ac_17_2",
+            "sc_12"
+        ],
+        "NIST-CSF-1.1": [
+            "ac_5",
+            "ds_2"
+        ],
+        "NIST-800-53-Revision-5": [
+            "sc_7_12",
+            "sc_7_16"
+        ],
+        "FedRamp-Moderate-Revision-4": [
+            "ac-4",
+            "ac-17-2",
+            "sc-12"
+        ],
+        "RBI-Cyber-Security-Framework": [
+            "annex_i_1_3"
+        ],
+        "SOC2": [
+            "cc_6_7"
+        ],
+        "FFIEC": [
+            "d3-pc-im-b-1"
+        ],
+        "CISA": [
+            "your-data-2"
+        ],
+        "HIPAA": [
+            "164_308_a_4_ii_a",
+            "164_312_e_1"
+        ],
+        "NIST-800-171-Revision-2": [
+            "3_13_1",
+            "3_13_2",
+            "3_13_8",
+            "3_13_11"
+        ],
+        "GDPR": [
+            "article_32"
+        ]
+    },
+    "Categories": [],
+    "DependsOn": [],
+    "RelatedTo": [],
+    "Notes": "",
+    "Profile": null,
+    "AccountId": "999999999999",
+    "OrganizationsInfo": null,
+    "Region": "us-east-1",
+    "ResourceId": "api.teste.teste.com",
+    "ResourceArn": "arn:aws:acm:us-east-1:999999999999:certificate/ffffffff-0000-0000-0000-000000000000",
+    "ResourceTags": {}
+},
+{
+    "AssessmentStartTime": "2023-04-25T23:49:42.744599",
+    "FindingUniqueId": "prowler-aws-accessanalyzer_enabled-999999999999-us-east-1-999999999999",
+    "Provider": "aws",
+    "CheckID": "accessanalyzer_enabled",
+    "CheckTitle": "Check if IAM Access Analyzer is enabled",
+    "CheckType": [
+        "IAM"
+    ],
+    "ServiceName": "accessanalyzer",
+    "SubServiceName": "",
+    "Status": "FAIL",
+    "StatusExtended": "IAM Access Analyzer in account 999999999999 is not enabled",
+    "Severity": "low",
+    "ResourceType": "Other",
+    "ResourceDetails": "",
+    "Description": "Check if IAM Access Analyzer is enabled",
+    "Risk": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.",
+    "RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
+    "Remediation": {
+        "Code": {
+            "NativeIaC": "",
+            "Terraform": "",
+            "CLI": "aws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION>",
+            "Other": ""
+        },
+        "Recommendation": {
+            "Text": "Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).",
+            "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html"
+        }
+    },
+    "Compliance": {
+        "CIS-1.4": [
+            "1.20"
+        ],
+        "CIS-1.5": [
+            "1.20"
+        ]
+    },
+    "Categories": [],
+    "DependsOn": [],
+    "RelatedTo": [],
+    "Notes": "",
+    "Profile": null,
+    "AccountId": "999999999999",
+    "OrganizationsInfo": null,
+    "Region": "us-east-1",
+    "ResourceId": "999999999999",
+    "ResourceArn": "",
+    "ResourceTags": {}
+},
+{
+    "AssessmentStartTime": "2023-04-25T23:49:42.744599",
+    "FindingUniqueId": "prowler-aws-accessanalyzer_enabled_without_findings-999999999999-us-east-1-999999999999",
+    "Provider": "aws",
+    "CheckID": "accessanalyzer_enabled_without_findings",
+    "CheckTitle": "Check if IAM Access Analyzer is enabled without findings",
+    "CheckType": [
+        "IAM"
+    ],
+    "ServiceName": "accessanalyzer",
+    "SubServiceName": "",
+    "Status": "FAIL",
+    "StatusExtended": "IAM Access Analyzer in account 999999999999 is not enabled",
+    "Severity": "low",
+    "ResourceType": "Other",
+    "ResourceDetails": "",
+    "Description": "Check if IAM Access Analyzer is enabled without findings",
+    "Risk": "AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.",
+    "RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
+    "Remediation": {
+        "Code": {
+            "NativeIaC": "",
+            "Terraform": "",
+            "CLI": "aws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION>",
+            "Other": ""
+        },
+        "Recommendation": {
+            "Text": "Enable IAM Access Analyzer for all accounts, create analyzer and take action over it is recommendations (IAM Access Analyzer is available at no additional cost).",
+            "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html"
+        }
+    },
+    "Compliance": {},
+    "Categories": [],
+    "DependsOn": [],
+    "RelatedTo": [],
+    "Notes": "",
+    "Profile": null,
+    "AccountId": "999999999999",
+    "OrganizationsInfo": null,
+    "Region": "us-east-1",
+    "ResourceId": "999999999999",
+    "ResourceArn": "",
+    "ResourceTags": {}
+},
+{
+    "AssessmentStartTime": "2023-04-25T23:49:42.744599",
+    "FindingUniqueId": "prowler-aws-account_maintain_current_contact_details-999999999999-us-east-1-999999999999",
+    "Provider": "aws",
+    "CheckID": "account_maintain_current_contact_details",
+    "CheckTitle": "Maintain current contact details.",
+    "CheckType": [
+        "IAM"
+    ],
+    "ServiceName": "account",
+    "SubServiceName": "",
+    "Status": "INFO",
+    "StatusExtended": "Manual check: Login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Contact Information.",
+    "Severity": "medium",
+    "ResourceType": "Other",
+    "ResourceDetails": "",
+    "Description": "Maintain current contact details.",
+    "Risk": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details; and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy. If an AWS account is observed to be behaving in a prohibited or suspicious manner; AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation; proactive measures may be taken; including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question.",
+    "RelatedUrl": "",
+    "Remediation": {
+        "Code": {
+            "NativeIaC": "",
+            "Terraform": "",
+            "CLI": "No command available.",
+            "Other": "https://docs.bridgecrew.io/docs/iam_18-maintain-contact-details#aws-console"
+        },
+        "Recommendation": {
+            "Text": "Using the Billing and Cost Management console complete contact details.",
+            "Url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html"
+        }
+    },
+    "Compliance": {
+        "CIS-1.4": [
+            "1.1"
+        ],
+        "ENS-RD2022": [
+            "op.ext.7.aws.am.1"
+        ],
+        "CIS-1.5": [
+            "1.1"
+        ]
+    },
+    "Categories": [],
+    "DependsOn": [],
+    "RelatedTo": [],
+    "Notes": "",
+    "Profile": null,
+    "AccountId": "999999999999",
+    "OrganizationsInfo": null,
+    "Region": "us-east-1",
+    "ResourceId": "999999999999",
+    "ResourceArn": "",
+    "ResourceTags": {}
+}]
diff --git a/unittests/scans/aws_prowler_v3/no_vuln.json b/unittests/scans/aws_prowler_v3/no_vuln.json
@@ -0,0 +1 @@
+[]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		__author__ = 'Anderson dos Anjos Slompo - https://github.com/anderson-slompo'
anderson-slompo marked this conversation as resolved. Show resolved Hide resolved