From 25c9bc07b219cc02004cc0b84adcfdcf18d5ad2b Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Fri, 10 Feb 2023 12:38:13 +0100
Subject: [PATCH] chore(compliance): add manual checks to compliance CSV (#1872)
Co-authored-by: Pepe Fagoaga
---
prowler/lib/check/compliance.py | 60 +++++++++++++++++++++++++++++++
prowler/lib/outputs/compliance.py | 15 ++++++++
prowler/lib/outputs/outputs.py | 8 ++++-
3 files changed, 82 insertions(+), 1 deletion(-)
diff --git a/prowler/lib/check/compliance.py b/prowler/lib/check/compliance.py
index 0ec60977..d5cb7288 100644
--- a/prowler/lib/check/compliance.py
+++ b/prowler/lib/check/compliance.py
@@ -4,6 +4,7 @@ from prowler.lib.check.compliance_models import (
Compliance_Base_Model,
Compliance_Requirement,
)
+from prowler.lib.check.models import Check_Report_AWS
from prowler.lib.logger import logger
@@ -17,6 +18,7 @@ def update_checks_metadata_with_compliance(
for framework in bulk_compliance_frameworks.values():
for requirement in framework.Requirements:
compliance_requirements = []
+ # Verify if check is in the requirement
if check in requirement.Checks:
# Create the Compliance_Requirement
requirement = Compliance_Requirement(
@@ -41,6 +43,64 @@ def update_checks_metadata_with_compliance(
check_compliance.append(compliance)
# Save it into the check's metadata
bulk_checks_metadata[check].Compliance = check_compliance
+
+ # Add requirements of Manual Controls
+ for framework in bulk_compliance_frameworks.values():
+ for requirement in framework.Requirements:
+ compliance_requirements = []
+ # Verify if requirement is Manual
+ if not requirement.Checks:
+ compliance_requirements.append(requirement)
+ # Create the Compliance_Model
+ compliance = Compliance_Base_Model(
+ Framework=framework.Framework,
+ Provider=framework.Provider,
+ Version=framework.Version,
+ Description=framework.Description,
+ Requirements=compliance_requirements,
+ )
+ # Include the compliance framework for the check
+ check_compliance.append(compliance)
+ # Create metadata for Manual Control
+ manual_check_metadata = """{
+ "Provider" : "aws",
+ "CheckID" : "manual_check",
+ "CheckTitle" : "Manual Check",
+ "CheckType" : [],
+ "ServiceName" : "",
+ "SubServiceName" : "",
+ "ResourceIdTemplate" : "",
+ "Severity" : "",
+ "ResourceType" : "",
+ "Description" : "",
+ "Risk" : "",
+ "RelatedUrl" : "",
+ "Remediation": {
+ "Code": {
+ "CLI": "",
+ "NativeIaC": "",
+ "Other": "",
+ "Terraform": ""
+ },
+ "Recommendation": {
+ "Text": "",
+ "Url": ""
+ }
+ },
+ "Categories" : [],
+ "Tags" : {},
+ "DependsOn" : [],
+ "RelatedTo" : [],
+ "Notes" : ""
+ }"""
+ manual_check = Check_Report_AWS(manual_check_metadata)
+ manual_check.status = "INFO"
+ manual_check.status_extended = "Manual check"
+ manual_check.resource_id = "manual_check"
+ manual_check.Compliance = check_compliance
+ # Save it into the check's metadata
+ bulk_checks_metadata["manual_check"] = manual_check
+
return bulk_checks_metadata
except Exception as e:
logger.critical(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}] -- {e}")
diff --git a/prowler/lib/outputs/compliance.py b/prowler/lib/outputs/compliance.py
index e5130e9c..ddc39397 100644
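Review bot: The manual-controls loop appends into `check_compliance`, the same list that the context line `bulk_checks_metadata[check].Compliance = check_compliance` just stored on the last check iterated, so that check's metadata silently gains the manual requirements and, when `bulk_checks_metadata` is empty, the name is unbound and the whole update drops into the `except` with a NameError. Give the manual entry its own accumulator: `manual_compliance = []` before the new `for framework` loop, `manual_compliance.append(compliance)` in place of `check_compliance.append(compliance)`, and `manual_check.Compliance = manual_compliance`. With that in place it is also cheap to skip the sentinel entirely when no framework has a manual requirement (`if manual_compliance:` around the `Check_Report_AWS` construction), which keeps an empty manual row out of the compliance output. Where `check_compliance` is first initialised lies outside this hunk, so its per-check reset is inferred from the context lines; the enclosing `try` of `update_checks_metadata_with_compliance` also starts before the hunk.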
--- a/prowler/lib/outputs/compliance.py
+++ b/prowler/lib/outputs/compliance.py
@@ -14,6 +14,21 @@ from prowler.lib.outputs.models import (
)
+def add_manual_controls(output_options, audit_info, file_descriptors):
+ try:
+ # Check if MANUAL control was already added to output
+ if "manual_check" in output_options.bulk_checks_metadata:
+ manual_finding = output_options.bulk_checks_metadata["manual_check"]
+ fill_compliance(
+ output_options, manual_finding, audit_info, file_descriptors
+ )
+ del output_options.bulk_checks_metadata["manual_check"]
+ except Exception as error:
+ logger.error(
+ f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+ )
+
+
def fill_compliance(output_options, finding, audit_info, file_descriptors):
try:
# We have to retrieve all the check's compliance requirements
diff --git a/prowler/lib/outputs/outputs.py b/prowler/lib/outputs/outputs.py
index 8e7a6e46..d06d5719 100644
--- a/prowler/lib/outputs/outputs.py
+++ b/prowler/lib/outputs/outputs.py
@@ -12,7 +12,7 @@ from prowler.config.config import (
orange_color,
)
from prowler.lib.logger import logger
-from prowler.lib.outputs.compliance import fill_compliance
+from prowler.lib.outputs.compliance import add_manual_controls, fill_compliance
from prowler.lib.outputs.file_descriptors import fill_file_descriptors
from prowler.lib.outputs.html import fill_html
from prowler.lib.outputs.json import fill_json_asff
@@ -94,6 +94,12 @@ def report(check_findings, output_options, audit_info):
file_descriptors,
)
+ add_manual_controls(
+ output_options,
+ audit_info,
+ file_descriptors,
+ )
+
if "html" in file_descriptors:
fill_html(file_descriptors["html"], finding)
file_descriptors["html"].write("")
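Review bot: `add_manual_controls` has no docstring, and its most surprising behaviour — removing the `"manual_check"` entry from `output_options.bulk_checks_metadata` after the first emission so that later calls are no-ops — is only hinted at by the comment on the `if`. A docstring such as `"""Write the manual-control compliance rows once, then drop the 'manual_check' sentinel from bulk_checks_metadata so later calls do nothing."""` would tell the reader that the deletion is the "already added" flag rather than cleanup. The literal `"manual_check"` is now repeated in this file and in prowler/lib/check/compliance.py; a shared module-level constant (for example `MANUAL_CHECK_ID = "manual_check"`) would keep the producer and the consumer in step if the id ever changes. Since the function mutates a dict the caller also reads, the docstring should state that the mutation is intentional.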
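Review bot: `add_manual_controls` is invoked on every pass of the loop that handles `finding` (the following `fill_html(file_descriptors["html"], finding)` context line suggests the call sits inside the per-finding loop), yet only the first invocation does anything because the callee deletes the `"manual_check"` key; every later call is a dict lookup and a no-op, and if `report` is ever entered with an empty `check_findings` the manual rows are never written at all. Moving the call out of the loop so it runs once per `report` call would make the single-emission intent explicit and remove the dependency on at least one finding existing. The body of `report` begins before this hunk, so the exact position of the loop header is not visible here and the placement above is inferred.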