fix(securityhub): archive SecurityHub findings in empty regions (#2908)

2026-02-10 06:45:08 +00:00 · 2023-10-05 15:49:43 +02:00
parent 49a437dc0d
commit 3955450245
2 changed files with 29 additions and 37 deletions
--- a/prowler/providers/aws/lib/security_hub/security_hub.py
+++ b/prowler/providers/aws/lib/security_hub/security_hub.py
@@ -11,9 +11,12 @@ SECURITY_HUB_MAX_BATCH = 100


 def prepare_security_hub_findings(
-    findings: [], audit_info, output_options, enabled_regions: []
+    findings: [], audit_info: AWS_Audit_Info, output_options, enabled_regions: []
 ) -> dict:
    security_hub_findings_per_region = {}
+    # Create a key per region
+    for region in audit_info.audited_regions:
+        security_hub_findings_per_region[region] = []
    for finding in findings:
        # We don't send the INFO findings to AWS Security Hub
        if finding.status == "INFO":
@@ -30,10 +33,6 @@ def prepare_security_hub_findings(
        # Get the finding region
        region = finding.region

-        # Check if the security_hub_findings_per_region has the region, if not we have to create it
-        if region not in security_hub_findings_per_region:
-            security_hub_findings_per_region[region] = []
-
        # Format the finding in the JSON ASFF format
        finding_json_asff = fill_json_asff(
            Check_Output_JSON_ASFF(), audit_info, finding, output_options
@@ -117,9 +116,10 @@ def resolve_security_hub_previous_findings(
    resolve_security_hub_previous_findings archives all the findings that does not appear in the current execution
    """
    logger.info("Checking previous findings in Security Hub to archive them.")
-
-    for region, current_findings in security_hub_findings_per_region.items():
+    success_count = 0
+    for region in security_hub_findings_per_region.keys():
        try:
+            current_findings = security_hub_findings_per_region[region]
            # Get current findings IDs
            current_findings_ids = []
            for finding in current_findings:
@@ -151,14 +151,14 @@ def resolve_security_hub_previous_findings(
            logger.info(f"Archiving {len(findings_to_archive)} findings.")

            # Send archive findings to SHub
-            success_count = __send_findings_to_security_hub__(
+            success_count += __send_findings_to_security_hub__(
                findings_to_archive, region, security_hub_client
            )
-            return success_count
        except Exception as error:
            logger.error(
                f"{error.__class__.__name__} -- [{error.__traceback__.tb_lineno}]:{error} in region {region}"
            )
+    return success_count


 def __send_findings_to_security_hub__(
--- a/tests/providers/aws/lib/security_hub/security_hub_test.py
+++ b/tests/providers/aws/lib/security_hub/security_hub_test.py
@@ -159,7 +159,8 @@ class Test_SecurityHub:
                        }
                    },
                }
-            ]
+            ],
+            AWS_REGION_2: [],
        }

    def test_prepare_security_hub_findings_quiet_INFO_finding(self):
@@ -168,15 +169,12 @@ class Test_SecurityHub:
        findings = [self.generate_finding("INFO", AWS_REGION_1)]
        audit_info = self.set_mocked_audit_info()

-        assert (
-            prepare_security_hub_findings(
-                findings,
-                audit_info,
-                output_options,
-                enabled_regions,
-            )
-            == {}
-        )
+        assert prepare_security_hub_findings(
+            findings,
+            audit_info,
+            output_options,
+            enabled_regions,
+        ) == {AWS_REGION_1: [], AWS_REGION_2: []}

    def test_prepare_security_hub_findings_disabled_region(self):
        enabled_regions = [AWS_REGION_1]
@@ -184,15 +182,12 @@ class Test_SecurityHub:
        findings = [self.generate_finding("PASS", AWS_REGION_2)]
        audit_info = self.set_mocked_audit_info()

-        assert (
-            prepare_security_hub_findings(
-                findings,
-                audit_info,
-                output_options,
-                enabled_regions,
-            )
-            == {}
-        )
+        assert prepare_security_hub_findings(
+            findings,
+            audit_info,
+            output_options,
+            enabled_regions,
+        ) == {AWS_REGION_1: [], AWS_REGION_2: []}

    def test_prepare_security_hub_findings_quiet(self):
        enabled_regions = [AWS_REGION_1]
@@ -200,15 +195,12 @@ class Test_SecurityHub:
        findings = [self.generate_finding("PASS", AWS_REGION_1)]
        audit_info = self.set_mocked_audit_info()

-        assert (
-            prepare_security_hub_findings(
-                findings,
-                audit_info,
-                output_options,
-                enabled_regions,
-            )
-            == {}
-        )
+        assert prepare_security_hub_findings(
+            findings,
+            audit_info,
+            output_options,
+            enabled_regions,
+        ) == {AWS_REGION_1: [], AWS_REGION_2: []}

    @patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
    def test_batch_send_to_security_hub_one_finding(self):