ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(ecr_repositories_scan_vulnerabilities_in_latest_image): Minimum severity is configurable (#2736)

Browse Source
This commit is contained in:
Pepe Fagoaga
2023-08-18 09:17:02 +02:00
committed by GitHub
parent ac11c6729b
commit 7c45cb45ae
3 changed files with 279 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

259
tests/providers/aws/services/ecr/ecr_repositories_scan_vulnerabilities_in_latest_image/ecr_repositories_scan_vulnerabilities_in_latest_image_test.py
View File

@@ -1,5 +1,4 @@
from datetime import datetime
from re import search
from unittest import mock
from prowler.providers.aws.services.ecr.ecr_service import (
@@ -16,6 +15,7 @@ repository_name = "test_repo"
repository_arn = (
f"arn:aws:ecr:eu-west-1:{AWS_ACCOUNT_NUMBER}:repository/{repository_name}"
)
latest_tag = "test-tag"
repo_policy_public = {
"Version": "2012-10-17",
"Statement": [
@@ -118,7 +118,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
policy=repo_policy_public,
images_details=[
ImageDetails(
latest_tag="test-tag",
latest_tag=latest_tag,
latest_digest="test-digest",
image_pushed_at=datetime(2023, 1, 1),
scan_findings_status="COMPLETE",
@@ -145,11 +145,14 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert search("scanned without findings", result[0].status_extended)
assert (
result[0].status_extended
== f"ECR repository {repository_name} has imageTag {latest_tag} scanned without findings."
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
def test_image_scanned_with_findings(self):
def test_image_scanned_with_findings_default_severity_MEDIUM(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
@@ -165,7 +168,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
policy=repo_policy_public,
images_details=[
ImageDetails(
latest_tag="test-tag",
latest_tag=latest_tag,
latest_digest="test-digest",
image_pushed_at=datetime(2023, 1, 1),
scan_findings_status="COMPLETE",
@@ -180,6 +183,11 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
rules=[],
)
# Set audit_config
ecr_client.audit_config = {
"ecr_repository_vulnerability_minimum_severity": "MEDIUM"
}
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
@@ -192,7 +200,232 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search("scanned with findings:", result[0].status_extended)
assert (
result[0].status_extended
== f"ECR repository {repository_name} has imageTag {latest_tag} scanned with findings: CRITICAL->{12}, HIGH->{34}, MEDIUM->{7}."
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
def test_image_scanned_with_findings_default_severity_HIGH(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[
ImageDetails(
latest_tag=latest_tag,
latest_digest="test-digest",
image_pushed_at=datetime(2023, 1, 1),
scan_findings_status="COMPLETE",
scan_findings_severity_count=FindingSeverityCounts(
critical=12, high=34, medium=7
),
)
],
lifecycle_policy=None,
)
],
rules=[],
)
# Set audit_config
ecr_client.audit_config = {
"ecr_repository_vulnerability_minimum_severity": "HIGH"
}
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_repositories_scan_vulnerabilities_in_latest_image.ecr_repositories_scan_vulnerabilities_in_latest_image import (
ecr_repositories_scan_vulnerabilities_in_latest_image,
)
check = ecr_repositories_scan_vulnerabilities_in_latest_image()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"ECR repository {repository_name} has imageTag {latest_tag} scanned with findings: CRITICAL->{12}, HIGH->{34}."
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
def test_image_scanned_with_findings_default_severity_CRITICAL(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[
ImageDetails(
latest_tag=latest_tag,
latest_digest="test-digest",
image_pushed_at=datetime(2023, 1, 1),
scan_findings_status="COMPLETE",
scan_findings_severity_count=FindingSeverityCounts(
critical=12, high=34, medium=7
),
)
],
lifecycle_policy=None,
)
],
rules=[],
)
# Set audit_config
ecr_client.audit_config = {
"ecr_repository_vulnerability_minimum_severity": "CRITICAL"
}
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_repositories_scan_vulnerabilities_in_latest_image.ecr_repositories_scan_vulnerabilities_in_latest_image import (
ecr_repositories_scan_vulnerabilities_in_latest_image,
)
check = ecr_repositories_scan_vulnerabilities_in_latest_image()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"ECR repository {repository_name} has imageTag {latest_tag} scanned with findings: CRITICAL->{12}."
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
def test_image_scanned_without_CRITICAL_findings_default_severity_CRITICAL(self):
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[
ImageDetails(
latest_tag=latest_tag,
latest_digest="test-digest",
image_pushed_at=datetime(2023, 1, 1),
scan_findings_status="COMPLETE",
scan_findings_severity_count=FindingSeverityCounts(
critical=0, high=34, medium=7
),
)
],
lifecycle_policy=None,
)
],
rules=[],
)
# Set audit_config
ecr_client.audit_config = {
"ecr_repository_vulnerability_minimum_severity": "CRITICAL"
}
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_repositories_scan_vulnerabilities_in_latest_image.ecr_repositories_scan_vulnerabilities_in_latest_image import (
ecr_repositories_scan_vulnerabilities_in_latest_image,
)
check = ecr_repositories_scan_vulnerabilities_in_latest_image()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"ECR repository {repository_name} has imageTag {latest_tag} scanned without findings."
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
def test_image_scanned_without_CRITICAL_and_HIGH_findings_default_severity_HIGH(
self,
):
ecr_client = mock.MagicMock
ecr_client.registries = {}
ecr_client.registries[AWS_REGION] = Registry(
id=AWS_ACCOUNT_NUMBER,
region=AWS_REGION,
scan_type="BASIC",
repositories=[
Repository(
name=repository_name,
arn=repository_arn,
region=AWS_REGION,
scan_on_push=True,
policy=repo_policy_public,
images_details=[
ImageDetails(
latest_tag=latest_tag,
latest_digest="test-digest",
image_pushed_at=datetime(2023, 1, 1),
scan_findings_status="COMPLETE",
scan_findings_severity_count=FindingSeverityCounts(
critical=0, high=0, medium=7
),
)
],
lifecycle_policy=None,
)
],
rules=[],
)
# Set audit_config
ecr_client.audit_config = {
"ecr_repository_vulnerability_minimum_severity": "HIGH"
}
with mock.patch(
"prowler.providers.aws.services.ecr.ecr_service.ECR",
ecr_client,
):
from prowler.providers.aws.services.ecr.ecr_repositories_scan_vulnerabilities_in_latest_image.ecr_repositories_scan_vulnerabilities_in_latest_image import (
ecr_repositories_scan_vulnerabilities_in_latest_image,
)
check = ecr_repositories_scan_vulnerabilities_in_latest_image()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"ECR repository {repository_name} has imageTag {latest_tag} scanned without findings."
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
@@ -212,7 +445,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
policy=repo_policy_public,
images_details=[
ImageDetails(
latest_tag="test-tag",
latest_tag=latest_tag,
latest_digest="test-digest",
image_pushed_at=datetime(2023, 1, 1),
scan_findings_status="FAILED",
@@ -239,7 +472,10 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search("with scan status FAILED", result[0].status_extended)
assert (
result[0].status_extended
== f"ECR repository {repository_name} with scan status FAILED."
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn
@@ -259,7 +495,7 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
policy=repo_policy_public,
images_details=[
ImageDetails(
latest_tag="test-tag",
latest_tag=latest_tag,
latest_digest="test-digest",
image_pushed_at=datetime(2023, 1, 1),
scan_findings_status="",
@@ -286,6 +522,9 @@ class Test_ecr_repositories_scan_vulnerabilities_in_latest_image:
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
assert search("without a scan", result[0].status_extended)
assert (
result[0].status_extended
== f"ECR repository {repository_name} has imageTag {latest_tag} without a scan."
)
assert result[0].resource_id == repository_name
assert result[0].resource_arn == repository_arn