bugfix(securityhub): race condition fix

2026-02-10 14:55:00 +00:00 · 2020-09-18 14:52:32 +02:00
parent 0f3e6ee90b
commit c1b09b6b9d
3 changed files with 24 additions and 9 deletions
--- a/include/os_detector
+++ b/include/os_detector
@@ -104,6 +104,10 @@ gnu_get_iso8601_timestamp() {
  "$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ"
 }

+gsu_get_iso8601_one_minute_ago() {
+  "$DATE_CMD" -d "1 minute ago" -u +"%Y-%m-%dT%H:%M:%SZ"
+}
+
 gsu_get_iso8601_hundred_days_ago() {
  "$DATE_CMD" -d "100 days ago" -u +"%Y-%m-%dT%H:%M:%SZ"
 }
@@ -116,6 +120,10 @@ bsd_get_iso8601_hundred_days_ago() {
  "$DATE_CMD" -v-100d -u +"%Y-%m-%dT%H:%M:%SZ"
 }

+bsd_get_iso8601_one_minute_ago() {
+  "$DATE_CMD" -v-1m -u +"%Y-%m-%dT%H:%M:%SZ"
+}
+
 gnu_test_tcp_connectivity() {
  HOST=$1
  PORT=$2
@@ -159,6 +167,9 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
  get_iso8601_timestamp() {
    gnu_get_iso8601_timestamp
  }
+  get_iso8601_one_minute_ago() {
+    gsu_get_iso8601_one_minute_ago
+  }
  get_iso8601_hundred_days_ago() {
    gsu_get_iso8601_hundred_days_ago
  }
@@ -219,6 +230,9 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
    get_iso8601_timestamp() {
      bsd_get_iso8601_timestamp
    }
+    get_iso8601_one_minute_ago() {
+      bsd_get_iso8601_one_minute_ago
+    }
    get_iso8601_hundred_days_ago() {
      bsd_get_iso8601_hundred_days_ago
    }
--- a/include/outputs
+++ b/include/outputs
@@ -112,15 +112,13 @@ textFail(){
  level="FAIL"
  colorcode="$BAD"
  while read -r i; do
-    ignore_check_name="${i%%:*}" # Check name is everything up to the first :
-    ignore_value="${i#*${CHECK_NAME}:}" # Ignore value is everything after the first :
-    # Check to see if ignore value appears anywhere within log message.
-    resource_value=".*${ignore_value}.*"
+    ignore_check_name="${i%:*}"
+    ignore_value="${i#*${CHECK_NAME}:}"
    if [[ ${ignore_check_name} != "${CHECK_NAME}" ]]; then
      # not for this check
      continue
    fi
-    if [[ $1 =~ ${resource_value} ]]; then
+    if [[ $1 =~ .*"${ignore_value}".* ]]; then
      level="WARNING"
      colorcode="$WARNING"
      break
@@ -276,6 +274,7 @@ generateJsonAsffOutput(){
      "SchemaVersion": "2018-10-08",
      "Id": "prowler-\($TITLE_ID)-\($ACCOUNT_NUM)-\($REPREGION)-\($UNIQUE_ID)",
      "ProductArn": "arn:\($AWS_PARTITION):securityhub:\($REPREGION):\($ACCOUNT_NUM):product/\($ACCOUNT_NUM)/default",
+      "RecordState": "ACTIVE",
      "ProductFields": {
          "ProviderName": "Prowler",
          "ProviderVersion": $PROWLER_VERSION
@@ -283,7 +282,7 @@ generateJsonAsffOutput(){
      "GeneratorId": "prowler-\($CHECK_ID)",
      "AwsAccountId": $ACCOUNT_NUM,
      "Types": [
-          $TYPE
+          "\($TYPE)-Policy:\($TITLE_TEXT)"
      ],
      "FirstObservedAt": $TIMESTAMP,
      "UpdatedAt": $TIMESTAMP,
--- a/include/securityhub_integration
+++ b/include/securityhub_integration
@@ -35,13 +35,15 @@ resolveSecurityHubPreviousFails(){
  for regx in $REGIONS; do

    local check="$1"
-    
+    OLD_TIMESTAMP=$(get_iso8601_one_minute_ago)
    NEW_TIMESTAMP=$(get_iso8601_timestamp)

    PREVIOUS_DATE=$(get_iso8601_hundred_days_ago)
-    FILTER="{\"UpdatedAt\":[{\"Start\":\"$PREVIOUS_DATE\",\"End\":\"$TIMESTAMP\"}],\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"PREFIX\"}],\"ComplianceStatus\":[{\"Value\": \"FAILED\",\"Comparison\":\"EQUALS\"}]}"
-    SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -c --arg updated_at $NEW_TIMESTAMP  '[ .Findings[] | .RecordState="ARCHIVED" | .UpdatedAt = $updated_at ]')
+
+    FILTER="{\"UpdatedAt\":[{\"Start\":\"$PREVIOUS_DATE\",\"End\":\"$OLD_TIMESTAMP\"}],\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"PREFIX\"}],\"ComplianceStatus\":[{\"Value\": \"FAILED\",\"Comparison\":\"EQUALS\"}]}"
+    SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -c --arg updated_at $NEW_TIMESTAMP  '[ .Findings[] | .RecordState = "ARCHIVED" | .UpdatedAt = $updated_at ]')
    if [[ $SECURITY_HUB_PREVIOUS_FINDINGS != "[]" ]]; then
+      echo "$SECURITY_HUB_PREVIOUS_FINDINGS"
      BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT batch-import-findings --findings "${SECURITY_HUB_PREVIOUS_FINDINGS}")

    # Check for success if imported