feat(securityhub): Send only FAILs but storing all in the output files (#3195)

2026-02-10 14:55:00 +00:00 · 2023-12-15 13:31:55 +01:00
parent 9a868464ee
commit fdeb523581
6 changed files with 116 additions and 86 deletions
--- a/tests/providers/aws/lib/security_hub/security_hub_test.py
+++ b/tests/providers/aws/lib/security_hub/security_hub_test.py
@@ -21,6 +21,49 @@ from tests.providers.aws.audit_info_utils import (
    set_mocked_aws_audit_info,
 )

+
+def get_security_hub_finding(status: str):
+    return {
+        "SchemaVersion": "2018-10-08",
+        "Id": f"prowler-iam_user_accesskey_unused-{AWS_ACCOUNT_NUMBER}-{AWS_REGION_EU_WEST_1}-ee26b0dd4",
+        "ProductArn": f"arn:aws:securityhub:{AWS_REGION_EU_WEST_1}::product/prowler/prowler",
+        "RecordState": "ACTIVE",
+        "ProductFields": {
+            "ProviderName": "Prowler",
+            "ProviderVersion": prowler_version,
+            "ProwlerResourceName": "test",
+        },
+        "GeneratorId": "prowler-iam_user_accesskey_unused",
+        "AwsAccountId": f"{AWS_ACCOUNT_NUMBER}",
+        "Types": ["Software and Configuration Checks"],
+        "FirstObservedAt": timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
+        "UpdatedAt": timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
+        "CreatedAt": timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
+        "Severity": {"Label": "LOW"},
+        "Title": "Ensure Access Keys unused are disabled",
+        "Description": "test",
+        "Resources": [
+            {
+                "Type": "AwsIamAccessAnalyzer",
+                "Id": "test",
+                "Partition": "aws",
+                "Region": f"{AWS_REGION_EU_WEST_1}",
+            }
+        ],
+        "Compliance": {
+            "Status": status,
+            "RelatedRequirements": [],
+            "AssociatedStandards": [],
+        },
+        "Remediation": {
+            "Recommendation": {
+                "Text": "Run sudo yum update and cross your fingers and toes.",
+                "Url": "https://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html",
+            }
+        },
+    }
+
+
 # Mocking Security Hub Get Findings
 make_api_call = botocore.client.BaseClient._make_api_call

@@ -64,10 +107,13 @@ class Test_SecurityHub:

        return finding

-    def set_mocked_output_options(self, is_quiet):
+    def set_mocked_output_options(
+        self, is_quiet: bool = False, send_sh_only_fails: bool = False
+    ):
        output_options = MagicMock
        output_options.bulk_checks_metadata = {}
        output_options.is_quiet = is_quiet
+        output_options.send_sh_only_fails = send_sh_only_fails

        return output_options

@@ -98,47 +144,7 @@ class Test_SecurityHub:
            output_options,
            enabled_regions,
        ) == {
-            AWS_REGION_EU_WEST_1: [
-                {
-                    "SchemaVersion": "2018-10-08",
-                    "Id": f"prowler-iam_user_accesskey_unused-{AWS_ACCOUNT_NUMBER}-{AWS_REGION_EU_WEST_1}-ee26b0dd4",
-                    "ProductArn": f"arn:aws:securityhub:{AWS_REGION_EU_WEST_1}::product/prowler/prowler",
-                    "RecordState": "ACTIVE",
-                    "ProductFields": {
-                        "ProviderName": "Prowler",
-                        "ProviderVersion": prowler_version,
-                        "ProwlerResourceName": "test",
-                    },
-                    "GeneratorId": "prowler-iam_user_accesskey_unused",
-                    "AwsAccountId": f"{AWS_ACCOUNT_NUMBER}",
-                    "Types": ["Software and Configuration Checks"],
-                    "FirstObservedAt": timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
-                    "UpdatedAt": timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
-                    "CreatedAt": timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
-                    "Severity": {"Label": "LOW"},
-                    "Title": "Ensure Access Keys unused are disabled",
-                    "Description": "test",
-                    "Resources": [
-                        {
-                            "Type": "AwsIamAccessAnalyzer",
-                            "Id": "test",
-                            "Partition": "aws",
-                            "Region": f"{AWS_REGION_EU_WEST_1}",
-                        }
-                    ],
-                    "Compliance": {
-                        "Status": "PASSED",
-                        "RelatedRequirements": [],
-                        "AssociatedStandards": [],
-                    },
-                    "Remediation": {
-                        "Recommendation": {
-                            "Text": "Run sudo yum update and cross your fingers and toes.",
-                            "Url": "https://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html",
-                        }
-                    },
-                }
-            ],
+            AWS_REGION_EU_WEST_1: [get_security_hub_finding("PASSED")],
        }

    def test_prepare_security_hub_findings_quiet_INFO_finding(self):
@@ -171,7 +177,7 @@ class Test_SecurityHub:
            enabled_regions,
        ) == {AWS_REGION_EU_WEST_1: []}

-    def test_prepare_security_hub_findings_quiet(self):
+    def test_prepare_security_hub_findings_quiet_PASS(self):
        enabled_regions = [AWS_REGION_EU_WEST_1]
        output_options = self.set_mocked_output_options(is_quiet=True)
        findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_1)]
@@ -186,6 +192,51 @@ class Test_SecurityHub:
            enabled_regions,
        ) == {AWS_REGION_EU_WEST_1: []}

+    def test_prepare_security_hub_findings_quiet_FAIL(self):
+        enabled_regions = [AWS_REGION_EU_WEST_1]
+        output_options = self.set_mocked_output_options(is_quiet=True)
+        findings = [self.generate_finding("FAIL", AWS_REGION_EU_WEST_1)]
+        audit_info = set_mocked_aws_audit_info(
+            audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
+        )
+
+        assert prepare_security_hub_findings(
+            findings,
+            audit_info,
+            output_options,
+            enabled_regions,
+        ) == {AWS_REGION_EU_WEST_1: [get_security_hub_finding("FAILED")]}
+
+    def test_prepare_security_hub_findings_send_sh_only_fails_PASS(self):
+        enabled_regions = [AWS_REGION_EU_WEST_1]
+        output_options = self.set_mocked_output_options(send_sh_only_fails=True)
+        findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_1)]
+        audit_info = set_mocked_aws_audit_info(
+            audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
+        )
+
+        assert prepare_security_hub_findings(
+            findings,
+            audit_info,
+            output_options,
+            enabled_regions,
+        ) == {AWS_REGION_EU_WEST_1: []}
+
+    def test_prepare_security_hub_findings_send_sh_only_fails_FAIL(self):
+        enabled_regions = [AWS_REGION_EU_WEST_1]
+        output_options = self.set_mocked_output_options(send_sh_only_fails=True)
+        findings = [self.generate_finding("FAIL", AWS_REGION_EU_WEST_1)]
+        audit_info = set_mocked_aws_audit_info(
+            audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
+        )
+
+        assert prepare_security_hub_findings(
+            findings,
+            audit_info,
+            output_options,
+            enabled_regions,
+        ) == {AWS_REGION_EU_WEST_1: [get_security_hub_finding("FAILED")]}
+
    def test_prepare_security_hub_findings_no_audited_regions(self):
        enabled_regions = [AWS_REGION_EU_WEST_1]
        output_options = self.set_mocked_output_options(is_quiet=False)
@@ -198,47 +249,7 @@ class Test_SecurityHub:
            output_options,
            enabled_regions,
        ) == {
-            AWS_REGION_EU_WEST_1: [
-                {
-                    "SchemaVersion": "2018-10-08",
-                    "Id": f"prowler-iam_user_accesskey_unused-{AWS_ACCOUNT_NUMBER}-{AWS_REGION_EU_WEST_1}-ee26b0dd4",
-                    "ProductArn": f"arn:aws:securityhub:{AWS_REGION_EU_WEST_1}::product/prowler/prowler",
-                    "RecordState": "ACTIVE",
-                    "ProductFields": {
-                        "ProviderName": "Prowler",
-                        "ProviderVersion": prowler_version,
-                        "ProwlerResourceName": "test",
-                    },
-                    "GeneratorId": "prowler-iam_user_accesskey_unused",
-                    "AwsAccountId": f"{AWS_ACCOUNT_NUMBER}",
-                    "Types": ["Software and Configuration Checks"],
-                    "FirstObservedAt": timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
-                    "UpdatedAt": timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
-                    "CreatedAt": timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
-                    "Severity": {"Label": "LOW"},
-                    "Title": "Ensure Access Keys unused are disabled",
-                    "Description": "test",
-                    "Resources": [
-                        {
-                            "Type": "AwsIamAccessAnalyzer",
-                            "Id": "test",
-                            "Partition": "aws",
-                            "Region": f"{AWS_REGION_EU_WEST_1}",
-                        }
-                    ],
-                    "Compliance": {
-                        "Status": "PASSED",
-                        "RelatedRequirements": [],
-                        "AssociatedStandards": [],
-                    },
-                    "Remediation": {
-                        "Recommendation": {
-                            "Text": "Run sudo yum update and cross your fingers and toes.",
-                            "Url": "https://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html",
-                        }
-                    },
-                }
-            ],
+            AWS_REGION_EU_WEST_1: [get_security_hub_finding("PASSED")],
        }

    @patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)