#!/usr/bin/env bash

# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.

# Remediation:
#
#   https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
#
#   aws ecr put-image-scanning-configuration \
#     --region <value> \
#     --repository-name <value> \
#     --image-scanning-configuration scanOnPush=true
#
#   aws ecr describe-image-scan-findings \
#     --region <value> \
#     --repository-name <value>
#     --image-id imageTag=<value>

CHECK_ID_extra776="7.76"
CHECK_TITLE_extra776="[extra776] Check if ECR image scan found vulnerabilities in the newest image version"
CHECK_SCORED_extra776="NOT_SCORED"
CHECK_CIS_LEVEL_extra776="EXTRA"
CHECK_SEVERITY_extra776="Medium"
CHECK_ALTERNATE_check776="extra776"
CHECK_SERVICENAME_extra776="ecr"
CHECK_ASFF_RESOURCE_TYPE_extra776="AwsEcrRepository"
CHECK_RISK_extra776='Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. '
CHECK_REMEDIATION_extra776='Open the Amazon ECR console. Then look for vulnerabilities and fix them.'
CHECK_DOC_extra776='https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#describe-scan-findings'
CHECK_CAF_EPIC_extra776='Logging and Monitoring'

extra776(){
  for region in ${REGIONS}; do
    # List ECR repositories
    LIST_ECR_REPOS=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region "${region}" --query "repositories[*].[repositoryName]" --output text 2>&1)
    # Handle authorization errors
    if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "$LIST_ECR_REPOS"; then
      textInfo "$region: Access Denied trying to describe ECR repositories" "$region"
      continue
    fi
    if [[ -n "$LIST_ECR_REPOS" ]]; then
      for repo in $LIST_ECR_REPOS; do
        # Check if the repository has scanOnPush enabled
        SCAN_ENABLED=$($AWSCLI ecr describe-repositories $PROFILE_OPT --region "${region}" --query "repositories[?repositoryName=='${repo}'].[imageScanningConfiguration.scanOnPush]" --output text 2>&1)
        if [[ "${SCAN_ENABLED}" == "True" ]]; then
          # Recover newest image digest
          NEWEST_IMAGE_DIGEST=$($AWSCLI ecr describe-images $PROFILE_OPT --region "${region}" --repository-name "${repo}" --query "sort_by(imageDetails,& imagePushedAt)[-1].imageDigest" --output text | head -n 1 2>&1)
          if [[ "${NEWEST_IMAGE_DIGEST}" != *"None"* ]]; then
            # Recover newest image tag
            NEWEST_IMAGE_TAG=$($AWSCLI ecr describe-images $PROFILE_OPT --region "${region}" --repository-name "${repo}" --query "sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]" --output text | head -n 1 2>&1)
            if [[ -n "${LIST_ECR_REPOS}" ]]; then
              # For this newest digest, recover the last scan status
              IMAGE_SCAN_STATUS=$($AWSCLI ecr describe-image-scan-findings $PROFILE_OPT --region "${region}" --repository-name "${repo}" --image-id imageDigest="${NEWEST_IMAGE_DIGEST}" --query "imageScanStatus.status" --output text 2>&1)
              if [[ "${IMAGE_SCAN_STATUS}" == *"ScanNotFoundException"* ]]; then
                textFail "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} without a scan" "${region}" "${repo}"
              else
                if [[ "${IMAGE_SCAN_STATUS}" == *"FAILED"* ]]; then
                  textFail "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with scan status ${IMAGE_SCAN_STATUS}" "${region}" "${repo}"
                else
                  # For this newest digest, recover the number of findings found
                  # This search needs a JSON response to match against severity
                  FINDINGS_COUNT=$($AWSCLI ecr describe-image-scan-findings $PROFILE_OPT --region "${region}" --repository-name "${repo}" --image-id imageDigest="${NEWEST_IMAGE_DIGEST}" --query "imageScanFindings.findingSeverityCounts" --output json 2>&1)
                  if [[ -n "${FINDINGS_COUNT}" ]]; then
                      SEVERITY_CRITICAL=$(jq -r '.CRITICAL' <<< "${FINDINGS_COUNT}")
                      if [[ "${SEVERITY_CRITICAL}" != "null" ]]; then
                        textFail "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with CRITICAL ($SEVERITY_CRITICAL) findings" "${region}" "${repo}"
                      fi
                      SEVERITY_HIGH=$(jq -r '.HIGH' <<< "${FINDINGS_COUNT}")
                      if [[ "${SEVERITY_HIGH}" != "null" ]]; then
                        textFail "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with HIGH ($SEVERITY_HIGH) findings" "${region}" "${repo}"
                      fi
                      SEVERITY_MEDIUM=$(jq -r '.MEDIUM' <<< "${FINDINGS_COUNT}")
                      if [[ "${SEVERITY_MEDIUM}" != "null" ]]; then
                        textFail "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with MEDIUM ($SEVERITY_MEDIUM) findings" "${region}" "${repo}"
                      fi
                      SEVERITY_LOW=$(jq -r '.LOW' <<< "${FINDINGS_COUNT}")
                      if [[ "${SEVERITY_LOW}" != "null" ]]; then
                        textInfo "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with LOW ($SEVERITY_LOW) findings" "${region}" "${repo}"
                      fi
                      SEVERITY_INFORMATIONAL=$(jq -r '.INFORMATIONAL' <<< "${FINDINGS_COUNT}")
                      if [[ "${SEVERITY_INFORMATIONAL}" != "null" ]]; then
                        textInfo "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with INFORMATIONAL ($SEVERITY_INFORMATIONAL) findings" "${region}" "${repo}"
                      fi
                      SEVERITY_UNDEFINED=$(jq -r '.UNDEFINED' <<< "${FINDINGS_COUNT}")
                      if [[ "${SEVERITY_UNDEFINED}" != "null" ]]; then
                        textInfo "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} with UNDEFINED ($SEVERITY_UNDEFINED) findings" "${region}" "${repo}"
                      fi
                  else
                    textPass "${region}: ECR repository ${repo} has imageTag ${NEWEST_IMAGE_TAG} without findings" "${region}" "${repo}"
                  fi
                fi
              fi
            fi
          else
            textInfo "${region}: ECR repository ${repo} has no images" "${region}"
          fi
        else
          textInfo "${region}: ECR repository ${repo} has scanOnPush disabled" "${region}" "${repo}"
        fi
      done
    else
      textInfo "${region}: No ECR repositories found" "${region}"
    fi
  done
}