
Commit 48bfae6

authored
Revert "AWS Prowler Scan parser Upgrade and Enhancements (DefectDojo#4851)" (DefectDojo#4872)
This reverts commit cb82b74.
1 parent cb82b74 commit 48bfae6


8 files changed

+1887
-309
lines changed


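--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -957,7 +957,6 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 HASHCODE_ALLOWS_NULL_CWE = {
 'Anchore Engine Scan': True,
 'Anchore Grype': True,
-'AWS Prowler Scan': True,
 'Checkmarx Scan': False,
 'Checkmarx OSA': True,
 'SonarQube Scan': False,
@@ -1005,7 +1004,6 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 'Anchore Grype': DEDUPE_ALGO_HASH_CODE,
 'Aqua Scan': DEDUPE_ALGO_HASH_CODE,
 'AuditJS Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
-'AWS Prowler Scan': DEDUPE_ALGO_HASH_CODE,
 'Burp REST API': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
 'CargoAudit Scan': DEDUPE_ALGO_HASH_CODE,
 'Checkmarx Scan detailed': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,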

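--- a/dojo/tools/aws_prowler/parser.py
+++ b/dojo/tools/aws_prowler/parser.py
@@ -1,14 +1,10 @@
-# For Prowler CSV Export
-# Based on:
-# PROWLER_VERSION=2.4.0-07042021
 
 import re
 from datetime import datetime
 import sys
 import io
 import csv
 import textwrap
-import hashlib
 
 from dojo.models import Finding
 
@@ -36,56 +32,28 @@ def get_findings(self, filename, test):
 account = None
 
 for row in reader:
-# Getting all available fields from the Prowler CSV
-# Fields in order of appearence
 profile = row.get('PROFILE')
 account = row.get('ACCOUNT_NUM')
 region = row.get('REGION')
 title_id = row.get('TITLE_ID')
-result = row.get('CHECK_RESULT')
-scored = row.get('ITEM_SCORED')
-level = row.get('ITEM_LEVEL')
-title_text = row.get('TITLE_TEXT')
-result_extended = row.get('CHECK_RESULT_EXTENDED')
-asff_compliance_type = row.get('CHECK_ASFF_COMPLIANCE_TYPE')
+result = row.get('RESULT', row.get('CHECK_RESULT'))
+scored = row.get('SCORED')
+level = row.get('LEVEL')
 severity = row.get('SEVERITY')
-aws_service_name = row.get('CHECK_SERVICENAME')
-asff_resource_type = row.get('CHECK_ASFF_RESOURCE_TYPE')
-asff_type = row.get('CHECK_ASFF_TYPE')
-impact = row.get('CHECK_RISK')
-mitigation = row.get('CHECK_REMEDIATION')
-documentation = row.get('CHECK_DOC')
-security_domain = row.get('CHECK_CAF_EPIC')
-# get prowler check number, usefull for exceptions
-prowler_check_number = re.search(r'\[(.*?)\]', title_text).group(1)
+title_text = row.get('TITLE_TEXT')
 # remove '[check000] ' at the start of each title
-title = re.sub(r'\[.*\]\s', '', result_extended)
-control = re.sub(r'\[.*\]\s', '', title_text)
+title_text = re.sub(r'\[.*\]\s', '', title_text)
+notes = row.get('NOTES')
+
 sev = self.getCriticalityRating(result, level, severity)
+description = "**Region:** " + region + "\n\n" + str(notes) + "\n"
+
 if result == "INFO" or result == "PASS":
 active = False
 else:
 active = True
 
-# creating description early will help with duplication control
-if not level:
-level = ""
-else:
-level = ", " + level
-description = "**Issue:** " + str(result_extended) + \
-"\n**Control:** " + str(control) + \
-"\n**AWS Account:** " + str(account) + " | **Region:** " + str(region) + \
-"\n**CIS Control:** " + str(title_id) + str(level) + \
-"\n**Prowler check:** " + str(prowler_check_number) + \
-"\n**AWS Service:** " + str(aws_service_name) + \
-"\n**ASFF Resource Type:** " + str(asff_resource_type) + \
-"\n**ASFF Type:** " + str(asff_type) + \
-"\n**ASFF Compliance Type:** " + str(asff_compliance_type) + \
-"\n**Security Domain:** " + str(security_domain)
-
-# improving key to get duplicates
-dupe_key = hashlib.sha256(
-(sev + '|' + region + '|' + result_extended).encode('utf-8')).hexdigest()
+dupe_key = sev + title_text
 if dupe_key in dupes:
 find = dupes[dupe_key]
 if description is not None:
@@ -94,17 +62,15 @@ def get_findings(self, filename, test):
 else:
 find = Finding(
 active=active,
-title=textwrap.shorten(result_extended, 150),
+title=textwrap.shorten(title_text, 150),
 cwe=1032, # Security Configuration Weaknesses, would like to fine tune
 test=test,
-description=description,
+description="**AWS Account:** " + str(account) + "\n**Control:** " + str(title_text) + "\n**CIS Control:** " + str(title_id) + ", " + str(level) + "\n\n" + description,
 severity=sev,
-references=documentation,
+references=None,
 date=find_date,
 dynamic_finding=True,
 nb_occurences=1,
-mitigation=mitigation,
-impact=impact,
 )
 dupes[dupe_key] = find
 
@@ -123,10 +89,6 @@ def getCriticalityRating(self, result, level, severity):
 criticality = "Info"
 elif result == "FAIL":
 if severity:
-# control is failing but marked as Info so we want to mark as
-# Low to appear in the Dojo
-if severity == "Informational":
-return "Low"
 return severity
 else:
 if level == "Level 1":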
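Review bot: `region` is concatenated unguarded in the restored line `description = "**Region:** " + region + "\n\n" + str(notes) + "\n"`, while every other field in the same block is wrapped in `str(...)`; a row whose REGION column is missing makes `row.get` return None and the import aborts with a TypeError instead of producing a finding with an empty region. The same holds for `dupe_key = sev + title_text` and for the `re.sub(r'\[.*\]\s', '', title_text)` just above it when TITLE_TEXT is absent. I would write `description = "**Region:** " + str(region) + "\n\n" + str(notes) + "\n"` and `dupe_key = sev + str(title_text)`, or skip the row explicitly. A related inconsistency: `result` falls back to CHECK_RESULT, but `scored`, `level` and `severity` read only the short column names, so a CSV with the CHECK_SEVERITY/ITEM_LEVEL header (as the issue4450.csv fixture on this page uses) yields None for them and the last hunk's getCriticalityRating then derives severity from `level` alone; if that is not intended, the same `row.get(new, row.get(old))` fallback should apply to those three. get_findings starts before this hunk.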

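--- a/dojo/unittests/scans/aws_prowler/issue4450.csv
+++ b/dojo/unittests/scans/aws_prowler/issue4450.csv
@@ -1,4 +1,4 @@
-PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC
+PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC,
 V2devTest,612801422404,us-west-2,1.1,PASS,Scored,Level 1,[check11] Avoid the use of the root account (Scored),Root user in the account wasn't accessed in the last 1 days,Software and Configuration Checks,High,iam,AwsAccount,Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark,"The ""root"" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.",Follow the remediation instructions of the Ensure IAM policies are attached only to groups or roles recommendation.,http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html,IAM,
 V2devTest,612801422404,us-west-2,1.2,FAIL,Scored,Level 1,[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored),User ansible-test-user has Password enabled but MFA disabled,ens-op.acc.5.aws.iam.1,High,iam,AwsIamUser,Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark,Unauthorized access to this critical account if password is not secure or it is disclosed in any way.,Enable MFA for root account. is a simple best practice that adds an extra layer of protection on top of your user name and password. Recommended to use hardware keys over virtual MFA.,https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html,IAM,
 V2devTest,612801422404,us-west-2,1.2,FAIL,Scored,Level 1,[check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored),User John has Password enabled but MFA disabled,ens-op.acc.5.aws.iam.1,High,iam,AwsIamUser,Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark,Unauthorized access to this critical account if password is not secure or it is disclosed in any way.,Enable MFA for root account. is a simple best practice that adds an extra layer of protection on top of your user name and password. Recommended to use hardware keys over virtual MFA.,https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html,IAM,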
Lines changed: 6 additions & 5 deletions
@@ -1,5 +1,6 @@
1-
PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,CHECK_RESULT,ITEM_SCORED,ITEM_LEVEL,TITLE_TEXT,CHECK_RESULT_EXTENDED,CHECK_ASFF_COMPLIANCE_TYPE,CHECK_SEVERITY,CHECK_SERVICENAME,CHECK_ASFF_RESOURCE_TYPE,CHECK_ASFF_TYPE,CHECK_RISK,CHECK_REMEDIATION,CHECK_DOC,CHECK_CAF_EPIC
2-
,012345678910,us-east-1,1.1,FAIL,Scored,Level 1,[check11] Avoid the use of the root account (Scored),Root user in the account wasn't accessed in the last 1 days,Software and Configuration Checks,High,iam,AwsAccount,Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark,The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.,Follow the remediation instructions of the Ensure IAM policies are attached only to groups or roles recommendation.,http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html,IAM
3-
,012345678910,us-east-1,1.3,FAIL,Scored,Level 1,[check13] Ensure credentials unused for 90 days or greater are disabled (Scored),User example_user has never used access key 1 since creation and not rotated it in the past 90 days,ens-op.acc.1.aws.iam.3 ens-op.acc.5.aws.iam.4,Medium,iam,AwsIamUser,Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark,AWS IAM users can access AWS resources using different types of credentials (passwords or access keys). It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated.,Use the credential report to ensure password_last_changed is less than 90 days ago.,https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html,IAM
4-
,012345678910,us-east-1,1.10,FAIL,Scored,Level 1,[check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored),Password Policy has weak reuse requirement (lower than 24),Software and Configuration Checks,Medium,iam,AwsAccount,Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark,Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.,Ensure "Number of passwords to remember" is set to 24.,https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html,IAM
5-
,012345678910,eu-west-2,7.5,FAIL,Not Scored,Extra,[extra75] Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark),eu-west-2: sg-01234567890qwerty is not being used!,ens-mp.com.4.aws.sg.3,Informational,ec2,AwsEc2SecurityGroup,Software and Configuration Checks,Having clear definition and scope for Security Groups creates a better administration environment.,List all the security groups and then use the cli to check if they are attached to an instance.,https://aws.amazon.com/premiumsupport/knowledge-center/ec2-find-security-group-resources/,Infrastructure Security
1+
PROFILE,ACCOUNT_NUM,REGION,TITLE_ID,RESULT,SCORED,LEVEL,TITLE_TEXT,NOTES
2+
,012345678910,eu-central-1,1.1,FAIL,Scored,Level 1,[check11] Vuln A,Note
3+
,012345678910,eu-central-1,1.4,FAIL,Scored,Level 1,[check14] Vuln B,Note
4+
,012345678910,eu-central-1,1.4,INFO,Scored,Level 1,[check14] Info A,Note
5+
,012345678910,eu-central-1,1.14,FAIL,Scored,Level 2,[check114] Vuln C,Note
6+
,012345678910,eu-central-1,1.15,INFO,Not Scored,Level 1,[check115] Info B,Note
