Add AWS ARN for the specific offending Resource into the Description of the ASFF parser (#10761)

* Add Under Review for Jira mappings

Add Under Review to the Jira configuration and 'open_status'. Some teams work within sprint cycles, so if they are integrated with Jira and their DefectDojo product, it would be nice to have 'Under Review' as an 'In-Progress' and 'Active' status / resolution, so that things currently being worked on can be tracked. This adds flexibility to the 'Open', 'Closed', 'False Positive' or 'Risk Accepted' by adding the 'Under Review' mapping resolution for Jira so that teams can manage vulnerabilities that are in-progress or 'under review'.

* Update 0014_jira_conf_resolution_mappings.py

* Update parser.py

Add AWS ARN ProductField -> Resources:0/Id into the Description so that the actual offending resource can make its way into the Finding.

* fixing whitespace

fixing whitespace

* Update parser.py

implement cneil suggestions

* Update parser.py

fixing errors

* Update parser.py

fix typo

* Update parser.py

* Update parser.py

* Update parser.py

* Update parser.py

attempting to implement cneill's suggestion on refactoring parser

* Update parser.py

attempt 2

* Update parser.py

* Update parser.py

* Update parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

starting over on this part - adding parser = AsffParser() to common_check_finding so it can be referenced by other methods

* Update test_asff_parser.py

* Update test_asff_parser.py

one more try

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update test_asff_parser.py

* Update parser.py

fix spacing

* Update parser.py

* Update parser.py

* update parser and unit test

* fix whitespace

* Update test_asff_parser.py

* Update parser.py

* Update parser.py

* remove extra line + update unit test to reflect correct format

* fix csv parser - a ',' will break

fix csv parser - a ',' will break.
adding a + for now, but open to considering &

* update spacing

* fixing this - not an issue, rolling back

---------

Co-authored-by: Cody Maffucci <[email protected]>
testaccount90009 and Maffooch authored Aug 26, 2024
1 parent 096bd04 commit 7966e46
Showing 2 changed files with 38 additions and 2 deletions.
33 changes: 32 additions & 1 deletion dojo/tools/asff/parser.py
Expand Up @@ -26,6 +26,16 @@ def get_description_for_scan_types(self, scan_type):
return """AWS Security Finding Format (ASFF).
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-syntax.html"""

def get_item_resource_arns(self, item):
resource_arns = []
if isinstance(item.get("Resources"), list):
for resource_block in item["Resources"]:
if isinstance(resource_block, dict):
resource_id = resource_block.get("Id")
if resource_id:
resource_arns.append(resource_id)
return resource_arns

def get_findings(self, file, test):
data = json.load(file)
result = []
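
Review bot: In `get_item_resource_arns`, the check `if resource_id:` accepts any truthy `Id`, so a number or nested object in the imported file lands in the list and `", ".join(resource_arns)` in `get_findings` then raises a TypeError. Suggest `if isinstance(resource_id, str) and resource_id:`. The method also has no docstring and never uses `self`; a one-line docstring stating that it returns the `Resources[].Id` values would help, since the name says ARNs but nothing here checks that the value is one.
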
Expand All @@ -41,9 +51,30 @@ def get_findings(self, file, test):
else:
active = False

# Adding the Resources:0/Id value to the description.
#
# This is needed because every Finding in AWS from Security Hub has an
# associated ResourceId that contains the full AWS ARN and without it,
# it is much more difficult to track down the specific resource.
#
# This is different from the Finding Id - as that is from the Security Hub
# control and has no information about the offending resource.
#
# Retrieve the AWS ARN / Resource Id
resource_arns = self.get_item_resource_arns(item)

# Define the control_description
control_description = item.get("Description")

if resource_arns:
resource_arn_strings = ", ".join(resource_arns)
full_description = f"**AWS resource ARN:** {resource_arn_strings}\n\n{control_description}"
else:
full_description = control_description

finding = Finding(
title=item.get("Title"),
description=item.get("Description"),
description=full_description,
date=dateutil.parser.parse(item.get("CreatedAt")),
mitigation=mitigation,
references=references,
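
Review bot: `control_description = item.get("Description")` can be None, and the f-string that builds `full_description` then writes the literal text "None" after the ARN line. Default it with `item.get("Description", "")`, which is also what the unit test assumes. Two smaller points: the label reads "AWS resource ARN:" in the singular although several ids may be joined, and the ids go straight from the uploaded file into a field written as Markdown (`**...**`), so consider wrapping each id in backticks or escaping it. The long comment block above `resource_arns = ...` could be cut to two lines.
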
7 changes: 6 additions & 1 deletion unittests/tools/test_asff_parser.py
Expand Up @@ -17,8 +17,13 @@ def load_sample_json(self, file_name):
return json.load(file)

def common_check_finding(self, finding, data, index, guarddutydate=False):
parser = AsffParser()
resource_arns = parser.get_item_resource_arns(data[index])
resource_arn_strings = ", ".join(resource_arns)
control_description = data[index].get("Description", "")
full_description = f"**AWS resource ARN:** {resource_arn_strings}\n\n{control_description}"
self.assertEqual(finding.title, data[index]["Title"])
self.assertEqual(finding.description, data[index]["Description"])
self.assertEqual(finding.description, full_description)
if guarddutydate:
self.assertEqual(finding.date.date(),
datetime.strptime(data[0]["CreatedAt"], "%Y-%m-%dT%H:%M:%S.%fZ").date())
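
Review bot: `common_check_finding` always builds the expected value with the `**AWS resource ARN:**` prefix, but the parser falls back to the bare description when `resource_arns` is empty, so this helper would fail on a sample item without `Resources` and the parser's `else` branch is not exercised here. Mirror the `if resource_arns:` branch in the helper or add a dedicated test for an item with no resources. The expected ARNs are also computed by calling `parser.get_item_resource_arns`, the code under test, so a bug in that method would pass unnoticed; asserting against an id read directly from the sample data would be stronger.
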