[ENHANCEMENT] AWS Security Hub parser: include more vulnerability det…

…ails (#8664)

* AWS Security Hub parser: include additional vulnerability details

* AWS Security Hub parser: improvements for ECR findings

* AWS Security Hub parser: mark findings as static

dojo/tools/awssecurityhub/parser.py

@@ -25,12 +25,14 @@ def get_items(self, tree: dict, test):
         # DefectDojo/django-DefectDojo/issues/2780
         findings = tree.get("Findings", tree.get("findings", None))
 
-        if not findings:
-            return list()
+        if not isinstance(findings, list):
+            raise ValueError("Incorrect Security Hub report format")
 
         for node in findings:
             item = get_item(node, test)
             key = node["Id"]
+            if not isinstance(key, str):
+                raise ValueError("Incorrect Security Hub report format")
             items[key] = item
 
         return list(items.values())
@@ -42,6 +44,8 @@ def get_item(finding: dict, test):
     title = finding.get("Title", "")
     severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL").title()
     mitigation = ""
+    impact = []
+    references = []
     unsaved_vulnerability_ids = []
     if aws_scanner_type == "Inspector":
         description = f"This is an Inspector Finding\n{finding.get('Description', '')}"
@@ -50,12 +54,18 @@ def get_item(finding: dict, test):
             # Save the CVE if it is present
             if cve := vulnerability.get("Id"):
                 unsaved_vulnerability_ids.append(cve)
+            for alias in vulnerability.get("RelatedVulnerabilities", []):
+                if alias != cve:
+                    unsaved_vulnerability_ids.append(alias)
             # Add information about the vulnerable packages to the description and mitigation
             vulnerable_packages = vulnerability.get("VulnerablePackages", [])
             for package in vulnerable_packages:
                 mitigation += f"- Update {package.get('Name', '')}-{package.get('Version', '')}\n"
                 if remediation := package.get("Remediation"):
                     mitigation += f"\t- {remediation}\n"
+            if vendor := vulnerability.get("Vendor"):
+                if vendor_url := vendor.get("Url"):
+                    references.append(vendor_url)
 
         if finding.get("ProductFields", {}).get("aws/inspector/FindingStatus", "ACTIVE") == "ACTIVE":
             mitigated = None
@@ -91,27 +101,44 @@ def get_item(finding: dict, test):
             is_Mitigated = False
             active = True
 
-    resources = finding.get("Resources", "")
-    resource_id = resources[0]["Id"].split(":")[-1]
-    references = finding.get("Remediation", {}).get("Recommendation", {}).get("Url")
+    title_suffix = ""
+    for resource in finding.get("Resources", []):
+        if resource.get("Type") == "AwsEcrContainerImage":
+            details = resource.get("Details", {}).get("AwsEcrContainerImage")
+            arn = resource.get("Id")
+            if details:
+                impact.append(f"Image ARN: {arn}")
+                impact.append(f"Registry: {details.get('RegistryId')}")
+                impact.append(f"Repository: {details.get('RepositoryName')}")
+                impact.append(f"Image digest: {details.get('ImageDigest')}")
+            title_suffix = f" - Image: {arn.split('/', 1)[1]}"  # repo-name/sha256:digest
+        else:  # generic implementation
+            resource_id = resource["Id"].split(":")[-1]
+            impact.append(f"Resource: {resource_id}")
+            title_suffix = f" - Resource: {resource_id}"
+
+    if remediation_rec_url := finding.get("Remediation", {}).get("Recommendation", {}).get("Url"):
+        references.append(remediation_rec_url)
     false_p = False
 
-    finding = Finding(
-        title=f"{title} - Resource: {resource_id}",
+    result = Finding(
+        title=f"{title}{title_suffix}",
         test=test,
         description=description,
         mitigation=mitigation,
-        references=references,
+        references="\n".join(references),
         severity=severity,
-        impact=f"Resource: {resource_id}",
+        impact="\n".join(impact),
         active=active,
         verified=False,
         false_p=false_p,
         unique_id_from_tool=finding_id,
         mitigated=mitigated,
         is_mitigated=is_Mitigated,
+        static_finding=True,
+        dynamic_finding=False,
     )
     # Add the unsaved vulnerability ids
-    finding.unsaved_vulnerability_ids = unsaved_vulnerability_ids
+    result.unsaved_vulnerability_ids = unsaved_vulnerability_ids
 
-    return finding
+    return result

unittests/scans/awssecurityhub/README.md

@@ -10,7 +10,7 @@ To keep some order, let's keep them prefixed with the names of the services that
 
 * `inspector_ec2_`: findings from AWS Inspector with results of scanning EC2 instances
 
-* `inspector_ecr_`: findings from AWS Inspector with results of Enhanced ECR Scanning
+* `inspector_ecr_`: findings from AWS Inspector with results of Enhanced ECR Scanning, currently contains 7 findings with vulnerabilities associated with 8 different values of `PackageManager`
 
 * `inspector_lambda_`: findings from AWS Inspector with results of scanning Lambdas