Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prowler V4.5.0 Import/re-import issue #11210

Closed
1 of 3 tasks
ivan-morhun opened this issue Nov 7, 2024 · 2 comments
Closed
1 of 3 tasks

Prowler V4.5.0 Import/re-import issue #11210

ivan-morhun opened this issue Nov 7, 2024 · 2 comments
Labels

Comments

@ivan-morhun
Copy link
Contributor

ivan-morhun commented Nov 7, 2024

Bug description
During Prowler v4 report importing/re-importing, there is an issue with parsing the finding datetime key. If I'm not mistaken this line https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/tools/aws_prowler_v3plus/prowler_v4.py#L40 tries to get "event_time" key from the finding dict, but Prowler v4 report doesn't have such key, there is time key instead. The next step causes an issue when trying to convert ISO timestamp https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/tools/aws_prowler_v3plus/prowler_v4.py#L75

Steps to reproduce
Steps to reproduce the behavior:

  1. Try to import/re-import Prowler v4 report via API or UI

Expected behavior
Report is imported

Deployment method (select with an X)

  • Docker Compose
  • Kubernetes
  • GoDojo

Logs

{"message": "'NoneType' object is not subscriptable", "time": "2024-11-07T10:00:17.343595+00:00", "exc_info": "Traceback (most recent call last):\n File \"/usr/local/lib/python3.11/site-packages/rest_framework/views.py\", line 506, in dispatch\n response = handler(request, *args, **kwargs)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/usr/local/lib/python3.11/site-packages/rest_framework/mixins.py\", line 19, in create\n self.perform_create(serializer)\n File \"/app/dojo/api_v2/views.py\", line 2576, in perform_create\n serializer.save(push_to_jira=push_to_jira)\n File \"/app/dojo/api_v2/serializers.py\", line 2484, in save\n self.process_scan(auto_create_manager, data, context)\n File \"/app/dojo/api_v2/serializers.py\", line 2436, in process_scan\n ).process_scan(\n ^^^^^^^^^^^^^\n File \"/app/dojo/importers/default_reimporter.py\", line 94, in process_scan\n self.parsed_findings = self.parse_findings(scan, parser)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/app/dojo/importers/default_reimporter.py\", line 302, in parse_findings\n self.parsed_findings = self.parse_findings_static_test_type(scan, parser)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/app/dojo/importers/default_reimporter.py\", line 316, in parse_findings_static_test_type\n return super().parse_findings_static_test_type(scan, parser)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/app/dojo/importers/base_importer.py\", line 161, in parse_findings_static_test_type\n return parser.get_findings(scan, self.test)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/app/dojo/tools/aws_prowler_v3plus/parser.py\", line 19, in get_findings\n return AWSProwlerV4Parser().process_ocsf_json(file, test)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/app/dojo/tools/aws_prowler_v3plus/prowler_v4.py\", line 75, in process_ocsf_json\n date=date.fromisoformat(timestamp[:10]),\n ~~~~~~~~~^^^^^\nTypeError: 'NoneType' object is not subscriptable"}

Sample scan files
Example of report

[{
    "message": "EC2 AMI ami-xxxxxxx is not public.",
    "metadata": {
        "event_code": "ec2_ami_public",
        "product": {
            "name": "Prowler",
            "uid": "prowler",
            "vendor_name": "Prowler",
            "version": "4.5.0"
        },
        "profiles": [
            "cloud",
            "datetime"
        ],
        "tenant_uid": "arn:aws:organizations::xxxxxxxx:organization/o-l8a6bwph6s",
        "version": "1.3.0"
    },
    "severity_id": 5,
    "severity": "Critical",
    "status": "New",
    "status_code": "PASS",
    "status_detail": "EC2 AMI ami-xxxxxxxxxxx is not public.",
    "status_id": 1,
    "unmapped": {
        "related_url": "",
        "categories": [
            "internet-exposed"
        ],
        "depends_on": [],
        "related_to": [],
        "notes": "",
        "compliance": {
            "ISO27001-2013": [
                "A.12.6"
            ],
            "KISA-ISMS-P-2023": [
                "2.6.1",
                "2.9.3"
            ],
            "KISA-ISMS-P-2023-korean": [
                "2.6.1",
                "2.9.3"
            ],
            "AWS-Well-Architected-Framework-Security-Pillar": [
                "SEC03-BP07"
            ],
            "AWS-Account-Security-Onboarding": [
                "Disable AMI public sharing"
            ],
            "AWS-Foundational-Technical-Review": [
                "NETSEC-001"
            ]
        }
    },
    "activity_name": "Create",
    "activity_id": 1,
    "finding_info": {
        "created_time": 1730968745,
        "created_time_dt": "2024-11-07T11:39:05.010426",
        "desc": "Ensure there are no EC2 AMIs set as Public.",
        "product_uid": "prowler",
        "title": "Ensure there are no EC2 AMIs set as Public.",
        "types": [
            "Infrastructure Security"
        ],
        "uid": "prowler-aws-ec2_ami_public-xxxxxxxxx-us-west-1-ami-xxxxxxxxxx"
    },
    "resources": [
        {
            "cloud_partition": "aws",
            "region": "us-west-1",
            "data": {
                "details": ""
            },
            "group": {
                "name": "ec2"
            },
            "labels": [
            ],
            "name": "ami-xxxxxxxxxxx",
            "type": "Other",
            "uid": "arn:aws:ec2:us-west-1:xxxxxxxx:image/ami-xxxxxxxxxxx"
        }
    ],
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
        "account": {
            "name": "Test",
            "type": "AWS Account",
            "type_id": 10,
            "uid": "xxxxxxxxxxx",
            "labels": [
                "terraform:true",
                "account_id:xxxxxxxxxx",
                "author:ivan.morgun@xxxxxxxx.com",
                "git_repo:xxxx-xxxxx",
                "account_name:test"
            ]
        },
        "org": {
            "name": "o-xxxxxxxx",
            "uid": "arn:aws:organizations::xxxxxxxxxxx:organization/o-xxxxxxxx"
        },
        "provider": "aws",
        "region": "us-west-1"
    },
    "remediation": {
        "desc": "We recommend your EC2 AMIs are not publicly accessible, or generally available in the Community AMIs.",
        "references": [
            "https://docs.prowler.com/checks/aws/public-policies/public_8#cli-command",
            "https://docs.prowler.com/checks/aws/public-policies/public_8#aws-console",
            "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cancel-sharing-an-AMI.html"
        ]
    },
    "risk_details": "When your AMIs are publicly accessible, they are available in the Community AMIs where everyone with an AWS account can use them to launch EC2 instances. Your AMIs could contain snapshots of your applications (including their data), therefore exposing your snapshots in this manner is not advised.",
    "time": 1730968745,
    "time_dt": "2024-11-07T11:39:05.010426",
    "type_uid": 200401,
    "type_name": "Detection Finding: Create"
}]

Screenshots
image

@ivan-morhun ivan-morhun added the bug label Nov 7, 2024
@serhii-ciq
Copy link

The same issue here :(

ivan-morhun added a commit to ivan-morhun/django-DefectDojo that referenced this issue Nov 7, 2024
ivan-morhun added a commit to ivan-morhun/django-DefectDojo that referenced this issue Nov 7, 2024
@ivan-morhun ivan-morhun changed the title Prowler V4 Import/re-import issue Prowler V4.5.0 Import/re-import issue Nov 7, 2024
mtesauro pushed a commit that referenced this issue Nov 18, 2024
…dt' (#11213)

* #11210 prowler_v4.py Prowler v4.5.0 changed the 'event_time' key in finding with 'time_dt'

* #11210 prowler_v4.py Prowler v4.5.0 changed the 'event_time' key in finding with 'time_dt'

* Add tesst to support prowler version <4.5.0

* Return new-line

* Update tests, clean up scans

* Fix ruff

* Rename some stuff

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
@ivan-morhun
Copy link
Contributor Author

Thanks for the fix. No everything works as expected!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants