Parser for AWS Inspector2 findings #10829
Conversation
github-actions
bot
added
settings_changes
DryRun Security SummaryThe pull request primarily focuses on enhancing the integration between the DefectDojo application security platform and the AWS Inspector2 security scanning service, including documentation updates, configuration changes, a new AWS Inspector2 parser implementation, and expanded test suite. Expand for full summarySummary: The changes in this pull request primarily focus on enhancing the integration between the DefectDojo application security platform and the AWS Inspector2 security scanning service. The key changes include:
From an application security perspective, these changes are positive as they enhance the security capabilities of the DefectDojo platform by allowing it to ingest and process findings from the AWS Inspector2 security scanning service. This provides security teams with a more comprehensive view of their attack surface and potential vulnerabilities. The changes to the configuration and the implementation of the AWS Inspector2 parser demonstrate a thoughtful approach to integrating the new scanner, including considerations for deduplication, severity mapping, and the extraction of detailed vulnerability information. The expanded test suite also helps ensure the reliability and robustness of the integration, which is crucial for maintaining the overall security of the application. Files Changed:
Code AnalysisWe ran Riskiness🟢 Risk threshold not exceeded. |
dojo/tools/aws_inspector2/parser.py
Outdated
| from dojo.models import Endpoint, Finding | ||
|
|
||
|
|
||
| class AWSInspector2Parser(object): |
There was a problem hiding this comment.
A lot of AWS users use AWS Security Hub to retrieve all findings. Could you also advance this parser: https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/tools/awssecurityhub/inspector.py ?
Are the returned AWS Security Hub findings of Inspector2 equal to the returned findings of Inspector2 or are they differently formatted?
There was a problem hiding this comment.
It's definitely preferred to have a single parser that understands multiple formats vs multiple parsers - if nothing else, it's easier for people to use who might not know the difference between Inspector JSON versions.
There was a problem hiding this comment.
thank you for your attention, I'll try to answer below.
Security Hub collects findings from inspector and a few other AWS services, then it converts the findings into one common format (ASFF - AWS Security Finding Format https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) and provides API to retrieve the findings in that format. AWS Inspector provides own API with own finding format. It is not necessary to use Security Hub in order to use Inspector since those are 2 different AWS services. Answering to your @manuel-sommer question - yes, they are differently formatted.
I would extend the existing parser If I had a way to easily detect what finding format is used in an uploaded json, although the name of the parser would be misleading since AWS Security Hub and AWS Inspector are two different services.
If you believe DefectDojo needs only Security Hub parser because it is indeed an AWS service that can collect findings from other services (full list here https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html), and there is no need to support standalone AWS service report import, I'm totally okay with this approach. Thank you.
There was a problem hiding this comment.
Understood about AWS Security Hub vs AWS Inspector.
I would make sense in this case to have a parser just for AWS Inspector not that you've provided more details - TBH, I can't keep up with all the AWS whatever services.
You will need get the ruff linter happy (as well as the other tests) before the PR will be reviewed and merged (assuming we get 4 approvals).
I'm going to re-kick the tests now - if you want to do that yourself, you can close & open the PR to get them to restart assuming this isn't your first PR against DefectDojo.
dojo/settings/settings.dist.py
Outdated
| @@ -1273,6 +1273,7 @@ def saml2_attrib_map_format(dict): | |||
| "Kiuwan SCA Scan": ["description", "severity", "component_name", "component_version", "cwe"], | |||
| "Rapplex Scan": ["title", "endpoints", "severity"], | |||
| "AppCheck Web Application Scanner": ["title", "severity"], | |||
| "AWS Inspector2 Scan": ["title"], | |||
There was a problem hiding this comment.
Either add more fields as the title is probably not unique enough, or only use uniqueidfromtool. Furthermore, you forgot to edit the settings.dist.py hash sum https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/settings/.settings.dist.py.sha256sum
dojo/fixtures/test_type.json
Outdated
| }, | ||
| { | ||
| "fields": { | ||
| "name": "AWS Inspector2" | ||
| }, | ||
| "model": "dojo.test_type", | ||
| "pk": 8 |
There was a problem hiding this comment.
| }, | |
| { | |
| "fields": { | |
| "name": "AWS Inspector2" | |
| }, | |
| "model": "dojo.test_type", | |
| "pk": 8 |
This file is no longer modified when adding new parsers
dojo/tools/aws_inspector2/parser.py
Outdated
| resource_details = resource_info.get("details", {}) | ||
| resource_region = resource_info.get("region", "N/A") | ||
| endpoint_host = f"{resource_type} - {resource_id}" | ||
| if resource_type == "AWS_EC2_INSTANCE": |
There was a problem hiding this comment.
It would make the code much easier to read by converting individual if cases into a function to process each resource type. This is
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
A parser for AWS Inspector2 ("new" Inspector) findings exported with
aws inspector2 list-findingsin JSON format.Checklist
This checklist is for your information.
dev.dev.bugfixbranch.[sc-8014]