DefectDojo#11210 prowler_v4.py Prowler v4.5.0 changed the 'event_time…

…' key in finding with 'time_dt'
ivan-morhun · Nov 7, 2024 · 5caeba0 · 5caeba0
1 parent 50d01bd
commit 5caeba0
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 5 deletions.
diff --git a/dojo/tools/aws_prowler_v3plus/prowler_v4.py b/dojo/tools/aws_prowler_v3plus/prowler_v4.py
@@ -37,7 +37,9 @@ def process_ocsf_json(self, file, test):
             documentation = deserialized.get("remediation", {}).get("references", "")
             documentation = str(documentation) + "\n" + str(deserialized.get("unmapped", {}).get("related_url", ""))
             security_domain = deserialized.get("resources", [{}])[0].get("type", "")
-            timestamp = deserialized.get("event_time")
+            # Prowler v4.5.0 changed 'event_time' key in report with 'time_dt'
+            timestamp = deserialized.get(
+                "time_dt") or deserialized.get("event_time")
             resource_arn = deserialized.get("resources", [{}])[0].get("uid", "")
             resource_id = deserialized.get("resources", [{}])[0].get("name", "")
             unique_id_from_tool = deserialized.get("finding_info", {}).get("uid", "")

diff --git a/unittests/scans/aws_prowler_v3plus/many_vuln.ocsf.json b/unittests/scans/aws_prowler_v3plus/many_vuln.ocsf.json
@@ -67,7 +67,7 @@
         "provider": "aws",
         "region": "us-east-1"
     },
-    "event_time": "2024-06-03T14:15:19.382075",
+    "time_dt": "2024-06-03T14:15:19.382075",
     "remediation": {
         "desc": "Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
         "references": [
@@ -155,7 +155,7 @@
         "provider": "aws",
         "region": "us-east-1"
     },
-    "event_time": "2024-06-03T14:15:19.382075",
+    "time_dt": "2024-06-03T14:15:19.382075",
     "remediation": {
         "desc": "Remove the AWS-managed ReadOnlyAccess policy from all roles that have a trust policy, including third-party cloud accounts, or remove third-party cloud accounts from the trust policy of all roles that need the ReadOnlyAccess policy.",
         "references": [
@@ -234,7 +234,7 @@
         "provider": "aws",
         "region": "us-east-1"
     },
-    "event_time": "2024-06-03T14:15:19.382075",
+    "time_dt": "2024-06-03T14:15:19.382075",
     "remediation": {
         "desc": "Ensure IAM Roles do not allow assume role from any role of a cross account but only from specific roles of specific accounts.",
         "references": [

diff --git a/unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json b/unittests/scans/aws_prowler_v3plus/one_vuln.ocsf.json
@@ -67,7 +67,7 @@
         "provider": "aws",
         "region": "us-east-1"
     },
-    "event_time": "2024-06-03T14:15:19.382075",
+    "time_dt": "2024-06-03T14:15:19.382075",
     "remediation": {
         "desc": "Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
         "references": [