
prowler_v4.py Prowler v4.5.0 changed the 'event_time' key with 'time_dt' #11213

Open
wants to merge 7 commits into
base: bugfix

Conversation

ivan-morhun
Contributor

@ivan-morhun ivan-morhun commented Nov 7, 2024

Fixes import of Prowler v4.5.0 report with changed event_time key
Closes #11210

[sc-8668]


dryrunsecurity bot commented Nov 7, 2024

DryRun Security Summary

The pull request enhances the functionality and security of the AWS Prowler V3+ parser in the DefectDojo application security tool by correctly handling the updated JSON report format, implementing deduplication of findings, and adding new test cases, while also identifying potential security considerations related to CWE ID assignment, input validation, and access control.


Summary:

The code changes in this pull request focus on enhancing the functionality and security of the AWS Prowler V3+ parser in the DefectDojo application security tool. The key changes include:

  1. Correctly handling the updated JSON report format introduced in Prowler v4.5.0, ensuring that the parser can accurately extract and process the security findings.
  2. Implementing deduplication of findings based on a unique identifier, which helps to consolidate and provide a more comprehensive view of the security issues.
  3. Adding new test cases to validate the parser's behavior with different types of AWS Prowler V3+ scan results, improving the reliability and accuracy of the tool.

While the changes appear to be generally positive, there are a few security considerations that should be addressed:

  1. The code assigns a broad CWE ID (1032 - "Security Configuration Weaknesses") to the findings, which may not provide specific guidance on the nature of the security issue. It would be better to fine-tune the CWE ID to more accurately reflect the type of security weakness identified.
  2. The code does not perform any input validation or sanitization on the data extracted from the Prowler JSON report, which could potentially lead to issues if the report contains malformed or malicious data.
  3. The code does not implement any access control or authorization mechanisms, which could be a concern if the findings are used in a sensitive or critical environment.

Overall, the changes in this pull request are focused on improving the functionality and reliability of the AWS Prowler V3+ parser, which is an important component of the DefectDojo application security tool. However, it's important to address the identified security considerations to ensure the robustness and security of the application.

Files Changed:

  1. unittests/scans/aws_prowler_v3plus/one_vuln_after_4_5_0.ocsf.json and unittests/scans/aws_prowler_v3plus/many_vuln_after_4_5_0.ocsf.json:

    • These files contain OCSF JSON data generated by the AWS Prowler security tool, which identifies security issues in an AWS environment.
    • The key findings include overly permissive IAM roles with the "AdministratorAccess" policy, IAM roles with cross-account "ReadOnlyAccess" policy, and IAM roles with permissive trust relationships.
    • The recommendation is to apply the principle of least privilege and carefully manage trust relationships between accounts to prevent unauthorized access and potential data breaches.
  2. unittests/tools/test_aws_prowler_v3plus_parser.py:

    • The changes in this file are related to the AWS Prowler V3+ parser in the DefectDojo application security tool.
    • The changes include adding the date field to the findings and handling different types of scan results, which improves the reliability and accuracy of the tool.
    • The new test cases cover various scenarios, ensuring that the parser can correctly handle different types of scan results.
  3. dojo/tools/aws_prowler_v3plus/prowler_v4.py:

    • This file is responsible for processing the OCSF JSON data generated by the AWS Prowler v4 tool.
    • The code changes handle the format changes introduced in Prowler v4.5.0 and implement deduplication of findings.
    • However, the code could benefit from additional security considerations, such as input validation, fine-tuning of CWE IDs, and access control mechanisms.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

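As an added example (not DefectDojo's prowler_v4.py and not the code in this PR), the following stand-alone Python parser handles the kind of Prowler OCSF report this PR is about: it reads the finding date from time_dt (Prowler 4.5.0 and later) and falls back to event_time (older reports), deduplicates on finding_info.uid, and rejects malformed entries instead of crashing, which is the input-validation point the summary above raises. The field names (finding_info.uid/title/desc, status_code, severity, remediation.desc, resources[].uid) and the epoch-seconds time fallback are assumptions about Prowler's OCSF layout, and the report embedded below is constructed for the example, not real Prowler output.

```python
"""Stand-alone parser for Prowler v4 OCSF findings (constructed example).

Assumed layout: finding_info.{uid,title,desc}, status_code, severity,
remediation.desc, resources[].uid, and a timestamp in time_dt (>= 4.5.0),
event_time (< 4.5.0) or, as a last resort, epoch seconds in 'time'.
"""
import json
from datetime import datetime, timezone

DEFAULT_CWE = 1032                          # the broad CWE the review summary mentions
TIMESTAMP_KEYS = ("time_dt", "event_time")  # new key first, pre-4.5.0 key second


def parse_timestamp(entry):
    """Return the finding datetime, or None when no key holds a usable value."""
    for key in TIMESTAMP_KEYS:
        value = entry.get(key)
        if isinstance(value, str) and value:
            try:
                # fromisoformat on Python < 3.11 rejects a trailing 'Z'
                return datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                continue                    # malformed string: try the next key
    value = entry.get("time")               # assumed epoch-seconds fallback
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return None


def parse_findings(raw_json, only_failed=True):
    """Parse an OCSF report string into (findings, rejected).

    findings: one dict per unique finding_info.uid; the first occurrence wins
    and later copies only bump its 'duplicates' counter.
    rejected: (index, reason) pairs for entries that fail validation.
    """
    data = json.loads(raw_json)
    if not isinstance(data, list):
        raise ValueError("OCSF report must be a JSON array of findings")
    findings, rejected, by_uid = [], [], {}
    for idx, entry in enumerate(data):
        if not isinstance(entry, dict):
            rejected.append((idx, "entry is not a JSON object"))
            continue
        info = entry.get("finding_info")
        if not isinstance(info, dict) or not isinstance(info.get("uid"), str):
            rejected.append((idx, "missing finding_info.uid"))
            continue
        if only_failed and entry.get("status_code") != "FAIL":
            continue                        # PASS/MANUAL results are not findings
        uid = info["uid"]
        if uid in by_uid:
            by_uid[uid]["duplicates"] += 1
            continue
        remediation = entry.get("remediation")
        mitigation = remediation.get("desc", "") if isinstance(remediation, dict) else ""
        resources = entry.get("resources")
        if not isinstance(resources, list):
            resources = []
        finding = {
            "unique_id_from_tool": uid,
            "title": str(info.get("title", "")),
            "description": str(info.get("desc", "")),
            "severity": str(entry.get("severity", "Info")).capitalize(),
            "mitigation": str(mitigation),
            "resource_uids": [r.get("uid") for r in resources if isinstance(r, dict)],
            "date": parse_timestamp(entry),
            "cwe": DEFAULT_CWE,
            "duplicates": 0,
        }
        by_uid[uid] = finding
        findings.append(finding)
    return findings, rejected


# Constructed report: one pre-4.5.0 entry (event_time), one post-4.5.0 entry
# (time_dt) plus an exact duplicate, a PASS, two malformed entries, and one
# entry whose time_dt is unparseable so the epoch fallback is exercised.
def _entry(uid, status, **extra):
    base = {"finding_info": {"uid": uid, "title": "IAM role has AdministratorAccess",
                             "desc": "Role role1 attaches AdministratorAccess"},
            "status_code": status, "severity": "High",
            "remediation": {"desc": "Apply least privilege"},
            "resources": [{"uid": "arn:aws:iam::123456789012:role/role1"}]}
    base.update(extra)
    return base


SAMPLE_REPORT = json.dumps([
    _entry("uid-admin-role1", "FAIL", event_time="2024-08-01T12:00:00.000000"),
    _entry("uid-crossacct-role2", "FAIL", time_dt="2024-11-05T10:30:00.123456Z"),
    _entry("uid-crossacct-role2", "FAIL", time_dt="2024-11-05T10:30:00.123456Z"),
    _entry("uid-passing-check", "PASS", time_dt="2024-11-05T10:30:00Z"),
    "not an object at all",
    {"status_code": "FAIL", "severity": "High"},
    _entry("uid-trust-role3", "FAIL", time_dt="not-a-date", time=1730802600),
])

if __name__ == "__main__":
    found, bad = parse_findings(SAMPLE_REPORT)
    for f in found:
        print(f["unique_id_from_tool"], f["severity"], f["date"], "dups=%d" % f["duplicates"])
    print("rejected:", bad)
```

Running the block prints three findings (the duplicate is folded into the second one with dups=1) and two rejected entries; a report in the pre-4.5.0 shape and one in the 4.5.0 shape both yield a date because the parser tries time_dt first and event_time second.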

@ivan-morhun
Contributor Author

@kiblik I created a new PR. However, the tests failed to install packages on the Docker image. How can I re-run them?

@kiblik
Contributor

kiblik commented Nov 7, 2024

@kiblik I created a new PR. However, the tests failed to install packages on the Docker image. How can I re-run them?

A bit sad, but closing and reopening the PR usually helps.

@ivan-morhun ivan-morhun closed this Nov 7, 2024
@ivan-morhun ivan-morhun reopened this Nov 7, 2024
@ivan-morhun
Contributor Author

@kiliczsh Thanks a lot. Your advice helped.

@ivan-morhun ivan-morhun changed the title #11210 prowler_v4.py Prowler v4.5.0 changed the 'event_time' key with 'time_dt' prowler_v4.py Prowler v4.5.0 changed the 'event_time' key with 'time_dt' Nov 7, 2024
Contributor

@mtesauro mtesauro left a comment


Approved

@Maffooch Maffooch reopened this Nov 15, 2024
@Maffooch Maffooch requested a review from cneill November 16, 2024 00:16
6 participants