DefectDojo · ivan-morhun · Nov 7, 2024 · Nov 7, 2024 · Nov 7, 2024 · Nov 7, 2024
diff --git a/dojo/tools/aws_prowler_v3plus/prowler_v4.py b/dojo/tools/aws_prowler_v3plus/prowler_v4.py
@@ -37,7 +37,8 @@ def process_ocsf_json(self, file, test):
             documentation = deserialized.get("remediation", {}).get("references", "")
             documentation = str(documentation) + "\n" + str(deserialized.get("unmapped", {}).get("related_url", ""))
             security_domain = deserialized.get("resources", [{}])[0].get("type", "")
-            timestamp = deserialized.get("event_time")
+            # Prowler v4.5.0 changed 'event_time' key in report with 'time_dt'
+            timestamp = deserialized.get("time_dt") or deserialized.get("event_time")
             resource_arn = deserialized.get("resources", [{}])[0].get("uid", "")
             resource_id = deserialized.get("resources", [{}])[0].get("name", "")
             unique_id_from_tool = deserialized.get("finding_info", {}).get("uid", "")

diff --git a/unittests/scans/aws_prowler_v3plus/many_vuln_after_4_5_0.ocsf.json b/unittests/scans/aws_prowler_v3plus/many_vuln_after_4_5_0.ocsf.json
@@ -0,0 +1,247 @@
+[{
+    "metadata": {
+        "event_code": "iam_role_administratoraccess_policy_permissive_trust_relationship",
+        "product": {
+            "name": "Prowler",
+            "vendor_name": "Prowler",
+            "version": "4.2.1"
+        },
+        "version": "1.2.0"
+    },
+    "severity_id": 4,
+    "severity": "High",
+    "status": "New",
+    "status_code": "FAIL",
+    "status_detail": "IAM Role myAdministratorExecutionRole has AdministratorAccess policy attached that has too permissive trust relationship.",
+    "status_id": 3,
+    "unmapped": {
+        "check_type": "",
+        "related_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator",
+        "categories": "trustboundaries",
+        "depends_on": "",
+        "related_to": "",
+        "notes": "CAF Security Epic: IAM",
+        "compliance": {}
+    },
+    "activity_name": "Create",
+    "activity_id": 1,
+    "finding_info": {
+        "created_time": "2024-06-03T14:15:19.382075",
+        "desc": "Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship",
+        "product_uid": "prowler",
+        "title": "Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship",
+        "uid": "prowler-aws-iam_role_administratoraccess_policy_permissive_trust_relationship-123456789012-us-east-1-myAdministratorExecutionRole"
+    },
+    "resources": [
+        {
+            "cloud_partition": "aws",
+            "region": "us-east-1",
+            "data": {
+                "details": ""
+            },
+            "group": {
+                "name": "iam"
+            },
+            "labels": [],
+            "name": "myAdministratorExecutionRole",
+            "type": "AwsIamRole",
+            "uid": "arn:aws:iam::123456789012:role/myAdministratorExecutionRole"
+        }
+    ],
+    "category_name": "Findings",
+    "category_uid": 2,
+    "class_name": "DetectionFinding",
+    "class_uid": 2004,
+    "cloud": {
+        "account": {
+            "name": "",
+            "type": "AWS_Account",
+            "type_id": 10,
+            "uid": "123456789012",
+            "labels": []
+        },
+        "org": {
+            "name": "",
+            "uid": ""
+        },
+        "provider": "aws",
+        "region": "us-east-1"
+    },
+    "time_dt": "2024-06-03T14:15:19.382075",
+    "remediation": {
+        "desc": "Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
+        "references": [
+            "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
+        ]
+    },
+    "risk_details": "The AWS-managed AdministratorAccess policy grants all actions for all AWS services and for all resources in the account and as such exposes the customer to a significant data leakage threat. It is therefore particularly important that the trust relationship is well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
+    "type_uid": 200401,
+    "type_name": "Create"
+},{
+    "metadata": {
+        "event_code": "iam_role_cross_account_readonlyaccess_policy",
+        "product": {
+            "name": "Prowler",
+            "vendor_name": "Prowler",
+            "version": "4.2.1"
+        },
+        "version": "1.2.0"
+    },
+    "severity_id": 4,
+    "severity": "High",
+    "status": "New",
+    "status_code": "FAIL",
+    "status_detail": "IAM Role AuditRole gives cross account read-only access.",
+    "status_id": 3,
+    "unmapped": {
+        "check_type": "",
+        "related_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#awsmp_readonlyaccess",
+        "categories": "trustboundaries",
+        "depends_on": "",
+        "related_to": "",
+        "notes": "CAF Security Epic: IAM",
+        "compliance": {
+            "MITRE-ATTACK": [
+                "T1078"
+            ],
+            "AWS-Foundational-Technical-Review": [
+                "IAM-0012"
+            ]
+        }
+    },
+    "activity_name": "Create",
+    "activity_id": 1,
+    "finding_info": {
+        "created_time": "2024-06-03T14:15:19.382075",
+        "desc": "Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts",
+        "product_uid": "prowler",
+        "title": "Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts",
+        "uid": "prowler-aws-iam_role_cross_account_readonlyaccess_policy-123456789012-us-east-1-AuditRole"
+    },
+    "resources": [
+        {
+            "cloud_partition": "aws",
+            "region": "us-east-1",
+            "data": {
+                "details": ""
+            },
+            "group": {
+                "name": "iam"
+            },
+            "labels": [
+                "some-label=some value"
+            ],
+            "name": "AuditRole",
+            "type": "AwsIamRole",
+            "uid": "arn:aws:iam::123456789012:role/AuditRole"
+        }
+    ],
+    "category_name": "Findings",
+    "category_uid": 2,
+    "class_name": "DetectionFinding",
+    "class_uid": 2004,
+    "cloud": {
+        "account": {
+            "name": "",
+            "type": "AWS_Account",
+            "type_id": 10,
+            "uid": "123456789012",
+            "labels": []
+        },
+        "org": {
+            "name": "",
+            "uid": ""
+        },
+        "provider": "aws",
+        "region": "us-east-1"
+    },
+    "time_dt": "2024-06-03T14:15:19.382075",
+    "remediation": {
+        "desc": "Remove the AWS-managed ReadOnlyAccess policy from all roles that have a trust policy, including third-party cloud accounts, or remove third-party cloud accounts from the trust policy of all roles that need the ReadOnlyAccess policy.",
+        "references": [
+            "https://docs.securestate.vmware.com/rule-docs/aws-iam-role-cross-account-readonlyaccess-policy"
+        ]
+    },
+    "risk_details": "The AWS-managed ReadOnlyAccess policy is highly potent and exposes the customer to a significant data leakage threat. It should be granted very conservatively. For granting access to 3rd party vendors, consider using alternative managed policies, such as ViewOnlyAccess or SecurityAudit.",
+    "type_uid": 200401,
+    "type_name": "Create"
+},{
+    "metadata": {
+        "event_code": "iam_role_permissive_trust_relationship",
+        "product": {
+            "name": "Prowler",
+            "vendor_name": "Prowler",
+            "version": "4.2.1"
+        },
+        "version": "1.2.0"
+    },
+    "severity_id": 4,
+    "severity": "High",
+    "status": "Suppressed",
+    "status_code": "FAIL",
+    "status_detail": "IAM Role CrossAccountResourceAccessRole has permissive trust relationship to other accounts",
+    "status_id": 3,
+    "unmapped": {
+        "check_type": "",
+        "related_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts",
+        "categories": "trustboundaries",
+        "depends_on": "",
+        "related_to": "",
+        "notes": "CAF Security Epic: IAM",
+        "compliance": {}
+    },
+    "activity_name": "Create",
+    "activity_id": 1,
+    "finding_info": {
+        "created_time": "2024-06-03T14:15:19.382075",
+        "desc": "Ensure IAM Roles do not allow assume role from any role of a cross account",
+        "product_uid": "prowler",
+        "title": "Ensure IAM Roles do not allow assume role from any role of a cross account",
+        "uid": "prowler-aws-iam_role_permissive_trust_relationship-123456789012-us-east-1-CrossAccountResourceAccessRole"
+    },
+    "resources": [
+        {
+            "cloud_partition": "aws",
+            "region": "us-east-1",
+            "data": {
+                "details": ""
+            },
+            "group": {
+                "name": "iam"
+            },
+            "labels": [],
+            "name": "CrossAccountResourceAccessRole",
+            "type": "AwsIamRole",
+            "uid": "arn:aws:iam::123456789012:role/CrossAccountResourceAccessRole"
+        }
+    ],
+    "category_name": "Findings",
+    "category_uid": 2,
+    "class_name": "DetectionFinding",
+    "class_uid": 2004,
+    "cloud": {
+        "account": {
+            "name": "",
+            "type": "AWS_Account",
+            "type_id": 10,
+            "uid": "123456789012",
+            "labels": []
+        },
+        "org": {
+            "name": "",
+            "uid": ""
+        },
+        "provider": "aws",
+        "region": "us-east-1"
+    },
+    "time_dt": "2024-06-03T14:15:19.382075",
+    "remediation": {
+        "desc": "Ensure IAM Roles do not allow assume role from any role of a cross account but only from specific roles of specific accounts.",
+        "references": [
+            "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-roles"
+        ]
+    },
+    "risk_details": "If an IAM role allows assume role from any role of a cross account, it can lead to privilege escalation.",
+    "type_uid": 200401,
+    "type_name": "Create"
+}]
diff --git a/unittests/scans/aws_prowler_v3plus/one_vuln_after_4_5_0.ocsf.json b/unittests/scans/aws_prowler_v3plus/one_vuln_after_4_5_0.ocsf.json
@@ -0,0 +1,80 @@
+[{
+    "metadata": {
+        "event_code": "iam_role_administratoraccess_policy_permissive_trust_relationship",
+        "product": {
+            "name": "Prowler",
+            "vendor_name": "Prowler",
+            "version": "4.2.1"
+        },
+        "version": "1.2.0"
+    },
+    "severity_id": 4,
+    "severity": "High",
+    "status": "New",
+    "status_code": "FAIL",
+    "status_detail": "IAM Role myAdministratorExecutionRole has AdministratorAccess policy attached that has too permissive trust relationship.",
+    "status_id": 3,
+    "unmapped": {
+        "check_type": "",
+        "related_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator",
+        "categories": "trustboundaries",
+        "depends_on": "",
+        "related_to": "",
+        "notes": "CAF Security Epic: IAM",
+        "compliance": {}
+    },
+    "activity_name": "Create",
+    "activity_id": 1,
+    "finding_info": {
+        "created_time": "2024-06-03T14:15:19.382075",
+        "desc": "Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship",
+        "product_uid": "prowler",
+        "title": "Ensure IAM Roles with attached AdministratorAccess policy have a well defined trust relationship",
+        "uid": "prowler-aws-iam_role_administratoraccess_policy_permissive_trust_relationship-123456789012-us-east-1-myAdministratorExecutionRole"
+    },
+    "resources": [
+        {
+            "cloud_partition": "aws",
+            "region": "us-east-1",
+            "data": {
+                "details": ""
+            },
+            "group": {
+                "name": "iam"
+            },
+            "labels": [],
+            "name": "myAdministratorExecutionRole",
+            "type": "AwsIamRole",
+            "uid": "arn:aws:iam::123456789012:role/myAdministratorExecutionRole"
+        }
+    ],
+    "category_name": "Findings",
+    "category_uid": 2,
+    "class_name": "DetectionFinding",
+    "class_uid": 2004,
+    "cloud": {
+        "account": {
+            "name": "",
+            "type": "AWS_Account",
+            "type_id": 10,
+            "uid": "123456789012",
+            "labels": []
+        },
+        "org": {
+            "name": "",
+            "uid": ""
+        },
+        "provider": "aws",
+        "region": "us-east-1"
+    },
+    "time_dt": "2024-06-03T14:15:19.382075",
+    "remediation": {
+        "desc": "Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege. If a role really needs AdministratorAccess, the trust relationship must be well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
+        "references": [
+            "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
+        ]
+    },
+    "risk_details": "The AWS-managed AdministratorAccess policy grants all actions for all AWS services and for all resources in the account and as such exposes the customer to a significant data leakage threat. It is therefore particularly important that the trust relationship is well defined to restrict it usage only to the Principal, Action, Audience and Subject intended for it.",
+    "type_uid": 200401,
+    "type_name": "Create"
+}]