From 17196680dca92d587af95bc328000406375092c2 Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Mon, 23 Sep 2024 18:32:02 +0100 Subject: [PATCH 1/8] move security hub finding interface to common --- packages/common/src/types.ts | 18 ++++++++++++++ .../obligations/aws-vulnerabilities.test.ts | 9 +++---- .../src/obligations/aws-vulnerabilities.ts | 24 ++----------------- 3 files changed, 25 insertions(+), 26 deletions(-) diff --git a/packages/common/src/types.ts b/packages/common/src/types.ts index 0f54381dc..07bb496c9 100644 --- a/packages/common/src/types.ts +++ b/packages/common/src/types.ts @@ -1,5 +1,6 @@ import { type StrategyOptions } from '@octokit/auth-app'; import type { + aws_securityhub_findings, github_repositories, repocop_vulnerabilities, } from '@prisma/client'; @@ -106,3 +107,20 @@ export const SLAs: Record = { }; export type NonEmptyArray = [T, ...T[]]; + +type Resource = { + Id: string; + Tags: Record; + Region: string; + Type: string; +}; + +export type SecurityHubFinding = Pick< + aws_securityhub_findings, + 'first_observed_at' | 'aws_account_id' | 'aws_account_name' | 'title' +> & { + remediation: { Recommendation: { Text: string; Url: string } }; + severity: { Label: SecurityHubSeverity; Normalized: number }; + resources: Resource[]; + product_fields: { ControlId: string; StandardsArn: string }; +}; diff --git a/packages/obligatron/src/obligations/aws-vulnerabilities.test.ts b/packages/obligatron/src/obligations/aws-vulnerabilities.test.ts index 618cf1599..2c29f3a6e 100644 --- a/packages/obligatron/src/obligations/aws-vulnerabilities.test.ts +++ b/packages/obligatron/src/obligations/aws-vulnerabilities.test.ts @@ -1,7 +1,5 @@ -import { - fsbpFindingsToObligatronResults, - type SecurityHubFinding, -} from './aws-vulnerabilities'; +import type { SecurityHubFinding } from 'common/src/types'; +import { fsbpFindingsToObligatronResults } from './aws-vulnerabilities'; describe('The dependency vulnerabilities obligation', () => { const resource1 = { @@ -18,6 +16,9 @@ describe('The dependency vulnerabilities obligation', () => { const oneResourceFinding: SecurityHubFinding = { resources: [resource1], + title: 'title', + aws_account_name: 'accountName', + remediation: { Recommendation: { Text: 'text', Url: 'url' } }, severity: { Label: 'HIGH', Normalized: 75 }, aws_account_id: '0123456', first_observed_at: new Date('2020-01-01'), diff --git a/packages/obligatron/src/obligations/aws-vulnerabilities.ts b/packages/obligatron/src/obligations/aws-vulnerabilities.ts index 123c09887..241892cc0 100644 --- a/packages/obligatron/src/obligations/aws-vulnerabilities.ts +++ b/packages/obligatron/src/obligations/aws-vulnerabilities.ts @@ -1,33 +1,13 @@ -import type { aws_securityhub_findings, PrismaClient } from '@prisma/client'; +import type { PrismaClient } from '@prisma/client'; import { getFsbpFindings } from 'common/src/database-queries'; import { isWithinSlaTime, stringToSeverity, toNonEmptyArray, } from 'common/src/functions'; +import type { SecurityHubFinding } from 'common/src/types'; import type { ObligationResult } from '.'; -type Resource = { - Id: string; - Tags: Record; - Region: string; - Type: string; -}; - -type ProductFields = { - ControlId: string; - StandardsArn: string; -}; - -export type SecurityHubFinding = Pick< - aws_securityhub_findings, - 'first_observed_at' | 'aws_account_id' -> & { - severity: { Label: string; Normalized: number }; - resources: Resource[]; - product_fields: ProductFields; -}; - type Failure = { resource: string; controlId: string; From 63296075796e7452cc7b672cbacfd81e027c9035 Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Mon, 23 Sep 2024 18:59:23 +0100 Subject: [PATCH 2/8] adjust how cloudbuster interacts with db results --- packages/cloudbuster/src/findings.ts | 16 +++++++------- packages/cloudbuster/src/index.ts | 1 + packages/cloudbuster/src/types.ts | 2 +- packages/common/src/database-queries.ts | 28 +++++++++++++------------ packages/common/src/types.ts | 4 ++-- 5 files changed, 26 insertions(+), 25 deletions(-) diff --git a/packages/cloudbuster/src/findings.ts b/packages/cloudbuster/src/findings.ts index 8caccb101..f1f298e11 100644 --- a/packages/cloudbuster/src/findings.ts +++ b/packages/cloudbuster/src/findings.ts @@ -1,28 +1,26 @@ -import type { aws_securityhub_findings } from '@prisma/client'; import { isWithinSlaTime, stringToSeverity } from 'common/src/functions'; -import type { Severity } from 'common/src/types'; +import type { SecurityHubFinding, Severity } from 'common/src/types'; import type { Finding, GroupedFindings } from './types'; /** * Transforms a SQL row into a finding */ -export function transformFinding(finding: aws_securityhub_findings): Finding { +export function transformFinding(finding: SecurityHubFinding): Finding { let severity: Severity = 'unknown'; let priority = null; let remediationUrl = null; let resources = null; if ( - finding.severity && typeof finding.severity === 'object' && 'Label' in finding.severity && 'Normalized' in finding.severity ) { severity = stringToSeverity(finding.severity['Label'] as string); - priority = finding.severity['Normalized'] as number; + priority = finding.severity['Normalized']; } - if (finding.remediation && typeof finding.remediation === 'object') { + if (typeof finding.remediation === 'object') { const remediation = finding.remediation as { Recommendation: { Url: string | null; @@ -38,11 +36,11 @@ export function transformFinding(finding: aws_securityhub_findings): Finding { } } - if (finding.resources && Array.isArray(finding.resources)) { + if (Array.isArray(finding.resources)) { resources = finding.resources .map((r) => { - if (r && typeof r === 'object' && 'Id' in r) { - return r['Id'] as string; + if (typeof r === 'object' && 'Id' in r) { + return r['Id']; } return null; }) diff --git a/packages/cloudbuster/src/index.ts b/packages/cloudbuster/src/index.ts index 6ed60b65b..7537c9f88 100644 --- a/packages/cloudbuster/src/index.ts +++ b/packages/cloudbuster/src/index.ts @@ -5,6 +5,7 @@ import type { SecurityHubSeverity } from 'common/types'; import { getConfig } from './config'; import { createDigestsFromFindings, sendDigest } from './digests'; import { transformFinding } from './findings'; +import type { Finding } from './types'; type LambdaHandlerProps = { severities?: SecurityHubSeverity[]; diff --git a/packages/cloudbuster/src/types.ts b/packages/cloudbuster/src/types.ts index 3fae9c783..a126f172f 100644 --- a/packages/cloudbuster/src/types.ts +++ b/packages/cloudbuster/src/types.ts @@ -8,7 +8,7 @@ export interface Finding { resources: string[]; remediationUrl: string | null; severity: Severity; - priority: number | null; + priority: number | null; //TODO remove isWithinSla: boolean; } diff --git a/packages/common/src/database-queries.ts b/packages/common/src/database-queries.ts index c43f94314..04b5b3ca4 100644 --- a/packages/common/src/database-queries.ts +++ b/packages/common/src/database-queries.ts @@ -1,24 +1,26 @@ import type { aws_securityhub_findings, PrismaClient } from '@prisma/client'; -import type { SecurityHubSeverity } from './types'; +import type { SecurityHubFinding, SecurityHubSeverity } from './types'; /** * Queries the database for FSBP findings */ + export async function getFsbpFindings( prisma: PrismaClient, severities: SecurityHubSeverity[], -): Promise { - const findings = await prisma.aws_securityhub_findings.findMany({ - where: { - OR: severities.map((s) => ({ - severity: { path: ['Label'], equals: s }, - })), - AND: { - generator_id: { - startsWith: 'aws-foundational-security-best-practices/v/1.0.0', +): Promise { + const findings: aws_securityhub_findings[] = + await prisma.aws_securityhub_findings.findMany({ + where: { + OR: severities.map((s) => ({ + severity: { path: ['Label'], equals: s }, + })), + AND: { + generator_id: { + startsWith: 'aws-foundational-security-best-practices/v/1.0.0', + }, }, }, - }, - }); + }); - return findings; + return findings as unknown as SecurityHubFinding[]; } diff --git a/packages/common/src/types.ts b/packages/common/src/types.ts index 07bb496c9..41d5b4967 100644 --- a/packages/common/src/types.ts +++ b/packages/common/src/types.ts @@ -119,8 +119,8 @@ export type SecurityHubFinding = Pick< aws_securityhub_findings, 'first_observed_at' | 'aws_account_id' | 'aws_account_name' | 'title' > & { - remediation: { Recommendation: { Text: string; Url: string } }; + remediation: { Recommendation: { Url: string } }; severity: { Label: SecurityHubSeverity; Normalized: number }; resources: Resource[]; - product_fields: { ControlId: string; StandardsArn: string }; + product_fields: { ControlId: string }; }; From 990ebeef60566e6ade087a717b2b3325a634fec6 Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Mon, 23 Sep 2024 19:28:29 +0100 Subject: [PATCH 3/8] create table interface for fsbp findings --- packages/cloudbuster/src/index.ts | 54 +++++++++++++++++-- packages/common/src/types.ts | 2 +- .../obligations/aws-vulnerabilities.test.ts | 4 +- 3 files changed, 52 insertions(+), 8 deletions(-) diff --git a/packages/cloudbuster/src/index.ts b/packages/cloudbuster/src/index.ts index 7537c9f88..38fc4412c 100644 --- a/packages/cloudbuster/src/index.ts +++ b/packages/cloudbuster/src/index.ts @@ -1,16 +1,55 @@ import { Anghammarad } from '@guardian/anghammarad'; +import { isWithinSlaTime, stringToSeverity } from 'common/functions'; import { getFsbpFindings } from 'common/src/database-queries'; import { getPrismaClient } from 'common/src/database-setup'; -import type { SecurityHubSeverity } from 'common/types'; +import type { SecurityHubFinding, SecurityHubSeverity } from 'common/src/types'; import { getConfig } from './config'; import { createDigestsFromFindings, sendDigest } from './digests'; import { transformFinding } from './findings'; -import type { Finding } from './types'; type LambdaHandlerProps = { severities?: SecurityHubSeverity[]; }; +interface GuFsbpFinding { + severity: SecurityHubSeverity; + controlId: string; + title: string; + repo: string | undefined; + stack: string | undefined; + stage: string | undefined; + app: string | undefined; + first_observed_at: Date | undefined; + arn: string; + aws_account_name: string | undefined; + aws_account_id: string; + within_sla: boolean; +} + +function shFindingToGuFindings(finding: SecurityHubFinding): GuFsbpFinding[] { + const transformedFindings = finding.resources.map((r) => { + const guFinding: GuFsbpFinding = { + severity: finding.severity.Label, + controlId: finding.product_fields.ControlId, + title: finding.title, + repo: r.Tags?.['gu:repo'] ?? undefined, + stack: r.Tags?.Stack ?? undefined, + stage: r.Tags?.Stage ?? undefined, + app: r.Tags?.App ?? undefined, + first_observed_at: finding.first_observed_at ?? undefined, + arn: r.Id, + aws_account_name: finding.aws_account_name ?? undefined, + aws_account_id: finding.aws_account_id, + within_sla: isWithinSlaTime( + finding.first_observed_at, + stringToSeverity(finding.severity.Label), + ), + }; + return guFinding; + }); + return transformedFindings; +} + export async function main(input: LambdaHandlerProps) { // When manually invoking the function in AWS for testing, // it can be cumbersome to manually type this object as an input. @@ -26,11 +65,16 @@ export async function main(input: LambdaHandlerProps) { `Starting Cloudbuster. Level of severities that will be scanned: ${severities.join(', ')}`, ); - const findings = (await getFsbpFindings(prisma, severities)).map((f) => - transformFinding(f), - ); + const dbResults = (await getFsbpFindings(prisma, severities)).slice(0, 5); //TODO: remove slice when ready to go live + + const findings = dbResults.map((f) => transformFinding(f)); + const digests = createDigestsFromFindings(findings); + const tableContents = dbResults.flatMap(shFindingToGuFindings); + + console.table(tableContents); + // *** NOTIFICATION SENDING *** const anghammaradClient = new Anghammarad(); diff --git a/packages/common/src/types.ts b/packages/common/src/types.ts index 41d5b4967..d75d3011e 100644 --- a/packages/common/src/types.ts +++ b/packages/common/src/types.ts @@ -110,7 +110,7 @@ export type NonEmptyArray = [T, ...T[]]; type Resource = { Id: string; - Tags: Record; + Tags: Record | null; Region: string; Type: string; }; diff --git a/packages/obligatron/src/obligations/aws-vulnerabilities.test.ts b/packages/obligatron/src/obligations/aws-vulnerabilities.test.ts index 2c29f3a6e..a14f2fca3 100644 --- a/packages/obligatron/src/obligations/aws-vulnerabilities.test.ts +++ b/packages/obligatron/src/obligations/aws-vulnerabilities.test.ts @@ -18,11 +18,11 @@ describe('The dependency vulnerabilities obligation', () => { resources: [resource1], title: 'title', aws_account_name: 'accountName', - remediation: { Recommendation: { Text: 'text', Url: 'url' } }, + remediation: { Recommendation: { Url: 'url' } }, severity: { Label: 'HIGH', Normalized: 75 }, aws_account_id: '0123456', first_observed_at: new Date('2020-01-01'), - product_fields: { ControlId: 'S.1', StandardsArn: 'arn:1' }, + product_fields: { ControlId: 'S.1' }, }; const twoResourceFinding: SecurityHubFinding = { From 5d285b83c6a538366f055875540a77bbddce5bfc Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Tue, 24 Sep 2024 10:22:16 +0100 Subject: [PATCH 4/8] add cloudbuster table to GitHub --- packages/cloudbuster/src/index.ts | 74 +++++++++---------- .../migration.sql | 19 +++++ packages/common/prisma/schema.prisma | 19 +++++ 3 files changed, 73 insertions(+), 39 deletions(-) create mode 100644 packages/common/prisma/migrations/20240924073347_create_fsbp_table/migration.sql diff --git a/packages/cloudbuster/src/index.ts b/packages/cloudbuster/src/index.ts index 38fc4412c..84ddf1143 100644 --- a/packages/cloudbuster/src/index.ts +++ b/packages/cloudbuster/src/index.ts @@ -1,4 +1,5 @@ import { Anghammarad } from '@guardian/anghammarad'; +import type { cloudbuster_fsbp_vulnerabilities } from '@prisma/client'; import { isWithinSlaTime, stringToSeverity } from 'common/functions'; import { getFsbpFindings } from 'common/src/database-queries'; import { getPrismaClient } from 'common/src/database-setup'; @@ -11,42 +12,32 @@ type LambdaHandlerProps = { severities?: SecurityHubSeverity[]; }; -interface GuFsbpFinding { - severity: SecurityHubSeverity; - controlId: string; - title: string; - repo: string | undefined; - stack: string | undefined; - stage: string | undefined; - app: string | undefined; - first_observed_at: Date | undefined; - arn: string; - aws_account_name: string | undefined; - aws_account_id: string; - within_sla: boolean; -} - -function shFindingToGuFindings(finding: SecurityHubFinding): GuFsbpFinding[] { - const transformedFindings = finding.resources.map((r) => { - const guFinding: GuFsbpFinding = { - severity: finding.severity.Label, - controlId: finding.product_fields.ControlId, - title: finding.title, - repo: r.Tags?.['gu:repo'] ?? undefined, - stack: r.Tags?.Stack ?? undefined, - stage: r.Tags?.Stage ?? undefined, - app: r.Tags?.App ?? undefined, - first_observed_at: finding.first_observed_at ?? undefined, - arn: r.Id, - aws_account_name: finding.aws_account_name ?? undefined, - aws_account_id: finding.aws_account_id, - within_sla: isWithinSlaTime( - finding.first_observed_at, - stringToSeverity(finding.severity.Label), - ), - }; - return guFinding; - }); +function findingsToGuardianFormat( + finding: SecurityHubFinding, +): cloudbuster_fsbp_vulnerabilities[] { + const transformedFindings: cloudbuster_fsbp_vulnerabilities[] = + finding.resources.map((r) => { + const guFinding: cloudbuster_fsbp_vulnerabilities = { + severity: finding.severity.Label, + control_id: finding.product_fields.ControlId, + title: finding.title, + aws_region: r.Region, + repo: r.Tags?.['gu:repo'] ?? null, + stack: r.Tags?.['Stack'] ?? null, + stage: r.Tags?.Stage ?? null, + app: r.Tags?.App ?? null, + first_observed_at: finding.first_observed_at, + arn: r.Id, + aws_account_name: finding.aws_account_name, + aws_account_id: finding.aws_account_id, + within_sla: isWithinSlaTime( + finding.first_observed_at, + stringToSeverity(finding.severity.Label), + ), + remediation: finding.remediation.Recommendation.Url, + }; + return guFinding; + }); return transformedFindings; } @@ -69,12 +60,17 @@ export async function main(input: LambdaHandlerProps) { const findings = dbResults.map((f) => transformFinding(f)); - const digests = createDigestsFromFindings(findings); - - const tableContents = dbResults.flatMap(shFindingToGuFindings); + const tableContents = dbResults.flatMap(findingsToGuardianFormat); console.table(tableContents); + await prisma.cloudbuster_fsbp_vulnerabilities.deleteMany(); + await prisma.cloudbuster_fsbp_vulnerabilities.createMany({ + data: tableContents, + }); + + const digests = createDigestsFromFindings(findings); + // *** NOTIFICATION SENDING *** const anghammaradClient = new Anghammarad(); diff --git a/packages/common/prisma/migrations/20240924073347_create_fsbp_table/migration.sql b/packages/common/prisma/migrations/20240924073347_create_fsbp_table/migration.sql new file mode 100644 index 000000000..4b25f6d18 --- /dev/null +++ b/packages/common/prisma/migrations/20240924073347_create_fsbp_table/migration.sql @@ -0,0 +1,19 @@ +-- CreateTable +CREATE TABLE "cloudbuster_fsbp_vulnerabilities" ( + "arn" TEXT NOT NULL, + "aws_account_id" TEXT NOT NULL, + "aws_account_name" TEXT, + "aws_region" TEXT NOT NULL, + "control_id" TEXT NOT NULL, + "first_observed_at" TIMESTAMP(6), + "repo" TEXT, + "stack" TEXT, + "stage" TEXT, + "app" TEXT, + "severity" TEXT NOT NULL, + "title" TEXT NOT NULL, + "within_sla" BOOLEAN NOT NULL, + "remediation" TEXT, + + CONSTRAINT "cloudbuster_fsbp_vulnerabilities_pkey" PRIMARY KEY ("arn","control_id") +); diff --git a/packages/common/prisma/schema.prisma b/packages/common/prisma/schema.prisma index dd8702a62..c2836eedc 100644 --- a/packages/common/prisma/schema.prisma +++ b/packages/common/prisma/schema.prisma @@ -230,6 +230,25 @@ model aws_organizations_roots { @@ignore } +model cloudbuster_fsbp_vulnerabilities { + arn String + aws_account_id String + aws_account_name String? + aws_region String + control_id String + first_observed_at DateTime? @db.Timestamp(6) + repo String? + stack String? + stage String? + app String? + severity String + title String + within_sla Boolean + remediation String? + + @@id([arn, control_id]) +} + model github_repositories { cq_sync_time DateTime? @map("_cq_sync_time") @db.Timestamp(6) cq_source_name String? @map("_cq_source_name") From b42f4a304f67349fde935dfa3785f5940c3fff1b Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Tue, 24 Sep 2024 10:35:03 +0100 Subject: [PATCH 5/8] test findingsToGuardianFormat --- packages/cloudbuster/src/findings.test.ts | 52 ++++++++++++++++++++++- packages/cloudbuster/src/findings.ts | 30 +++++++++++++ packages/cloudbuster/src/index.ts | 35 +-------------- 3 files changed, 83 insertions(+), 34 deletions(-) diff --git a/packages/cloudbuster/src/findings.test.ts b/packages/cloudbuster/src/findings.test.ts index 26ea7cd9f..0d5ffd738 100644 --- a/packages/cloudbuster/src/findings.test.ts +++ b/packages/cloudbuster/src/findings.test.ts @@ -1,6 +1,56 @@ -import { groupFindingsByAccount } from './findings'; +import type { SecurityHubFinding } from 'common/types'; +import { findingsToGuardianFormat, groupFindingsByAccount } from './findings'; import type { Finding, GroupedFindings } from './types'; +describe('findingsToGuardianFormat', () => { + const resource1 = { + Id: 'arn:instance:1', + Tags: { Stack: 'myStack', FakeTag: 'fake' }, + Region: 'some-region', + Type: 'some-type', + }; + const resource2 = { + ...resource1, + Id: 'arn:instance:2', + }; + + const x: SecurityHubFinding = { + title: 'title', + aws_account_name: 'accountName', + remediation: { Recommendation: { Url: 'url' } }, + severity: { Label: 'HIGH', Normalized: 75 }, + aws_account_id: '0123456', + first_observed_at: new Date('2020-01-01'), + product_fields: { ControlId: 'S.1' }, + resources: [resource1, resource2], + }; + it('should return n elements if n resources are associated with a finding', () => { + const actual = findingsToGuardianFormat(x); + expect(actual.length).toEqual(2); + }); + it('should return the relevant data in the appropriate fields', () => { + const actual = findingsToGuardianFormat(x); + const expected = { + severity: 'HIGH', + control_id: 'S.1', + title: 'title', + aws_region: 'some-region', + repo: null, + stack: 'myStack', + stage: null, + app: null, + first_observed_at: new Date('2020-01-01'), + arn: 'arn:instance:1', + aws_account_name: 'accountName', + aws_account_id: '0123456', + within_sla: false, + remediation: 'url', + }; + expect(actual[0]).toEqual(expected); + expect(actual[1]).toEqual({ ...expected, arn: 'arn:instance:2' }); + }); +}); + function mockFinding(awsAccountId: string, title: string): Finding { return { awsAccountId, diff --git a/packages/cloudbuster/src/findings.ts b/packages/cloudbuster/src/findings.ts index f1f298e11..f528493ef 100644 --- a/packages/cloudbuster/src/findings.ts +++ b/packages/cloudbuster/src/findings.ts @@ -1,7 +1,37 @@ +import type { cloudbuster_fsbp_vulnerabilities } from '@prisma/client'; import { isWithinSlaTime, stringToSeverity } from 'common/src/functions'; import type { SecurityHubFinding, Severity } from 'common/src/types'; import type { Finding, GroupedFindings } from './types'; +export function findingsToGuardianFormat( + finding: SecurityHubFinding, +): cloudbuster_fsbp_vulnerabilities[] { + const transformedFindings: cloudbuster_fsbp_vulnerabilities[] = + finding.resources.map((r) => { + const guFinding: cloudbuster_fsbp_vulnerabilities = { + severity: finding.severity.Label, + control_id: finding.product_fields.ControlId, + title: finding.title, + aws_region: r.Region, + repo: r.Tags?.['gu:repo'] ?? null, + stack: r.Tags?.['Stack'] ?? null, + stage: r.Tags?.Stage ?? null, + app: r.Tags?.App ?? null, + first_observed_at: finding.first_observed_at, + arn: r.Id, + aws_account_name: finding.aws_account_name, + aws_account_id: finding.aws_account_id, + within_sla: isWithinSlaTime( + finding.first_observed_at, + stringToSeverity(finding.severity.Label), + ), + remediation: finding.remediation.Recommendation.Url, + }; + return guFinding; + }); + return transformedFindings; +} + /** * Transforms a SQL row into a finding */ diff --git a/packages/cloudbuster/src/index.ts b/packages/cloudbuster/src/index.ts index 84ddf1143..d0c188123 100644 --- a/packages/cloudbuster/src/index.ts +++ b/packages/cloudbuster/src/index.ts @@ -1,46 +1,15 @@ import { Anghammarad } from '@guardian/anghammarad'; -import type { cloudbuster_fsbp_vulnerabilities } from '@prisma/client'; -import { isWithinSlaTime, stringToSeverity } from 'common/functions'; import { getFsbpFindings } from 'common/src/database-queries'; import { getPrismaClient } from 'common/src/database-setup'; -import type { SecurityHubFinding, SecurityHubSeverity } from 'common/src/types'; +import type { SecurityHubSeverity } from 'common/src/types'; import { getConfig } from './config'; import { createDigestsFromFindings, sendDigest } from './digests'; -import { transformFinding } from './findings'; +import { findingsToGuardianFormat, transformFinding } from './findings'; type LambdaHandlerProps = { severities?: SecurityHubSeverity[]; }; -function findingsToGuardianFormat( - finding: SecurityHubFinding, -): cloudbuster_fsbp_vulnerabilities[] { - const transformedFindings: cloudbuster_fsbp_vulnerabilities[] = - finding.resources.map((r) => { - const guFinding: cloudbuster_fsbp_vulnerabilities = { - severity: finding.severity.Label, - control_id: finding.product_fields.ControlId, - title: finding.title, - aws_region: r.Region, - repo: r.Tags?.['gu:repo'] ?? null, - stack: r.Tags?.['Stack'] ?? null, - stage: r.Tags?.Stage ?? null, - app: r.Tags?.App ?? null, - first_observed_at: finding.first_observed_at, - arn: r.Id, - aws_account_name: finding.aws_account_name, - aws_account_id: finding.aws_account_id, - within_sla: isWithinSlaTime( - finding.first_observed_at, - stringToSeverity(finding.severity.Label), - ), - remediation: finding.remediation.Recommendation.Url, - }; - return guFinding; - }); - return transformedFindings; -} - export async function main(input: LambdaHandlerProps) { // When manually invoking the function in AWS for testing, // it can be cumbersome to manually type this object as an input. From b7c298958ceffc87ad8706527bc7fd47fddbc80f Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Mon, 30 Sep 2024 16:34:47 +0100 Subject: [PATCH 6/8] move fsbp migration later in time --- .../migration.sql | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename packages/common/prisma/migrations/{20240924073347_create_fsbp_table => 20240930103347_create_fsbp_table}/migration.sql (100%) diff --git a/packages/common/prisma/migrations/20240924073347_create_fsbp_table/migration.sql b/packages/common/prisma/migrations/20240930103347_create_fsbp_table/migration.sql similarity index 100% rename from packages/common/prisma/migrations/20240924073347_create_fsbp_table/migration.sql rename to packages/common/prisma/migrations/20240930103347_create_fsbp_table/migration.sql From 92ef4bfcf5cf713fef3f3a8f097b3f27c7cdabc5 Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Mon, 30 Sep 2024 16:39:15 +0100 Subject: [PATCH 7/8] create a cloudbuster write test --- .../migration.sql | 3 ++- sql/ci.sql | 22 +++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/packages/common/prisma/migrations/20240930103347_create_fsbp_table/migration.sql b/packages/common/prisma/migrations/20240930103347_create_fsbp_table/migration.sql index 4b25f6d18..5f0d55b2c 100644 --- a/packages/common/prisma/migrations/20240930103347_create_fsbp_table/migration.sql +++ b/packages/common/prisma/migrations/20240930103347_create_fsbp_table/migration.sql @@ -1,4 +1,3 @@ --- CreateTable CREATE TABLE "cloudbuster_fsbp_vulnerabilities" ( "arn" TEXT NOT NULL, "aws_account_id" TEXT NOT NULL, @@ -17,3 +16,5 @@ CREATE TABLE "cloudbuster_fsbp_vulnerabilities" ( CONSTRAINT "cloudbuster_fsbp_vulnerabilities_pkey" PRIMARY KEY ("arn","control_id") ); + +GRANT ALL ON public.cloudbuster_fsbp_vulnerabilities TO cloudbuster; diff --git a/sql/ci.sql b/sql/ci.sql index a7a66c96c..e0cf0956f 100644 --- a/sql/ci.sql +++ b/sql/ci.sql @@ -29,6 +29,28 @@ VALUES ( SET ROLE cloudbuster; -- It should be able to read from this table SELECT * FROM aws_securityhub_findings LIMIT 1; +INSERT INTO cloudbuster_fsbp_vulnerabilities +( + arn + , aws_account_id + , aws_region + , control_id + , severity + , title + , within_sla +) +VALUES ( + 'arn:aws:securityhub:eu-west-1:123456789012:product/aws/securityhub/finding/12345678901234567890123456789012' + , '123456789012' + , 'eu-west-1' + , 'control-id' + , 'CRITICAL' + , 'title' + , TRUE +); + +DELETE FROM cloudbuster_fsbp_vulnerabilities +WHERE arn = 'arn:aws:securityhub:eu-west-1:123456789012:product/aws/securityhub/finding/12345678901234567890123456789012'; -- Switch to the `dataaudit` user and test access to the tables/views used in the data-audit app From fcfadb496e6a61914bc2a4e4acc65a4f841fc10f Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Mon, 30 Sep 2024 16:42:52 +0100 Subject: [PATCH 8/8] delete test db entries for local reusability --- sql/ci.sql | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/sql/ci.sql b/sql/ci.sql index e0cf0956f..4325eaf0f 100644 --- a/sql/ci.sql +++ b/sql/ci.sql @@ -25,6 +25,9 @@ VALUES ( , '{}' ); +DELETE FROM obligatron_results +WHERE obligation_name = 'OBLIGATION'; + -- Switch to the `cloudbuster` user and test access to the tables used in the cloudbuster app SET ROLE cloudbuster; -- It should be able to read from this table @@ -76,6 +79,9 @@ INSERT INTO audit_results ( ); SELECT * FROM audit_results LIMIT 1; +DELETE FROM audit_results +WHERE name = 'test'; + -- The user github_actions_usage... SET ROLE github_actions_usage; @@ -97,6 +103,9 @@ INSERT INTO guardian_github_actions_usage ( ); SELECT * FROM guardian_github_actions_usage LIMIT 1; +DELETE FROM guardian_github_actions_usage +WHERE full_name = 'guardian/service-catalogue'; + -- Switch back to the original user RESET role;