from dojo.models import Test
from dojo.tools.awssecurityhub.parser import AwsSecurityHubParser
from unittests.dojo_test_case import DojoTestCase, get_unit_tests_scans_path
def sample_path(file_name: str):
    """Resolve ``file_name`` inside the ``awssecurityhub`` unit-test scans directory."""
    fixtures_dir = get_unit_tests_scans_path("awssecurityhub")
    return fixtures_dir / file_name
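class TestAwsSecurityHubParser(DojoTestCase):
    """Parser tests for AWS Security Hub exports (Config, Inspector, GuardDuty).

    Every test parses one JSON fixture from ``unittests/scans/awssecurityhub``
    and pins the fields DefectDojo derives from it: severity and active /
    mitigated state, the tool-side unique id, vulnerability ids, CVSS vector,
    mitigation text and the location host built from the resource ARN. The
    fixtures use placeholder account ids, instance ids and finding ARNs.
    """

    def _parse(self, file_name: str) -> list:
        """Parse one fixture with a fresh parser and validate its locations.

        Opens ``file_name`` from the awssecurityhub fixture directory, runs
        ``AwsSecurityHubParser.get_findings`` against a throw-away ``Test`` and
        runs ``validate_locations`` on the result before returning it, so each
        test only has to assert on the fields it cares about.
        """
        with sample_path(file_name).open(encoding="utf-8") as test_file:
            findings = AwsSecurityHubParser().get_findings(test_file, Test())
        self.validate_locations(findings)
        return findings

    def test_one_finding(self):
        """One Config finding is imported as Info, mitigated and inactive."""
        findings = self._parse("config_one_finding.json")
        self.assertEqual(1, len(findings))
        finding = findings[0]
        self.assertEqual("Info", finding.severity)
        self.assertTrue(finding.is_mitigated)
        self.assertFalse(finding.active)
        self.assertEqual("https://docs.aws.amazon.com/console/securityhub/IAM.5/remediation", finding.references)

    def test_one_finding_active(self):
        """One Config finding is imported as Medium, not mitigated and active."""
        findings = self._parse("config_one_finding_active.json")
        self.assertEqual(1, len(findings))
        finding = findings[0]
        self.assertEqual("Medium", finding.severity)
        self.assertFalse(finding.is_mitigated)
        self.assertTrue(finding.active)

    def test_many_findings(self):
        """Three Config findings; the first carries the account as component and the full markdown description."""
        findings = self._parse("config_many_findings.json")
        self.assertEqual(3, len(findings))
        finding = findings[0]
        self.assertEqual(finding.component_name, "AwsAccount")
        self.assertEqual("This is a Security Hub Finding \nThis AWS control checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.\n**AWS Finding ARN:** arn:aws:securityhub:us-east-1:012345678912:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.5/finding/de861909-2d26-4e45-bd86-19d2ab6ceef1\n**Resource IDs:** AWS::::Account:012345678912\n**AwsAccountId:** 012345678912\n**Generator ID:** aws-foundational-security-best-practices/v/1.0.0/IAM.5\n", finding.description)

    def test_repeated_findings(self):
        """A fixture with repeated entries collapses to a single finding."""
        # NOTE(review): presumably deduplicated on the finding ARN; confirm in the parser.
        findings = self._parse("config_repeated_findings.json")
        self.assertEqual(1, len(findings))

    def test_unique_id(self):
        """The Security Hub finding ARN is used as ``unique_id_from_tool``."""
        findings = self._parse("config_one_finding.json")
        self.assertEqual(
            "arn:aws:securityhub:us-east-1:012345678912:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.5/finding/de861909-2d26-4e45-bd86-19d2ab6ceef1",
            findings[0].unique_id_from_tool,
        )

    def test_inspector_ec2(self):
        """Inspector EC2 CVE findings: title, impact, CVE id, mitigation, CVSS v3 and host."""
        findings = self._parse("inspector_ec2_cve.json")
        self.assertEqual(5, len(findings))
        finding = findings[0]
        self.assertEqual("CVE-2022-3643 - kernel - Resource: i-11111111111111111", finding.title)
        self.assertEqual("Resource: i-11111111111111111", finding.impact)
        self.assertEqual(1, len(finding.unsaved_vulnerability_ids))
        self.assertEqual("CVE-2022-3643", finding.unsaved_vulnerability_ids[0])
        self.assertEqual("- Update kernel-4.14.301\n\t- yum update kernel\n", finding.mitigation)
        # CVSS v3 vector is lifted from the fixture via the parse_cvss_data helper;
        # the justification records both the vector and the AWS-side severity.
        self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", finding.cvssv3)
        self.assertIn("CVSS v3 vector:", finding.severity_justification)
        self.assertIn("AWS severity: CRITICAL", finding.severity_justification)
        # Host is derived from the resource ARN; compared case-insensitively.
        location = self.get_unsaved_locations(finding)[0]
        self.assertEqual("AwsEc2Instance_arn_aws_ec2_us-east-1_XXXXXXXXXXXX_i-11111111111111111".lower(), location.host.lower())

    def test_inspector_ec2_with_no_vulnerabilities(self):
        """An Inspector EC2 finding without vulnerability data still yields one finding."""
        findings = self._parse("inspector_ec2_cve_no_vulnerabilities.json")
        self.assertEqual(1, len(findings))
        finding = findings[0]
        self.assertEqual(finding.component_name, "AwsEc2Instance")

    def test_inspector_ec2_ghsa(self):
        """An Inspector finding keyed by GHSA keeps both the GHSA and CVE ids and has no CVSS data."""
        findings = self._parse("inspector_ec2_ghsa.json")
        self.assertEqual(1, len(findings))
        finding = findings[0]
        self.assertEqual("Medium", finding.severity)
        self.assertFalse(finding.is_mitigated)
        self.assertTrue(finding.active)
        self.assertIn("GHSA-p98r-538v-jgw5", finding.title)
        self.assertSetEqual({"CVE-2023-34256", "GHSA-p98r-538v-jgw5"}, set(finding.unsaved_vulnerability_ids))
        self.assertEqual("https://github.com/bottlerocket-os/bottlerocket/security/advisories/GHSA-p98r-538v-jgw5", finding.references)
        # Backward compatibility: this fixture carries no CVSS data, so cvssv3 stays unset.
        self.assertIsNone(finding.cvssv3)
        location = self.get_unsaved_locations(finding)[0]
        self.assertEqual("AwsEc2Instance_arn_aws_ec2_eu-central-1_012345678912_instance_i-07c11cc535d830123".lower(), location.host.lower())

    def test_inspector_ecr(self):
        """Inspector ECR findings: image digest in title/impact, EPSS score, CVSS v3 and host."""
        findings = self._parse("inspector_ecr.json")
        self.assertEqual(7, len(findings))
        finding = findings[0]
        self.assertEqual("Medium", finding.severity)
        self.assertFalse(finding.is_mitigated)
        self.assertTrue(finding.active)
        self.assertEqual("CVE-2023-2650 - openssl - Image: repo-os/sha256:af965ef68c78374a5f987fce98c0ddfa45801df2395bf012c50b863e65978d74", finding.title)
        self.assertIn("repo-os/sha256:af965ef68c78374a5f987fce98c0ddfa45801df2395bf012c50b863e65978d74", finding.impact)
        self.assertIn("Repository: repo-os", finding.impact)
        # NOTE(review): epss_score is asserted as a float here but as the string
        # "0.00239" in test_issue_10956 — confirm whether the parser normalises the type.
        self.assertEqual(0.0014, finding.epss_score)
        self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", finding.cvssv3)
        location = self.get_unsaved_locations(finding)[0]
        self.assertEqual("AwsEcrContainerImage_arn_aws_ecr_eu-central-1_123456789012_repository_repo-os_sha256_af965ef68c78374a5f987fce98c0ddfa45801df2395bf012c50b863e65978d74".lower(), location.host.lower())

    def test_guardduty(self):
        """GuardDuty findings: severities, title/mitigation of the last entry, host and description of the first."""
        findings = self._parse("guardduty.json")
        self.assertEqual(4, len(findings))
        first = findings[0]
        self.assertEqual("Medium", first.severity)
        self.assertTrue(first.active)
        last = findings[3]
        self.assertEqual("Low", last.severity)
        self.assertTrue(last.active)
        self.assertEqual("User AssumedRole : 123123123 is anomalously invoking APIs commonly used in Discovery tactics. - Resource: 123123123", last.title)
        # Mitigation for GuardDuty is the finding type plus a link to the AWS finding-types docs.
        self.assertEqual("TTPs/Discovery/IAMUser-AnomalousBehavior\n[https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)", last.mitigation)
        location = self.get_unsaved_locations(first)[0]
        self.assertEqual("AwsEc2Instance_arn_aws_ec2_us-east-1_123456789012_instance_i-1234567890".lower(), location.host.lower())
        self.assertEqual("This is a GuardDuty Finding\nAPIs commonly used in Discovery tactics were invoked by user AssumedRole : 123123123, under anomalous circumstances. Such activity is not typically seen from this user.\n**AWS Finding ARN:** arn:aws:guardduty:us-east-1:123456789012:detector/123456789/finding/2123123123123\n**SourceURL:** [https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=2123123123123](https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=2123123123123)\n**AwsAccountId:** 123456789012\n**Region:** us-east-1\n**Generator ID:** arn:aws:guardduty:us-east-1:123456789012:detector/123456789\n", last.description)

    def test_issue_10956(self):
        """Regression for issue 10956: the EPSS score from this fixture is kept as given."""
        findings = self._parse("issue_10956.json")
        self.assertEqual(1, len(findings))
        finding = findings[0]
        self.assertEqual("0.00239", finding.epss_score)

    def test_missing_account_id(self):
        """A finding without an AwsAccountId still parses and passes location validation."""
        findings = self._parse("missing_account_id.json")
        self.assertEqual(1, len(findings))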