From 41bf5ded077f9e5bdabaaf7bcb20a54aa5583da4 Mon Sep 17 00:00:00 2001
From: 1101-1 <70093559+1101-1@users.noreply.github.com>
Date: Mon, 9 Dec 2024 15:52:34 +0500
Subject: [PATCH] [aws][feat] Take only active findings for GuardDuty and Inspector2 services (#2299)
---
 plugins/aws/fix_plugin_aws/resource/guardduty.py | 4 +++-
 plugins/aws/fix_plugin_aws/resource/inspector.py | 5 ++++-
 plugins/aws/fix_plugin_aws/resource/ssm.py | 2 +-
 ...ngs__foo_test.json => list-findings__foo_test_false.json} | 0
 ...st.json => list-findings__EQUALS_test_EQUALS_ACTIVE.json} | 0
 5 files changed, 8 insertions(+), 3 deletions(-)
 rename plugins/aws/test/resources/files/guardduty/{list-findings__foo_test.json => list-findings__foo_test_false.json} (100%)
 rename plugins/aws/test/resources/files/inspector2/{list-findings__EQUALS_test.json => list-findings__EQUALS_test_EQUALS_ACTIVE.json} (100%)
diff --git a/plugins/aws/fix_plugin_aws/resource/guardduty.py b/plugins/aws/fix_plugin_aws/resource/guardduty.py
index 14b4e89492..2ea226773d 100644
--- a/plugins/aws/fix_plugin_aws/resource/guardduty.py
+++ b/plugins/aws/fix_plugin_aws/resource/guardduty.py
@@ -699,7 +699,9 @@ def add_finding(
 "FindingIds",
 expected_errors=["BadRequestException"],
 DetectorId=detector_id,
- FindingCriteria={"Criterion": {"accountId": {"Eq": [builder.account.id]}}},
+ FindingCriteria={
+ "Criterion": {"accountId": {"Eq": [builder.account.id]}, "service.archived": {"Eq": ["false"]}},
+ },
 ): detector_id
 for detector_id in detector_ids
 }
diff --git a/plugins/aws/fix_plugin_aws/resource/inspector.py b/plugins/aws/fix_plugin_aws/resource/inspector.py
index 12246e961d..a8b318dd6c 100644
--- a/plugins/aws/fix_plugin_aws/resource/inspector.py
+++ b/plugins/aws/fix_plugin_aws/resource/inspector.py
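Review bot: The new `"service.archived": {"Eq": ["false"]}` criterion changes what the collector considers a finding, yet nothing in the code says why, and a criterion the service rejects would presumably come back as a `BadRequestException`, which is listed in `expected_errors` two lines above, so a typo in the key would silently produce an empty finding set instead of an error. Add a comment above the `FindingCriteria={` line, e.g. `# drop archived findings (manually archived or auto-archived by a suppression rule); only current findings are inventoried`, and pin the criterion in a test so a future edit cannot drop it unnoticed. This also means findings hidden by a GuardDuty suppression rule disappear from the inventory, which appears to be the intended behaviour given the commit subject, but is worth stating where the filter lives. add_finding starts and ends outside the hunk.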
@@ -151,7 +151,10 @@ def add_finding(
 action="list-findings",
 result_name="findings",
 expected_errors=["AccessDeniedException"],
- filterCriteria={"awsAccountId": [{"comparison": "EQUALS", "value": f"{builder.account.id}"}]},
+ filterCriteria={
+ "awsAccountId": [{"comparison": "EQUALS", "value": f"{builder.account.id}"}],
+ "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
+ },
 ):
 if finding := AwsInspectorFinding.from_api(item, builder):
 for fr in finding.finding_resources or []:
diff --git a/plugins/aws/fix_plugin_aws/resource/ssm.py b/plugins/aws/fix_plugin_aws/resource/ssm.py
index 38d7446545..f27916b5d1 100644
--- a/plugins/aws/fix_plugin_aws/resource/ssm.py
+++ b/plugins/aws/fix_plugin_aws/resource/ssm.py
@@ -384,7 +384,7 @@ class AwsSSMResourceCompliance(AwsResource, PhantomBaseResource):
 compliance_details: Optional[Dict[str, str]] = field(default=None, metadata={"description": "A Key:Value tag combination for the compliance item."}) # fmt: skip
 
 def parse_finding(self) -> Finding:
- title = self.title or ""
+ title = self.title or (self.compliance_details or {}).get("DocumentName") or ""
 severity = SEVERITY_MAPPING.get(self.severity or "", Severity.medium)
 details = self.compliance_details
 if self.execution_summary:
diff --git a/plugins/aws/test/resources/files/guardduty/list-findings__foo_test.json b/plugins/aws/test/resources/files/guardduty/list-findings__foo_test_false.json
similarity index 100%
rename from plugins/aws/test/resources/files/guardduty/list-findings__foo_test.json
rename to plugins/aws/test/resources/files/guardduty/list-findings__foo_test_false.json
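Review bot: The new `"findingStatus"` entry silently excludes findings in the SUPPRESSED and CLOSED states, and the code gives no hint that this is deliberate; a comment on that line would keep the choice visible, e.g. `# only ACTIVE findings; SUPPRESSED (by a suppression rule) and CLOSED ones are not inventoried`. Unlike the GuardDuty call in this commit, a malformed filter here would surface as an error, since only `AccessDeniedException` is in `expected_errors`, so the main risk is a reader not realising suppressed vulnerabilities are no longer reported. On the carried-over `awsAccountId` line, the `f"{builder.account.id}"` wrapper is just a string conversion and reads more directly as `str(builder.account.id)`, or as the id itself if it is already a str. add_finding starts and ends outside the hunk.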
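Review bot: The changed `title` line in parse_finding reaches into `self.compliance_details` two lines before `details = self.compliance_details` binds the same value, so the fallback is easier to read if that assignment is hoisted above it: `details = self.compliance_details` followed by `title = self.title or (details or {}).get("DocumentName") or ""`. Nothing in the hunk depends on `details` being assigned after `severity`, though the rest of the method is outside the hunk and may. A comment such as `# fall back to the SSM document name when the compliance item carries no title` would also record why `"DocumentName"` was chosen, since this ssm.py change is not covered by the commit subject. parse_finding continues past the end of the hunk.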
diff --git a/plugins/aws/test/resources/files/inspector2/list-findings__EQUALS_test.json b/plugins/aws/test/resources/files/inspector2/list-findings__EQUALS_test_EQUALS_ACTIVE.json
similarity index 100%
rename from plugins/aws/test/resources/files/inspector2/list-findings__EQUALS_test.json
rename to plugins/aws/test/resources/files/inspector2/list-findings__EQUALS_test_EQUALS_ACTIVE.json