fix awssecurityhub findings

dojo/tools/awssecurityhub/compliance.py

@@ -7,13 +7,24 @@ def get_item(self, finding: dict, test):
         finding_id = finding.get("Id", "")
         title = finding.get("Title", "")
         severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL").title()
+        resource_arns = []
+        for resource in finding.get("Resources", []):
+            if arn := resource.get("Id"):
+                resource_arns.append(arn)
         mitigation = ""
         impact = []
         references = []
         unsaved_vulnerability_ids = []
         epss_score = None
         mitigation = finding.get("Remediation", {}).get("Recommendation", {}).get("Text", "")
-        description = "This is a Security Hub Finding \n" + finding.get("Description", "")
+        mitigation += "\n" + finding.get("Remediation", {}).get("Recommendation", {}).get("Url", "")
+        description = "This is a Security Hub Finding \n" + finding.get("Description", "") + "\n"
+        description += f"**AWS Finding ARN:** {finding_id}\n"
+        description += f"**Resource IDs:** {', '.join(set(resource_arns))}\n"
+        description += f"**AwsAccountId:** {finding.get('AwsAccountId', '')}\n"
+        if finding.get('Region'):
+            description += f"**Region:** {finding.get('Region', '')}\n"
+        description += f"**Generator ID:** {finding.get('GeneratorId', '')}\n"
         if finding.get("Compliance", {}).get("Status", "PASSED") == "PASSED":
             is_Mitigated = True
             active = False

dojo/tools/awssecurityhub/guardduty.py

@@ -15,7 +15,7 @@ def get_item(self, finding: dict, test):
         mitigations = finding.get("FindingProviderFields", {}).get("Types")
         for mitigate in mitigations:
             mitigation += mitigate + "\n"
-        mitigation += "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
+        mitigation += "[https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)"
         active = True
         if finding.get("RecordState") == "ACTIVE":
             is_Mitigated = False
@@ -29,12 +29,16 @@ def get_item(self, finding: dict, test):
                     mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
             else:
                 mitigated = datetime.utcnow()
-        description = f"This is a GuardDuty Finding\n{finding.get('Description', '')}"
-        description += f"SourceURL: {finding.get('SourceUrl', '')}\n"
-        description += f"AwsAccountId: {finding.get('AwsAccountId', '')}\n"
-        description += f"Region: {finding.get('Region', '')}\n"
+        description = f"This is a GuardDuty Finding\n{finding.get('Description', '')}" + "\n"
+        description += f"**AWS Finding ARN:** {finding_id}\n"
+        if finding.get('SourceUrl'):
+            sourceurl = "[" + finding.get('SourceUrl') + "](" + finding.get('SourceUrl') + ")"
+            description += f"**SourceURL:** {sourceurl}\n"
+        description += f"**AwsAccountId:** {finding.get('AwsAccountId', '')}\n"
+        description += f"**Region:** {finding.get('Region', '')}\n"
+        description += f"**Generator ID:** {finding.get('GeneratorId', '')}\n"
         title_suffix = ""
-        hosts = list()
+        hosts = []
         for resource in finding.get("Resources", []):
             component_name = resource.get("Type")
             if component_name in ("AwsEcrContainerImage", "AwsEc2Instance"):
@@ -73,7 +77,7 @@ def get_item(self, finding: dict, test):
             dynamic_finding=False,
             component_name=component_name,
         )
-        result.unsaved_endpoints = list()
+        result.unsaved_endpoints = []
         result.unsaved_endpoints.extend(hosts)
         if epss_score is not None:
             result.epss_score = epss_score

dojo/tools/awssecurityhub/inspector.py

@@ -12,7 +12,10 @@ def get_item(self, finding: dict, test):
         references = []
         unsaved_vulnerability_ids = []
         epss_score = None
-        description = f"This is an Inspector Finding\n{finding.get('Description', '')}"
+        description = f"This is an Inspector Finding\n{finding.get('Description', '')}" + "\n"
+        description += f"**AWS Finding ARN:** {finding_id}\n"
+        description += f"**AwsAccountId:** {finding.get('AwsAccountId', '')}\n"
+        description += f"**Region:** {finding.get('Region', '')}\n"
         vulnerabilities = finding.get("Vulnerabilities", [])
         for vulnerability in vulnerabilities:
             # Save the CVE if it is present
@@ -47,7 +50,7 @@ def get_item(self, finding: dict, test):
             else:
                 mitigated = datetime.utcnow()
         title_suffix = ""
-        hosts = list()
+        hosts = []
         for resource in finding.get("Resources", []):
             component_name = resource.get("Type")
             hosts.append(Endpoint(host=f"{component_name} {resource.get('Id')}"))
@@ -85,7 +88,7 @@ def get_item(self, finding: dict, test):
             dynamic_finding=False,
             component_name=component_name,
         )
-        result.unsaved_endpoints = list()
+        result.unsaved_endpoints = []
         result.unsaved_endpoints.extend(hosts)
         if epss_score is not None:
             result.epss_score = epss_score

unittests/tools/test_awssecurityhub_parser.py

@@ -39,6 +39,7 @@ def test_many_findings(self):
             self.assertEqual(3, len(findings))
             finding = findings[0]
             self.assertEqual(finding.component_name, "AwsAccount")
+            self.assertEqual("This is a Security Hub Finding \nThis AWS control checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.\n**AWS Finding ARN:** arn:aws:securityhub:us-east-1:012345678912:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.5/finding/de861909-2d26-4e45-bd86-19d2ab6ceef1\n**Resource IDs:** AWS::::Account:012345678912\n**AwsAccountId:** 012345678912\n**Generator ID:** aws-foundational-security-best-practices/v/1.0.0/IAM.5\n", finding.description)
 
     def test_repeated_findings(self):
         with open(get_unit_tests_path() + sample_path("config_repeated_findings.json")) as test_file:
@@ -121,6 +122,7 @@ def test_guardduty(self):
             self.assertEqual("Low", finding.severity)
             self.assertTrue(finding.active)
             self.assertEqual("User AssumedRole : 123123123 is anomalously invoking APIs commonly used in Discovery tactics. - Resource: 123123123", finding.title)
-            self.assertEqual("TTPs/Discovery/IAMUser-AnomalousBehavior\nhttps://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html", finding.mitigation)
+            self.assertEqual("TTPs/Discovery/IAMUser-AnomalousBehavior\n[https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)", finding.mitigation)
             endpoint = findings[0].unsaved_endpoints[0]
             self.assertEqual('AwsEc2Instance arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890', endpoint.host)
+            self.assertEqual("This is a GuardDuty Finding\nAPIs commonly used in Discovery tactics were invoked by user AssumedRole : 123123123, under anomalous circumstances. Such activity is not typically seen from this user.\n**AWS Finding ARN:** arn:aws:guardduty:us-east-1:123456789012:detector/123456789/finding/2123123123123\n**SourceURL:** [https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=2123123123123](https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=2123123123123)\n**AwsAccountId:** 123456789012\n**Region:** us-east-1\n**Generator ID:** arn:aws:guardduty:us-east-1:123456789012:detector/123456789\n", finding.description)