Hi @mahesh-ppro, if you provide an anonymized sample file, then I can make a PR like I did for Aqua Scan.
Hello @manuel-sommer, here is the sample JSON file content that works for the AWS Security Hub scan.
{
"findings": [
{
"AWS Account Id": "123456",
"Severity": "MEDIUM",
"Fix Available": "YES",
"Finding Type": "PACKAGE_VULNERABILITY",
"Title": "CVE-2024-123456 - kernel, kernel-tools",
"Description": "In the Linux kernel, the following vulnerability has been resolved:bpf: Fix overrunning reservations in ringbuf",
"Finding ARN": "arn:aws:inspector2:us-east-1:123456:finding/aaa",
"First Seen": "2024-08-20T07:18:28.348Z",
"Last Seen": "2024-08-28T15:15:59.254Z",
"Last Updated": "2024-08-28T15:15:59.254Z",
"Resource ID": "i-1234xxyyy",
"Container Image Tags": "",
"Region": "us-east-1",
"Platform": "AMAZON_LINUX_2023",
"Resource Tags": "Name:xx-yy",
"Affected Packages": "kernel, kernel-tools",
"Package Installed Version": "kernel[0/6.1.77/99.164.amzn2023/X86_64], kernel-tools[0/6.1.77/99.164.amzn2023/X86_64]",
"Fixed in Version": "kernel[0:6.1.97-104.177.amzn2023], kernel-tools[0:6.1.97-104.177.amzn2023]",
"Package Remediation": "kernel[sudo dnf check-update], kernel-tools[sudo dnf check-update]",
"File Path": "",
"Network Paths": "",
"Age (Days)": "34",
"Remediation": "None Provided",
"Inspector Score": "5.5",
"Inspector Score Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"Status": "ACTIVE",
"Vulnerability Id": "CVE-2024-123456",
"Vendor": "AMAZON_CVE",
"Vendor Severity": "Medium",
"Vendor Advisory": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-123456.json",
"Vendor Advisory Published": "2024-07-17T00:00:00Z",
"NVD CVSS3 Score": "5.5",
"NVD CVSS3 Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"NVD CVSS2 Score": "",
"NVD CVSS2 Vector": "",
"Vendor CVSS3 Score": "5.5",
"Vendor CVSS3 Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"Vendor CVSS2 Score": "",
"Vendor CVSS2 Vector": "",
"Resource Type": "AWS_EC2_INSTANCE",
"Ami": "ami-44444",
"Resource Public Ipv4": "",
"Resource Private Ipv4": "10.138.97.166",
"Resource Ipv6": "",
"Resource Vpc": "vpc-121212xx",
"Port Range": "",
"Epss Score": "4.2E-4",
"Exploit Available": "NO",
"Last Exploited At": "",
"Lambda Layers": "",
"Lambda Package Type": "",
"Lambda Last Updated At": "",
"Reference Urls": "https://alas.aws.amazon.com",
"Detector Name": "",
"Package Manager": "OS, OS"
}
]
}
Just a question here. In former versions, the field "AWS Account Id" was stored without spaces in the JSON, but in your sample it contains spaces:
"AWS Account Id": "123456",
Did you modify this / add it later? Otherwise, I have to fix this in the code.
Hey @manuel-sommer ,
Apologies for the misunderstanding. The sample above is an export from the Inspector; here is the correct JSON content.
{
"findings": [
{
"EpssScore": "0.00239",
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:inspector2:us-east-1:1234567:finding/12344bc",
"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
"ProductName": "Inspector",
"CompanyName": "Amazon",
"Region": "us-east-1",
"GeneratorId": "AWSInspector",
"AwsAccountId": "1234567",
"Types": [
"Software and Configuration Checks/Vulnerabilities/CVE"
],
"FirstObservedAt": "2024-07-30T12:17:32.646Z",
"LastObservedAt": "2024-09-18T05:16:44.106Z",
"CreatedAt": "2024-07-30T12:17:32.646Z",
"UpdatedAt": "2024-09-18T05:16:44.106Z",
"Severity": {
"Label": "MEDIUM",
"Normalized": 50
},
"Title": "CVE-2024-123 - fdd",
"Description": "A vulnerability was found in sdd.",
"Remediation": {
"Recommendation": {
"Text": "None Provided"
}
},
"ProductFields": {
"aws/inspector/FindingStatus": "ACTIVE",
"aws/inspector/inspectorScore": "5.1",
"aws/inspector/resources/1/resourceDetails/awsEc2InstanceDetails/platform": "AMAZON_LINUX_2023",
"aws/inspector/ProductVersion": "1",
"aws/inspector/instanceId": "i-1234xxyy",
"aws/securityhub/FindingId": "arn:aws:inspector2:us-east-1:1234567:finding/addfss",
"aws/securityhub/ProductName": "Inspector",
"aws/securityhub/CompanyName": "Amazon"
},
"Resources": [
{
"Type": "AwsEc2Instance",
"Id": "i-1234xxyy",
"Partition": "aws",
"Region": "us-east-1",
"Tags": {
"Name": "Name:xx-123-yy"
},
"Details": {
"AwsEc2Instance": {
"Type": "tt",
"ImageId": "ami-1234",
"IpV4Addresses": [
"0.0.0.0"
],
"IamInstanceProfileArn": "arn:aws:iam::1234567:instance-profile/something",
"VpcId": "vpc-1234",
"SubnetId": "subnet-xxxxxxx",
"LaunchedAt": "2024-09-18T05:16:44.106Z"
}
}
}
],
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"Vulnerabilities": [
{
"Id": "CVE-2024-1234",
"VulnerablePackages": [
{
"Name": "aa",
"Version": "1.2.0",
"Architecture": "X86_64]",
"PackageManager": "OS",
"FixedInVersion": "abc[2.0]"
}
],
"Cvss": [
{
"Version": "3.1",
"BaseScore": "7.5",
"BaseVector": "CVSS:9.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"Source": "NVD"
}
],
"Vendor": {
"Name": "AMAZON_CVE",
"Url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-1234.json",
"VendorSeverity": "Medium",
"VendorCreatedAt": "2024-01-16T00:00:00Z",
"VendorUpdatedAt": "2024-09-18T05:16:44.106Z"
},
"ReferenceUrls": [
"https://alas.aws.amazon.com"
],
"FixAvailable": "YES"
}
],
"FindingProviderFields": {
"Severity": {
"Label": "MEDIUM"
},
"Types": [
"Software and Configuration Checks/Vulnerabilities/CVE"
]
}
}
]
}
This can be closed
Hello Team, I was exploring uploading AWS Inspector scans into DefectDojo. All the other fields work like a charm; the only issue I am facing is with the EPSS score. There is a field that is destructured from the request, but I guess it is getting lost in further internal processing. We faced a similar issue with Aqua Scan, and it was fixed promptly. Could you please shed some light on this as well?
Thank you so much in advance