aws / aws-cli

Universal Command Line Interface for Amazon Web Services

SecurityHub - batch-import-findings - Inconsistent ASFF format between API and CLI usage #6804

Closed oliviergaumond closed 2 years ago

oliviergaumond commented 2 years ago


Describe the bug

The API Reference for BatchImportFindings specifies that the payload for the findings should correspond to the ASFF Syntax, which should be a Findings object containing an array.

The CLI Reference for batch-import-findings also refers to the ASFF Syntax; however, it expects to directly receive an array without the wrapping Findings object.

To Reproduce (observed behavior)

Error when trying to import a file conforming to ASFF format using the CLI.

$ cat report-asff.json 

{
    "Findings": [
        {
            "SchemaVersion": "2018-10-08",
            "Id": "mycontainer (debian 11.2)/CVE-2022-0778",
            "ProductArn": "arn:aws:securityhub:ca-central-1::product/aquasecurity/aquasecurity",
            "GeneratorId": "Trivy",
            "AwsAccountId": "123456789",
            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
            "CreatedAt": "2022-03-22T15:02:31.017124215Z",
            "UpdatedAt": "2022-03-22T15:02:31.017153183Z",
            "Severity": {
                "Label": "HIGH"
            },
            "Title": "Trivy found a vulnerability to CVE-2022-0778 in container mycontainer (debian 11.2)",
            "Description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification r ..",
            "Remediation": {
                "Recommendation": {
                    "Text": "More information on this vulnerability is provided in the hyperlink",
                    "Url": "https://avd.aquasec.com/nvd/cve-2022-0778"
                }
            },
            "ProductFields": { "Product Name": "Trivy" },
            "Resources": [
                {
                    "Type": "Container",
                    "Id": "mycontainer (debian 11.2)",
                    "Partition": "aws",
                    "Region": "ca-central-1",
                    "Details": {
                        "Container": { "ImageName": "mycontainer (debian 11.2)" },
                        "Other": {
                            "CVE ID": "CVE-2022-0778",
                            "CVE Title": "openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates",
                            "PkgName": "libssl1.1",
                            "Installed Package": "1.1.1k-1+deb11u1",
                            "Patched Package": "1.1.1k-1+deb11u2",
                            "NvdCvssScoreV3": "7.5",
                            "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                            "NvdCvssScoreV2": "5",
                            "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
                        }
                    }
                }
            ],
            "RecordState": "ACTIVE"
        }
    ]
}
$ aws securityhub batch-import-findings --findings file://report.asff 

Error parsing parameter '--findings': Invalid JSON: Expecting property name enclosed in double quotes: line 1 column 2 (char 1)
JSON received: {

Expected behavior

For consistency purposes the same import format should be used for the API and CLI.

Additional context

The respective documentation for the API and CLI is correct and each tool works correctly provided the appropriate format. However, it should be possible to use the exact same format for CLI, API and SDK.
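A small helper, added here and not part of aws-cli or of the issue, that bridges the two shapes the issue describes: it accepts either the API/SDK object `{"Findings": [...]}` or the bare array the CLI's `--findings` parameter wants, checks the ASFF required attributes, chunks to the 100-finding BatchImportFindings request maximum, and emits the bare-array JSON for `file://`. The sample finding, its account id and product ARN are constructed placeholders.

```python
import json
from typing import Any, Dict, List

# Top-level attributes the ASFF syntax reference marks as required.
REQUIRED_FIELDS = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
    "Types", "CreatedAt", "UpdatedAt", "Severity", "Title", "Description",
    "Resources",
)
MAX_BATCH = 100  # BatchImportFindings accepts at most 100 findings per call

# Constructed minimal finding (placeholder account id and ARN).
SAMPLE_FINDING = {
    "SchemaVersion": "2018-10-08", "Id": "example-image/finding-1",
    "ProductArn": "arn:aws:securityhub:us-east-1:111122223333:product/111122223333/default",
    "GeneratorId": "example-scanner", "AwsAccountId": "111122223333",
    "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
    "CreatedAt": "2022-03-22T15:02:31Z", "UpdatedAt": "2022-03-22T15:02:31Z",
    "Severity": {"Label": "HIGH"}, "Title": "example", "Description": "example",
    "Resources": [{"Type": "Container", "Id": "example-image"}],
}


def findings_from_asff(doc: Any) -> List[Dict[str, Any]]:
    """Return the finding list from either the API object form or the bare
    CLI array form, rejecting findings that lack required attributes."""
    if isinstance(doc, dict):
        if "Findings" not in doc:
            raise ValueError('object form must carry a "Findings" key')
        findings = doc["Findings"]
    else:
        findings = doc
    if not isinstance(findings, list):
        raise ValueError("Findings must be a JSON array")
    for i, finding in enumerate(findings):
        if not isinstance(finding, dict):
            raise ValueError(f"finding {i} is not a JSON object")
        missing = [k for k in REQUIRED_FIELDS if k not in finding]
        if missing:
            raise ValueError(f"finding {i} missing required fields: {missing}")
    return findings


def batches(findings: List[Dict[str, Any]], size: int = MAX_BATCH):
    """Split a finding list into request-sized chunks."""
    return [findings[i:i + size] for i in range(0, len(findings), size)]


def to_cli_json(doc: Any) -> str:
    """Serialise the bare array that `--findings file://report.json` expects."""
    return json.dumps(findings_from_asff(doc))
```

Each chunk returned by `batches` is what one `aws securityhub batch-import-findings` call (or one SDK `BatchImportFindings` request, wrapped again in `Findings`) should carry.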

tim-finnigan commented 2 years ago

Hi @oliviergaumond thanks for reaching out. There are examples for this command here in the CLI Command Reference and here in the Security Hub User Guide.

This behavior is consistent with other APIs requiring lists such as create-members. The AccountDetails in the RequestSyntax is abstracted to the --account-details parameter.

oliviergaumond commented 2 years ago

Thanks for your answer @tim-finnigan. You are right that the examples provided for the commands are accurate and well detailed. It is simply slightly confusing if you try to use the same ASFF report across the CLI and an SDK. But like you said this is consistent with other uses. We can close this.
