From c35d79a59eb42e40b8ab5f8881ed9dc87914f72e Mon Sep 17 00:00:00 2001
From: ralongit
Date: Mon, 20 Nov 2023 18:00:41 +0200
Subject: [PATCH] Upgrade AWS Security Hub to v0.0.2
- Upgraded Go support to v1.19
- Modified location of function files to new version 0.0.2.
- Fixed CVE-2022-29526 - Upgraded the golang.org/x/sys dependency indirectly as it relates to this issue: https://github.com/sirupsen/logrus/pull/1402
- Created a release workflow to publish to Cloudformation S3 buckets
---
 collector/go.mod | 16 ++++-
 collector/go.sum | 82 ++++++++++++++++++++++++++
 collector/sam/template.yaml | 2 +-
 go.mod | 2 +-
 release/main.py | 114 ++++++++++++++++++++++++++++++++++++
 release/requirements.txt | 1 +
 6 files changed, 214 insertions(+), 3 deletions(-)
 create mode 100644 collector/go.sum
 create mode 100644 release/main.py
 create mode 100644 release/requirements.txt
diff --git a/collector/go.mod b/collector/go.mod
index 00d06cb..100fd3d 100644
--- a/collector/go.mod
+++ b/collector/go.mod
@@ -1,6 +1,6 @@
 module aws-security-hub/collector
 
-go 1.15
+go 1.19
 
 require (
 github.com/aws/aws-lambda-go v1.26.0
@@ -8,3 +8,17 @@ require (
 github.com/sirupsen/logrus v1.8.1
 github.com/stretchr/testify v1.6.1
 )
+
+require (
+ github.com/StackExchange/wmi v1.2.0 // indirect
+ github.com/beeker1121/goque v2.1.0+incompatible // indirect
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/go-ole/go-ole v1.2.5 // indirect
+ github.com/golang/snappy v0.0.4 // indirect
+ github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/shirou/gopsutil/v3 v3.21.6 // indirect
+ github.com/syndtr/goleveldb v1.0.0 // indirect
+ go.uber.org/atomic v1.9.0 // indirect
+ golang.org/x/sys v0.1.0 // indirect; indirect, relates to: https://github.com/sirupsen/logrus/pull/1402
+ gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
+)
diff --git a/collector/go.sum b/collector/go.sum
new file mode 100644
index 0000000..3b20ccb
--- /dev/null
+++ b/collector/go.sum
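Review bot: The `golang.org/x/sys v0.1.0` pin in the second hunk lives in the `// indirect` block, so it only holds while minimal version selection keeps choosing it through logrus; the CVE-2022-29526 fix the message claims should be verified rather than assumed, e.g. by running `govulncheck ./...` on the collector in CI so a later bump of a direct dependency cannot silently regress it. The comment on that line, `// indirect; indirect, relates to: …`, says the marker twice; `// indirect; relates to: https://github.com/sirupsen/logrus/pull/1402` keeps the recognized `indirect;` prefix and drops the repeated word (a `go mod tidy` run would confirm the tooling preserves it). The same block pins `gopkg.in/yaml.v3` to a 2020 pre-release snapshot, so a scan of the whole module graph at the same time would cover the other indirect pins and not just x/sys.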
@@ -0,0 +1,82 @@ +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/StackExchange/wmi v0.0.0-20180116203802-5d049714c4a6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= +github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= +github.com/StackExchange/wmi v1.2.0 h1:noJEYkMQVlFCEAc+2ma5YyRhlfjcWfZqk5sBRYozdyM= +github.com/StackExchange/wmi v1.2.0/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= +github.com/aws/aws-lambda-go v1.26.0 h1:6ujqBpYF7tdZcBvPIccs98SpeGfrt/UOVEiexfNIdHA= +github.com/aws/aws-lambda-go v1.26.0/go.mod h1:jJmlefzPfGnckuHdXX7/80O3BvUUi12XOkbv4w9SGLU= +github.com/beeker1121/goque v2.1.0+incompatible h1:m5pZ5b8nqzojS2DF2ioZphFYQUqGYsDORq6uefUItPM= +github.com/beeker1121/goque v2.1.0+incompatible/go.mod h1:L6dOWBhDOnxUVQsb0wkLve0VCnt2xJW/MI8pdRX4ANw= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8= +github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM= +github.com/go-ole/go-ole v1.2.5 h1:t4MGB5xEDZvXI+0rMjjsfBsD7yAgp/s9ZDkL1JndXwY= +github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod 
h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/logzio/logzio-go v1.0.2 h1:PM3+x2OEMku7VPrVa9AuT1+SR74vZQHVV+Sadqp1G9g= +github.com/logzio/logzio-go v1.0.2/go.mod h1:N0FvvsuktlxK6Ed5mlxaZUxUmgghkh4elMqEQcDPEMc= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.7.0 h1:WSHQ+IS43OoUrWtD1/bbclrwK8TTH5hzp+umCiuxHgs= +github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU= +github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/shirou/gopsutil v0.0.0-20190323131628-2cbc9195c892/go.mod h1:WWnYX4lzhCH5h/3YBfyVA3VbLYjlMZZAQcW9ojMexNc= +github.com/shirou/gopsutil/v3 v3.21.6 h1:vU7jrp1Ic/2sHB7w6UNs7MIkn7ebVtTb5D9j45o9VYE= +github.com/shirou/gopsutil/v3 v3.21.6/go.mod h1:JfVbDpIBLVzT8oKbvMg9P3wEIMDDpVn+LwHTKj0ST88= +github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4/go.mod h1:qsXQc7+bwAM3Q1u/4XEfrquwF8Lw7D7y5cD8CuHnfIc= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= +github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/stretchr/objx v0.1.0/go.mod 
h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE= +github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ= +github.com/tidwall/gjson v1.8.1/go.mod h1:5/xDoumyyDNerp2U36lyolv46b3uF/9Bu6OfyQ9GImk= +github.com/tidwall/match v1.0.3/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= +github.com/tidwall/pretty v1.1.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= +github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tklauser/go-sysconf v0.3.6/go.mod h1:MkWzOF4RMCshBAMXuhXJs64Rte09mITnppBXY/rYEFI= +github.com/tklauser/numcpus v0.2.2/go.mod h1:x3qojaO3uyYt0i56EW/VUYs7uBvdl2fkfZFu0T9wgjM= +github.com/urfave/cli/v2 v2.2.0/go.mod h1:SE9GqnLQmjVa0iPEY0f1w3ygNIYcIJ0OKPMoW2caLfQ= +go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= +go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd h1:nTDtHvHSdCn1m6ITfMRqtOd/9+7a3s8RBNOZ3eYZzJA= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210316164454-77fc1eacc6aa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ= +gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/collector/sam/template.yaml b/collector/sam/template.yaml index 18888b2..0efe950 100644 --- a/collector/sam/template.yaml +++ b/collector/sam/template.yaml 
@@ -7,7 +7,7 @@ Resources:
 Properties:
 Code:
 S3Bucket: logzio-aws-integrations-us-east-1
-S3Key: aws-security-hub-collector/0.0.1/function.zip
+S3Key: aws-security-hub-collector/0.0.2/function.zip
 Description: >
 Go executable of lambda function that receives an AWS Security Hub event and sends it to logz.io.
 Environment:
diff --git a/go.mod b/go.mod
index a71a678..18e041b 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,3 @@
 module aws-security-hub
 
-go 1.15
+go 1.19
diff --git a/release/main.py b/release/main.py
new file mode 100644
index 0000000..4874ed3
--- /dev/null
+++ b/release/main.py
@@ -0,0 +1,114 @@
+import os
+
+import boto3
+
+REGIONS = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2',
+ 'ap-south-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1',
+ 'eu-central-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'eu-north-1',
+ 'sa-east-1',
+ 'ca-central-1']
+
+BUCKET_NAME_PREFIX = 'logzio-aws-integrations-'
+ENV_ACCESS_KEY = 'AWS_ACCESS_KEY'
+ENV_SECRET_KEY = 'AWS_SECRET_KEY'
+ENV_FOLDER_NAME = 'FOLDER_NAME'
+ENV_VERSION_NUMBER = 'VERSION_NUMBER'
+ENV_PATH_TO_FILE = 'PATH_TO_FILE'
+CF_TEMPLATE = 'template.yaml'
+CF_TEMPLATE_S3 = 'template.yaml'
+REGION_PLACEHOLDER = '<>'
+VERSION_PLACEHOLDER = '<>'
+
+
+def upload_public_to_s3(access_key, secret_key, folder_name, version_number, path_to_file):
+ s3 = get_s3_client(access_key, secret_key)
+ file_name = path_to_file.split('/')[-1]
+ print(f'File name: {file_name}')
+ success = 0
+ for region in REGIONS:
+ try:
+ print(f'Region: {region}')
+ object_name = f'{folder_name}/{version_number}/{file_name}'
+ bucket_name = f'{BUCKET_NAME_PREFIX}{region}'
+ s3.upload_file(path_to_file, bucket_name, object_name, ExtraArgs={'ACL': 'public-read'})
+ success += 1
+ except Exception as e:
+ print(f'Error occurred for region {region}: {e}')
+ print('Skipping this region')
+
+ print(f'Uploaded to {success} regions')
+
+
+def cf_template_workflow(access_key, secret_key, folder_name, version_number, path_to_file):
+ s3 = get_s3_client(access_key, secret_key)
+ file_name = path_to_file.split('/')[-1]
+ print(f'File name: {file_name}')
+ success = 0
+ base_arr = []
+ with open(path_to_file, 'r') as base_file:
+ base_arr = base_file.readlines()
+ if len(base_arr) == 0:
+ raise ValueError('Could not get base Cloudformation template')
+ for region in REGIONS:
+ try:
+ print(f'Region: {region}')
+ print(f'Version: {version_number}')
+ tmp_arr = []
+ for line in base_arr:
+ tmp_line = line.replace(REGION_PLACEHOLDER, region)
+ tmp_line = tmp_line.replace(VERSION_PLACEHOLDER, version_number)
+ tmp_arr.append(tmp_line)
+ new_path = f'./{file_name}'
+ with open(new_path, 'w') as new_file:
+ new_file.writelines(tmp_arr)
+ object_name = f'{folder_name}/{version_number}/{file_name}'
+ bucket_name = f'{BUCKET_NAME_PREFIX}{region}'
+ s3.upload_file(new_path, bucket_name, object_name, ExtraArgs={'ACL': 'public-read'})
+ success += 1
+ except Exception as e:
+ print(f'Error occurred for region {region}: {e}')
+ print('Skipping this region')
+
+ print(f'Uploaded to {success} regions')
+ os.remove(new_path)
+
+
+def get_s3_client(access_key, secret_key):
+ session = boto3.Session(
+ aws_access_key_id=access_key,
+ aws_secret_access_key=secret_key,
+ )
+
+ return session.client('s3')
+
+
+def upload():
+ access_key = os.getenv(ENV_ACCESS_KEY)
+ secret_key = os.getenv(ENV_SECRET_KEY)
+ if access_key is None or access_key == '' or secret_key is None or secret_key == '':
+ raise ValueError('AWS credentials missing! Exiting')
+ folder_name = os.getenv(ENV_FOLDER_NAME)
+ if folder_name is None or folder_name == '':
+ raise ValueError('Missing folder name! Exiting')
+ version_number = os.getenv(ENV_VERSION_NUMBER)
+ if version_number is None or version_number == '':
+ raise ValueError('Missing version number! Exiting')
+ path_to_file = os.getenv(ENV_PATH_TO_FILE)
+ if path_to_file is None or path_to_file == '':
+ raise ValueError('Missing path to file! Exiting')
+ file_exists = os.path.isfile(path_to_file)
+ if not file_exists:
+ raise FileNotFoundError(f'Provided path to file ({path_to_file}) does not exists! Exiting')
+ try:
+ is_cf_template = (path_to_file.split('/')[-1] == CF_TEMPLATE or path_to_file.split('/')[-1] == CF_TEMPLATE_S3)
+ print(f'Is Cloudformation template: {is_cf_template}')
+ if is_cf_template:
+ cf_template_workflow(access_key, secret_key, folder_name, version_number, path_to_file)
+ else:
+ upload_public_to_s3(access_key, secret_key, folder_name, version_number, path_to_file)
+ except Exception as e:
+ print(f'Some error occurred while trying to upload file: {e}')
+
+
+if __name__ == '__main__':
+ upload()
diff --git a/release/requirements.txt b/release/requirements.txt
new file mode 100644
index 0000000..3419e8c
--- /dev/null
+++ b/release/requirements.txt
@@ -0,0 +1 @@
+boto3==1.26.22
\ No newline at end of file
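Review bot: `upload()` catches `Exception` around the whole workflow and only prints it, so a failed release exits 0 and the CI job that runs this script reports success; add a bare `raise` after `print(f'Some error occurred while trying to upload file: {e}')`, and likewise have `upload_public_to_s3` / `cf_template_workflow` fail (or at least exit non-zero) when `success` is still 0 after the region loop instead of just printing `Uploaded to 0 regions`. In `cf_template_workflow`, `os.remove(new_path)` after the loop raises `NameError` if the first region's `try` body fails before `new_path` is assigned, and the rendered template is written to `./{file_name}` in the current directory, overwriting whatever is there; writing it under a `tempfile.mkdtemp()` directory and removing it in a `finally` avoids both problems. As rendered here `REGION_PLACEHOLDER` and `VERSION_PLACEHOLDER` are both `'<>'`, which would make the second `replace` a no-op once the first has consumed every placeholder — if the real file uses distinct markers that the rendering stripped, ignore this. `CF_TEMPLATE` and `CF_TEMPLATE_S3` hold the same string, so the two-way comparison on the `is_cf_template` line tests one name twice and one of the constants can go.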