feat(ocsf): add OCSF format as JSON output for AWS, Azure and GCP. Hello Amazon Security Lake! #2429
@@ -70,12 +85,147 @@ def fill_json_asff(finding_output, audit_info, finding, output_options): | |||
return finding_output | |||
|
|||
|
|||
def fill_json_ocsf( |
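Review bot: the new fill_json_ocsf has no docstring, yet this hunk grows the module by roughly 135 lines of mapping logic; add a docstring naming the OCSF class it targets (the description links the security_finding class of schema 1.0.0-rc.3) and which fields are mandatory, and keep the same contract as fill_json_asff directly above, which ends with `return finding_output`, so callers of both fill functions receive the populated model the same way.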
Could you please move this function to another file?
@@ -228,6 +229,18 @@ def unroll_dict(dict: dict): | |||
return unrolled_items | |||
|
|||
|
|||
def unroll_dict_to_list(dict: dict): |
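Review bot: the parameter in `def unroll_dict_to_list(dict: dict):` is named `dict`, which shadows the built-in type inside the function body and makes the annotation read as self-referential; rename it (for example `def unroll_dict_to_list(data: dict):`), and consider the same rename for `unroll_dict(dict: dict)` shown in the hunk context, so a future `dict(...)` call inside either function does not silently resolve to the argument.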
Could you please include tests for this function? And move it to another file so it can be used from other places.
@@ -621,3 +634,115 @@ class Check_Output_JSON_ASFF(BaseModel): | |||
Resources: List[Resource] = None | |||
Compliance: Compliance = None | |||
Remediation: dict = None | |||
|
|||
|
|||
# JSON OCSF |
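Review bot: the `# JSON OCSF` comment opens 115 lines of new model definitions appended to the module that already holds Check_Output_JSON_ASFF, and the context lines above show the existing convention of `List[Resource] = None` and `Compliance = None` on non-Optional annotations; for the new OCSF models, annotate fields that may be absent as `Optional[...]` and leave required ones without a default, so Pydantic validation actually rejects a half-filled finding instead of accepting None everywhere.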
Please, move the OCSF specification model to another file.
version: str = "1.0.0-rc.3" | ||
|
||
|
||
class Check_Output_JSON_OCSF(BaseModel): |
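Review bot: `version: str = "1.0.0-rc.3"` hardcodes a release-candidate schema version as a field default, and the same string appears in the schema URL in the PR description; define it once as a module-level constant (for example `OCSF_VERSION = "1.0.0-rc.3"`) and reference it from the model, so moving to the final 1.0.0 schema is a one-line change rather than a search across model, docs and tests.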
Why do all the attributes have a default value? With that, Pydantic makes no sense.
resource_uid = "" | ||
finding_uid = "" | ||
resource_labels = finding.resource_tags if finding.resource_tags else [] | ||
if finding.status == "PASS": |
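Review bot: `resource_uid = ""` and `finding_uid = ""` are empty-string sentinels, so any status branch below that does not assign them produces an OCSF record with blank identifiers that a downstream consumer such as Security Lake would ingest without complaint; initialise them to None and fail the fill if either is still unset after the `if finding.status == "PASS":` branches. The line `finding.resource_tags if finding.resource_tags else []` can also be shortened to `finding.resource_tags or []`.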
Also, you should split this function into several ones to fill the model; it's hard to follow.
@@ -161,6 +163,19 @@ def report(check_findings, output_options, audit_info): | |||
) | |||
file_descriptors["json"].write(",") | |||
|
|||
if "json-ocsf" in file_descriptors: | |||
finding_output = Check_Output_JSON_OCSF() |
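Review bot: `finding_output = Check_Output_JSON_OCSF()` builds an instance with every field at its default and then relies on the fill function mutating it in place, which means an early exit in the fill still leaves a syntactically valid but empty finding to be written; follow the ASFF path instead, where fill_json_asff constructs and returns `finding_output`, and write only what the fill returns.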
Why this? And why doesn't the fill return anything?
Description
Add OCSF JSON as an output mode.
https://schema.ocsf.io/1.0.0-rc.3/classes/security_finding
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.