fix(securityhub): archive SecurityHub findings in empty regions

prowler/providers/aws/lib/security_hub/security_hub.py

@@ -11,9 +11,12 @@
 
 
 def prepare_security_hub_findings(
-    findings: [], audit_info, output_options, enabled_regions: []
+    findings: [], audit_info: AWS_Audit_Info, output_options, enabled_regions: []
 ) -> dict:
     security_hub_findings_per_region = {}
+    # Create a key per region
+    for region in audit_info.audited_regions:
+        security_hub_findings_per_region[region] = []
     for finding in findings:
         # We don't send the INFO findings to AWS Security Hub
         if finding.status == "INFO":
@@ -30,10 +33,6 @@
         # Get the finding region
         region = finding.region
 
-        # Check if the security_hub_findings_per_region has the region, if not we have to create it
-        if region not in security_hub_findings_per_region:
-            security_hub_findings_per_region[region] = []
-
         # Format the finding in the JSON ASFF format
         finding_json_asff = fill_json_asff(
             Check_Output_JSON_ASFF(), audit_info, finding, output_options
@@ -117,9 +116,10 @@
     resolve_security_hub_previous_findings archives all the findings that does not appear in the current execution
     """
     logger.info("Checking previous findings in Security Hub to archive them.")
-
-    for region, current_findings in security_hub_findings_per_region.items():
+    success_count = 0
+    for region in security_hub_findings_per_region.keys():
         try:
+            current_findings = security_hub_findings_per_region[region]
             # Get current findings IDs
             current_findings_ids = []
             for finding in current_findings:
@@ -151,14 +151,14 @@
             logger.info(f"Archiving {len(findings_to_archive)} findings.")
 
             # Send archive findings to SHub
-            success_count = __send_findings_to_security_hub__(
+            success_count += __send_findings_to_security_hub__(
                 findings_to_archive, region, security_hub_client
             )
-            return success_count
         except Exception as error:
             logger.error(
                 f"{error.__class__.__name__} -- [{error.__traceback__.tb_lineno}]:{error} in region {region}"
             )
+    return success_count
 
 
 def __send_findings_to_security_hub__(

tests/providers/aws/lib/security_hub/security_hub_test.py

@@ -159,7 +159,8 @@ def test_prepare_security_hub_findings_enabled_region_not_quiet(self):
                         }
                     },
                 }
-            ]
+            ],
+            AWS_REGION_2: [],
         }
 
     def test_prepare_security_hub_findings_quiet_INFO_finding(self):
@@ -168,47 +169,38 @@ def test_prepare_security_hub_findings_quiet_INFO_finding(self):
         findings = [self.generate_finding("INFO", AWS_REGION_1)]
         audit_info = self.set_mocked_audit_info()
 
-        assert (
-            prepare_security_hub_findings(
-                findings,
-                audit_info,
-                output_options,
-                enabled_regions,
-            )
-            == {}
-        )
+        assert prepare_security_hub_findings(
+            findings,
+            audit_info,
+            output_options,
+            enabled_regions,
+        ) == {AWS_REGION_1: [], AWS_REGION_2: []}
 
     def test_prepare_security_hub_findings_disabled_region(self):
         enabled_regions = [AWS_REGION_1]
         output_options = self.set_mocked_output_options(is_quiet=False)
         findings = [self.generate_finding("PASS", AWS_REGION_2)]
         audit_info = self.set_mocked_audit_info()
 
-        assert (
-            prepare_security_hub_findings(
-                findings,
-                audit_info,
-                output_options,
-                enabled_regions,
-            )
-            == {}
-        )
+        assert prepare_security_hub_findings(
+            findings,
+            audit_info,
+            output_options,
+            enabled_regions,
+        ) == {AWS_REGION_1: [], AWS_REGION_2: []}
 
     def test_prepare_security_hub_findings_quiet(self):
         enabled_regions = [AWS_REGION_1]
         output_options = self.set_mocked_output_options(is_quiet=True)
         findings = [self.generate_finding("PASS", AWS_REGION_1)]
         audit_info = self.set_mocked_audit_info()
 
-        assert (
-            prepare_security_hub_findings(
-                findings,
-                audit_info,
-                output_options,
-                enabled_regions,
-            )
-            == {}
-        )
+        assert prepare_security_hub_findings(
+            findings,
+            audit_info,
+            output_options,
+            enabled_regions,
+        ) == {AWS_REGION_1: [], AWS_REGION_2: []}
 
     @patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
     def test_batch_send_to_security_hub_one_finding(self):