Create obligatron mode for AWS infrastructure vulnerabilities #1200

Merged
merged 10 commits into from
Jul 12, 2024

Conversation

NovemberTang (Contributor)

What does this change

Creates a new obligatron mode that collects information about AWS infrastructure vulnerabilities. Currently, it only logs the output and does not write to the table. This is because we are currently not filtering out results that are within SLA. This will need to be done as a separate PR as further work is needed to unify:

  1. the various Severity types
  2. the calculations we perform on those types to calculate whether a resource is inside or outside SLA

So, that work will be done as a follow-up PR. At that point, we will start writing to the DB.

Why?

So we can track departmental progress against our obligation to keep our AWS infrastructure compliant with AWS FSBP

How has it been verified?

Verified locally. Added unit tests to confirm expected behaviour

@NovemberTang NovemberTang marked this pull request as ready for review July 11, 2024 11:36
@NovemberTang NovemberTang requested review from a team as code owners July 11, 2024 11:36
Review threads (4, outdated) on packages/obligatron/src/obligations/aws-vulnerabilities.ts
```typescript
export async function evaluateFsbpVulnerabilities(
client: PrismaClient,
): Promise<ObligationResult[]> {
const findings = (await getFsbpFindings(client, ['CRITICAL', 'HIGH'])).map(
```
Member

If these severities were passed via configuration, would it make local development easier?

Contributor Author

why would it make local development easier?

Member

Was thinking of this within cloudbuster:

```typescript
const severities: SecurityHubSeverity[] = isDev
? ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFORMATION'] // Using all severities in DEV for more data.
: ['CRITICAL', 'HIGH'];
```

Base automatically changed from nt/fsbp-oblig to main July 11, 2024 16:02
```typescript
client: PrismaClient,
): Promise<ObligationResult[]> {
const findings = (await getFsbpFindings(client, ['CRITICAL', 'HIGH'])).map(
(v) => v as unknown as SecurityHubFinding,
```
Member

This feels like a bit of a spooky typecast! Are we sure that our schema will always match AWS's? Could lead to some annoying-to-debug errors if not!

We're quite explicit with type checking in the TAGGING job (maybe too much!), I wonder if we could have any shared behaviour for checking the schema matches?

```typescript
// Runtime type guard: narrows `unknown` to FindingResource only if the expected keys are present.
const isFindingResource = (resource: unknown): resource is FindingResource =>
typeof resource === 'object' &&
resource != null &&
'Id' in resource &&
'Tags' in resource;
```

Contributor Author

`as unknown as <CUSTOM TYPE>` is a pretty common pattern across the service catalogue, especially in repocop. If we want to move away from it, could that be a separate piece of work?
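The two review points above (a severity filter taken from configuration, and a runtime shape check in place of the `as unknown as SecurityHubFinding` cast) as one added example. This is not code from the obligatron project or the reviewers; the `SecurityHubFinding` and `FindingResource` shapes, the `FSBP_SEVERITIES` config string and the sample rows are all assumptions made for the example. The severity labels are AWS Security Hub's (`INFORMATIONAL`), which may differ from the project's own `SecurityHubSeverity` type. The blind-cast function is kept alongside the validated parser to show how the cast fails: not at the cast site, but later and sometimes silently.

```typescript
// Added example, not code from the obligatron project. Demonstrates a
// config-driven severity filter and runtime validation of Security Hub
// findings instead of `rows as unknown as SecurityHubFinding[]`.
// The finding/resource shapes below are assumed minimal subsets.

type SecurityHubSeverity = 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'INFORMATIONAL';

const ALL_SEVERITIES: readonly SecurityHubSeverity[] = [
  'CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFORMATIONAL',
];

// Assumed shapes (the real types carry many more fields).
interface FindingResource {
  Id: string;
  Tags?: Record<string, string>;
}

interface SecurityHubFinding {
  Id: string;
  Severity: { Label: SecurityHubSeverity };
  Resources: FindingResource[];
}

function isSeverity(value: unknown): value is SecurityHubSeverity {
  return typeof value === 'string' && (ALL_SEVERITIES as readonly string[]).includes(value);
}

function isFindingResource(value: unknown): value is FindingResource {
  return typeof value === 'object' && value !== null
    && typeof (value as { Id?: unknown }).Id === 'string';
}

// Checks every field the job will actually touch, so a schema mismatch is
// rejected here rather than surfacing as a TypeError deep in the job.
function isSecurityHubFinding(value: unknown): value is SecurityHubFinding {
  if (typeof value !== 'object' || value === null) return false;
  const f = value as Record<string, unknown>;
  const severity = f.Severity as { Label?: unknown } | undefined;
  return typeof f.Id === 'string'
    && typeof severity === 'object' && severity !== null && isSeverity(severity.Label)
    && Array.isArray(f.Resources) && f.Resources.every(isFindingResource);
}

// Severity filter from config, e.g. FSBP_SEVERITIES="CRITICAL,HIGH" (assumed name).
// Unset: all severities in dev (more data locally), CRITICAL+HIGH otherwise.
// Unknown labels are rejected rather than silently matching nothing.
export function severitiesFromConfig(raw: string | undefined, isDev: boolean): SecurityHubSeverity[] {
  if (raw === undefined || raw.trim() === '') {
    return isDev ? [...ALL_SEVERITIES] : ['CRITICAL', 'HIGH'];
  }
  const labels = raw.split(',').map((s) => s.trim().toUpperCase()).filter((s) => s !== '');
  const unknown = labels.filter((s) => !isSeverity(s));
  if (unknown.length > 0) {
    throw new Error(`Unknown severities in config: ${unknown.join(', ')}`);
  }
  const result: SecurityHubSeverity[] = [];
  for (const label of labels) {
    if (isSeverity(label)) result.push(label);
  }
  return result;
}

// Validate rows before treating them as findings; malformed rows are
// counted (and would be logged with their index/Id in a real job), not cast.
export function parseFindings(
  rows: unknown[],
  severities: SecurityHubSeverity[],
): { findings: SecurityHubFinding[]; rejected: number } {
  const findings: SecurityHubFinding[] = [];
  let rejected = 0;
  for (const row of rows) {
    if (!isSecurityHubFinding(row)) {
      rejected += 1;
      continue;
    }
    if (severities.includes(row.Severity.Label)) findings.push(row);
  }
  return { findings, rejected };
}

// The blind cast, for comparison. It never fails at the cast site: a string
// where an array was expected still has `.length`, so the count is silently
// wrong; a missing field fails later with a TypeError far from the cause.
export function blindResourceCount(rows: unknown[]): number {
  const findings = rows as unknown as SecurityHubFinding[];
  return findings.reduce((n, f) => n + f.Resources.length, 0);
}

// Constructed sample rows (not real findings).
export const SAMPLE_ROWS: unknown[] = [
  { Id: 'finding-1', Severity: { Label: 'CRITICAL' },
    Resources: [{ Id: 'arn:aws:s3:::example-bucket', Tags: { Stack: 'demo' } }] },
  { Id: 'finding-2', Severity: { Label: 'LOW' },
    Resources: [{ Id: 'arn:aws:ec2:eu-west-1:123456789012:instance/i-0example' }] },
  // schema drift: Resources is a string, not an array
  { Id: 'finding-3', Severity: { Label: 'HIGH' }, Resources: 'not-an-array' },
  // a local schema whose key casing no longer matches AWS's
  { id: 'finding-4', severity: 'HIGH' },
];
```

With the sample rows, `parseFindings` keeps `finding-1` for a CRITICAL/HIGH filter and reports two rejected rows, while `blindResourceCount` over the first three rows returns 14 (it counts the 12 characters of `'not-an-array'` as resources) and throws a `TypeError` once the fourth row is included. Sharing the guards between the tagging job and this one, as the reviewer suggests, would mean one place to update when the schema changes.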

@NovemberTang NovemberTang merged commit eb35b3e into main Jul 12, 2024
7 checks passed
@NovemberTang NovemberTang deleted the nt/fsbp-oblig-2 branch July 12, 2024 08:47