feat: reimplemented a way to collect guardduty

someengineering · Oct 31, 2024 · 4ad2ffc · 4ad2ffc
1 parent 09a097a
commit 4ad2ffc
Show file tree

Hide file tree

Showing 10 changed files with 41 additions and 746 deletions.
diff --git a/plugins/aws/fix_plugin_aws/resource/base.py b/plugins/aws/fix_plugin_aws/resource/base.py
@@ -66,17 +66,6 @@ def get_client(config: Config, resource: BaseResource) -> AwsClient:
 }
 
 
-@define(slots=True, frozen=True)
-class AssessmentKey:
-    provider: str
-    region: str
-    resource_type: str
-
-
-# Type alias for the inner dictionary that maps resource ID to a list of findings
-ResourceFindings = Dict[str, List[Finding]]
-
-
 def parse_json(
     json: Json, clazz: Type[T], builder: GraphBuilder, mapping: Optional[Dict[str, Bender]] = None
 ) -> Optional[T]:

diff --git a/plugins/aws/fix_plugin_aws/resource/ec2.py b/plugins/aws/fix_plugin_aws/resource/ec2.py
@@ -18,7 +18,6 @@
     operations_to_iops,
     normalizer_factory,
 )
-from fix_plugin_aws.resource.guardduty import AwsGuardDutyFinding
 from fix_plugin_aws.resource.iam import AwsIamInstanceProfile
 from fix_plugin_aws.resource.kms import AwsKmsKey
 from fix_plugin_aws.resource.s3 import AwsS3Bucket
@@ -706,7 +705,6 @@ def connect_in_graph(self, builder: GraphBuilder, source: Json) -> None:
                 clazz=AwsKmsKey,
                 id=AwsKmsKey.normalise_id(self.volume_kms_key_id),
             )
-        AwsGuardDutyFinding.set_findings(builder, self, "arn")
 
     def delete_resource(self, client: AwsClient, graph: Graph) -> bool:
         client.call(
@@ -1524,8 +1522,6 @@ def connect_in_graph(self, builder: GraphBuilder, source: Json) -> None:
         if iam_profile := self.instance_iam_instance_profile:
             builder.add_edge(self, reverse=True, clazz=AwsIamInstanceProfile, arn=iam_profile.arn)
 
-        AwsGuardDutyFinding.set_findings(builder, self, "id")
-
     def delete_resource(self, client: AwsClient, graph: Graph) -> bool:
         if self.instance_status == InstanceStatus.TERMINATED:
             self.log("Instance is already terminated")

diff --git a/plugins/aws/fix_plugin_aws/resource/ecr.py b/plugins/aws/fix_plugin_aws/resource/ecr.py
@@ -34,7 +34,6 @@ class AwsEcrRepository(AwsResource, HasResourcePolicy):
     _kind_service: ClassVar[Optional[str]] = service_name
     _metadata: ClassVar[Dict[str, Any]] = {"icon": "repository", "group": "compute"}
     _aws_metadata: ClassVar[Dict[str, Any]] = {"provider_link_tpl": "https://{region_id}.console.aws.amazon.com/ecr/repositories/{name}?region={region}", "arn_tpl": "arn:{partition}:ecr:{region}:{account}:repository/{name}"}  # fmt: skip
-    _reference_kinds: ClassVar[ModelReference] = {}
     api_spec: ClassVar[AwsApiSpec] = AwsApiSpec("ecr", "describe-repositories", "repositories")
     public_spec: ClassVar[AwsApiSpec] = AwsApiSpec("ecr-public", "describe-repositories", "repositories")
     mapping: ClassVar[Dict[str, Bender]] = {

diff --git a/plugins/aws/fix_plugin_aws/resource/ecs.py b/plugins/aws/fix_plugin_aws/resource/ecs.py
@@ -6,7 +6,6 @@
 from attrs import define, field
 from fix_plugin_aws.aws_client import AwsClient
 from fix_plugin_aws.resource.autoscaling import AwsAutoScalingGroup
-from fix_plugin_aws.resource.guardduty import AwsGuardDutyFinding
 from fix_plugin_aws.utils import TagsValue, ToDict
 
 from fix_plugin_aws.resource.base import AwsResource, GraphBuilder, AwsApiSpec
@@ -2111,7 +2110,6 @@ def connect_in_graph(self, builder: GraphBuilder, source: Json) -> None:
                     builder.dependant_node(self, clazz=AwsKmsKey, id=AwsKmsKey.normalise_id(exc.kms_key_id))
                 if exc.log_configuration and exc.log_configuration.s3_bucket_name:
                     builder.add_edge(self, clazz=AwsS3Bucket, name=exc.log_configuration.s3_bucket_name)
-        AwsGuardDutyFinding.set_findings(builder, self, "arn")
 
     def delete_resource(self, client: AwsClient, graph: Graph) -> bool:
         client.call(aws_service=self.api_spec.service, action="delete-cluster", result_name=None, cluster=self.arn)

diff --git a/plugins/aws/fix_plugin_aws/resource/eks.py b/plugins/aws/fix_plugin_aws/resource/eks.py
@@ -6,7 +6,6 @@
 
 from fix_plugin_aws.resource.autoscaling import AwsAutoScalingGroup
 from fix_plugin_aws.resource.base import AwsResource, GraphBuilder, AwsApiSpec
-from fix_plugin_aws.resource.guardduty import AwsGuardDutyFinding
 from fix_plugin_aws.resource.iam import AwsIamRole
 from fix_plugin_aws.aws_client import AwsClient
 from fixlib.baseresources import ModelReference, BaseManagedKubernetesClusterProvider
@@ -478,7 +477,6 @@ def connect_in_graph(self, builder: GraphBuilder, source: Json) -> None:
         builder.dependant_node(
             self, reverse=True, delete_same_as_default=True, clazz=AwsIamRole, arn=self.cluster_role_arn
         )
-        AwsGuardDutyFinding.set_findings(builder, self, "arn")
 
     def delete_resource(self, client: AwsClient, graph: Graph) -> bool:
         client.call(aws_service=self.api_spec.service, action="delete-cluster", result_name=None, name=self.name)

diff --git a/plugins/aws/fix_plugin_aws/resource/guardduty.py b/plugins/aws/fix_plugin_aws/resource/guardduty.py
diff --git a/plugins/aws/fix_plugin_aws/resource/lambda_.py b/plugins/aws/fix_plugin_aws/resource/lambda_.py
@@ -10,7 +10,6 @@
 from fix_plugin_aws.resource.base import AwsResource, GraphBuilder, AwsApiSpec, parse_json
 from fix_plugin_aws.resource.cloudwatch import AwsCloudwatchQuery, normalizer_factory
 from fix_plugin_aws.resource.ec2 import AwsEc2Subnet, AwsEc2SecurityGroup, AwsEc2Vpc
-from fix_plugin_aws.resource.guardduty import AwsGuardDutyFinding
 from fix_plugin_aws.resource.kms import AwsKmsKey
 from fixlib.baseresources import (
     BaseServerlessFunction,
@@ -406,7 +405,6 @@ def connect_in_graph(self, builder: GraphBuilder, source: Json) -> None:
                 clazz=AwsKmsKey,
                 arn=self.function_kms_key_arn,
             )
-        AwsGuardDutyFinding.set_findings(builder, self, "name")
 
     def update_resource_tag(self, client: AwsClient, key: str, value: str) -> bool:
         client.call(

diff --git a/plugins/aws/fix_plugin_aws/resource/rds.py b/plugins/aws/fix_plugin_aws/resource/rds.py
@@ -7,7 +7,6 @@
 from fix_plugin_aws.resource.base import AwsApiSpec, AwsResource, GraphBuilder
 from fix_plugin_aws.resource.cloudwatch import AwsCloudwatchQuery, AwsCloudwatchMetricData, normalizer_factory
 from fix_plugin_aws.resource.ec2 import AwsEc2SecurityGroup, AwsEc2Subnet, AwsEc2Vpc
-from fix_plugin_aws.resource.guardduty import AwsGuardDutyFinding
 from fix_plugin_aws.resource.kinesis import AwsKinesisStream
 from fix_plugin_aws.resource.kms import AwsKmsKey
 from fix_plugin_aws.utils import ToDict, TagsValue
@@ -599,8 +598,6 @@ def connect_in_graph(self, builder: GraphBuilder, source: Json) -> None:
         for key_reference in keys:
             builder.dependant_node(from_node=self, clazz=AwsKmsKey, id=AwsKmsKey.normalise_id(key_reference))
 
-        AwsGuardDutyFinding.set_findings(builder, self, "id")
-
     def delete_resource(self, client: AwsClient, graph: Graph) -> bool:
         client.call(
             aws_service=self.api_spec.service,
@@ -1042,7 +1039,6 @@ def connect_in_graph(self, builder: GraphBuilder, source: Json) -> None:
             )
         if kinesis := self.rds_activity_stream_kinesis_stream_name:
             builder.add_edge(self, clazz=AwsKinesisStream, name=kinesis)
-        AwsGuardDutyFinding.set_findings(builder, self, "id")
 
     def delete_resource(self, client: AwsClient, graph: Graph) -> bool:
         client.call(

diff --git a/plugins/aws/fix_plugin_aws/resource/s3.py b/plugins/aws/fix_plugin_aws/resource/s3.py
@@ -11,7 +11,6 @@
 from fix_plugin_aws.aws_client import AwsClient
 from fix_plugin_aws.resource.base import AwsResource, AwsApiSpec, GraphBuilder, parse_json
 from fix_plugin_aws.resource.cloudwatch import AwsCloudwatchQuery, normalizer_factory
-from fix_plugin_aws.resource.guardduty import AwsGuardDutyFinding
 from fix_plugin_aws.utils import tags_as_dict
 from fixlib.baseresources import (
     BaseBucket,
@@ -180,7 +179,6 @@ class AwsS3Bucket(AwsResource, BaseBucket, HasResourcePolicy):
     _kind_description: ClassVar[str] = "AWS S3 Bucket is a cloud storage service provided by Amazon Web Services. It stores and retrieves data objects, such as files, documents, and images. S3 Buckets organize data into containers, offering features like access control, versioning, and lifecycle management. Users can interact with S3 Buckets through APIs, SDKs, or the AWS Management Console."  # fmt: skip
     _docs_url: ClassVar[str] = "https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html"
     _kind_service: ClassVar[Optional[str]] = service_name
-    _reference_kinds: ClassVar[ModelReference] = {}
     api_spec: ClassVar[AwsApiSpec] = AwsApiSpec(
         service_name, "list-buckets", "Buckets", override_iam_permission="s3:ListAllMyBuckets"
     )
@@ -216,9 +214,6 @@ def called_collect_apis(cls) -> List[AwsApiSpec]:
             AwsApiSpec(service_name, "get-bucket-lifecycle-configuration"),
         ]
 
-    def connect_in_graph(self, builder: GraphBuilder, source: Json) -> None:
-        AwsGuardDutyFinding.set_findings(builder, self, "name")
-
     @classmethod
     def collect(cls: Type[AwsResource], json: List[Json], builder: GraphBuilder) -> None:
         def add_tags(bucket: AwsS3Bucket) -> None:

diff --git a/plugins/aws/test/collector_test.py b/plugins/aws/test/collector_test.py
@@ -11,7 +11,6 @@
     called_collect_apis,
     called_mutator_apis,
 )
-from fix_plugin_aws.resource.guardduty import AwsGuardDutyFinding
 from fix_plugin_aws.resource.base import AwsResource, AwsApiSpec, GraphBuilder, AwsRegion
 from fix_plugin_aws.resource.ec2 import AwsEc2Instance
 from fixlib.baseresources import BaseResource