Merge branch 'release' into ben/put-datamodels-in-packs
arielkr256 authored Sep 4, 2024
2 parents c6573c7 + f67b924 commit 67c5d20
Showing 18 changed files with 132 additions and 105 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/check-packs.yml
Expand Up @@ -25,7 +25,7 @@ jobs:
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7

- name: Set python version
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
with:
python-version: "3.11"

2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
Expand Up @@ -22,7 +22,7 @@ jobs:
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7

- name: Set python version
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
with:
python-version: "3.11"

2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -29,7 +29,7 @@ jobs:
aws-region: ${{ secrets.AWS_REGION }}
role-session-name: panther-analysis-release
- name: Install Python
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
with:
python-version: "3.11"
- name: Create new panther-analysis release
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
Expand Up @@ -23,7 +23,7 @@ jobs:
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7

- name: Set python version
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
with:
python-version: "3.11"

2 changes: 1 addition & 1 deletion .github/workflows/upload.yml
Expand Up @@ -27,7 +27,7 @@ jobs:
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7

- name: Set python version
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
with:
python-version: "3.11"

3 changes: 3 additions & 0 deletions rules/aws_cloudtrail_rules/aws_saml_activity.py
Expand Up @@ -9,6 +9,9 @@ def rule(event):
":assumed-role/AWSServiceRoleForSSO/AWS-SSO"
):
return False
# Don't alert on errors such as EntityAlreadyExistsException and NoSuchEntity
if event.get("errorCode"):
return False
return (
event.get("eventSource") == "iam.amazonaws.com" and event.get("eventName") in SAML_ACTIONS
)
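Review bot: The new `if event.get("errorCode"): return False` suppresses every failed call, not only the EntityAlreadyExistsException and NoSuchEntity cases the comment names — a denied attempt at one of the SAML_ACTIONS (errorCode AccessDenied) is exactly the kind of probe this rule exists to surface, and it would now be dropped without a trace. Consider making the code match the comment with an explicit allowlist, `if event.get("errorCode") in ("EntityAlreadyExistsException", "NoSuchEntity"): return False`, so unexpected failures still alert. The exact errorCode strings CloudTrail emits for these IAM failures should be confirmed against a real event before the allowlist is committed. rule() starts above the hunk, and SAML_ACTIONS is defined outside it.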
15 changes: 7 additions & 8 deletions rules/snyk_rules/snyk_misc_settings.py
@@ -1,5 +1,4 @@
from global_filter_snyk import filter_include_event
from panther_base_helpers import deep_get
from panther_snyk_helpers import snyk_alert_context

ACTIONS = [
Expand All @@ -11,21 +10,21 @@
def rule(event):
if not filter_include_event(event):
return False
action = deep_get(event, "event", default="<NO_EVENT>")
action = event.deep_get("event", default="<NO_EVENT>")
return action in ACTIONS


def title(event):
group_or_org = "<GROUP_OR_ORG>"
operation = "<NO_OPERATION>"
action = deep_get(event, "event", default="<NO_EVENT>")
action = event.deep_get("event", default="<NO_EVENT>")
if "." in action:
group_or_org = action.split(".")[0].title()
operation = ".".join(action.split(".")[1:]).title()
return (
f"Snyk: [{group_or_org}] Setting "
f"[{operation}] "
f"performed by [{deep_get(event, 'userId', default='<NO_USERID>')}]"
f"performed by [{event.deep_get('userId', default='<NO_USERID>')}]"
)


Expand All @@ -35,8 +34,8 @@ def alert_context(event):

def dedup(event):
return (
f"{deep_get(event, 'userId', default='<NO_USERID>')}"
f"{deep_get(event, 'orgId', default='<NO_ORGID>')}"
f"{deep_get(event, 'groupId', default='<NO_GROUPID>')}"
f"{deep_get(event, 'event', default='<NO_EVENT>')}"
f"{event.deep_get('userId', default='<NO_USERID>')}"
f"{event.deep_get('orgId', default='<NO_ORGID>')}"
f"{event.deep_get('groupId', default='<NO_GROUPID>')}"
f"{event.deep_get('event', default='<NO_EVENT>')}"
)
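Review bot: The rewritten dedup() still concatenates userId, orgId, groupId and event with no delimiter, so the dedup key is a bare run of four values; with UUID-shaped ids a collision is unlikely, but a separator makes the key unambiguous and readable in the alert. Since the lines are being touched anyway, a minimal change is to add one to each piece, e.g. `f"{event.deep_get('userId', default='<NO_USERID>')}:"` and likewise for orgId and groupId (the last piece stays as is). The same pattern is rewritten identically in snyk_org_settings.py, snyk_ou_change.py, snyk_project_settings.py and snyk_role_change.py in this commit; note that changing the key once regroups alerts that are in flight at deploy time.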
15 changes: 7 additions & 8 deletions rules/snyk_rules/snyk_org_settings.py
@@ -1,5 +1,4 @@
from global_filter_snyk import filter_include_event
from panther_base_helpers import deep_get
from panther_snyk_helpers import snyk_alert_context

ACTIONS = [
Expand All @@ -18,21 +17,21 @@
def rule(event):
if not filter_include_event(event):
return False
action = deep_get(event, "event", default="<NO_EVENT>")
action = event.deep_get("event", default="<NO_EVENT>")
return action in ACTIONS


def title(event):
group_or_org = "<GROUP_OR_ORG>"
operation = "<NO_OPERATION>"
action = deep_get(event, "event", default="<NO_EVENT>")
action = event.deep_get("event", default="<NO_EVENT>")
if "." in action:
group_or_org = action.split(".")[0].title()
operation = ".".join(action.split(".")[1:]).title()
return (
f"Snyk: [{group_or_org}] Setting "
f"[{operation}] "
f"performed by [{deep_get(event, 'userId', default='<NO_USERID>')}]"
f"performed by [{event.deep_get('userId', default='<NO_USERID>')}]"
)


Expand All @@ -42,8 +41,8 @@ def alert_context(event):

def dedup(event):
return (
f"{deep_get(event, 'userId', default='<NO_USERID>')}"
f"{deep_get(event, 'orgId', default='<NO_ORGID>')}"
f"{deep_get(event, 'groupId', default='<NO_GROUPID>')}"
f"{deep_get(event, 'event', default='<NO_EVENT>')}"
f"{event.deep_get('userId', default='<NO_USERID>')}"
f"{event.deep_get('orgId', default='<NO_ORGID>')}"
f"{event.deep_get('groupId', default='<NO_GROUPID>')}"
f"{event.deep_get('event', default='<NO_EVENT>')}"
)
17 changes: 8 additions & 9 deletions rules/snyk_rules/snyk_ou_change.py
@@ -1,5 +1,4 @@
from global_filter_snyk import filter_include_event
from panther_base_helpers import deep_get
from panther_snyk_helpers import snyk_alert_context

ACTIONS = [
Expand All @@ -21,19 +20,19 @@
def rule(event):
if not filter_include_event(event):
return False
action = deep_get(event, "event", default="<NO_EVENT>")
action = event.deep_get("event", default="<NO_EVENT>")
return action in ACTIONS


def title(event):
group_or_org = "<GROUP_OR_ORG>"
action = deep_get(event, "event", default="<NO_EVENT>")
action = event.deep_get("event", default="<NO_EVENT>")
if "." in action:
group_or_org = action.split(".")[0].title()
return (
f"Snyk: [{group_or_org}] Organizational Unit settings have been modified "
f"via [{action}] "
f"performed by [{deep_get(event, 'userId', default='<NO_USERID>')}]"
f"performed by [{event.deep_get('userId', default='<NO_USERID>')}]"
)


Expand All @@ -43,15 +42,15 @@ def alert_context(event):

def dedup(event):
return (
f"{deep_get(event, 'userId', default='<NO_USERID>')}"
f"{deep_get(event, 'orgId', default='<NO_ORGID>')}"
f"{deep_get(event, 'groupId', default='<NO_GROUPID>')}"
f"{deep_get(event, 'event', default='<NO_EVENT>')}"
f"{event.deep_get('userId', default='<NO_USERID>')}"
f"{event.deep_get('orgId', default='<NO_ORGID>')}"
f"{event.deep_get('groupId', default='<NO_GROUPID>')}"
f"{event.deep_get('event', default='<NO_EVENT>')}"
)


def severity(event):
action = deep_get(event, "event", default="<NO_EVENT>")
action = event.deep_get("event", default="<NO_EVENT>")
if action.endswith((".remove", ".delete")):
return "HIGH"
if action.endswith((".edit")):
20 changes: 10 additions & 10 deletions rules/snyk_rules/snyk_project_settings.py
@@ -1,5 +1,4 @@
from global_filter_snyk import filter_include_event
from panther_base_helpers import deep_get
from panther_snyk_helpers import snyk_alert_context

# The bodies of these actions are quite diverse.
Expand All @@ -13,7 +12,6 @@
"org.project.attributes.edit",
"org.project.add",
"org.project.delete",
"org.project.edit",
"org.project.fix_pr.manual_open",
"org.project.ignore.create",
"org.project.ignore.delete",
Expand All @@ -34,21 +32,23 @@
def rule(event):
if not filter_include_event(event):
return False
action = deep_get(event, "event", default="<NO_EVENT>")
if event.deep_get("content", "after", "description") == "No new Code Analysis issues found":
return False
action = event.deep_get("event", default="<NO_EVENT>")
return action in ACTIONS


def title(event):
group_or_org = "<GROUP_OR_ORG>"
operation = "<NO_OPERATION>"
action = deep_get(event, "event", default="<NO_EVENT>")
action = event.deep_get("event", default="<NO_EVENT>")
if "." in action:
group_or_org = action.split(".")[0].title()
operation = ".".join(action.split(".")[1:]).title()
return (
f"Snyk: [{group_or_org}] "
f"[{operation}] "
f"performed by [{deep_get(event, 'userId', default='<NO_USERID>')}]"
f"performed by [{event.deep_get('userId', default='<NO_USERID>')}]"
)


Expand All @@ -61,15 +61,15 @@ def alert_context(event):

def dedup(event):
return (
f"{deep_get(event, 'userId', default='<NO_USERID>')}"
f"{deep_get(event, 'orgId', default='<NO_ORGID>')}"
f"{deep_get(event, 'groupId', default='<NO_GROUPID>')}"
f"{deep_get(event, 'event', default='<NO_EVENT>')}"
f"{event.deep_get('userId', default='<NO_USERID>')}"
f"{event.deep_get('orgId', default='<NO_ORGID>')}"
f"{event.deep_get('groupId', default='<NO_GROUPID>')}"
f"{event.deep_get('event', default='<NO_EVENT>')}"
)


def severity(event):
action = deep_get(event, "event", default="<NO_EVENT>")
action = event.deep_get("event", default="<NO_EVENT>")
if action == "org.project.fix_pr.manual_open":
return "INFO"
return "LOW"
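Review bot: The new exclusion in rule() keys on an exact vendor-generated sentence, `"No new Code Analysis issues found"`, and is evaluated before the action is even read, so any event of any type carrying that description is suppressed and a wording change on Snyk's side silently turns the suppression off. The new test fixture shows the event this is meant for is `org.project.pr_check.edit`; tying the check to it keeps the suppression scoped: move the action lookup first, then `if action == "org.project.pr_check.edit" and event.deep_get("content", "after", "description") == "No new Code Analysis issues found":`. The ACTIONS hunk also appears to drop `"org.project.edit"` (the fixture expects false for it); a one-line comment at that spot in ACTIONS saying why project edits are deliberately not alerted on would stop a later maintainer from re-adding it. rule() and ACTIONS begin above their hunks.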
32 changes: 32 additions & 0 deletions rules/snyk_rules/snyk_project_settings.yml
Expand Up @@ -71,3 +71,35 @@ Tests:
"event": "group.sso.membership.sync",
"groupId": "8fffffff-1555-4444-b000-b55555555555",
}
- Name: Snyk Org Project Edit
ExpectedResult: false
Log:
{
"content": {
"snapshotId": "69af7170-87cc-4939-bbaf-1fd99f80cde4"
},
"created": "2024-09-02 23:49:37.552000000",
"event": "org.project.edit",
"orgId": "69af7170-87cc-4939-bbaf-1fd99f80cde4",
"projectId": "69af7170-87cc-4939-bbaf-1fd99f80cde4"
}
- Name: Snyk No New Code Issues Found
ExpectedResult: false
Log:
{
"content": {
"after": {
"description": "No new Code Analysis issues found",
"state": "success"
},
"before": {
"state": "processing"
},
"prCheckPublicId": "69af7170-87cc-4939-bbaf-1fd99f80cde4",
"prChecksGroupPublicId": "69af7170-87cc-4939-bbaf-1fd99f80cde4"
},
"created": "2024-08-27 14:02:48.823000000",
"event": "org.project.pr_check.edit",
"orgId": "69af7170-87cc-4939-bbaf-1fd99f80cde4",
"projectId": "69af7170-87cc-4939-bbaf-1fd99f80cde4"
}
27 changes: 13 additions & 14 deletions rules/snyk_rules/snyk_role_change.py
@@ -1,5 +1,4 @@
from global_filter_snyk import filter_include_event
from panther_base_helpers import deep_get
from panther_snyk_helpers import snyk_alert_context

ACTIONS = [
Expand All @@ -19,47 +18,47 @@
def rule(event):
if not filter_include_event(event):
return False
action = deep_get(event, "event", default="<NO_EVENT>")
action = event.deep_get("event", default="<NO_EVENT>")
return action in ACTIONS


def title(event):
group_or_org = "<GROUP_OR_ORG>"
crud_operation = "<NO_OPERATION>"
action = deep_get(event, "event", default="<NO_EVENT>")
action = event.deep_get("event", default="<NO_EVENT>")
if "." in action:
group_or_org = action.split(".")[0].title()
crud_operation = action.split(".")[-1].title()
return (
f"Snyk: [{group_or_org}] Role "
f"[{crud_operation}] "
f"performed by [{deep_get(event, 'userId', default='<NO_USERID>')}]"
f"performed by [{event.deep_get('userId', default='<NO_USERID>')}]"
)


def alert_context(event):
a_c = snyk_alert_context(event)
role = deep_get(event, "content", "after", "role", default=None)
if not role and "afterRoleName" in deep_get(event, "content", default={}):
role = deep_get(event, "content", "afterRoleName", default=None)
role = event.deep_get("content", "after", "role", default=None)
if not role and "afterRoleName" in event.deep_get("content", default={}):
role = event.deep_get("content", "afterRoleName", default=None)
if role:
a_c["role_permission"] = role
return a_c


def dedup(event):
return (
f"{deep_get(event, 'userId', default='<NO_USERID>')}"
f"{deep_get(event, 'orgId', default='<NO_ORGID>')}"
f"{deep_get(event, 'groupId', default='<NO_GROUPID>')}"
f"{deep_get(event, 'event', default='<NO_EVENT>')}"
f"{event.deep_get('userId', default='<NO_USERID>')}"
f"{event.deep_get('orgId', default='<NO_ORGID>')}"
f"{event.deep_get('groupId', default='<NO_GROUPID>')}"
f"{event.deep_get('event', default='<NO_EVENT>')}"
)


def severity(event):
role = deep_get(event, "content", "after", "role", default=None)
if not role and "afterRoleName" in deep_get(event, "content", default={}):
role = deep_get(event, "content", "afterRoleName", default=None)
role = event.deep_get("content", "after", "role", default=None)
if not role and "afterRoleName" in event.deep_get("content", default={}):
role = event.deep_get("content", "afterRoleName", default=None)
if role == "ADMIN":
return "CRITICAL"
return "MEDIUM"
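Review bot: alert_context() and severity() now carry the same three rewritten lines for extracting the post-change role, and the membership test `"afterRoleName" in event.deep_get("content", default={})` before a `deep_get` of that very key appears redundant with the `default=None` it already passes. Pulling the lookup into one private helper removes the duplication and makes the fallback order (content.after.role, then content.afterRoleName) visible in one place; the CRITICAL-on-ADMIN decision in severity() then reads off a single source of truth. Confirm against the helper's implementation that deep_get returns the default when content itself is absent, which the current `in` test also handles.
```python
def _changed_role(event):
    """Return the role in effect after the change, or None if the event carries none.

    Prefers content.after.role and falls back to content.afterRoleName,
    matching the lookup previously duplicated in alert_context() and severity().
    """
    role = event.deep_get("content", "after", "role", default=None)
    if not role:
        role = event.deep_get("content", "afterRoleName", default=None)
    return role


def alert_context(event):
    a_c = snyk_alert_context(event)
    role = _changed_role(event)
    # … unchanged: role_permission assignment and return …


def severity(event):
    role = _changed_role(event)
    # … unchanged: ADMIN -> CRITICAL, otherwise MEDIUM …
```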