fix: Matching logic for product_name and title (#23)

* fix: Matching logic for product_name and title

* chore: updates fixture names

awsfindingsmanagerlib/awsfindingsmanagerlib.py

@@ -338,9 +338,9 @@ def match_if_set(left, right):
     def is_matching_rule(self, rule: Rule) -> bool:
         """Checks a rule for a match with the finding.
 
-        If any of control_id, security_control_id, rule_id or product_name attributes match between the rule and the
-        finding and the rule does not have any filtering attributes like resource_id_regexps or tags then it is
-        considered a match. (Big blast radius) only matching on the control or product.
+        If any of control_id, security_control_id, rule_id or product_name and title attributes match between the
+        rule and the finding and the rule does not have any filtering attributes like resource_id_regexps or tags
+        then it is considered a match. (Big blast radius) only matching on the control or product.
 
         If the rule has any attributes like resource_id_regexps or tags then a secondary match is searched for any of
         them with the corresponding finding attributes. If any match is found then the rule is found matching if none
@@ -363,14 +363,14 @@ def is_matching_rule(self, rule: Rule) -> bool:
                               rule.security_control_id),
             self.match_if_set(self.control_id, rule.rule_or_control_id),
             self.match_if_set(self.rule_id, rule.rule_or_control_id),
-            self.match_if_set(self.product_name, rule.product_name),
+            all([
+                self.match_if_set(self.product_name, rule.product_name),
+                self.match_if_set(self.title, rule.title),
+            ])
         ]):
             self._logger.debug(
-                f'Matched with rule "{rule.note}" on one of "control_id, security_control_id, product_name"')
-            if self.match_if_set(self.title, rule.title):
-                self._logger.debug(
-                    f'Matched with rule "{rule.note}" on title.')
-                return True
+                f'Matched with rule "{rule.note}" on one of "control_id, security_control_id" or \
+                    "product_name" and "title"')
             if not any([rule.tags, rule.resource_id_regexps]):
                 self._logger.debug(
                     f'Rule "{rule.note}" does not seem to have filters for resources or tags.')

tests/README

@@ -1 +1,11 @@
 Please place testing code here. The name should be: test_<package name>.py
+
+## Testing Suppressions
+
+The tests for suppressions follow these basic principles:
+
+- The test suppression rules can be found in `fixtures/suppression.yaml`.
+- Findings that should be matched against the suppression rules can be found in `fixtures/matching_findings.json`.
+- Findings that should NOT be matched with any suppression rule can be found in `fixtures/non_matching_findings.json`.
+- The expected match result between findings and rules can be found in `fixtures/expected_matched_findings.json`.
+- The expected suppression requests sent to Security Hub can be found in `fixtures/expected_batch_update_findings.json`.

tests/fixtures/batch_update_findings_full.json → tests/fixtures/expected_batch_update_findings.json

@@ -2,11 +2,11 @@
   {
     "FindingIdentifiers": [
       {
-        "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/180e73dc-a807-4ddd-a36a-14696c85ba9e",
+        "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/71a625e2-1a57-4fee-bc3f-22cf3f9f9e57",
         "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
       },
       {
-        "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/71a625e2-1a57-4fee-bc3f-22cf3f9f9e57",
+        "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.9/finding/180e73dc-a807-4ddd-a36a-14696c85ba9e",
         "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
       }
     ],
@@ -40,11 +40,11 @@
   {
     "FindingIdentifiers": [
       {
-        "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/45fee04a-22ed-4242-a316-ebaecd5a1b36",
+        "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/2e14352c-2bb5-4dfc-88af-71467172d92f",
         "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
       },
       {
-        "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/2e14352c-2bb5-4dfc-88af-71467172d92f",
+        "Id": "arn:aws:securityhub:eu-west-1:988763490897:security-control/S3.20/finding/45fee04a-22ed-4242-a316-ebaecd5a1b36",
         "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
       },
       {
@@ -65,14 +65,6 @@
       {
         "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/ff4ebfb9d83b0ee89c7140b30eed5ef9",
         "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector"
-      },
-      {
-        "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/ioperfb9d83b0ee89c7140b30eed5lf9",
-        "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector"
-      },
-      {
-          "Id": "arn:aws:inspector2:eu-west-1:012345678912:finding/m58hv3b9d83b0ee89c7140b30eed55kv",
-          "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/inspector"
       }
     ],
     "Workflow": {
@@ -82,5 +74,20 @@
       "Text": "We support Inspector too",
       "UpdatedBy": "FindingsManager"
     }
+  },
+  {
+    "FindingIdentifiers": [
+      {
+        "Id": "arn:aws:securityhub:eu-west-1:222555888333:subscription/aws-foundational-security-best-practices/v/1.0.0/GuardDuty.5/finding/fa64b182-1f5d-4c13-828a-50af12336fd0",
+        "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
+      }
+    ],
+    "Workflow": {
+      "Status": "SUPPRESSED"
+    },
+    "Note": {
+      "Text": "We also support legacy format findings",
+      "UpdatedBy": "FindingsManager"
+    }
   }
 ]