Upgrade AWS Security Hub to v0.0.2

- Upgraded Go support to v1.19
- Modified location of function files to new version 0.0.2.
- Fixed CVE-2022-29526
  - Upgraded the golang.org/x/sys dependency indirectly as it relates to this issue: sirupsen/logrus#1402
- Created a release workflow to publish to Cloudformation S3 buckets

collector/go.mod

@@ -1,10 +1,24 @@
 module aws-security-hub/collector
 
-go 1.15
+go 1.19
 
 require (
 	github.com/aws/aws-lambda-go v1.26.0
 	github.com/logzio/logzio-go v1.0.2
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.6.1
 )
+
+require (
+	github.com/StackExchange/wmi v1.2.0 // indirect
+	github.com/beeker1121/goque v2.1.0+incompatible // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-ole/go-ole v1.2.5 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/shirou/gopsutil/v3 v3.21.6 // indirect
+	github.com/syndtr/goleveldb v1.0.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	golang.org/x/sys v0.1.0 // indirect; indirect, relates to: https://github.com/sirupsen/logrus/pull/1402
+	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
+)

collector/go.sum

@@ -0,0 +1,82 @@
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/StackExchange/wmi v0.0.0-20180116203802-5d049714c4a6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
+github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
+github.com/StackExchange/wmi v1.2.0 h1:noJEYkMQVlFCEAc+2ma5YyRhlfjcWfZqk5sBRYozdyM=
+github.com/StackExchange/wmi v1.2.0/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
+github.com/aws/aws-lambda-go v1.26.0 h1:6ujqBpYF7tdZcBvPIccs98SpeGfrt/UOVEiexfNIdHA=
+github.com/aws/aws-lambda-go v1.26.0/go.mod h1:jJmlefzPfGnckuHdXX7/80O3BvUUi12XOkbv4w9SGLU=
+github.com/beeker1121/goque v2.1.0+incompatible h1:m5pZ5b8nqzojS2DF2ioZphFYQUqGYsDORq6uefUItPM=
+github.com/beeker1121/goque v2.1.0+incompatible/go.mod h1:L6dOWBhDOnxUVQsb0wkLve0VCnt2xJW/MI8pdRX4ANw=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8=
+github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
+github.com/go-ole/go-ole v1.2.5 h1:t4MGB5xEDZvXI+0rMjjsfBsD7yAgp/s9ZDkL1JndXwY=
+github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
+github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/logzio/logzio-go v1.0.2 h1:PM3+x2OEMku7VPrVa9AuT1+SR74vZQHVV+Sadqp1G9g=
+github.com/logzio/logzio-go v1.0.2/go.mod h1:N0FvvsuktlxK6Ed5mlxaZUxUmgghkh4elMqEQcDPEMc=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.7.0 h1:WSHQ+IS43OoUrWtD1/bbclrwK8TTH5hzp+umCiuxHgs=
+github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU=
+github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/shirou/gopsutil v0.0.0-20190323131628-2cbc9195c892/go.mod h1:WWnYX4lzhCH5h/3YBfyVA3VbLYjlMZZAQcW9ojMexNc=
+github.com/shirou/gopsutil/v3 v3.21.6 h1:vU7jrp1Ic/2sHB7w6UNs7MIkn7ebVtTb5D9j45o9VYE=
+github.com/shirou/gopsutil/v3 v3.21.6/go.mod h1:JfVbDpIBLVzT8oKbvMg9P3wEIMDDpVn+LwHTKj0ST88=
+github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4/go.mod h1:qsXQc7+bwAM3Q1u/4XEfrquwF8Lw7D7y5cD8CuHnfIc=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
+github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
+github.com/tidwall/gjson v1.8.1/go.mod h1:5/xDoumyyDNerp2U36lyolv46b3uF/9Bu6OfyQ9GImk=
+github.com/tidwall/match v1.0.3/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.1.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tklauser/go-sysconf v0.3.6/go.mod h1:MkWzOF4RMCshBAMXuhXJs64Rte09mITnppBXY/rYEFI=
+github.com/tklauser/numcpus v0.2.2/go.mod h1:x3qojaO3uyYt0i56EW/VUYs7uBvdl2fkfZFu0T9wgjM=
+github.com/urfave/cli/v2 v2.2.0/go.mod h1:SE9GqnLQmjVa0iPEY0f1w3ygNIYcIJ0OKPMoW2caLfQ=
+go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
+go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd h1:nTDtHvHSdCn1m6ITfMRqtOd/9+7a3s8RBNOZ3eYZzJA=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210316164454-77fc1eacc6aa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

collector/sam/template.yaml

@@ -7,7 +7,7 @@ Resources:
     Properties:
       Code:
         S3Bucket: logzio-aws-integrations-us-east-1
-        S3Key: aws-security-hub-collector/0.0.1/function.zip
+        S3Key: aws-security-hub-collector/0.0.2/function.zip
       Description: >
         Go executable of lambda function that receives an AWS Security Hub event and sends it to logz.io.
       Environment:

go.mod

@@ -1,3 +1,3 @@
 module aws-security-hub
 
-go 1.15
+go 1.19

release/main.py

@@ -0,0 +1,114 @@
+import os
+
+import boto3
+
+REGIONS = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2',
+           'ap-south-1', 'ap-northeast-3', 'ap-northeast-2', 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1',
+           'eu-central-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'eu-north-1',
+           'sa-east-1',
+           'ca-central-1']
+
+BUCKET_NAME_PREFIX = 'logzio-aws-integrations-'
+ENV_ACCESS_KEY = 'AWS_ACCESS_KEY'
+ENV_SECRET_KEY = 'AWS_SECRET_KEY'
+ENV_FOLDER_NAME = 'FOLDER_NAME'
+ENV_VERSION_NUMBER = 'VERSION_NUMBER'
+ENV_PATH_TO_FILE = 'PATH_TO_FILE'
+CF_TEMPLATE = 'template.yaml'
+CF_TEMPLATE_S3 = 'template.yaml'
+REGION_PLACEHOLDER = '<<REGION>>'
+VERSION_PLACEHOLDER = '<<VERSION>>'
+
+
+def upload_public_to_s3(access_key, secret_key, folder_name, version_number, path_to_file):
+    s3 = get_s3_client(access_key, secret_key)
+    file_name = path_to_file.split('/')[-1]
+    print(f'File name: {file_name}')
+    success = 0
+    for region in REGIONS:
+        try:
+            print(f'Region: {region}')
+            object_name = f'{folder_name}/{version_number}/{file_name}'
+            bucket_name = f'{BUCKET_NAME_PREFIX}{region}'
+            s3.upload_file(path_to_file, bucket_name, object_name, ExtraArgs={'ACL': 'public-read'})
+            success += 1
+        except Exception as e:
+            print(f'Error occurred for region {region}: {e}')
+            print('Skipping this region')
+
+    print(f'Uploaded to {success} regions')
+
+
+def cf_template_workflow(access_key, secret_key, folder_name, version_number, path_to_file):
+    s3 = get_s3_client(access_key, secret_key)
+    file_name = path_to_file.split('/')[-1]
+    print(f'File name: {file_name}')
+    success = 0
+    base_arr = []
+    with open(path_to_file, 'r') as base_file:
+        base_arr = base_file.readlines()
+    if len(base_arr) == 0:
+        raise ValueError('Could not get base Cloudformation template')
+    for region in REGIONS:
+        try:
+            print(f'Region: {region}')
+            print(f'Version: {version_number}')
+            tmp_arr = []
+            for line in base_arr:
+                tmp_line = line.replace(REGION_PLACEHOLDER, region)
+                tmp_line = tmp_line.replace(VERSION_PLACEHOLDER, version_number)
+                tmp_arr.append(tmp_line)
+            new_path = f'./{file_name}'
+            with open(new_path, 'w') as new_file:
+                new_file.writelines(tmp_arr)
+            object_name = f'{folder_name}/{version_number}/{file_name}'
+            bucket_name = f'{BUCKET_NAME_PREFIX}{region}'
+            s3.upload_file(new_path, bucket_name, object_name, ExtraArgs={'ACL': 'public-read'})
+            success += 1
+        except Exception as e:
+            print(f'Error occurred for region {region}: {e}')
+            print('Skipping this region')
+
+    print(f'Uploaded to {success} regions')
+    os.remove(new_path)
+
+
+def get_s3_client(access_key, secret_key):
+    session = boto3.Session(
+        aws_access_key_id=access_key,
+        aws_secret_access_key=secret_key,
+    )
+
+    return session.client('s3')
+
+
+def upload():
+    access_key = os.getenv(ENV_ACCESS_KEY)
+    secret_key = os.getenv(ENV_SECRET_KEY)
+    if access_key is None or access_key == '' or secret_key is None or secret_key == '':
+        raise ValueError('AWS credentials missing! Exiting')
+    folder_name = os.getenv(ENV_FOLDER_NAME)
+    if folder_name is None or folder_name == '':
+        raise ValueError('Missing folder name! Exiting')
+    version_number = os.getenv(ENV_VERSION_NUMBER)
+    if version_number is None or version_number == '':
+        raise ValueError('Missing version number! Exiting')
+    path_to_file = os.getenv(ENV_PATH_TO_FILE)
+    if path_to_file is None or path_to_file == '':
+        raise ValueError('Missing path to file! Exiting')
+    file_exists = os.path.isfile(path_to_file)
+    if not file_exists:
+        raise FileNotFoundError(f'Provided path to file ({path_to_file}) does not exists! Exiting')
+    try:
+        is_cf_template = (path_to_file.split('/')[-1] == CF_TEMPLATE or path_to_file.split('/')[-1] == CF_TEMPLATE_S3)
+        print(f'Is Cloudformation template: {is_cf_template}')
+        if is_cf_template:
+            cf_template_workflow(access_key, secret_key, folder_name, version_number, path_to_file)
+        else:
+            upload_public_to_s3(access_key, secret_key, folder_name, version_number, path_to_file)
+    except Exception as e:
+        print(f'Some error occurred while trying to upload file: {e}')
+
+
+if __name__ == '__main__':
+    upload()

release/requirements.txt

@@ -0,0 +1 @@
+boto3==1.26.22