Merge branch 'main' into nt/prod-params

packages/cloudbuster/src/digests.test.ts

@@ -1,5 +1,6 @@
 import type { cloudbuster_fsbp_vulnerabilities } from '@prisma/client';
-import { createDigestForAccount } from './digests';
+import type { SecurityHubSeverity } from 'common/types';
+import { createDigestForAccount, createDigestsFromFindings } from './digests';
 
 describe('createDigestForAccount', () => {
 	it('should return nothing if no vulnerabilities are passed to it', () => {
@@ -23,6 +24,7 @@ describe('createDigestForAccount', () => {
 		title: 'test-title',
 		within_sla: false,
 	};
+
 	it('should return a digest with the correct fields', () => {
 		const actual = createDigestForAccount([testVuln]);
 		expect(actual).toEqual({
@@ -57,3 +59,64 @@ Remediation: [Documentation](https://example.com)`,
 		expect(actual).toBeUndefined();
 	});
 });
+
+function mockFinding(
+	aws_account_id: string,
+	severity: SecurityHubSeverity,
+): cloudbuster_fsbp_vulnerabilities {
+	return {
+		aws_account_id,
+		title: 'mock title',
+		aws_account_name: 'mock-account',
+		arn: 'arn::mock::123',
+		remediation: 'https://mock.url/mock',
+		severity,
+		within_sla: true,
+		first_observed_at: new Date('2020-01-01'),
+		control_id: 'MOCK.1',
+		aws_region: 'eu-mock-1',
+		repo: null,
+		stack: null,
+		stage: null,
+		app: null,
+	};
+}
+
+describe('createDigestsFromFindings', () => {
+	it('should filter findings by severity', () => {
+		const findings = [
+			mockFinding('1', 'CRITICAL'),
+			mockFinding('2', 'HIGH'),
+			mockFinding('3', 'CRITICAL'),
+		];
+		const criticalDigests = createDigestsFromFindings(findings, 'CRITICAL');
+		expect(criticalDigests.length).toBe(2);
+
+		const highDigests = createDigestsFromFindings(findings, 'HIGH');
+		expect(highDigests.length).toBe(1);
+	});
+	it('should create one digest per account', () => {
+		const findingsFromTwoAccounts = [
+			mockFinding('1', 'CRITICAL'),
+			mockFinding('2', 'CRITICAL'),
+			mockFinding('3', 'CRITICAL'),
+		];
+		const result = createDigestsFromFindings(
+			findingsFromTwoAccounts,
+			'CRITICAL',
+		);
+		expect(result.length).toBe(3);
+	});
+	it('should combine findings of the same account and severity into one digest', () => {
+		const findingsFromOneAccount = [
+			mockFinding('1', 'CRITICAL'),
+			mockFinding('1', 'CRITICAL'),
+			mockFinding('1', 'CRITICAL'),
+		];
+		const result = createDigestsFromFindings(
+			findingsFromOneAccount,
+			'CRITICAL',
+		);
+		expect(result.length).toBe(1);
+	});
+});

packages/cloudbuster/src/digests.ts

@@ -1,6 +1,7 @@
 import { RequestedChannel } from '@guardian/anghammarad';
 import type { Action, Anghammarad, NotifyParams } from '@guardian/anghammarad';
 import type { cloudbuster_fsbp_vulnerabilities } from '@prisma/client';
+import type { SecurityHubSeverity } from 'common/src/types';
 import { type Config } from './config';
 import { groupFindingsByAccount } from './findings';
 import type { Digest } from './types';
@@ -10,8 +11,11 @@ import type { Digest } from './types';
  */
 export function createDigestsFromFindings(
 	findings: cloudbuster_fsbp_vulnerabilities[],
+	severity: SecurityHubSeverity,
 ): Digest[] {
-	const groupedFindings = groupFindingsByAccount(findings);
+	const filteredFindings = findings.filter((f) => f.severity === severity);
+
+	const groupedFindings = groupFindingsByAccount(filteredFindings);
 
 	return Object.keys(groupedFindings)
 		.map((awsAccountId) =>

packages/cloudbuster/src/index.ts

@@ -7,15 +7,8 @@ import { getConfig } from './config';
 import { createDigestsFromFindings, sendDigest } from './digests';
 import { findingsToGuardianFormat } from './findings';
 
-type LambdaHandlerProps = {
-	severities?: SecurityHubSeverity[];
-};
-
-export async function main(input: LambdaHandlerProps) {
-	// When manually invoking the function in AWS for testing,
-	// it can be cumbersome to manually type this object as an input.
-	// Therefore, fall back to default values.
-	const { severities = ['CRITICAL', 'HIGH'] } = input;
+export async function main() {
+	const severities: SecurityHubSeverity[] = ['CRITICAL', 'HIGH'];
 
 	// *** SETUP ***
 	const config = await getConfig();
@@ -38,8 +31,12 @@ export async function main(input: LambdaHandlerProps) {
 		data: tableContents,
 	});
 
-	const digests = createDigestsFromFindings(tableContents);
+	const digests = createDigestsFromFindings(tableContents, 'CRITICAL');
 
+	const isTuesday = new Date().getDay() === 2;
+	if (isTuesday) {
+		digests.push(...createDigestsFromFindings(tableContents, 'HIGH'));
+	}
 	// *** NOTIFICATION SENDING ***
 	const anghammaradClient = new Anghammarad();
 

packages/cloudbuster/src/run-locally.ts

@@ -6,8 +6,5 @@ config({ path: `../../.env` }); // Load `.env` file at the root of the repositor
 config({ path: `${homedir()}/.gu/service_catalogue/.env.local` });
 
 if (require.main === module) {
-	void main({
-		// Using all severities in DEV for more data.
-		severities: ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFORMATION'],
-	});
+	void main();
 }

packages/dependency-graph-integrator/src/file-generator.test.ts

@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Submit dependencies
         id: submit
-        uses: scalacenter/sbt-dependency-submission@7ebd561e5280336d3d5b445a59013810ff79325e # v3.0.1
+        uses: scalacenter/sbt-dependency-submission@64084844d2b0a9b6c3765f33acde2fbe3f5ae7d3 # v3.1.0
       - name: Log snapshot for user validation
         id: validate
         run: cat` +
@@ -59,11 +59,11 @@ jobs:
           java-version: 17
       - name: Submit dependencies
         id: submit
-        uses: gradle/actions/dependency-submission@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0
+        uses: gradle/actions/dependency-submission@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0
       - name: Log snapshot for user validation
         id: validate
         run: cat ` + // Need to split this line to avoid errors due to new line produced in yaml
-			'/home/runner/work/repo2/repo2/dependency-graph-reports/update_dependency_graph_for_kotlin-dependency-graph.json\n          | jq' +
+			'/home/runner/work/repo2/repo2/dependency-graph-reports/update_dependency_graph_for_gradle-dependency-graph.json\n          | jq' +
 			String.raw`
     permissions:
       contents: write

packages/dependency-graph-integrator/src/file-generator.ts

@@ -21,7 +21,7 @@ function createLanguageSpecificWorkflowSteps(
 			{
 				name: 'Submit dependencies',
 				id: 'submit',
-				uses: 'scalacenter/sbt-dependency-submission@7ebd561e5280336d3d5b445a59013810ff79325e # v3.0.1',
+				uses: 'scalacenter/sbt-dependency-submission@64084844d2b0a9b6c3765f33acde2fbe3f5ae7d3 # v3.1.0',
 			},
 			{
 				name: 'Log snapshot for user validation',
@@ -47,12 +47,12 @@ function createLanguageSpecificWorkflowSteps(
 			{
 				name: 'Submit dependencies',
 				id: 'submit',
-				uses: 'gradle/actions/dependency-submission@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0',
+				uses: 'gradle/actions/dependency-submission@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0',
 			},
 			{
 				name: 'Log snapshot for user validation',
 				id: 'validate',
-				run: `cat /home/runner/work/${repo}/${repo}/dependency-graph-reports/update_dependency_graph_for_kotlin-dependency-graph.json | jq`,
+				run: `cat /home/runner/work/${repo}/${repo}/dependency-graph-reports/update_dependency_graph_for_gradle-dependency-graph.json | jq`,
 			},
 		],
 	};