From 5ecf1e2a855afd5315b1f87e1c22286dfebb9bfb Mon Sep 17 00:00:00 2001
From: nikirby
Date: Wed, 1 Dec 2021 13:25:48 -0500
Subject: [PATCH 1/3] Fixed error that appeared if the number of findings was very high.
---
 include/securityhub_integration | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/include/securityhub_integration b/include/securityhub_integration
index 74a1c35d9e..11f62f35c6 100644
--- a/include/securityhub_integration
+++ b/include/securityhub_integration
@@ -42,15 +42,31 @@ checkSecurityHubCompatibility(){
 resolveSecurityHubPreviousFails(){
 # Move previous check findings RecordState to ARCHIVED (as prowler didn't re-detect them)
+ SH_TEMP_FOLDER="$PROWLER_DIR/SH-$ACCOUNT_NUM"
+ if [[ ! -d $SH_TEMP_FOLDER ]]; then
+ # this folder is deleted once the security hub update is completed
+ mkdir "$SH_TEMP_FOLDER"
+ fi
 for regx in $REGIONS; do
-
+ REGION_FOLDER="$SH_TEMP_FOLDER/$regx"
+ if [[ ! -d $REGION_FOLDER ]]; then
+ mkdir "$REGION_FOLDER"
+ fi
 local check="$1"
 NEW_TIMESTAMP=$(get_iso8601_timestamp)
 FILTER="{\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"EQUALS\"}],\"RecordState\":[{\"Value\": \"ACTIVE\",\"Comparison\":\"EQUALS\"}],\"AwsAccountId\":[{\"Value\": \"$ACCOUNT_NUM\",\"Comparison\":\"EQUALS\"}]}"
- NEW_FINDING_IDS=$(echo -n "${SECURITYHUB_NEW_FINDINGS_IDS[@]}" | jq -cRs 'split(" ")')
- SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -c --argjson ids "$NEW_FINDING_IDS" --arg updated_at $NEW_TIMESTAMP '[ .Findings[] | select( .Id| first(select($ids[] == .)) // false | not) | .RecordState = "ARCHIVED" | .UpdatedAt = $updated_at ]')
+ NEW_FINDING_FILE="$REGION_FOLDER/findings.json"
+ NEW_FINDING_IDS=$(echo -n "${SECURITYHUB_NEW_FINDINGS_IDS[@]}" | jq -cRs 'split(" ")' > $NEW_FINDING_FILE)
+ EXISTING_FILE="$REGION_FOLDER/existing.json"
+ EXISTING_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" > $EXISTING_FILE)
+
+ SECURITY_HUB_PREVIOUS_FINDINGS=$(for id in $(comm -23 <(jq '[.Findings[].Id] | sort | .[]' $EXISTING_FILE) <(jq '[.[]] | sort | .[]' $NEW_FINDING_FILE));
+ do
+ jq --arg updated_at $NEW_TIMESTAMP '.Findings[] | select(.Id == '"$id"') | .RecordState = "ARCHIVED" | .UpdatedAt = $updated_at ' < $EXISTING_FILE
+ done | jq -s '.')
+
+
 if [[ $SECURITY_HUB_PREVIOUS_FINDINGS != "[]" ]]; then
 FINDINGS_COUNT=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq '. | length')
From 43b3ad6447d77001ae63d11576b7eb2ad9d06f53 Mon Sep 17 00:00:00 2001
From: nikirby
Date: Wed, 1 Dec 2021 13:29:12 -0500
Subject: [PATCH 2/3] Adjusted the batch to only do 50 at a time. 100 caused capacity issues. Also added a check for an edge case where if the updated findings was a multiple of the batch size, it would throw an error for attempting to import 0 findings.
---
 include/securityhub_integration | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/include/securityhub_integration b/include/securityhub_integration
index 11f62f35c6..9c3d8f48a5 100644
--- a/include/securityhub_integration
+++ b/include/securityhub_integration
@@ -70,12 +70,15 @@ resolveSecurityHubPreviousFails(){
 if [[ $SECURITY_HUB_PREVIOUS_FINDINGS != "[]" ]]; then
 FINDINGS_COUNT=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq '. | length')
- for i in `seq 0 100 $FINDINGS_COUNT`;
+ for i in $(seq 0 50 $FINDINGS_COUNT);
 do
- BATCH_FINDINGS=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq -c '.['"$i:$i+100"']')
- BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT batch-import-findings --findings "${BATCH_FINDINGS}")
- if [[ -z "${BATCH_IMPORT_RESULT}" ]] || jq -e '.FailedCount >= 1' <<< "${BATCH_IMPORT_RESULT}" > /dev/null 2>&1; then
- echo -e "\n$RED ERROR!$NORMAL Failed to send check output to AWS Security Hub\n"
+ BATCH_FINDINGS=$(echo $SECURITY_HUB_PREVIOUS_FINDINGS | jq -c '.['"$i:$i+50"']')
+ BATCH_FINDINGS_COUNT=$(echo $BATCH_FINDINGS | jq '. | length')
+ if [ "$BATCH_FINDINGS_COUNT" -gt 0 ]; then
+ BATCH_IMPORT_RESULT=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT batch-import-findings --findings "${BATCH_FINDINGS}")
+ if [[ -z "${BATCH_IMPORT_RESULT}" ]] || jq -e '.FailedCount >= 1' <<< "${BATCH_IMPORT_RESULT}" > /dev/null 2>&1; then
+ echo -e "\n$RED ERROR!$NORMAL Failed to send check output to AWS Security Hub\n"
+ fi
 fi
 done
 fi
From 4ea4debeddac054fc999ca04d610fd63984831ed Mon Sep 17 00:00:00 2001
From: nikirby
Date: Wed, 1 Dec 2021 15:06:09 -0500
Subject: [PATCH 3/3] Added line to delete the temp folder after everything is done.
---
 include/securityhub_integration | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/securityhub_integration b/include/securityhub_integration
index 9c3d8f48a5..92151d45e7 100644
--- a/include/securityhub_integration
+++ b/include/securityhub_integration
@@ -83,7 +83,7 @@ resolveSecurityHubPreviousFails(){
 done
 fi
 done
-
+ rm -rf "$SH_TEMP_FOLDER"
 }
 sendToSecurityHub(){
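Review bot: The added `rm -rf "$SH_TEMP_FOLDER"` only executes when the function reaches its last line, so any earlier abort inside the region loop (a failing `get-findings` call, a `jq` error, or an exit under `set -e` if the script enables it) leaves `existing.json` and `findings.json` behind under `$PROWLER_DIR`. Per patch 1 of this series those files are the full `get-findings` output for the account, so their removal should not depend on the happy path. I would create the folder with `mktemp -d` and register the removal at the point of creation (earlier in this function, outside this hunk) via `trap 'rm -rf -- "$SH_TEMP_FOLDER"' EXIT`, and harden this line to `rm -rf -- "${SH_TEMP_FOLDER:?}"` so an unset variable fails loudly instead of silently doing nothing. The enclosing function `resolveSecurityHubPreviousFails` starts outside the hunk.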