Sync with aqua main branch

Dockerfile

@@ -9,18 +9,27 @@ FROM node:lts-alpine3.12
 # You could also use this to specify a particular version number.
 ARG PACKAGENAME=cloudsploit
 
+# Create a non-root user and group
+RUN addgroup -S cloudsploit && adduser -S cloudsploit -G cloudsploit
+
 COPY . /var/scan/cloudsploit/
 
+# Set the working directory to /var/scan
+WORKDIR /var/scan
+
 # Install cloudsploit/scan into the container using npm from NPM
-RUN cd /var/scan \
-&& npm init --yes \
+RUN npm init --yes \
 && npm install ${PACKAGENAME} \
-&& npm link /var/scan/cloudsploit
+&& npm link /var/scan/cloudsploit \
+&& chown -R cloudsploit:cloudsploit /var/scan
 
 # Setup the container's path so that you can run cloudsploit directly
 # in case someone wants to customize it when running the container.
 ENV PATH "$PATH:/var/scan/node_modules/.bin"
 
+# Switch to non-root user
+USER cloudsploit
+
 # By default, run the scan. CMD allows consumers of the container to supply
 # command line arguments to the run command to control how this executes.
 # Thus, you can use the parameters that you would normally give to index.js

collectors/aws/accessanalyzer/listFindingsV2.js

@@ -0,0 +1,49 @@
+var AWS = require('aws-sdk');
+var async = require('async');
+var helpers = require(__dirname + '/../../../helpers/aws');
+
+module.exports = function(AWSConfig, collection, retries, callback) {
+    var accessanalyzer = new AWS.AccessAnalyzer(AWSConfig);
+    async.eachLimit(collection.accessanalyzer.listAnalyzers[AWSConfig.region].data, 15, function(analyzer, cb) {
+        collection.accessanalyzer.listFindingsV2[AWSConfig.region][analyzer.arn] = {};
+        var params = {
+            analyzerArn: analyzer.arn
+        };
+
+        var paginating = false;
+        var paginateCb = function(err, data) {
+            if (err) collection.accessanalyzer.listFindingsV2[AWSConfig.region][analyzer.arn].err = err;
+
+            if (!data) return cb();
+
+            if (paginating && data.findings && data.findings.length &&
+                collection.accessanalyzer.listFindingsV2[AWSConfig.region][analyzer.arn].data.findings &&
+                collection.accessanalyzer.listFindingsV2[AWSConfig.region][analyzer.arn].data.findings.length) {
+                collection.accessanalyzer.listFindingsV2[AWSConfig.region][analyzer.arn].data.findings = collection.accessanalyzer.listFindingsV2[AWSConfig.region][analyzer.arn].data.findings.concat(data.findings);
+            } else {
+                collection.accessanalyzer.listFindingsV2[AWSConfig.region][analyzer.arn].data = data;
+            }
+
+            if (data.nextToken && data.nextToken.length) {
+                paginating = true;
+                return execute(data.nextToken);
+            }
+
+            cb();
+        };
+
+        function execute(nextToken) { // eslint-disable-line no-inner-declarations
+            var localParams = JSON.parse(JSON.stringify(params || {}));
+            if (nextToken) localParams['nextToken'] = nextToken;
+            if (nextToken) {
+                helpers.makeCustomCollectorCall(accessanalyzer, 'listFindingsV2', localParams, retries, null, null, null, paginateCb);
+            } else {
+                helpers.makeCustomCollectorCall(accessanalyzer, 'listFindingsV2', params, retries, null, null, null, paginateCb);
+            }
+        }
+
+        execute();
+    }, function(){
+        callback();
+    });
+};

collectors/aws/apigateway/getClientCertificate.js

@@ -26,7 +26,8 @@ module.exports = function(AWSConfig, collection, retries, callback) {
                     collection.apigateway.getClientCertificate[AWSConfig.region][stage.clientCertificateId].err = err;
                     return pCb();
                 }
-                collection.apigateway.getClientCertificate[AWSConfig.region][stage.clientCertificateId].data = data;
+                if (data) collection.apigateway.getClientCertificate[AWSConfig.region][stage.clientCertificateId].data = data;
+
                 pCb();
             });
 

collectors/aws/apigateway/getIntegration.js

@@ -35,7 +35,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
                         return mCb();
                     }
 
-                    collection.apigateway.getIntegration[AWSConfig.region][api.id][resource.id][methodKey].data = data;
+                    if (data) collection.apigateway.getIntegration[AWSConfig.region][api.id][resource.id][methodKey].data = data;
                     mCb();
                 });
             }, function(){

collectors/aws/appmesh/describeVirtualGateway.js

@@ -29,7 +29,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
                     collection.appmesh.describeVirtualGateway[AWSConfig.region][gateway.virtualGatewayName].err = err;
                 }
 
-                collection.appmesh.describeVirtualGateway[AWSConfig.region][gateway.virtualGatewayName].data = data;
+                if (data) collection.appmesh.describeVirtualGateway[AWSConfig.region][gateway.virtualGatewayName].data = data;
                 pCb();
             });
 

collectors/aws/autoscaling/describeLaunchConfigurations.js

@@ -15,7 +15,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.autoscaling.describeLaunchConfigurations[AWSConfig.region][asg.AutoScalingGroupARN].err = err;
             }
-            collection.autoscaling.describeLaunchConfigurations[AWSConfig.region][asg.AutoScalingGroupARN].data = data;
+            if (data) collection.autoscaling.describeLaunchConfigurations[AWSConfig.region][asg.AutoScalingGroupARN].data = data;
 
             cb();
         });

collectors/aws/cloudfront/getDistribution.js

@@ -15,7 +15,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.cloudfront.getDistribution[AWSConfig.region][distribution.Id].err = err;
             }
-            collection.cloudfront.getDistribution[AWSConfig.region][distribution.Id].data = data;
+            if (data) collection.cloudfront.getDistribution[AWSConfig.region][distribution.Id].data = data;
             cb();
         });
 

collectors/aws/cloudwatch/getEcMetricStatistics.js

@@ -29,7 +29,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.cloudwatch.getEcMetricStatistics[AWSConfig.region][cluster.CacheClusterId].err = err;
             }
-            collection.cloudwatch.getEcMetricStatistics[AWSConfig.region][cluster.CacheClusterId].data = data;
+            if (data) collection.cloudwatch.getEcMetricStatistics[AWSConfig.region][cluster.CacheClusterId].data = data;
             cb();
         });
 

collectors/aws/cloudwatch/getEsMetricStatistics.js

@@ -29,7 +29,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.cloudwatch.getEsMetricStatistics[AWSConfig.region][domain.DomainName].err = err;
             }
-            collection.cloudwatch.getEsMetricStatistics[AWSConfig.region][domain.DomainName].data = data;
+            if (data) collection.cloudwatch.getEsMetricStatistics[AWSConfig.region][domain.DomainName].data = data;
             cb();
         });
 

collectors/aws/cloudwatch/getRdsMetricStatistics.js

@@ -29,7 +29,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.cloudwatch.getRdsMetricStatistics[AWSConfig.region][instance.DBInstanceIdentifier].err = err;
             }
-            collection.cloudwatch.getRdsMetricStatistics[AWSConfig.region][instance.DBInstanceIdentifier].data = data;
+            if (data) collection.cloudwatch.getRdsMetricStatistics[AWSConfig.region][instance.DBInstanceIdentifier].data = data;
             cb();
         });
 

collectors/aws/cloudwatch/getRdsReadIOPSMetricStatistics.js

@@ -29,7 +29,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.cloudwatch.getRdsReadIOPSMetricStatistics[AWSConfig.region][instance.DBInstanceIdentifier].err = err;
             }
-            collection.cloudwatch.getRdsReadIOPSMetricStatistics[AWSConfig.region][instance.DBInstanceIdentifier].data = data;
+            if (data) collection.cloudwatch.getRdsReadIOPSMetricStatistics[AWSConfig.region][instance.DBInstanceIdentifier].data = data;
             cb();
         });
 

collectors/aws/cloudwatch/getRdsWriteIOPSMetricStatistics.js

@@ -29,7 +29,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.cloudwatch.getRdsWriteIOPSMetricStatistics[AWSConfig.region][instance.DBInstanceIdentifier].err = err;
             }
-            collection.cloudwatch.getRdsWriteIOPSMetricStatistics[AWSConfig.region][instance.DBInstanceIdentifier].data = data;
+            if (data) collection.cloudwatch.getRdsWriteIOPSMetricStatistics[AWSConfig.region][instance.DBInstanceIdentifier].data = data;
             cb();
         });
 

collectors/aws/cloudwatch/getredshiftMetricStatistics.js

@@ -29,7 +29,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.cloudwatch.getredshiftMetricStatistics[AWSConfig.region][cluster.ClusterIdentifier].err = err;
             }
-            collection.cloudwatch.getredshiftMetricStatistics[AWSConfig.region][cluster.ClusterIdentifier].data = data;
+            if (data) collection.cloudwatch.getredshiftMetricStatistics[AWSConfig.region][cluster.ClusterIdentifier].data = data;
             cb();
         });
 

collectors/aws/codebuild/batchGetProjects.js

@@ -16,7 +16,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.codebuild.batchGetProjects[AWSConfig.region][project].err = err;
             }
-            collection.codebuild.batchGetProjects[AWSConfig.region][project].data = data;
+            if (data) collection.codebuild.batchGetProjects[AWSConfig.region][project].data = data;
             cb();
         });
     }, function(){

collectors/aws/connect/instanceAttachmentStorageConfigs.js

@@ -16,7 +16,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.connect.instanceAttachmentStorageConfigs[AWSConfig.region][instance.Id].err = err;
             }
-            collection.connect.instanceAttachmentStorageConfigs[AWSConfig.region][instance.Id].data = data;
+            if (data) collection.connect.instanceAttachmentStorageConfigs[AWSConfig.region][instance.Id].data = data;
             cb();
         });
     }, function(){

collectors/aws/connect/listInstanceCallRecordingStorageConfigs.js

@@ -16,7 +16,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.connect.listInstanceCallRecordingStorageConfigs[AWSConfig.region][instance.Id].err = err;
             }
-            collection.connect.listInstanceCallRecordingStorageConfigs[AWSConfig.region][instance.Id].data = data;
+            if (data) collection.connect.listInstanceCallRecordingStorageConfigs[AWSConfig.region][instance.Id].data = data;
             cb();
         });
     }, function(){

collectors/aws/connect/listInstanceChatTranscriptStorageConfigs.js

@@ -16,7 +16,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.connect.listInstanceChatTranscriptStorageConfigs[AWSConfig.region][instance.Id].err = err;
             }
-            collection.connect.listInstanceChatTranscriptStorageConfigs[AWSConfig.region][instance.Id].data = data;
+            if (data) collection.connect.listInstanceChatTranscriptStorageConfigs[AWSConfig.region][instance.Id].data = data;
             cb();
         });
     }, function(){

collectors/aws/connect/listInstanceExportedReportStorageConfigs.js

@@ -16,7 +16,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.connect.listInstanceExportedReportStorageConfigs[AWSConfig.region][instance.Id].err = err;
             }
-            collection.connect.listInstanceExportedReportStorageConfigs[AWSConfig.region][instance.Id].data = data;
+            if (data) collection.connect.listInstanceExportedReportStorageConfigs[AWSConfig.region][instance.Id].data = data;
             cb();
         });
     }, function(){

collectors/aws/connect/listInstanceMediaStreamStorageConfigs.js

@@ -16,7 +16,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.connect.listInstanceMediaStreamStorageConfigs[AWSConfig.region][instance.Id].err = err;
             }
-            collection.connect.listInstanceMediaStreamStorageConfigs[AWSConfig.region][instance.Id].data = data;
+            if (data) collection.connect.listInstanceMediaStreamStorageConfigs[AWSConfig.region][instance.Id].data = data;
             cb();
         });
     }, function(){

collectors/aws/dynamodb/describeContinuousBackups.js

@@ -15,7 +15,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.dynamodb.describeContinuousBackups[AWSConfig.region][table].err = err;
             }
-            collection.dynamodb.describeContinuousBackups[AWSConfig.region][table].data = data;
+            if (data) collection.dynamodb.describeContinuousBackups[AWSConfig.region][table].data = data;
             cb();
         });
     }, function(){

collectors/aws/dynamodb/describeTable.js

@@ -15,7 +15,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.dynamodb.describeTable[AWSConfig.region][table].err = err;
             }
-            collection.dynamodb.describeTable[AWSConfig.region][table].data = data;
+            if (data) collection.dynamodb.describeTable[AWSConfig.region][table].data = data;
             cb();
         });
     }, function(){

collectors/aws/dynamodb/listBackups.js

@@ -18,7 +18,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.dynamodb.listBackups[AWSConfig.region][table].err = err;
             }
-            collection.dynamodb.listBackups[AWSConfig.region][table].data = data;
+            if (data) collection.dynamodb.listBackups[AWSConfig.region][table].data = data;
             cb();
         });
     }, function(){

collectors/aws/ec2/describeSnapshotAttribute.js

@@ -16,7 +16,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.ec2.describeSnapshotAttribute[AWSConfig.region][snapshot.SnapshotId].err = err;
             }
-            collection.ec2.describeSnapshotAttribute[AWSConfig.region][snapshot.SnapshotId].data = data;
+            if (data) collection.ec2.describeSnapshotAttribute[AWSConfig.region][snapshot.SnapshotId].data = data;
             cb();
         });
     }, function(){

collectors/aws/ec2/describeSnapshots.js

@@ -9,6 +9,9 @@ module.exports = function(AWSConfig, collection, retries, callback) {
     var ec2 = new AWS.EC2(AWSConfig);
     var sts = new AWS.STS(AWSConfig);
     var paginating = false;
+    var maxSnapshots = 30000; // Limit the collection to 30,000 snapshots
+    var createdTime = new Date();
+    createdTime.setDate(createdTime.getDate() - 30);
 
     helpers.makeCustomCollectorCall(sts, 'getCallerIdentity', {}, retries, null, null, null, function(stsErr, stsData) {
         if (stsErr || !stsData.Account) {
@@ -38,16 +41,22 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.ec2.describeSnapshots[AWSConfig.region].err = err;
             } else if (data) {
-                if (paginating && data.Snapshots && data.Snapshots.length &&
+                const filteredSnapshots = data.Snapshots? data.Snapshots.filter(snapshot => {
+                    return new Date(snapshot.StartTime) > createdTime;
+                }) : [];
+
+                if (paginating && filteredSnapshots && filteredSnapshots.length &&
                     collection.ec2.describeSnapshots[AWSConfig.region].data &&
-                    collection.ec2.describeSnapshots[AWSConfig.region].data.length) {
-                    collection.ec2.describeSnapshots[AWSConfig.region].data = collection.ec2.describeSnapshots[AWSConfig.region].data.concat(data.Snapshots);
+                    collection.ec2.describeSnapshots[AWSConfig.region].data.length &&
+                    collection.ec2.describeSnapshots[AWSConfig.region].data.length < maxSnapshots) {
+                    collection.ec2.describeSnapshots[AWSConfig.region].data = collection.ec2.describeSnapshots[AWSConfig.region].data.concat(filteredSnapshots);
                 } else if (!paginating) {
-                    collection.ec2.describeSnapshots[AWSConfig.region].data = data.Snapshots;
+                    collection.ec2.describeSnapshots[AWSConfig.region].data = filteredSnapshots;
                 }
-                if (data.NextToken &&
+                if (data.NextToken && data.NextToken.length &&
                     collection.ec2.describeSnapshots[AWSConfig.region].data &&
-                    collection.ec2.describeSnapshots[AWSConfig.region].data.length) {
+                    collection.ec2.describeSnapshots[AWSConfig.region].data.length &&
+                    collection.ec2.describeSnapshots[AWSConfig.region].data.length < maxSnapshots) {
                     paginating = true;
                     return execute(data.NextToken);
                 }

collectors/aws/ec2/describeSubnets.js

@@ -25,7 +25,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
                 collection.ec2.describeSubnets[AWSConfig.region][vpc.VpcId].err = err;
             }
 
-            collection.ec2.describeSubnets[AWSConfig.region][vpc.VpcId].data = data;
+            if (data) collection.ec2.describeSubnets[AWSConfig.region][vpc.VpcId].data = data;
 
             cb();
         });

collectors/aws/ecs/describeCluster.js

@@ -19,7 +19,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
                 collection.ecs.describeCluster[AWSConfig.region][cluster].err = err;
             }
 
-            collection.ecs.describeCluster[AWSConfig.region][cluster].data = data;
+            if (data) collection.ecs.describeCluster[AWSConfig.region][cluster].data = data;
 
             cb();
         });

collectors/aws/ecs/describeContainerInstances.js

@@ -22,7 +22,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
                     collection.ecs.describeContainerInstances[AWSConfig.region][containerInstance].err = err;
                 }
 
-                collection.ecs.describeContainerInstances[AWSConfig.region][containerInstance].data = data;
+                if (data) collection.ecs.describeContainerInstances[AWSConfig.region][containerInstance].data = data;
 
                 ccb();
             });

collectors/aws/ecs/describeServices.js

@@ -22,7 +22,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
                     collection.ecs.describeServices[AWSConfig.region][service].err = err;
                 }
 
-                collection.ecs.describeServices[AWSConfig.region][service].data = data;
+                if (data) collection.ecs.describeServices[AWSConfig.region][service].data = data;
 
                 ccb();
             });

collectors/aws/ecs/describeTasks.js

@@ -22,7 +22,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
                     collection.ecs.describeTasks[AWSConfig.region][task].err = err;
                 }
 
-                collection.ecs.describeTasks[AWSConfig.region][task].data = data;
+                if (data) collection.ecs.describeTasks[AWSConfig.region][task].data = data;
 
                 ccb();
             });

collectors/aws/ecs/listTasks.js

@@ -18,10 +18,9 @@ module.exports = function(AWSConfig, collection, retries, callback) {
         helpers.makeCustomCollectorCall(ecs, 'listTasks', params, retries, null, null, null, function(err, data) {
             if (err) {
                 collection.ecs.listTasks[AWSConfig.region][cluster].err = err;
+            } else if (data && data.taskArns) {
+                collection.ecs.listTasks[AWSConfig.region][cluster].data = data.taskArns;
             }
-
-            collection.ecs.listTasks[AWSConfig.region][cluster].data = data.taskArns;
-
             cb();
         });
     }, function(){

collectors/aws/elasticache/describeCacheSubnetGroups.js

@@ -15,7 +15,7 @@ module.exports = function(AWSConfig, collection, retries, callback) {
             if (err) {
                 collection.elasticache.describeCacheSubnetGroups[AWSConfig.region][cluster.CacheSubnetGroupName].err = err;
             }
-            collection.elasticache.describeCacheSubnetGroups[AWSConfig.region][cluster.CacheSubnetGroupName].data = data;
+            if (data) collection.elasticache.describeCacheSubnetGroups[AWSConfig.region][cluster.CacheSubnetGroupName].data = data;
             cb();
         });
     }, function(){