Migrate to aws-sdk-go-v2

check/controls.go

@@ -21,8 +21,8 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go-v2/aws"
-	"github.com/aws/aws-sdk-go/service/securityhub"
+	"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
 	"github.com/golang/glog"
 	"github.com/onsi/ginkgo/reporters"
 	"github.com/spf13/viper"
@@ -206,8 +206,8 @@ func (controls *Controls) JUnit() ([]byte, error) {
 }
 
 // ASFF encodes the results of last run to AWS Security Finding Format(ASFF).
-func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
+func (controls *Controls) ASFF() ([]types.AwsSecurityFinding, error) {
-	fs := []*securityhub.AwsSecurityFinding{}
+	fs := []types.AwsSecurityFinding{}
 	account, err := getConfig("AWS_ACCOUNT")
 	if err != nil {
 		return nil, err
@@ -250,9 +250,9 @@ func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
 					id = aws.String(fmt.Sprintf("%s%sEKSnodeID+%s+%s+%s", arn, account, check.ID, cluster, nodeName))
 				}
 
-				f := securityhub.AwsSecurityFinding{
+				f := types.AwsSecurityFinding{
 					AwsAccountId:  aws.String(account),
-					Confidence:    aws.Int64(100),
+					Confidence:    *aws.Int32(100),
 					GeneratorId:   aws.String(fmt.Sprintf("%s/cis-kubernetes-benchmark/%s/%s", arn, controls.Version, check.ID)),
 					Id:            id,
 					CreatedAt:     aws.String(tf),
@@ -261,30 +261,30 @@ func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
 					SchemaVersion: aws.String(SCHEMA),
 					Title:         aws.String(fmt.Sprintf("%s %s", check.ID, check.Text)),
 					UpdatedAt:     aws.String(tf),
-					Types:         []*string{aws.String(TYPE)},
+					Types:         []string{*aws.String(TYPE)},
-					Severity: &securityhub.Severity{
+					Severity: &types.Severity{
-						Label: aws.String(securityhub.SeverityLabelHigh),
+						Label: types.SeverityLabelHigh,
 					},
-					Remediation: &securityhub.Remediation{
+					Remediation: &types.Remediation{
-						Recommendation: &securityhub.Recommendation{
+						Recommendation: &types.Recommendation{
 							Text: aws.String(remediation),
 						},
 					},
-					ProductFields: map[string]*string{
+					ProductFields: map[string]string{
-						"Reason":          aws.String(reason),
+						"Reason":          reason,
-						"Actual result":   aws.String(actualValue),
+						"Actual result":   actualValue,
-						"Expected result": aws.String(check.ExpectedResult),
+						"Expected result": check.ExpectedResult,
-						"Section":         aws.String(fmt.Sprintf("%s %s", controls.ID, controls.Text)),
+						"Section":         fmt.Sprintf("%s %s", controls.ID, controls.Text),
-						"Subsection":      aws.String(fmt.Sprintf("%s %s", g.ID, g.Text)),
+						"Subsection":      fmt.Sprintf("%s %s", g.ID, g.Text),
 					},
-					Resources: []*securityhub.Resource{
+					Resources: []types.Resource{
 						{
 							Id:   aws.String(cluster),
 							Type: aws.String(TYPE),
 						},
 					},
 				}
-				fs = append(fs, &f)
+				fs = append(fs, f)
 			}
 		}
 	}

check/controls_test.go

@@ -25,8 +25,8 @@ import (
 	"reflect"
 	"testing"
 
-	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go-v2/aws"
-	"github.com/aws/aws-sdk-go/service/securityhub"
+	"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
 	"github.com/onsi/ginkgo/reporters"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/assert"
@@ -374,7 +374,7 @@ func TestControls_ASFF(t *testing.T) {
 	tests := []struct {
 		name    string
 		fields  fields
-		want    []*securityhub.AwsSecurityFinding
+		want    []types.AwsSecurityFinding
 		wantErr bool
 	}{
 		{
@@ -405,32 +405,32 @@ func TestControls_ASFF(t *testing.T) {
 						},
 					},
 				}},
-			want: []*securityhub.AwsSecurityFinding{
+			want: []types.AwsSecurityFinding{
 				{
 					AwsAccountId:  aws.String("foo account"),
-					Confidence:    aws.Int64(100),
+					Confidence:    *aws.Int32(100),
 					GeneratorId:   aws.String(fmt.Sprintf("%s/cis-kubernetes-benchmark/%s/%s", fmt.Sprintf(ARN, "somewhere"), "1", "check1id")),
 					Description:   aws.String("check1text"),
 					ProductArn:    aws.String(fmt.Sprintf(ARN, "somewhere")),
 					SchemaVersion: aws.String(SCHEMA),
 					Title:         aws.String(fmt.Sprintf("%s %s", "check1id", "check1text")),
-					Types:         []*string{aws.String(TYPE)},
+					Types:         []string{*aws.String(TYPE)},
-					Severity: &securityhub.Severity{
+					Severity: &types.Severity{
-						Label: aws.String(securityhub.SeverityLabelHigh),
+						Label: types.SeverityLabelHigh,
 					},
-					Remediation: &securityhub.Remediation{
+					Remediation: &types.Remediation{
-						Recommendation: &securityhub.Recommendation{
+						Recommendation: &types.Recommendation{
 							Text: aws.String("fix me"),
 						},
 					},
-					ProductFields: map[string]*string{
+					ProductFields: map[string]string{
-						"Reason":          aws.String("failed"),
+						"Reason":          "failed",
-						"Actual result":   aws.String("failed"),
+						"Actual result":   "failed",
-						"Expected result": aws.String("failed"),
+						"Expected result": "failed",
-						"Section":         aws.String(fmt.Sprintf("%s %s", "test1", "test runnner")),
+						"Section":         fmt.Sprintf("%s %s", "test1", "test runnner"),
-						"Subsection":      aws.String(fmt.Sprintf("%s %s", "g1", "Group text")),
+						"Subsection":      fmt.Sprintf("%s %s", "g1", "Group text"),
 					},
-					Resources: []*securityhub.Resource{
+					Resources: []types.Resource{
 						{
 							Id:   aws.String("foo Cluster"),
 							Type: aws.String(TYPE),

cmd/securityHub.go

@@ -1,33 +1,32 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"log"
 
 	"github.com/aquasecurity/kube-bench/internal/findings"
-	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
-	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go-v2/service/securityhub"
-	"github.com/aws/aws-sdk-go/service/securityhub"
+	"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
 	"github.com/spf13/viper"
 )
 
 // REGION ...
 const REGION = "AWS_REGION"
 
-func writeFinding(in []*securityhub.AwsSecurityFinding) error {
+func writeFinding(in []types.AwsSecurityFinding) error {
 	r := viper.GetString(REGION)
 	if len(r) == 0 {
 		return fmt.Errorf("%s not set", REGION)
 	}
-	sess, err := session.NewSession(&aws.Config{
+	cfg, err := config.LoadDefaultConfig(context.Background(), config.WithRegion(r))
-		Region: aws.String(r),
-	},
-	)
 	if err != nil {
 		return err
 	}
-	svc := securityhub.New(sess)
+
-	p := findings.New(svc)
+	svc := securityhub.NewFromConfig(cfg)
+	p := findings.New(*svc)
 	out, perr := p.PublishFinding(in)
 	print(out)
 	return perr

go.mod

@@ -3,7 +3,9 @@ module github.com/aquasecurity/kube-bench
 go 1.16
 
 require (
-	github.com/aws/aws-sdk-go v1.44.91
+	github.com/aws/aws-sdk-go-v2 v1.16.14
+	github.com/aws/aws-sdk-go-v2/config v1.17.5
+	github.com/aws/aws-sdk-go-v2/service/securityhub v1.23.3
 	github.com/fatih/color v1.13.0
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/magiconair/properties v1.8.6

go.sum

@@ -83,8 +83,32 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/aws/aws-sdk-go v1.44.91 h1:SRWmuX7PTyhBdLuvSfM7KWrWISJsrRsUPcFDSFduRxY=
+github.com/aws/aws-sdk-go-v2 v1.16.14 h1:db6GvO4Z2UqHt5gvT0lr6J5x5P+oQ7bdRzczVaRekMU=
-github.com/aws/aws-sdk-go v1.44.91/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go-v2 v1.16.14/go.mod h1:s/G+UV29dECbF5rf+RNj1xhlmvoNurGSr+McVSRj59w=
+github.com/aws/aws-sdk-go-v2/config v1.17.5 h1:+NS1BWvprx7nHcIk5o32LrZgifs/7Pm1V2nWjQgZ2H0=
+github.com/aws/aws-sdk-go-v2/config v1.17.5/go.mod h1:H0cvPNDO3uExWts/9PDhD/0ne2esu1uaIulwn1vkwxM=
+github.com/aws/aws-sdk-go-v2/credentials v1.12.18 h1:HF62tbhARhgLfvmfwUbL9qZ+dkbZYzbFdxBb3l5gr7Q=
+github.com/aws/aws-sdk-go-v2/credentials v1.12.18/go.mod h1:O7n/CPagQ33rfG6h7vR/W02ammuc5CrsSM22cNZp9so=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.15 h1:nkQ+aI0OCeYfzrBipL6ja/6VEbUnHQoZHBHtoK+Nzxw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.15/go.mod h1:Oz2/qWINxIgSmoZT9adpxJy2UhpcOAI3TIyWgYMVSz0=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.21 h1:gRIXnmAVNyoRQywdNtpAkgY+f30QNzgF53Q5OobNZZs=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.21/go.mod h1:XsmHMV9c512xgsW01q7H0ut+UQQQpWX8QsFbdLHDwaU=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.15 h1:noAhOo2mMDyYhTx99aYPvQw16T3fQ/DiKAv9fzpIKH8=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.15/go.mod h1:kjJ4CyD9M3Wq88GYg3IPfj67Rs0Uvz8aXK7MJ8BvE4I=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.22 h1:nF+E8HfYpOMw6M5oA9efB602VC00IHNQnB5CmFvZPvA=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.22/go.mod h1:tltHVGy977LrSOgRR5aV9+miyno/Gul/uJNPKS7FzP4=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.15 h1:xlf0J6DUgAj/ocvKQxCmad8Bu1lJuRbt5Wu+4G1xw1g=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.15/go.mod h1:ZVJ7ejRl4+tkWMuCwjXoy0jd8fF5u3RCyWjSVjUIvQE=
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.23.3 h1:1LIfhYGTK6Kw7owKXpEA5pAaWjdVYRNcBLJ81B2TJzs=
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.23.3/go.mod h1:Tv7Jz1TX6TBzm7xn3wdvQrjoWQAa9wIHnW4jR4udpuQ=
+github.com/aws/aws-sdk-go-v2/service/sso v1.11.21 h1:7jUFr+7F4MzIjCZzy7ygRtXFQcQ0kAbT0gUvtUeAdyU=
+github.com/aws/aws-sdk-go-v2/service/sso v1.11.21/go.mod h1:q8nYq51W3gpZempYsAD83fPRlrOTMCwN+Ahg4BKFTXQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.3 h1:UTTPNP3/WzZa7hoHP3Szb/Yl0bM3NoBrf5ABy1OArUM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.3/go.mod h1:+IF75RMJh0+zqTGXGshyEGRsU2ImqWv6UuHGkHl6kEo=
+github.com/aws/aws-sdk-go-v2/service/sts v1.16.17 h1:LVM2jzEQ8mhb2dhrFl4PJ3sa5+KcKT01dsMk2Ma9/FU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.16.17/go.mod h1:bQujK1n0V1D1Gz5uII1jaB1WDvhj4/T3tElsJnVXCR0=
+github.com/aws/smithy-go v1.13.2 h1:TBLKyeJfXTrTXRHmsv4qWt9IQGYyWThLYaJWSahTOGE=
+github.com/aws/smithy-go v1.13.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
@@ -350,9 +374,7 @@ github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.4 h1:tHnRBy1i5F2Dh8BAFxqFzxKqqvezXrL2OW1TnX+Mlas=
 github.com/jinzhu/now v1.1.4/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=

internal/findings/publisher.go

@@ -1,14 +1,16 @@
 package findings
 
 import (
-	"github.com/aws/aws-sdk-go/service/securityhub"
+	"context"
-	"github.com/aws/aws-sdk-go/service/securityhub/securityhubiface"
+
+	"github.com/aws/aws-sdk-go-v2/service/securityhub"
+	"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
 	"github.com/pkg/errors"
 )
 
 // A Publisher represents an object that publishes finds to AWS Security Hub.
 type Publisher struct {
-	client securityhubiface.SecurityHubAPI // AWS Security Hub Service Client
+	client securityhub.Client // AWS Security Hub Service Client
 }
 
 // A PublisherOutput represents an object that contains information about the service call.
@@ -16,26 +18,26 @@ type PublisherOutput struct {
 	// The number of findings that failed to import.
 	//
 	// FailedCount is a required field
-	FailedCount int64
+	FailedCount int32
 
 	// The list of findings that failed to import.
-	FailedFindings []*securityhub.ImportFindingsError
+	FailedFindings []types.ImportFindingsError
 
 	// The number of findings that were successfully imported.
 	//
 	// SuccessCount is a required field
-	SuccessCount int64
+	SuccessCount int32
 }
 
 // New creates a new Publisher.
-func New(client securityhubiface.SecurityHubAPI) *Publisher {
+func New(client securityhub.Client) *Publisher {
 	return &Publisher{
 		client: client,
 	}
 }
 
 // PublishFinding publishes findings to AWS Security Hub Service
-func (p *Publisher) PublishFinding(finding []*securityhub.AwsSecurityFinding) (*PublisherOutput, error) {
+func (p *Publisher) PublishFinding(finding []types.AwsSecurityFinding) (*PublisherOutput, error) {
 	o := PublisherOutput{}
 	i := securityhub.BatchImportFindingsInput{}
 	i.Findings = finding
@@ -45,24 +47,20 @@ func (p *Publisher) PublishFinding(finding []*securityhub.AwsSecurityFinding) (*
 	batch := 100
 
 	for i := 0; i < len(finding); i += batch {
-		j := i + batch
-		if j > len(finding) {
-			j = len(finding)
-		}
 		i := securityhub.BatchImportFindingsInput{}
 		i.Findings = finding
-		r, err := p.client.BatchImportFindings(&i) // Process the batch.
+		r, err := p.client.BatchImportFindings(context.Background(), &i) // Process the batch.
 		if err != nil {
 			errs = errors.Wrap(err, "finding publish failed")
 		}
-		if r.FailedCount != nil {
+		if r != nil {
-			o.FailedCount += *r.FailedCount
+			if r.FailedCount != 0 {
+				o.FailedCount += r.FailedCount
 			}
-		if r.SuccessCount != nil {
+			if r.SuccessCount != 0 {
-			o.SuccessCount += *r.SuccessCount
+				o.SuccessCount += r.SuccessCount
 			}
-		for _, ff := range r.FailedFindings {
+			o.FailedFindings = append(o.FailedFindings, r.FailedFindings...)
-			o.FailedFindings = append(o.FailedFindings, ff)
 		}
 	}
 	return &o, errs

internal/findings/publisher_test.go

@@ -1,68 +0,0 @@
-package findings
-
-import (
-	"testing"
-
-	"github.com/aws/aws-sdk-go/service/securityhub"
-	"github.com/aws/aws-sdk-go/service/securityhub/securityhubiface"
-)
-
-// Define a mock struct to be used in your unit tests of myFunc.
-type MockSHClient struct {
-	securityhubiface.SecurityHubAPI
-	Batches         int
-	NumberOfFinding int
-}
-
-func NewMockSHClient() *MockSHClient {
-	return &MockSHClient{}
-}
-
-func (m *MockSHClient) BatchImportFindings(input *securityhub.BatchImportFindingsInput) (*securityhub.BatchImportFindingsOutput, error) {
-	o := securityhub.BatchImportFindingsOutput{}
-	m.Batches++
-	m.NumberOfFinding = len(input.Findings)
-	return &o, nil
-}
-
-func TestPublisher_publishFinding(t *testing.T) {
-	type fields struct {
-		client *MockSHClient
-	}
-	type args struct {
-		finding []*securityhub.AwsSecurityFinding
-	}
-	tests := []struct {
-		name             string
-		fields           fields
-		args             args
-		wantBatchCount   int
-		wantFindingCount int
-	}{
-		{"Test single finding", fields{NewMockSHClient()}, args{makeFindings(1)}, 1, 1},
-		{"Test 150 finding should return 2 batches", fields{NewMockSHClient()}, args{makeFindings(150)}, 2, 150},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			p := New(tt.fields.client)
-			p.PublishFinding(tt.args.finding)
-			if tt.fields.client.NumberOfFinding != tt.wantFindingCount {
-				t.Errorf("Publisher.publishFinding() want = %v, got %v", tt.wantFindingCount, tt.fields.client.NumberOfFinding)
-			}
-			if tt.fields.client.Batches != tt.wantBatchCount {
-				t.Errorf("Publisher.publishFinding() want = %v, got %v", tt.wantBatchCount, tt.fields.client.Batches)
-			}
-		})
-	}
-}
-
-func makeFindings(count int) []*securityhub.AwsSecurityFinding {
-	var findings []*securityhub.AwsSecurityFinding
-
-	for i := 0; i < count; i++ {
-		t := securityhub.AwsSecurityFinding{}
-		findings = append(findings, &t)
-
-	}
-	return findings
-}