Fixing #43

* Fixed data race condition discovered in #43
* Modernized github pipeline to use uv (like we are elsewhere)
* Removed conftest.py && requirements.txt as no longer needed
* reformatted the code using ruff to comply with other projects

Author: SteveMcGrath

.github/workflows/testing.yml

@@ -14,57 +14,13 @@ jobs:
         python-version: ["3.9", "3.10", "3.11"]
     steps:
       - uses: actions/checkout@v2
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+      - uses: astral-sh/setup-uv@v4
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install dependencies
-        run: |
-          pip install -U pip
-          pip install pytest-console-scripts \
-                      pytest                 \
-                      pytest-cov             \
-                      responses              \
-                      moto
-          pip install -r requirements.txt
-      - name: Run the unit test suite.
-        run: |
-          pytest tests                        \
-            --cov-report term-missing         \
-            --cov-report xml:cov/coverage.xml \
-            --cov=tenable_aws_sechub tests
-#      - name: Save Coverage Report
-#        uses: actions/upload-artifact@v2
-#        with:
-#          name: coverage_report_${{ matrix.python-version }}
-#          path: cov
-#          retention-days: 1
+      - run: uv sync --all-extras --dev
 
-  style:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Setup environment
-      run: |
-        pip install -U pip
-        pip install -r requirements.txt
-        pip install flake8          \
-                    flake8-fixme    \
-                    flake8-author   \
-                    flake8-pylint   \
-                    flake8-plugin-utils
-    - name: Run flake8
-      run: |
-        flake8 tenable_aws_sechub \
-          --count                 \
-          --select=E9,F63,F7,F82  \
-          --show-source           \
-          --statistics
-        flake8 tenable_aws_sechub \
-          --count                 \
-          --exit-zero             \
-          --max-complexity=12     \
-          --statistics
+      - name: Code linting
+        run: uv run ruff check --exit-zero
+
+      - name: Run unit tests
+        run: uv run pytest

conftest.py

@@ -54,3 +54,37 @@ readme = {file = ["README.md"], content-type = "text/markdown"}
 [tool.setuptools.packages.find]
 include         = ["tenable_aws_sechub*"]
 
+[tool.ruff.lint]
+select = ["E4", "E7", "E9", "F", "B"]
+fixable = [ "ALL" ]
+unfixable = [ "B" ]
+
+
+[tool.ruff.format]
+quote-style = "single"
+indent-style = "space"
+skip-magic-trailing-comma = false
+line-ending = "lf"
+docstring-code-format = false
+docstring-code-line-length = "dynamic"
+
+
+[tool.ruff.lint.per-file-ignores]
+"__init__.py" = ["E402", "F401"]
+"tenable/vm.py" = ["F401"]
+"**/{tests,docs,tools}/*" = ["E402"]
+
+[tool.pytest.ini_options]
+addopts  = "--cov-report term-missing --cov=tenable_aws_sechub"
+pythonpath = ["."]
+testpaths = ["./tests"]
+filterwarnings = ["ignore:::DeprecationWarning"]
+
+[dependency-groups]
+dev = [
+    "moto>=5.0.28",
+    "pytest>=8.3.4",
+    "pytest-console-scripts>=1.4.1",
+    "pytest-cov>=6.0.0",
+    "ruff>=0.9.6",
+]

pyproject.toml

@@ -1,6 +1,7 @@
 """
 Simple CLI wrapper for commandline interaction with the integration.
 """
+
 import logging
 from pathlib import Path
 from typing_extensions import Annotated
@@ -14,20 +15,19 @@
 
 
 @app.command()
-def sechub(configfile: Path = Path('tvm2aws.toml'),
-           verbose: Annotated[int, typer.Option('--verbose', '-v',
-                                                max=5,
-                                                count=True
-                                                )] = 2
-         ):
+def sechub(
+    configfile: Path = Path('tvm2aws.toml'),
+    verbose: Annotated[int, typer.Option('--verbose', '-v', max=5, count=True)] = 2,
+):
     """
     Tenable to AWS Security Hub vulnerability finding importer.
     """
     # Set the logging handler.
-    logging.basicConfig(level=(5 - verbose) * 10,
-                        datefmt="[%X]",
-                        handlers=[RichHandler(rich_tracebacks=True)]
-                        )
+    logging.basicConfig(
+        level=(5 - verbose) * 10,
+        datefmt='[%X]',
+        handlers=[RichHandler(rich_tracebacks=True)],
+    )
 
     # Read the configuration file
     with configfile.open('r', encoding='utf-8') as cobj:

requirements.txt

@@ -2,6 +2,7 @@
 The findings module handles transforming a TVM vulnerability finding into an
 AWS Security Hub finding.
 """
+
 from typing import Dict
 from restfly.utils import dict_flatten, dict_clean, trunc
 import arrow
@@ -12,14 +13,15 @@
     'OPEN': 'ACTIVE',
     'NEW': 'ACTIVE',
     'REOPENED': 'ACTIVE',
-    'FIXED': 'ARCHIVED'
+    'FIXED': 'ARCHIVED',
 }
 
 
 class Finding:
     """
     Security Hub Finding transformer
     """
+
     region: str
     account_id: str
     start_date: str
@@ -45,16 +47,19 @@ def check_required_params(self, vuln: Dict):
             'asset.aws_ec2_instance_id',
             'asset.aws_owner_id',
             'asset.aws_ec2_instance_type',
-            'asset.aws_ec2_instance_ami_id'
+            'asset.aws_ec2_instance_ami_id',
         ]
         failed = []
         for attr in required_attributes:
             if vuln.get(attr) is None:
                 failed.append(attr)
         if failed:
-            raise KeyError((f'The required asset attributes {",".join(failed)}'
-                            f' were not set on asset {vuln["asset.uuid"]}'
-                            ))
+            raise KeyError(
+                (
+                    f'The required asset attributes {",".join(failed)}'
+                    f' were not set on asset {vuln["asset.uuid"]}'
+                )
+            )
 
     def generate(self, vuln: Dict) -> Dict:
         """
@@ -77,25 +82,27 @@ def generate(self, vuln: Dict) -> Dict:
         # and lastly fall back to the severity_default_id.
         # FIXME: I don't really like how this nested fallback looks, and I feel
         #        there has to be a cleaner way to implement.
-        base_score = vuln.get('plugin.cvss3_base_score',
-                              vuln.get('plugin.cvss_base_score',
-                                       SEV_MAP[vuln.get('severity_default_id',
-                                                        0
-                                                        )]))
+        base_score = vuln.get(
+            'plugin.cvss3_base_score',
+            vuln.get(
+                'plugin.cvss_base_score', SEV_MAP[vuln.get('severity_default_id', 0)]
+            ),
+        )
 
         finding = {
             'SchemaVersion': '2018-10-08',
             'FirstObservedAt': vuln['first_found'],
             'LastObservedAt': vuln['last_found'],
-            'ProductArn': (f'arn:aws:securityhub:'
-                           f'{self.region}::product/tenable/tenable-io'
-                           ),
+            'ProductArn': (
+                f'arn:aws:securityhub:{self.region}::product/tenable/tenable-io'
+            ),
             'AwsAccountId': self.account_id,
             'GeneratorId': f'tenable-plugin-{vuln["plugin.id"]}',
-            'Id': (f'{vuln["asset.aws_region"]}/'
-                   f'{vuln["asset.aws_ec2_instance_id"]}/'
-                   f'{vuln["plugin.id"]}'
-                   ),
+            'Id': (
+                f'{vuln["asset.aws_region"]}/'
+                f'{vuln["asset.aws_ec2_instance_id"]}/'
+                f'{vuln["plugin.id"]}'
+            ),
             'CreatedAt': self.start_date,
             'UpdatedAt': self.start_date,
             'Types': ['Software and Configuration Checks/Vulnerabilities/CVE'],
@@ -109,27 +116,29 @@ def generate(self, vuln: Dict) -> Dict:
             # Some plugin names run quite long, we will need to truncate to
             # the max string size that AWS supports.
             'Title': trunc(vuln['plugin.name'], 256),
-
             # The description cannot exceed 1024 characters in size.
             'Description': trunc(vuln['plugin.description'], 1024),
-            'Resources': [{
-                'Type': 'AwsEc2Instance',
-                'Id': ('arn:aws:ec2:'
-                       f'{vuln["asset.aws_region"]}:'
-                       f'{vuln["asset.aws_owner_id"]}:'
-                       'instance:'
-                       f'{vuln["asset.aws_ec2_instance_id"]}'
-                       ),
-                'Region': vuln['asset.aws_region'],
-                'Details': {
-                    'AwsEc2Instance': {
-                        'Type': vuln['asset.aws_ec2_instance_type'],
-                        'ImageId': vuln['asset.aws_ec2_instance_ami_id'],
-                        'IpV4Addresses': vuln['asset.ipv4s'],
-                        'IpV6Addresses': vuln['asset.ipv6s'],
+            'Resources': [
+                {
+                    'Type': 'AwsEc2Instance',
+                    'Id': (
+                        'arn:aws:ec2:'
+                        f'{vuln["asset.aws_region"]}:'
+                        f'{vuln["asset.aws_owner_id"]}:'
+                        'instance:'
+                        f'{vuln["asset.aws_ec2_instance_id"]}'
+                    ),
+                    'Region': vuln['asset.aws_region'],
+                    'Details': {
+                        'AwsEc2Instance': {
+                            'Type': vuln['asset.aws_ec2_instance_type'],
+                            'ImageId': vuln['asset.aws_ec2_instance_ami_id'],
+                            'IpV4Addresses': vuln['asset.ipv4s'],
+                            'IpV6Addresses': vuln['asset.ipv6s'],
+                        },
                     },
-                },
-            }],
+                }
+            ],
             'ProductFields': {
                 'CVE': ', '.join(vuln.get('plugin.cve', [])),
                 'Plugin Family': vuln['plugin.family'],
@@ -142,12 +151,11 @@ def generate(self, vuln: Dict) -> Dict:
             # 'SourceUrl': 'XXXXXXX',
             'Remediation': {
                 'Recommendation': {
-
                     # The solution cannot exceed 1024 characters in length.
                     'Text': trunc(vuln['plugin.solution'], 512),
-                    'Url': vuln.get('plugin.see_also', [])[0]
+                    'Url': vuln.get('plugin.see_also', [])[0],
                 }
             },
-            'RecordState': STATE_MAP[vuln['state']]
+            'RecordState': STATE_MAP[vuln['state']],
         }
         return dict_clean(finding)