File: //snap/google-cloud-cli/current/lib/surface/scc/findings/group.py
# -*- coding: utf-8 -*- #
# Copyright 2023 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Command to Filter an organization or source's findings and group them by their specified properties."""
from __future__ import absolute_import
from __future__ import division
from __future__ import print_function
from __future__ import unicode_literals
import re
import sys
from googlecloudsdk.api_lib.scc import securitycenter_client
from googlecloudsdk.calliope import arg_parsers
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.scc import flags as scc_flags
from googlecloudsdk.command_lib.scc import util as scc_util
from googlecloudsdk.command_lib.scc.findings import flags
from googlecloudsdk.command_lib.scc.findings import util
from googlecloudsdk.core.util import times
@base.ReleaseTracks(
base.ReleaseTrack.GA, base.ReleaseTrack.BETA, base.ReleaseTrack.ALPHA
)
class Group(base.Command):
"""Filter an organization or source's findings and groups them by their specified properties."""
detailed_help = {
"DESCRIPTION": """
To group across all sources provide a '-' as the source id.""",
"EXAMPLES": """
Group findings under organization `123456` across all sources by their
category:
$ {command} 123456 --group-by="category"
Group findings under project `example-project` across all sources by
their category:
$ {command} projects/example-project --group-by="category"
Group findings under folders `456` across all sources by their
category:
$ {command} folders/456 --group-by="category"
Group findings under organization `123456` and source `5678`, by their
category:
$ {command} 123456 --source=5678 --group-by="category"
Group ACTIVE findings under organization `123456` and source `5678`,
by their category:
$ {command} 123456 --source=5678 --group-by="category"
--filter="state=\\"ACTIVE\\""
Group findings under organization `123456` and `location=eu` across
all sources by their category:
$ {command} 123456 --group-by="category" --location=eu""",
"API REFERENCE": """
This command uses the Security Command Center API. For more information,
see [Security Command Center API.](https://cloud.google.com/security-command-center/docs/reference/rest)""",
}
@staticmethod
def Args(parser):
# Add shared flags and parent positional argument
scc_flags.AppendParentArg()[0].AddToParser(parser)
scc_flags.PAGE_TOKEN_FLAG.AddToParser(parser)
scc_flags.READ_TIME_FLAG.AddToParser(parser)
flags.COMPARE_DURATION_FLAG.AddToParser(parser)
flags.SOURCE_FLAG.AddToParser(parser)
scc_flags.API_VERSION_FLAG.AddToParser(parser)
scc_flags.LOCATION_FLAG.AddToParser(parser)
parser.add_argument(
"--filter",
help="""
Expression that defines the filter to apply across findings. The
expression is a list of one or more restrictions combined via logical
operators 'AND' and 'OR'. Parentheses are supported, and 'OR' has higher
precedence than 'AND'. Restrictions have the form
'<field> <operator> <value>' and may have a '-' character in front of
them to indicate negation. Examples include: name,
source_properties.a_property, security_marks.marks.marka.
The supported operators are:
* '=' for all value types.
* '>', '<', '>=', '<=' for integer values.
* ':', meaning substring matching, for strings.
The supported value types are:string literals in quotes, integer
literals without quotes, boolean literals 'true' and 'false' without
quotes. Some example filters: 'source_properties.size = 100',
'category=\\"XSS\\" AND event_time > 10' etc.""",
)
parser.add_argument(
"--group-by",
help="""
Expression that defines what findings fields to use for grouping
(including 'state'). String value should follow SQL syntax: comma
separated list of fields. For example: "parent,resource_name".
The following fields are supported:
* resource_name
* category
* state
* parent""",
)
parser.add_argument(
"--page-size",
type=arg_parsers.BoundedInt(1, sys.maxsize, unlimited=True),
help="""
Maximum number of results to return in a single response. Default is 10,
minimum is 1, maximum is 1000.""",
)
def Run(self, args):
deprecated_args = ["compare_duration", "read_time"]
version = util.GetApiVersionUsingDeprecatedArgs(args, deprecated_args)
messages = securitycenter_client.GetMessages(version)
request = messages.SecuritycenterOrganizationsSourcesFindingsGroupRequest()
request.groupFindingsRequest = messages.GroupFindingsRequest()
# Populate request fields from args.
if version == "v1":
# Include args deprecated in v2.
if args.IsKnownAndSpecified("compare_duration"):
# Process compareDuration argument.
request.groupFindingsRequest.compareDuration = args.compare_duration
compare_duration_iso = times.ParseDuration(
request.groupFindingsRequest.compareDuration
)
request.groupFindingsRequest.compareDuration = (
times.FormatDurationForJson(compare_duration_iso)
)
if args.IsKnownAndSpecified("read_time"):
# Get DateTime from string and convert to the format required by API.
request.groupFindingsRequest.readTime = args.read_time
read_time_dt = times.ParseDateTime(
request.groupFindingsRequest.readTime
)
request.groupFindingsRequest.readTime = times.FormatDateTime(
read_time_dt
)
request.groupFindingsRequest.filter = args.filter
request.groupFindingsRequest.groupBy = args.group_by
request.groupFindingsRequest.pageSize = args.page_size
request.groupFindingsRequest.pageToken = args.page_token
request = _GenerateParentForGroupCommand(args, request, version)
client = securitycenter_client.GetClient(version)
result = client.organizations_sources_findings.Group(request)
return result
def _GenerateParentForGroupCommand(args, req, version="v1"):
"""Generate a finding's name and parent using org, source and finding id."""
util.ValidateMutexOnSourceAndParent(args)
req.groupFindingsRequest.filter = args.filter
args.filter = ""
region_resource_patern = re.compile(
"(organizations|projects|folders)/[a-z0-9]+/sources/[0-9-]{0,62}/locations/[A-Za-z0-9-]{0,62}$"
)
parent = scc_util.GetParentFromPositionalArguments(args)
if region_resource_patern.match(parent):
req.parent = parent
return req
resource_pattern = re.compile(
"(organizations|projects|folders)/[a-z0-9]+/sources/[0-9-]{0,62}$"
)
if resource_pattern.match(parent):
args.source = parent
req.parent = util.GetFullSourceName(args, version)
return req