Refine cloud provider inference logic in ProwlerParser

cosmel-dojo · cosmel-dojo · commit a4e40a93996f · 2025-06-11T11:07:22.000-06:00
- Update check_id prefixes for AWS detection to include "accessanalyzer_" and "account_"
- Simplify Azure detection by removing unnecessary check_id prefixes
- Streamline GCP detection to rely solely on title matching
- Adjust Kubernetes detection to focus on "apiserver_" prefix in check_id
diff --git a/dojo/tools/prowler/parser.py b/dojo/tools/prowler/parser.py
@@ -211,18 +211,16 @@ def _parse_json_findings(self, data, test, *, file_name=""):
             if cloud_provider:
                 finding.unsaved_tags.append(cloud_provider)
             # If no cloud provider but we can infer it from check_id or title
-            elif check_id and any(prefix in check_id.lower() for prefix in ["iam_", "elb_", "ec2_", "s3_"]):
+            elif check_id and any(prefix in check_id.lower() for prefix in ["accessanalyzer_", "account_"]):
                 finding.unsaved_tags.append("aws")
             elif "azure" in title.lower() or (
-                check_id and any(prefix in check_id.lower() for prefix in ["aks_", "aad_"])
+                check_id and any(prefix in check_id.lower() for prefix in ["aks_"])
             ):
                 finding.unsaved_tags.append("azure")
-            elif "gcp" in title.lower() or (
-                check_id and any(prefix in check_id.lower() for prefix in ["gcp_", "gke_"])
-            ):
+            elif "gcp" in title.lower():
                 finding.unsaved_tags.append("gcp")
             elif "kubernetes" in title.lower() or (
-                check_id and any(prefix in check_id.lower() for prefix in ["k8s_", "bc_k8s_"])
+                check_id and any(prefix in check_id.lower() for prefix in ["apiserver_"])
             ):
                 finding.unsaved_tags.append("kubernetes")
             # If still no provider tag, try to detect from the file name
@@ -371,18 +369,16 @@ def _parse_csv_findings(self, csv_data, test, *, file_name=""):
             if provider:
                 finding.unsaved_tags.append(provider)
             # If no provider in the CSV but we can infer it from check_id or title
-            elif check_id and any(prefix in check_id.lower() for prefix in ["iam_", "elb_", "ec2_", "s3_"]):
+            elif check_id and any(prefix in check_id.lower() for prefix in ["accessanalyzer_", "account_"]):
                 finding.unsaved_tags.append("AWS")
             elif "azure" in title.lower() or (
-                check_id and any(prefix in check_id.lower() for prefix in ["aks_", "aad_"])
+                check_id and any(prefix in check_id.lower() for prefix in ["aks_"])
             ):
                 finding.unsaved_tags.append("AZURE")
-            elif "gcp" in title.lower() or (
-                check_id and any(prefix in check_id.lower() for prefix in ["gcp_", "gke_"])
-            ):
+            elif "gcp" in title.lower():
                 finding.unsaved_tags.append("GCP")
             elif "kubernetes" in title.lower() or (
-                check_id and any(prefix in check_id.lower() for prefix in ["k8s_", "bc_k8s_"])
+                check_id and any(prefix in check_id.lower() for prefix in ["apiserver_"])
             ):
                 finding.unsaved_tags.append("KUBERNETES")
 
