fix(cloud-tests): parse all SecHub compliance formats + dedupe scan-mode literals (#2875)
Two issues cubic flagged on the production-deploy PR:
P2 — formatSingleRequirement regex couldn't match 3 of 4 documented
SecHub compliance formats. The character class
`[A-Z][A-Z0-9 .]+?` excluded lowercase letters and hyphens, so
NIST.800-53.r5, CIS AWS Foundations Benchmark, and AWS Foundational
Security Best Practices all silently fell through to the raw-string
fallback. Only PCI DSS (all uppercase + digits) matched. Effect:
compliance chips for 3 of 4 standards rendered as one verbose label
instead of split standard / version / control.
Fix:
1. Widen the first capture group to `[A-Za-z][A-Za-z0-9 .\-]+?`
so lowercase letters and hyphens are accepted.
2. Normalize `/` → ' ' before matching, so AWS FSBP's
"v1.0.0/EC2.2" version-control separator works.
3. Make the version capture REQUIRED rather than optional —
formats without an explicit version (NIST embeds "r5" in the
standard name) cleanly fall through to the raw fallback. This
avoids the awkward "unspecified" placeholder the prior code
emitted.
Verified against all 4 documented formats:
NIST.800-53.r5 AC-2 → raw (no version separator)
CIS AWS Foundations Benchmark v1.2.0 1.1 → cis 1.2.0 (1.1)
PCI DSS v3.2.1 8.2.3 → pci dss 3.2.1 (8.2.3)
AWS Foundational Security Best Practices v1.0.0/EC2.2 → aws fsbp 1.0.0 (EC2.2)
P2 — update-scan-mode.dto.ts hardcoded the scan-mode literals
('comp_scanners', 'security_hub') in two places, drifting from the
source-of-truth comment in aws-scan-mode.ts ("importers never spell
the values themselves"). Added an exported const tuple
AWS_SCAN_MODES, used it in the DTO for both the `@IsIn` validator and the
Swagger enum. Adding a new mode now touches only one file.
Tests:
- 26 → 29 SecHub adapter tests (NIST verbatim, CIS / PCI / AWS FSBP
each get a regression guard for the regex fix).
- 6 → 9 aws-scan-mode tests (AWS_SCAN_MODES contents, default
inclusion, round-trip consistency with resolveAwsScanMode).
Identified by cubic.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
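A stand-alone version of the regex fix the commit message describes, added here as an example rather than taken from the project's own adapter: the post-fix pattern follows the three listed changes, the pre-fix pattern is reconstructed around the quoted character class, and the `STANDARD_ABBREVIATIONS` table plus the `formatCompliance` and `matchedByOldRegex` helpers are assumptions.

```typescript
// Added example, not the project's code: formatSingleRequirement as
// described in this PR. Regexes follow the PR text; the abbreviation
// table and the two helper functions are assumptions.

// Pre-fix pattern, reconstructed around the character class the PR quotes:
// uppercase-only standard name and an OPTIONAL "v<version>" token.
const OLD_REQUIREMENT_RE = /^([A-Z][A-Z0-9 .]+?)(?:\s+v(\d+(?:\.\d+)*))?\s+(\S+)$/;

// Post-fix pattern: lowercase letters and hyphens allowed in the standard
// name, and "v<version>" is REQUIRED, so a string with no version separator
// (NIST.800-53.r5 AC-2) misses the regex and takes the raw fallback.
const REQUIREMENT_RE = /^([A-Za-z][A-Za-z0-9 .\-]+?)\s+v(\d+(?:\.\d+)*)\s+(\S+)$/;

// Assumed chip labels; an unknown standard keeps its lowercased full name.
const STANDARD_ABBREVIATIONS: Record<string, string> = {
  "cis aws foundations benchmark": "cis",
  "pci dss": "pci dss",
  "aws foundational security best practices": "aws fsbp",
};

// Returns "standard version (control)", or the untouched input on no match.
function formatSingleRequirement(raw: string): string {
  // Normalize the AWS FSBP "version/control" separator to a space first.
  const m = REQUIREMENT_RE.exec(raw.trim().replace(/\//g, " "));
  if (m === null) return raw; // raw fallback
  const [, standard = "", version = "", control = ""] = m;
  const key = standard.toLowerCase();
  return `${STANDARD_ABBREVIATIONS[key] ?? key} ${version} (${control})`;
}

// Builds the "Compliance: ..." line the PR's test plan expects in a
// finding's remediation field, one requirement per "; "-separated entry.
function formatCompliance(requirements: string[]): string {
  return `Compliance: ${requirements.map(formatSingleRequirement).join("; ")}`;
}

// Regression-guard helper: did the pre-fix pattern parse this format at all?
function matchedByOldRegex(raw: string): boolean {
  return OLD_REQUIREMENT_RE.test(raw.trim());
}
```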
🎉 This PR is included in version 3.59.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Summary

Two real P2s flagged by cubic on PR #2873 (production deploy), both isolated to API code, surgical fixes.

P2: formatSingleRequirement regex couldn't match 3 of 4 documented SecHub formats

The bug: the first capture group `[A-Z][A-Z0-9 .]+?` excluded lowercase letters and hyphens, so these documented formats all silently fell through to the raw-string fallback instead of producing structured `standard version (control)` output:

| Input | Structured output |
| --- | --- |
| `NIST.800-53.r5 AC-2` | (raw) |
| `CIS AWS Foundations Benchmark v1.2.0 1.1` | `cis 1.2.0 (1.1)` |
| `PCI DSS v3.2.1 8.2.3` | `pci dss 3.2.1 (8.2.3)` |
| `AWS Foundational Security Best Practices v1.0.0/EC2.2` | `aws fsbp 1.0.0 (EC2.2)` |

User-visible impact before the fix: compliance chips on Security Hub findings would render as one verbose label ("CIS AWS Foundations Benchmark v1.2.0 1.1") instead of cleanly split into standard / version / control parts (`CIS 1.2.0` chip with `1.1` detail).

Three changes:

1. Widen the first capture group to `[A-Za-z][A-Za-z0-9 .\-]+?` to accept lowercase + hyphens.
2. Normalize `/` → ' ' before matching, so AWS FSBP's `v1.0.0/EC2.2` separator works.
3. Make the version capture required rather than optional; formats without an explicit version (NIST embeds `r5` in the standard name) now cleanly fall through to the raw fallback — avoids the awkward `unspecified` placeholder the prior code emitted.

P2: DTO drifted from the source-of-truth promise

The bug: `aws-scan-mode.ts` explicitly says "importers never spell the values themselves" — but the DTO at `update-scan-mode.dto.ts` hardcoded `['comp_scanners', 'security_hub']` in both the Swagger `enum` and the `@IsIn` validator. If we ever add a new mode, the DTO would silently accept fewer values than the union type allows.

Fix: add an exported tuple `AWS_SCAN_MODES` in `aws-scan-mode.ts`, use it in the DTO for both validator and Swagger metadata. One file to change when a new mode is added.

Tests

- `security-hub.adapter.spec.ts`: 26 → 29 tests (regression guards for CIS, PCI, AWS FSBP formats — would catch any future regex narrowing).
- `aws-scan-mode.spec.ts`: 6 → 9 tests (`AWS_SCAN_MODES` contents, default inclusion, round-trip consistency with `resolveAwsScanMode` — would catch drift if a future commit adds a mode to one file but forgets the other).

Why a separate PR

PR #2873 is the auto-generated `main → release` production deploy PR, which regenerates on every merge. Pushing fixes targeting `main` makes them eligible for the next deploy cycle.

Test plan

- `PATCH /v1/cloud-security/connections/:id/scan-mode` with `{"mode": "bogus"}` → expect 400 (DTO validation rejects unknown modes)
- `remediation` field contains `Compliance: cis 1.2.0 (1.1); pci dss 3.2.1 (8.2.3)` shape (or equivalent for the standards the customer has enabled)

🤖 Generated with Claude Code
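The single-source-of-truth tuple behind the description's second P2, as an added example rather than the project's own `aws-scan-mode.ts` or DTO: the name `AWS_SCAN_MODES` and its two literals come from the PR, while the default mode, the behaviour of `resolveAwsScanMode`, and the `validateScanModeBody` helper standing in for the `@IsIn` decorator are assumptions.

```typescript
// Added example, not the project's code: scan-mode literals spelled in one
// place, with the DTO validation and the round-trip test derived from it.
// Default mode, resolver behaviour and the validation helper are assumed.

// The tuple is the only place the literals are spelled; the union type and
// every runtime check below are derived from it, so they cannot drift apart.
const AWS_SCAN_MODES = ["comp_scanners", "security_hub"] as const;
type AwsScanMode = (typeof AWS_SCAN_MODES)[number];

// Assumed default applied when a connection has no stored mode.
const DEFAULT_AWS_SCAN_MODE: AwsScanMode = "comp_scanners";

// Runtime guard equivalent to @IsIn(AWS_SCAN_MODES) on the DTO field.
function isAwsScanMode(value: unknown): value is AwsScanMode {
  return typeof value === "string" && (AWS_SCAN_MODES as readonly string[]).includes(value);
}

type ScanModeValidation =
  | { status: 200; mode: AwsScanMode }
  | { status: 400; error: string };

// Mimics DTO validation of the PATCH .../scan-mode body: an unknown mode
// such as {"mode": "bogus"} is rejected with a 400-style result.
function validateScanModeBody(body: unknown): ScanModeValidation {
  const mode = (body as { mode?: unknown } | null | undefined)?.mode;
  if (!isAwsScanMode(mode)) {
    return { status: 400, error: `mode must be one of: ${AWS_SCAN_MODES.join(", ")}` };
  }
  return { status: 200, mode };
}

// Assumed resolver: a valid stored value wins, anything else gets the default.
function resolveAwsScanMode(stored: string | null | undefined): AwsScanMode {
  return isAwsScanMode(stored) ? stored : DEFAULT_AWS_SCAN_MODE;
}

// The consistency checks the PR's aws-scan-mode tests describe: every tuple
// entry resolves to itself, and the default is itself a tuple member.
function scanModesRoundTrip(): boolean {
  return (
    AWS_SCAN_MODES.every((mode) => resolveAwsScanMode(mode) === mode) &&
    isAwsScanMode(DEFAULT_AWS_SCAN_MODE)
  );
}
```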
Summary by cubic

Fixes Security Hub compliance parsing so CIS, PCI DSS, and AWS FSBP formats render structured chips, and centralizes AWS scan-mode values to prevent DTO drift. Improves chip labels and makes adding new modes safer.

- Add `AWS_SCAN_MODES` in `aws-scan-mode.ts` and use it for both Swagger enum and `@IsIn` validation, removing hardcoded literals.

Written for commit a5d1539.