Migrate to aws-sdk-go-v2 (#1268)

* Migrate to aws-sdk-go-v2

* Update dependencies

Minimum go version increased due to k8s.io/client-go

.github/workflows/build.yml

@@ -14,7 +14,7 @@ on:
       - "LICENSE"
       - "NOTICE"
 env:
-  GO_VERSION: "1.16"
+  GO_VERSION: "1.19"
   KIND_VERSION: "v0.11.1"
   KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 
@@ -26,7 +26,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.16
+          go-version: ${{ env.GO_VERSION }}
       - name: Checkout code
         uses: actions/checkout@v3
       - name: yaml-lint
@@ -43,7 +43,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.16
+          go-version: ${{ env.GO_VERSION }}
       - name: Checkout code
         uses: actions/checkout@v3
       - name: Run unit tests
@@ -59,7 +59,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.16
+          go-version: ${{ env.GO_VERSION }}
       - name: Checkout code
         uses: actions/checkout@v3
       - name: Setup Kubernetes cluster (KIND)
@@ -89,7 +89,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.16
+          go-version: ${{ env.GO_VERSION }}
       - name: Checkout code
         uses: actions/checkout@v3
         with:

.github/workflows/release.yml

@@ -5,7 +5,7 @@ on:
     tags:
       - "v*"
 env:
-  GO_VERSION: "1.16"
+  GO_VERSION: "1.19"
   KIND_VERSION: "v0.11.1"
   KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 
@@ -17,7 +17,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.16
+          go-version: ${{ env.GO_VERSION }}
       - name: Checkout code
         uses: actions/checkout@v3
         with:

check/controls.go

@@ -21,8 +21,8 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/service/securityhub"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
 	"github.com/golang/glog"
 	"github.com/onsi/ginkgo/reporters"
 	"github.com/spf13/viper"
@@ -206,8 +206,8 @@ func (controls *Controls) JUnit() ([]byte, error) {
 }
 
 // ASFF encodes the results of last run to AWS Security Finding Format(ASFF).
-func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
-	fs := []*securityhub.AwsSecurityFinding{}
+func (controls *Controls) ASFF() ([]types.AwsSecurityFinding, error) {
+	fs := []types.AwsSecurityFinding{}
 	account, err := getConfig("AWS_ACCOUNT")
 	if err != nil {
 		return nil, err
@@ -250,9 +250,9 @@ func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
 					id = aws.String(fmt.Sprintf("%s%sEKSnodeID+%s+%s+%s", arn, account, check.ID, cluster, nodeName))
 				}
 
-				f := securityhub.AwsSecurityFinding{
+				f := types.AwsSecurityFinding{
 					AwsAccountId:  aws.String(account),
-					Confidence:    aws.Int64(100),
+					Confidence:    *aws.Int32(100),
 					GeneratorId:   aws.String(fmt.Sprintf("%s/cis-kubernetes-benchmark/%s/%s", arn, controls.Version, check.ID)),
 					Id:            id,
 					CreatedAt:     aws.String(tf),
@@ -261,30 +261,30 @@ func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
 					SchemaVersion: aws.String(SCHEMA),
 					Title:         aws.String(fmt.Sprintf("%s %s", check.ID, check.Text)),
 					UpdatedAt:     aws.String(tf),
-					Types:         []*string{aws.String(TYPE)},
-					Severity: &securityhub.Severity{
-						Label: aws.String(securityhub.SeverityLabelHigh),
+					Types:         []string{*aws.String(TYPE)},
+					Severity: &types.Severity{
+						Label: types.SeverityLabelHigh,
 					},
-					Remediation: &securityhub.Remediation{
-						Recommendation: &securityhub.Recommendation{
+					Remediation: &types.Remediation{
+						Recommendation: &types.Recommendation{
 							Text: aws.String(remediation),
 						},
 					},
-					ProductFields: map[string]*string{
-						"Reason":          aws.String(reason),
-						"Actual result":   aws.String(actualValue),
-						"Expected result": aws.String(check.ExpectedResult),
-						"Section":         aws.String(fmt.Sprintf("%s %s", controls.ID, controls.Text)),
-						"Subsection":      aws.String(fmt.Sprintf("%s %s", g.ID, g.Text)),
+					ProductFields: map[string]string{
+						"Reason":          reason,
+						"Actual result":   actualValue,
+						"Expected result": check.ExpectedResult,
+						"Section":         fmt.Sprintf("%s %s", controls.ID, controls.Text),
+						"Subsection":      fmt.Sprintf("%s %s", g.ID, g.Text),
 					},
-					Resources: []*securityhub.Resource{
+					Resources: []types.Resource{
 						{
 							Id:   aws.String(cluster),
 							Type: aws.String(TYPE),
 						},
 					},
 				}
-				fs = append(fs, &f)
+				fs = append(fs, f)
 			}
 		}
 	}

check/controls_test.go

@@ -25,8 +25,8 @@ import (
 	"reflect"
 	"testing"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/service/securityhub"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
 	"github.com/onsi/ginkgo/reporters"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/assert"
@@ -374,7 +374,7 @@ func TestControls_ASFF(t *testing.T) {
 	tests := []struct {
 		name    string
 		fields  fields
-		want    []*securityhub.AwsSecurityFinding
+		want    []types.AwsSecurityFinding
 		wantErr bool
 	}{
 		{
@@ -405,32 +405,32 @@ func TestControls_ASFF(t *testing.T) {
 						},
 					},
 				}},
-			want: []*securityhub.AwsSecurityFinding{
+			want: []types.AwsSecurityFinding{
 				{
 					AwsAccountId:  aws.String("foo account"),
-					Confidence:    aws.Int64(100),
+					Confidence:    *aws.Int32(100),
 					GeneratorId:   aws.String(fmt.Sprintf("%s/cis-kubernetes-benchmark/%s/%s", fmt.Sprintf(ARN, "somewhere"), "1", "check1id")),
 					Description:   aws.String("check1text"),
 					ProductArn:    aws.String(fmt.Sprintf(ARN, "somewhere")),
 					SchemaVersion: aws.String(SCHEMA),
 					Title:         aws.String(fmt.Sprintf("%s %s", "check1id", "check1text")),
-					Types:         []*string{aws.String(TYPE)},
-					Severity: &securityhub.Severity{
-						Label: aws.String(securityhub.SeverityLabelHigh),
+					Types:         []string{*aws.String(TYPE)},
+					Severity: &types.Severity{
+						Label: types.SeverityLabelHigh,
 					},
-					Remediation: &securityhub.Remediation{
-						Recommendation: &securityhub.Recommendation{
+					Remediation: &types.Remediation{
+						Recommendation: &types.Recommendation{
 							Text: aws.String("fix me"),
 						},
 					},
-					ProductFields: map[string]*string{
-						"Reason":          aws.String("failed"),
-						"Actual result":   aws.String("failed"),
-						"Expected result": aws.String("failed"),
-						"Section":         aws.String(fmt.Sprintf("%s %s", "test1", "test runnner")),
-						"Subsection":      aws.String(fmt.Sprintf("%s %s", "g1", "Group text")),
+					ProductFields: map[string]string{
+						"Reason":          "failed",
+						"Actual result":   "failed",
+						"Expected result": "failed",
+						"Section":         fmt.Sprintf("%s %s", "test1", "test runnner"),
+						"Subsection":      fmt.Sprintf("%s %s", "g1", "Group text"),
 					},
-					Resources: []*securityhub.Resource{
+					Resources: []types.Resource{
 						{
 							Id:   aws.String("foo Cluster"),
 							Type: aws.String(TYPE),

cmd/securityHub.go

@@ -1,33 +1,32 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"log"
 
 	"github.com/aquasecurity/kube-bench/internal/findings"
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/securityhub"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/securityhub"
+	"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
 	"github.com/spf13/viper"
 )
 
 // REGION ...
 const REGION = "AWS_REGION"
 
-func writeFinding(in []*securityhub.AwsSecurityFinding) error {
+func writeFinding(in []types.AwsSecurityFinding) error {
 	r := viper.GetString(REGION)
 	if len(r) == 0 {
 		return fmt.Errorf("%s not set", REGION)
 	}
-	sess, err := session.NewSession(&aws.Config{
-		Region: aws.String(r),
-	},
-	)
+	cfg, err := config.LoadDefaultConfig(context.Background(), config.WithRegion(r))
 	if err != nil {
 		return err
 	}
-	svc := securityhub.New(sess)
-	p := findings.New(svc)
+
+	svc := securityhub.NewFromConfig(cfg)
+	p := findings.New(*svc)
 	out, perr := p.PublishFinding(in)
 	print(out)
 	return perr

go.mod

@@ -1,11 +1,13 @@
 module github.com/aquasecurity/kube-bench
 
-go 1.16
+go 1.19
 
 require (
-	github.com/aws/aws-sdk-go v1.44.91
+	github.com/aws/aws-sdk-go-v2 v1.16.16
+	github.com/aws/aws-sdk-go-v2/config v1.17.8
+	github.com/aws/aws-sdk-go-v2/service/securityhub v1.23.5
 	github.com/fatih/color v1.13.0
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+	github.com/golang/glog v1.0.0
 	github.com/magiconair/properties v1.8.6
 	github.com/onsi/ginkgo v1.16.5
 	github.com/pkg/errors v0.9.1
@@ -14,6 +16,50 @@ require (
 	github.com/stretchr/testify v1.8.0
 	gopkg.in/yaml.v2 v2.4.0
 	gorm.io/driver/postgres v1.3.10
-	gorm.io/gorm v1.23.9
-	k8s.io/client-go v0.24.3
+	gorm.io/gorm v1.23.10
+	k8s.io/client-go v0.25.2
+)
+
+require (
+	github.com/aws/aws-sdk-go-v2/credentials v1.12.21 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.23 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.16.19 // indirect
+	github.com/aws/smithy-go v1.13.3 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
+	github.com/jackc/pgconn v1.13.0 // indirect
+	github.com/jackc/pgio v1.0.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgproto3/v2 v2.3.1 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
+	github.com/jackc/pgtype v1.12.0 // indirect
+	github.com/jackc/pgx/v4 v4.17.2 // indirect
+	github.com/jinzhu/inflection v1.0.0 // indirect
+	github.com/jinzhu/now v1.1.5 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/spf13/afero v1.9.2 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stretchr/objx v0.4.0 // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
+	golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be // indirect
+	golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec // indirect
+	golang.org/x/text v0.3.7 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )