airbnb/streamalert

[Bug] TypeError: unhashable type: 'dict' on AWS Config Messages

rsavjani opened this issue · 2 comments

Hi all
I seen a previous fixed bug of Classifier throwing a "TypeError: unhashable type: 'dict'" for AWS Security Hub events.
However this fix does not seem to have fixed my issue. I am getting same error but for AWS Config event. Its throwing error on the source field also.
Below is what the event looks like:

{
    "version": "0",
    "id": "xxxxx",
    "detail-type": "Config Configuration Item Change",
    "source": "aws.config",
    "account": "xxxx",
    "time": "2020-10-27T10:49:09Z",
    "region": "xxxx",
    "resources": ["arn:aws:codebuild:xxxx:xxxx:project/xxxxxxxx"],
    "detail": {
        "recordVersion": "1.3",
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItemDiff": {
            "changedProperties": {
                "Configuration.source.0": {
                    "previousValue": {
                        "type": "CODEPIPELINE",
                        "buildSpec": "{\n  \"version\": \"0.2\",\n  \"env\": {\n    \"variables\": {\n      \"SKIP_TESTS\": \"xxxxUE\",\n}"
                    },
                    "changeType": "DELETE"
                },
                "Configuration.source.1": {
                    "updatedValue": {
                        "type": "CODEPIPELINE",
                        "buildSpec": "{\n  \"version\": \"0.2\",\n  \"env\": {\n    \"variables\": {\n      \"SKIP_TESTS\": \"xxxxE\",\n }\n}"
                    },
                    "changeType": "CREATE"
                }
            },
            "changeType": "UPDATE"
        },
        "notificationCreationTime": "2020-10-27T10:49:09.330Z",
        "configurationItem": {
            "relatedEvents": [],
            "relationships": [{
                "resourceName": "codepipeline_xxxxpipeline",
                "resourceType": "AWS::IAM::Role",
                "name": "with "
            }],
            "configuration": {
                "name": "xxxxxxxx",
                "source": [{
                    "type": "CODEPIPELINE",
                    "buildSpec": "{\n  \"version\": \"0.2\",\n  \"env\": {\n    \"variables\": {\n      \"SKIP_TESTS\": \"xxxxUE\",\n \n    ]\n  }\n}"
                }],
                "artifacts": [{
                    "type": "CODEPIPELINE",
                    "name": "xxxx",
                    "packaging": "NONE",
                    "encryptionDisabled": false
                }],
                "serviceRole": "arn:aws:iam::xxxx:role/xxxx",
                "timeoutInMinutes": 60.0,
                "queuedtimeoutInMinutes": 480.0,
                "environment": {
                    "type": "LINUX_CONTAINER",
                    "image": "xxxx",
                    "computeType": "BUILD_GENERAL1_SMALL",
                    "privilegedMode": false,
                    "environmentVariables": [],
                    "imagePullCredentialsType": "SERVICE_ROLE"
                },
                "encryptionKey": "arn:aws:kms:xxxx:xxxx:alias/aws/s3",
                "tags": [],
                "cache": {
                    "type": "NO_CACHE"
                }
            },
            "supplementaryConfiguration": {},
            "tags": {},
            "configurationItemVersion": "1.3",
            "configurationItemCaptureTime": "2020-10-27T10:49:08.580Z",
            "configurationStateId": xx,
            "awsAccountId": "xxxx",
            "configurationItemStatus": "OK",
            "resourceType": "AWS::CodeBuild::Project",
            "resourceId": "xxxx",
            "resourceName": "xxxx",
            "ARN": "arn:aws:codebuild:xxxx:xxxx:project/xxxx",
            "awsRegion": "xxxx",
            "availabilityZone": "x",
            "configurationStateMd5Hash": "",
            "resourceCreationTime": "2020-10-14T15:41:41.380Z"
        }
    }
}

Not tried the work around of removing Source from SourceAddress in the normalizer types file but raising a bug here so we can get this fixed.
This is coming from a Kineses Data Stream if that makes any difference.

Thanks

This issue is legit. The quick fix is remove source from sourceAddress in normalized_types.json file.

Hi @rsavjani, if you would like to contribute, feel free to submit a PR based on release-4-0-0, but totally optional. I can do the PR when I get a chance.

The issue is normalization doesn't handle well when the source field is a list of dictionary. Or maybe we can have better handling in the code. Open to suggestions.

"source": [{
  "type": "CODEPIPELINE",
  "buildSpec": "{\n "version": "0.2",\n "env": {\n "variables": {\n "SKIP_TESTS": "xxxxUE",\n \n ]\n }\n}"
}]