feat(ingestions): allow multiple scan_ids and providers inside the ocsf (#10182)

prowler/lib/outputs/ocsf/ocsf.py

@@ -57,8 +57,14 @@ class OCSF(Output):
             if not findings:
                 return
 
-            scan_id = _uuid7_from_timestamp(findings[0].timestamp)
+            scan_ids_by_provider = {}
             for finding in findings:
+                provider = finding.metadata.Provider
+                if provider not in scan_ids_by_provider:
+                    scan_ids_by_provider[provider] = _uuid7_from_timestamp(
+                        finding.timestamp
+                    )
+                scan_id = scan_ids_by_provider[provider]
                 finding_activity = ActivityID.Create
                 cloud_account_type = self.get_account_type_id_by_provider(
                     finding.metadata.Provider

tests/lib/outputs/ocsf/ocsf_test.py

@@ -123,6 +123,23 @@ class TestOCSF:
             1619600000, tz=timezone.utc
         )
 
+    def test_scan_id_is_unique_per_provider(self):
+        findings = [
+            generate_finding_output(provider="aws"),
+            generate_finding_output(provider="azure"),
+            generate_finding_output(provider="aws"),
+        ]
+
+        ocsf = OCSF(findings)
+
+        scan_ids = [finding.unmapped["scan_id"] for finding in ocsf.data]
+
+        assert UUID(scan_ids[0])
+        assert UUID(scan_ids[1])
+        assert UUID(scan_ids[2])
+        assert scan_ids[0] == scan_ids[2]
+        assert scan_ids[0] != scan_ids[1]
+
     def test_validate_ocsf(self):
         mock_file = StringIO()
         findings = [