feat(ingestions): allow multiple scan_ids and providers inside the ocsf (#10182)

2026-03-22 03:08:23 +00:00 · 2026-02-26 17:56:21 +01:00
parent c8ce590039
commit 336cbe1844
2 changed files with 24 additions and 1 deletions
--- a/prowler/lib/outputs/ocsf/ocsf.py
+++ b/prowler/lib/outputs/ocsf/ocsf.py
@@ -57,8 +57,14 @@ class OCSF(Output):
            if not findings:
                return

-            scan_id = _uuid7_from_timestamp(findings[0].timestamp)
+            scan_ids_by_provider = {}
            for finding in findings:
+                provider = finding.metadata.Provider
+                if provider not in scan_ids_by_provider:
+                    scan_ids_by_provider[provider] = _uuid7_from_timestamp(
+                        finding.timestamp
+                    )
+                scan_id = scan_ids_by_provider[provider]
                finding_activity = ActivityID.Create
                cloud_account_type = self.get_account_type_id_by_provider(
                    finding.metadata.Provider
--- a/tests/lib/outputs/ocsf/ocsf_test.py
+++ b/tests/lib/outputs/ocsf/ocsf_test.py
@@ -123,6 +123,23 @@ class TestOCSF:
            1619600000, tz=timezone.utc
        )

+    def test_scan_id_is_unique_per_provider(self):
+        findings = [
+            generate_finding_output(provider="aws"),
+            generate_finding_output(provider="azure"),
+            generate_finding_output(provider="aws"),
+        ]
+
+        ocsf = OCSF(findings)
+
+        scan_ids = [finding.unmapped["scan_id"] for finding in ocsf.data]
+
+        assert UUID(scan_ids[0])
+        assert UUID(scan_ids[1])
+        assert UUID(scan_ids[2])
+        assert scan_ids[0] == scan_ids[2]
+        assert scan_ids[0] != scan_ids[1]
+
    def test_validate_ocsf(self):
        mock_file = StringIO()
        findings = [